How Does Continuous Multi-Factor Authentication Work?

The principles of MFA are quite simple. To gain access to a network, an application, or a VPN, you are required to authenticate with two of the following factors: something you know, something you have, and something you are.

Powered By Behavioral Biometrics

“Something you are” can really only mean one thing: biometrics, the measurement and statistical analysis of an individual’s unique physical and behavioral characteristics. Behavioral biometrics are a form of passive biometrics that take into account the way a person behaves. This could be the way they walk, the rhythm with which they type on a keyboard, the way they move a mouse, or the gestures they use when scrolling on their smartphone. These “passive” or behavioral biometrics are produced instinctively, and because these behaviors are so intrinsic to the individual, they have become a fundamental variable in identity security.

PCI DSS Approved Biometrics

While PCI guidance recommends biometric authentication, it does not specifically define what counts as a biometric factor. For that, PCI DSS relies on NIST for guidance:

“PCI DSS relies on industry standards—such as NIST, ISO, and ANSI—that cover all industries, not just the payments industry.”

The MFA Guidance document links specifically to NIST Special Publication 800-63 for that definition. SP 800-63 defines the term biometrics as follows:

“Biometrics: Automated recognition of individuals based on their biological and behavioral characteristics.”

Here, NIST clearly labels behavior as a biometric, which is in line with its current approach to Zero Trust. NIST advocates for behavior as a factor across the board, with NIST Special Publication 800-207, Zero Trust Architecture, as a prime example. This is also in line with international regulation, where behavioral characteristics have been approved by the UK ICO as a strong authenticator for EU payments under PSD2.

Simply put: according to PCI SSC and NIST, behavioral biometrics do meet PCI DSS and PSD2 requirements for multi-factor authentication.

Leveraging Machine Learning

The Twosense Windows agent continually collects keystroke timing and mouse coordinates from each user. This data does not contain any actual keystrokes or information about what the user clicked. By itself, this data is worthless; only when machine learning is applied can patterns be identified.

Twosense’s cloud-based machine learning platform analyzes the passive biometric data to learn who your users are, creating a unique profile for each user. Whenever a user passes an MFA challenge, each model continues to learn and adapt to changing behaviors. The more behavior is observed, the more confident Twosense can be that the user is who they claim to be. When the model is mature, Twosense can validate the user's identity and create a baseline of trust.

Digital Behavior

With Continuous MFA, the user’s recent behavior is continually compared to their behavioral biometric model. This means that multi-factor checks are performed on the user consistently throughout the day, instead of only at the moment the user authenticates to an application.

Users are assigned a trust score based on how closely their behaviors match. If the trust score is high enough, the user will not be inconvenienced with a manual MFA challenge when accessing an application. Some organizations will even use high trust scores in passwordless policies, and let the user bypass password requirements entirely.

If the trust score is low, which could indicate that the wrong user is behind the keyboard, multiple options are available for Twosense administrators:

  • Fallback MFA can be required.
  • A manager approval workflow can lock the user’s session until a supervisor investigates.
  • An alert can be sent that will later be investigated without interrupting the user’s session.
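The two sections above describe the pipeline in words: the agent keeps only timing (never the keys themselves), a per-user model is built from that timing and keeps learning whenever the user passes an MFA challenge, and a trust score decides between a silent pass and one of the three low-trust responses. The following is an added illustration of that pipeline, not Twosense code: it assumes the agent reports key-down and key-up timestamps in milliseconds, uses dwell and flight time as the only features, and maps a z-score distance to a trust score with a toy formula. The event data is constructed; the key names appear only to show that they are discarded.

```python
"""Toy behavioral-biometric trust scoring with a Continuous MFA policy.

Added example; not Twosense code. Agent event shape, feature set (dwell and
flight time), z-score distance and the score mapping are all assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple

FEATURES = ("dwell_ms", "flight_ms")
Event = Tuple[str, int, int]          # (key, down_ms, up_ms) as an agent would see them

# Constructed sample events. The key names exist only to show that they are discarded.
ENROLLMENT_EVENTS: List[Event] = [
    ("t", 0, 95), ("h", 275, 377), ("e", 572, 670), (" ", 845, 950),
    ("q", 1150, 1250), ("u", 1435, 1532), ("i", 1722, 1825), ("c", 2003, 2102),
]
GENUINE_EVENTS: List[Event] = [      # same user later in the day: similar rhythm
    ("k", 0, 100), ("e", 288, 386), ("y", 568, 671),
    ("b", 862, 959), ("o", 1144, 1245), ("a", 1432, 1531),
]
IMPOSTOR_EVENTS: List[Event] = [     # someone else at the keyboard: slower, longer holds
    ("k", 0, 140), ("e", 400, 550), ("y", 830, 975), ("b", 1245, 1400), ("o", 1690, 1838),
]


def timings_from_events(events: List[Event]) -> Dict[str, List[float]]:
    """Keep only timing: dwell (hold duration) and flight (gap to the next key-down).
    Which keys were pressed is dropped here, so the stored data is not keylogging."""
    if len(events) < 2:
        raise ValueError("need at least two keystrokes to derive flight times")
    dwell = [float(up - down) for _, down, up in events]
    flight = [float(events[i + 1][1] - events[i][2]) for i in range(len(events) - 1)]
    return {"dwell_ms": dwell, "flight_ms": flight}


@dataclass
class Profile:
    """Per-user baseline: (mean, std-dev) of each feature plus the samples behind it."""
    stats: Dict[str, Tuple[float, float]] = field(default_factory=dict)
    samples: Dict[str, List[float]] = field(default_factory=lambda: {f: [] for f in FEATURES})

    def learn(self, events: List[Event]) -> None:
        """Fold an MFA-verified window into the baseline so the model keeps adapting."""
        for f, values in timings_from_events(events).items():
            self.samples[f].extend(values)
            # floor sigma at 1 ms so a tiny enrollment set cannot divide by zero
            self.stats[f] = (mean(self.samples[f]), max(pstdev(self.samples[f]), 1.0))


def build_profile(enrollment: List[Event]) -> Profile:
    profile = Profile()
    profile.learn(enrollment)
    return profile


def trust_score(profile: Profile, events: List[Event]) -> float:
    """Score in [0, 1]: 1.0 means the recent window sits exactly on the baseline means.
    Each standard deviation of average drift roughly halves the score (toy mapping)."""
    window = timings_from_events(events)
    z = [abs(mean(window[f]) - profile.stats[f][0]) / profile.stats[f][1] for f in FEATURES]
    return round(0.5 ** mean(z), 3)


LOW_TRUST_ACTIONS = ("fallback_mfa", "lock_session", "alert")   # the three options above


def decide(score: float, threshold: float = 0.8, low_trust_action: str = "fallback_mfa") -> str:
    """Policy: high trust passes silently; low trust triggers the administrator's choice."""
    if low_trust_action not in LOW_TRUST_ACTIONS:
        raise ValueError(f"unknown low-trust action: {low_trust_action}")
    return "allow" if score >= threshold else low_trust_action


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT_EVENTS)
    for label, window in (("genuine", GENUINE_EVENTS), ("impostor", IMPOSTOR_EVENTS)):
        s = trust_score(profile, window)
        print(f"{label}: trust={s} -> {decide(s, low_trust_action='lock_session')}")
    profile.learn(GENUINE_EVENTS)   # user passed a challenge: baseline absorbs the new window
    print("samples now:", len(profile.samples["dwell_ms"]))
```

Two design points worth noticing: `timings_from_events` is the only place raw events are touched, and it discards the key identity before anything is stored, which is what makes the "no actual keystrokes" claim checkable; and `learn` is called only with windows that passed a challenge, so an impostor who fails step-up never pulls the baseline toward their own rhythm. The threshold and the low-trust action are the administrator's policy knobs; a real deployment would tune them against observed false-reject and false-accept rates rather than the fixed 0.8 used here.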

Continuous MFA is the Future

Traditional multi-factor authentication is falling further behind as its flaws become apparent.

MFA that requires a phone is prone to problems with broken and lost phones, and to the inconvenience of registering a new device whenever an employee buys a new phone. It is also prone to user error, phishing attacks, and sophisticated prompt-bombing attacks that have led to large-scale breaches.

Hard tokens can similarly be broken or lost, and frequently need to be replaced whenever an employee quits or is fired. The time and effort required to assign tokens to users can also be overwhelming for IT departments. Both phone-based and hard-token-based MFA waste valuable time and interrupt users when they’re trying to do their jobs.

Behavioral biometric MFA is the only solution that can check user identity hundreds of times each day without requiring any participation from the user, making it completely phishing-proof. Finally, the best user experience is also the most secure solution.
