The future of authentication is continuous, contextual, and variable, and is based around the human rather than a device.
Authentication will happen constantly instead of just once when you start your session
You’ll be challenged based on what you’re doing, and what you’ve been doing
Challenges will vary in strength based on how long it’s been since you’ve authenticated, and/or what type of action you are trying to perform
The focus will be on the human authenticating through the device, not the device itself being authenticated
And there will be hundreds of authentication indicators available—some of which are silent and passive and invisible to the user, and some of which are multi-factor and heavy.
Inputs into authentication will include things like:
A large set of these signals will be polled continuously by the mobile device, which authenticates you as a person by looking at your overall context at any given moment.
Sensitive events might map to the OWASP AppSensor project, then be labeled with a tier (1-5, where 1 is lowest and 5 is highest) and have an auth strength associated with them (also 1-5). The logic will look something like this:
If you have an active session and it’s been more than 15 minutes since you last authenticated, authenticate with a type 1 challenge (transparent bio check and pass-through).
If you are within that 15-minute window and you try to do a type 3 activity, prompt the user with a type 3 challenge (username/password).
If you attempt to change account details, you must authenticate with a type 5 challenge regardless (7 factor bio-temporal-tesseract-infinitystone-retina-auth).
If you’ve done 3 passive auths in a row, make the next one one level higher (requiring user interaction).
Etc.
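As an added example (not code from the original post), here is one way the rule set above could be written down as a policy function. The 15-minute window, the 1-5 scale, the type 5 account-change rule and the three-passive-auths escalation come from the rules above; the `Session` fields, the use of tier 0 for "just continuing the session", and the helper names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

SESSION_WINDOW = 15 * 60       # seconds; beyond this the session needs a re-check
PASSIVE_STREAK_LIMIT = 3       # passive auths in a row before escalating one level
PASSIVE_LEVEL = 1              # level 1 is silent (transparent bio check and pass-through)
MAX_LEVEL = 5                  # level 5 is the strongest challenge
ACCOUNT_CHANGE_LEVEL = MAX_LEVEL


@dataclass
class Session:
    seconds_since_auth: int      # elapsed time since the last successful challenge
    passive_streak: int = 0      # consecutive passive (level-1) authentications


def required_challenge(session: Session, action_tier: int,
                       changes_account: bool = False) -> Optional[int]:
    """Return the challenge level (1-5) to demand, or None if no challenge is needed.

    action_tier is the sensitivity tier (1-5) of what the user is trying to do,
    or 0 (an assumption of this example) when the user is merely continuing the session.
    """
    if changes_account:
        level = ACCOUNT_CHANGE_LEVEL                 # always the top tier, regardless
    elif session.seconds_since_auth > SESSION_WINDOW:
        level = max(PASSIVE_LEVEL, action_tier)      # stale: at least a silent re-check
    elif action_tier >= 1:
        level = action_tier                          # inside the window: the action's own tier
    else:
        return None                                  # fresh session, nothing sensitive
    # Three passive checks in a row: make the next one require user interaction.
    if level == PASSIVE_LEVEL and session.passive_streak >= PASSIVE_STREAK_LIMIT:
        level += 1
    return min(level, MAX_LEVEL)


def record_auth(session: Session, level: int) -> Session:
    """Return the session state after a challenge at `level` succeeds."""
    streak = session.passive_streak + 1 if level == PASSIVE_LEVEL else 0
    return Session(seconds_since_auth=0, passive_streak=streak)
```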
So authentication will never really stop. It will happen at the beginning, but then instead of just going away it will fade into the background with a current rating at any given moment: watching, adjusting, adapting to behavior, conditions and context, and then requiring additional authentication events according to what action is being performed.
That is the future of authentication.