(Updated April 14 to include reference to 'invisible buttons')
Today's authentication mechanisms are explicit and discontinuous - on some schedule (depending on the resource being accessed) we demand that users stop what they are doing (e.g. doing work for us or buying stuff from us) and log in - a distinct and unappreciated operation. Based on that single action, we feel sufficiently confident that the user is who they claim to be, and we don't bother them with another interruption until such time as we feel we need to. Rinse and repeat.
Somewhat separate from the temporal nature of the authentication, today's default authentication mechanism of passwords is also less than ideal from a usability point of view (acknowledging that one man's usable is another woman's unusable). To make passwords even somewhat resistant to guessing and brute-force attacks demands long strings that mere mortals can't remember. So we mere mortals write them down or store them somewhere, thereby opening up a different set of attacks.
Mobile-based authentication models can offer improved usability relative to passwords, by freeing users from some of the worst consequences of having to remember them. Phones, by way of their computing power and connectivity, and the generally tight connection users feel for them, make great 'what you have' authentication factors.
But, while current mobile-based models move us to the right along the usability axis shown above, they for the most part still presume an explicit user action, e.g. typing in a One-Time Password (OTP) sent by SMS, or clicking a confirmation button.
Similarly, the Fast Identity Online (FIDO) Alliance is standardizing an authentication framework whereby the emerging biometric capabilities of phones can be leveraged in order to authenticate users into network resources. In FIDO's model the biometric verifies the user to the device locally; the device then proves possession of a key to the network resource, so the biometric itself never leaves the phone. But FIDO still mostly presumes that the biometric authentication to the device requires an explicit user action, i.e. place finger on reader, or scan retina.
Somewhat related, a Ping colleague of mine recently demonstrated how to use a fitness band (specifically the Jawbone Up) to authenticate into our PingFederate server. By prompting the user attempting login to toggle their wristband into sleep mode, and then querying the Jawbone API to see if that happened, the Jawbone effectively becomes a second factor.
So while the interruptions may be less onerous with a mobile (or wristband)-based model, they are nevertheless still interruptions from what the user is actually trying to do - report writing, tweet sending, widget buying, etc.
The premise of 'continuous authentication' is that explicit login interruptions (whether password, mobile, or fitness band) should be infrequent - replaced, or at least reduced in number, by a more passive and constant comparison of the user's current context against previously established patterns.
For instance, is the user typing with the same speed as expected? Are they holding the phone with the same orientation? The same firmness? Are they in a location consistent with the claimed user's past locations? etc. Bob Blakley, former Gartner analyst and now director of security innovation at Citigroup, previously characterized this model as 'recognition' in order to highlight how it differs from traditional authentication. He argues that recognition is how we deal with identifying actors in the real world.
But for a recognition model to work, there need to be local sensors capable of doing the recognizing, i.e. collecting the current typing, holding, or location context. Mobile phones (and soon all the other devices that we will surround ourselves with) will enable continuous authentication by providing a suite of connected sensors with on-board computing and storage power - and thereby act as the 'first mile' of recognition systems.
In the future, it will be the phone (or the thermostat, or the fitness band, etc.) that will monitor our typing speed, our grip strength, our location and either report all that context up to a server for analysis and comparison, or instead perform the analysis locally itself in order to ascertain the identity of the user (as in FIDO's model of biometrics).
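To make the recognition model concrete, here is an added example (not code from the post, nor from Ping or FIDO) of the comparison described above: a profile is learned from trusted past sessions, and each new context sample (typing cadence, phone tilt, location) is scored against it. The user is interrupted with an explicit factor only when the score crosses a 'step-up' threshold. The field names, weights, thresholds and the Denver/Salt Lake City/Moscow sample data are all assumptions constructed for the illustration; the phone is assumed to reduce raw sensor data to the small feature sample locally, and the scoring can then run either on the device or on a server.

```python
"""Toy continuous-authentication ("recognition") scorer.

Added illustration, not code from the post. Field names, weights, thresholds
and sample data are assumptions chosen for the example. The phone (the
"first mile") is assumed to summarise raw sensor data into a ContextSample
locally; only that sample is scored here, on the device or on a server.
"""
from __future__ import annotations

import math
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ContextSample:
    chars_per_sec: float   # typing cadence summarised by the on-device keyboard
    tilt_deg: float        # phone orientation from the accelerometer
    lat: float             # GPS / network location
    lon: float


@dataclass
class Profile:
    typing_mean: float
    typing_sd: float
    tilt_mean: float
    tilt_sd: float
    known_places: list[tuple[float, float]]


SD_FLOOR = 0.05       # avoid dividing by zero for a very regular user
Z_CAP = 4.0           # beyond 4 sigma everything counts as "completely unlike you"
HOME_RADIUS_KM = 5.0  # anywhere within this of a known place is "home"
FAR_KM = 500.0        # beyond home radius + this, the location component saturates at 1


def build_profile(history: list[ContextSample]) -> Profile:
    """Learn the user's established pattern from trusted past sessions."""
    speeds = [s.chars_per_sec for s in history]
    tilts = [s.tilt_deg for s in history]
    return Profile(
        typing_mean=statistics.fmean(speeds),
        typing_sd=max(statistics.stdev(speeds), SD_FLOOR),
        tilt_mean=statistics.fmean(tilts),
        tilt_sd=max(statistics.stdev(tilts), SD_FLOOR),
        known_places=[(s.lat, s.lon) for s in history],
    )


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def _z_component(value: float, mean: float, sd: float) -> float:
    """|z-score| of the observation, scaled into [0, 1]."""
    return min(abs(value - mean) / sd, Z_CAP) / Z_CAP


def risk_score(profile: Profile, sample: ContextSample) -> float:
    """Passively compare current context with the profile: 0 = looks like you, 1 = not you."""
    typing = _z_component(sample.chars_per_sec, profile.typing_mean, profile.typing_sd)
    tilt = _z_component(sample.tilt_deg, profile.tilt_mean, profile.tilt_sd)
    nearest = min(haversine_km((sample.lat, sample.lon), p) for p in profile.known_places)
    location = 0.0 if nearest <= HOME_RADIUS_KM else min((nearest - HOME_RADIUS_KM) / FAR_KM, 1.0)
    # Weights are an assumption; a real deployment fits them to observed fraud/false-reject rates.
    return 0.4 * typing + 0.2 * tilt + 0.4 * location


def decide(risk: float) -> str:
    """Map a risk score to an action: carry on silently, demand an explicit factor, or stop."""
    if risk < 0.3:
        return "continue"
    if risk < 0.7:
        return "step_up"
    return "deny"


def monitor(profile: Profile, session: list[ContextSample]) -> list[str]:
    """Score every sample of a session; the user is only interrupted on 'step_up'."""
    return [decide(risk_score(profile, s)) for s in session]


# Constructed history: five trusted sessions from one user in Denver.
HISTORY = [
    ContextSample(4.8, 38.0, 39.74, -104.99),
    ContextSample(5.1, 42.0, 39.75, -104.98),
    ContextSample(5.0, 40.0, 39.74, -105.00),
    ContextSample(4.9, 41.0, 39.73, -104.99),
    ContextSample(5.2, 39.0, 39.74, -104.99),
]
PROFILE = build_profile(HISTORY)

# Constructed current samples: same user at home, same user on a trip, and someone else far away.
SAME_USER_HOME = ContextSample(5.1, 41.0, 39.745, -104.985)
SAME_USER_TRIP = ContextSample(5.0, 40.0, 40.76, -111.89)   # Salt Lake City, roughly 600 km away
SOMEONE_ELSE = ContextSample(2.0, 70.0, 55.75, 37.62)        # slow typist, odd grip, other continent

if __name__ == "__main__":
    for name, s in [("home", SAME_USER_HOME), ("trip", SAME_USER_TRIP), ("other", SOMEONE_ELSE)]:
        r = risk_score(PROFILE, s)
        print(f"{name:6s} risk={r:.2f} -> {decide(r)}")
```

Two practical points the scoring hides. First, the profile must only be updated from sessions that passed a step-up, otherwise an impostor who is tolerated for a while gradually trains the profile towards themselves. Second, if the analysis runs on the phone, the server is trusting the phone's report of its own sensors, so the value of the scheme rests on the device being able to attest that the report is genuine and not replayed by malware on the handset.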
An invisible button is simply an area in space that is "clicked" when a person or object--in this case, a smartphone--moves into that physical space.
Of course, if you apply this concept to authentication, the 'click' that is being performed is one replacing those we perform today on "Login" buttons. In the future, 'login' forms will be found only in tech museums which, when visited, will inspire us to bore our grandchildren with tales of favourite passwords and Post-it Notes.