The Unauthorized Access Your IAM Logs Can't See

Authenticator Abuse

At banks across the country, there are ongoing conversations about an issue within identity security that is difficult to name. An incident occurs when a user shares their session or a contractor uses credentials that are not theirs, and the identity and access management logs show everything is fine. The audit trail is, technically, correct. The compliance posture is intact, but the security outcome is not.

It is a pattern our team is seeing and hearing about firsthand at multiple leading banks, most recently at one of the largest banks in the U.S.

It's time to talk about authenticator abuse: what it is, why it's a problem that is largely unseen, and how leading banks are getting ahead of it.

Defining Authenticator Abuse

Authenticator abuse is the use of a valid authenticated session by a person other than, or in addition to, the user for whom the authenticated session was started.

Authenticator abuse can occur in a variety of ways; however, four vectors are the most common, and they share a single property: the authentication event itself was clean.

Intentional unauthorized access: A non-authorized person actively uses someone else's authenticated session to perform work or take actions they are not authorized to take. The most direct case.

Unintentional unauthorized access: A user's session is used by someone with no harmful intent, but no business there either. The most common example is training. A trainer uses a trainee's keyboard to demonstrate a workflow, or a new hire borrows a colleague's session to see how a tool works. It happens on trading desks during shift handoff. It happens in operations when a manager logs in so a junior can approve something quickly. Nobody is doing anything malicious, but the audit trail is still wrong.

Insider threat: A legitimate employee, in their own authenticated session, acts against the organization's interests. This is the case most security programs already consider, and the one most authentication systems still cannot help with once login is complete.

Insider collusion: A legitimate employee provides access to their authenticated session to an external threat actor in exchange for payment, leverage, or coercion. The audit trail shows the employee's clean login, but the activity inside the session is fraudulent.

Figure: The four vectors of Authenticator Abuse

How Authenticator Abuse Happens in Banking

The cycle goes like this. Someone other than the credentialed user is working inside an authenticated session. An MFA prompt fires, and the legitimate user steps in, completes it, and hands the session back. The unauthorized user keeps going. A few minutes later, another prompt. The legitimate user completes that one too. The cycle continues for as long as the work goes on.

Every prompt is answered correctly, by the right person, with the right factor. The identity stack records a clean session, but an unauthorized person has been operating inside the session for an hour.

Figure: Auth Abuse Bank Cycle

Phishing-resistant authentication does not close this loop either. Hand your hard token or PIN to a colleague. "It's one, two, three, four, five." They drop the token into their computer, fail the biometric check, enter the PIN, and are in. The identity stack reads a fairly high level of assurance. Biometrics do not catch it. Device-native biometrics and biometric keys both fall back to a knowledge-based, device-specific PIN. The audit trail records two valid logins. Neither one is the person to whom the credentials were issued.

Why the Existing Stack Misses It

Authenticator abuse lives in a specific gap in modern identity stacks. MFA authenticates a login. When the user signs in, it asks whether they can present additional factors. If yes, the gate opens. After that, MFA is done.

Adaptive MFA extends the check and watches the context. Is the device still healthy? Is the location plausible? Is the network the same? Those signals tell you whether the device is still the right device.

They do not tell you whether the human is still the right human.

MFA is the bouncer at the door. Adaptive MFA is the bouncer plus the security camera in the lobby. Neither one is the manager on the floor, noticing that the person at the desk is not the person who walked in.

The identity stack is context-continuous but not identity-continuous. The typical stack does not answer the question that matters: is the same person at the keyboard who started the session?

The Two Paths CISOs Are Offered, and Why Both Fall Short

Once a CISO accepts that the gap exists, the market has historically offered two answers. Neither survives contact with enterprise reality.

Accept the risk. Treat authenticator abuse as a rounding error. Let downstream tooling catch the bad outcome through data loss prevention, user behavior analytics, or privileged access monitoring. This is the default position for most organizations. It is reasonable until the incident count is no longer a rounding error. At most banks, that point has passed.

Deploy camera-based continuous verification. Put the webcam to work. Technically, it closes the gap. Practically, in regulated industries and in any environment with a works council, a privacy office, or an employee union, the tool will not clear legal and HR review. Leaders describe these tools in exactly the words their general counsels would underline: invasive.


A quieter third option often surfaces in these conversations and gets dismissed in the same breath. The biometric tools that emerged from the consumer fraud detection world in the early 2010s integrate at the web application layer. They are aimed at catching account takeover fraud on banking and e-commerce sites, not workforce identity assurance, and the math at enterprise scale closes the door quickly.

Neither accepting the risk nor watching the user through a camera is a CISO's idea of a good answer.

A Third Path: Continuous Authentication

Continuous Authentication closes the gap. Continuous auth is a security process that repeatedly verifies a user's identity after login, for the duration of the session, every second the user is active.

Twosense built this category and leads it. This work began with the Department of Defense, where accuracy is not optional, which is why the Continuous Authentication Platform is the ideal solution to solve authenticator abuse.

Where it runs. At the endpoint, for the full session. The authenticator runs next to the user, from login to shutdown.

What it measures. Behavior, such as how a specific person types and moves a mouse. No keystrokes are stored, and no screens are captured. No camera is used.

What it deliberately does not do. Watch the user's work. Transmit content. Depend on visual surveillance. Those constraints are not accidents. They are the reason the category clears reviews that camera-based tools fail to clear.

How it works

The Continuous Authentication Platform works by continuously building user trust throughout the endpoint session, from start to finish. The agent activates invisibly in the background and passively analyzes each user's unique behavioral biometrics, such as subtle patterns in their keystroke cadence, typing rhythm, and mouse movements. These behavioral characteristics are used to create a passive biometric authenticator for the user.

This authenticator is unique to each user and runs invisibly in the background at all times. Because it is based on individual biometrics, it cannot be shared, stolen, or passed off to another user, making it inherently resistant to authenticator abuse, phishing, and credential theft.

This behavioral "trust score" is then used as a powerful, live authentication factor, tied to the organization's authentication policy as a "something-you-are" factor for seamless multi-factor authentication (MFA). Throughout an employee's session, their real-time behavior is constantly authenticated against their established biometric profile. This guarantees the legitimate user remains present, thereby satisfying authentication requirements for accessing sensitive data or applications without interrupting the user with an MFA prompt.

The platform has three components.

  • Continuous Authentication. Passive behavioral biometric signals confirm the identity of the user behind the keyboard, re-evaluating once per second. A divergence from the trusted pattern is a behavioral mismatch.
  • Continuous Access Evaluation Profile (CAEP). Identity signals are shared in real time with connected systems to keep access decisions up to date.
  • Policy-Driven Orchestration. Access is enforced based on policy. When trust drops, Twosense automatically triggers step-up authentication, session termination, or other remediation. Twosense delivers the only solution that bridges seamless user experience with actionable security, protecting users, data, and operations without friction.
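As an added example that is not Twosense's code, here is a toy version of the per-second trust loop described above, tying the behavioral mismatch to the step-up, termination and investigation outcomes the page discusses. The keystroke-interval profile, the similarity formula, the smoothing factor and the thresholds are all assumptions chosen for illustration.

```python
# Added illustration, not Twosense's code. A toy per-second trust evaluator in
# the shape the page describes: a behavioral profile, a similarity score per
# one-second window, a smoothed trust score, and policy actions when it drops.
# The "profile" is only the mean and spread of inter-keystroke intervals, a
# deliberate simplification of real behavioral biometrics.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Profile:
    mu: float     # mean inter-keystroke interval (ms) from enrollment
    sigma: float  # population standard deviation of those intervals


def enroll(intervals):
    """Build a profile from the legitimate user's own typing (constructed data)."""
    return Profile(mean(intervals), max(pstdev(intervals), 1.0))


def window_similarity(profile, intervals):
    """Similarity in [0, 1] of one second of typing to the enrolled profile."""
    z = abs(mean(intervals) - profile.mu) / profile.sigma
    return max(0.0, 1.0 - z / 3.0)  # three sigma away counts as a full mismatch


def evaluate_session(profile, windows, step_up=0.6, terminate=0.3,
                     alpha=0.5, max_step_ups=2):
    """Re-evaluate trust once per window; return (window_index, action) events.

    Smoothing (alpha) keeps one odd second from firing. A step-up is assumed
    to be answered, as in the MFA cycle the page describes, so trust resets;
    after max_step_ups the evaluator escalates to an investigation instead.
    """
    trust, step_ups, actions = 1.0, 0, []
    for t, w in enumerate(windows):
        trust = alpha * window_similarity(profile, w) + (1 - alpha) * trust
        if trust < terminate:
            actions.append((t, "terminate"))
        elif trust < step_up:
            step_ups += 1
            if step_ups > max_step_ups:
                actions.append((t, "investigate"))
            else:
                actions.append((t, "step_up"))
                trust = 1.0
    return actions


# Constructed sample: the enrolled user types ~120 ms between keys, then
# someone else with a ~180 ms cadence takes over the same session.
PROFILE = enroll([110, 130, 110, 130])
LEGIT = [[118, 122, 120]] * 3
HANDOFF = LEGIT + [[178, 182, 180]] * 5
```

With `HANDOFF`, the first two drops produce step-ups that a cooperating legitimate user could answer, the third becomes an investigation, and the remaining windows terminate the session.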

Closing

When a behavioral mismatch fires, the response stops being a re-auth and becomes an investigation. Did the employee share their credentials, or did someone take them? Either way, the authenticated user is not the person operating the session, and the organization decides what happens next.

Authenticator abuse has shaped incident reports at the largest US banks for years. What is new is the capability to detect it without a webcam, a per-application integration, or a hard block on the user. The MFA logs will continue to show everything is fine. Whether everything is actually fine right now is what Twosense built Continuous Authentication to answer.
