GUEST ESSAY: ‘Continuous authentication’ is driving passwordless sessions into the mainstream

By Nima Schei

Much more effective authentication is needed to help protect our digital environment – and make user sessions smoother and much more secure.

Related: Why FIDO champions passwordless systems

Consider that some 80 percent of hacking-related breaches occur because of weak or reused passwords, and that over 90 percent of consumers continue to re-use their intrinsically weak passwords.

Underscoring this trend, Uber was recently hacked through its authentication system. Let’s be clear: users want a better authentication experience, one that is more secure, more accurate and easier to use.

The best possible answer is coming from biometrics-based passwordless, continuous authentication.

Gaining traction

Passwordless, continuous authentication is on track to become the dominant authentication mechanism in one to two years.

Continuous authentication is a means to verify and validate user identity, not just once, but nonstop throughout an entire online session. This is accomplished by constantly measuring the probability that an individual user is who he or she claims to be, using machine learning applied to a variety of behavioral patterns sensed in real time.

Passwordless, continuous authentication addresses the dire need for higher and better security. Cyber attacks continue to grow in sophistication, and ransomware attacks are only the tip of the iceberg. Compromised credentials represent the most common way attackers penetrate networks. That simply is not tolerable going forward.


With a market and a society ready to go for it, passwordless authentication expansion is about to accelerate. In fact, demand for passwordless systems is expected to grow 15 percent per annum – topping $5.5 billion by 2032. It’s no surprise that passwordless authentication is at the core of Gartner’s report on emerging technologies and trends for 2022.

Invisible security

Authentication systems that leverage machine learning and biometric technology are now ready to replace legacy password-centric technologies. Machine learning can be applied to facial recognition data, for example, to provide an invisible security layer, with no actions required from the user.

This invisible authentication is very difficult to hack because it relies on biometric features that can’t be shared. Widely adopted from healthcare to law enforcement, it can deliver secure, accurate authentication even when the user is wearing a mask. It also prevents the unauthorized access that attackers can gain today by compromising the devices we use as a second factor of authentication.

In industries such as banking, healthcare and law enforcement, where employees work under pressure to handle sensitive information, cybersecurity and productivity often conflict with each other.

Password-based multi-factor authentication (MFA) systems, for instance, require constantly logging in and out of user sessions; employees waste working time, and can even suffer from MFA fatigue. These inefficiencies can open the gate to cyber attacks.

By contrast, passwordless, continuous authentication affords a double gain for companies: cybersecurity is materially improved, while authentication friction gets erased. This improves daily productivity, not to mention employees’ happiness.

Continuous vigilance

Current authentication tools focus on single sign on. This means that the authentication mechanism confirms the user at the beginning of the session but offers no guarantees during a user session.

One opportunity attackers seek out is when an authenticated user leaves the device unattended. Up to 95 percent of cyberthreats are successful because of a human error, including unattended sessions or visual hacking incidents, such as shoulder surfing.

This lack of extended security cannot be addressed through legacy sign-on authentication tools such as Microsoft Hello, which rely on one-time image authentication.

Fortunately, there’s a growing trend towards passwordless, continuous authentication.

One touchless delivery model is through face recognition, and a good example is the core functionality built into GuacamoleID, supplied by Hummingbird.AI. GuacamoleID uses sophisticated vision AI to recognize and secure user sessions, thus enabling touchless automated access to computers for security, privacy and compliance in law enforcement, healthcare and financial services.

Passwordless, continuous authentication improves the user experience by making it frictionless – and it materially boosts security by ensuring that there’s always the right person behind the device.

About the Author: Nima Schei is the founder and CEO of Hummingbirds AI, a supplier of technology that leverages artificial intelligence to automate access to computers through face matching.

