I recently traveled to the Ping Identity offices in Tel Aviv, Israel. I flew into Ben Gurion Airport. So this article, which lambasts the U.S. Transportation Security Administration (TSA) model for airport security and compares it to the Israeli model followed at Ben Gurion, hit home for me--more so than my normal hatred for airport security procedures.
The article's co-author, Rafi Sela, ran security at Ben Gurion Airport. He writes:
"My name is Rafi Sela, and I was the head of security for the world's safest airport.
"Ben Gurion is probably the most threatened airport in the world. It has between 50 and 70 incidents every day. Nobody hears about those because we handle them.
"About 99.9 percent of travelers are just that: travelers. They want to get through security, buy a cup of coffee and some duty-free whiskey, then quietly drink and leech Wi-Fi from the airport McDonald's. These people pose no threat to anyone, and there's no point in even checking them."
Of the TSA security model, Sela writes:
"The very few terrorists that exist are like needles in a haystack. But the TSA's approach is to check every single piece of hay, in case it might actually be a needle."
Whereas the Americans focus on luggage, the Israelis focus on travelers.
"We interview every single customer several times, but we don't really care what you have to say. We're paying attention to your behavior."
I can vouch for this. I was "interviewed" five times at Ben Gurion Airport:
As my cab pulled up at the airport grounds
As I exited the cab at the terminal building curb
As I decided which check-in line to get in
At the check-in counter--twice here, actually, because I was asked to stand back and wait 5 minutes to get my boarding pass, which I highly doubt is accidental
At the actual security check point (where my belt stayed on and toiletries did not come out of the bag)
Of course, these were only the interviews I was aware of. (Clearly, I was being passively and continuously "interviewed" right up until I boarded the plane.) Some were nothing more than a friendly, "Where are you traveling to today?" Some were slightly more intimidating: "Did you pack your own luggage?" But each was designed to give staff the opportunity to look into my eyes and examine my behavior.
I can vouch for the efficiency of the system. Sela's claim that it takes 25 minutes to get from check-in to your gate is perfectly believable. I even had time to stop for a kosher burger (tastes great, FWIW).
Hmm... strong security and a great user experience? These aren't mutually exclusive?
What the Israelis have discovered about security--in their airports and other civic infrastructure, no doubt--is that user behavior is a reliable indicator of risk. Bad people behave differently than good people. Analyzing user behavior and comparing it to what's expected serves to enhance the more overt forms of authentication--like passports and plane tickets. Because their behavior is consistent with expectations, good travelers can be moved through the system much more quickly and easily. Bad travelers, whose behavior is likely inconsistent with expectations, well, let's just say they'd have a very different UX.
The premise of continuous authentication is that we can deduce something about the identity of a user attempting to access a sensitive application resource through passive mechanisms - as opposed to explicit and active logins.
The two modes, passive and active, complement each other. When passive mechanisms do not provide the necessary confidence for a given requested operation, you prompt for an explicit login. And when you do ask for an explicit login, you also simultaneously check passive factors to mitigate the risk of the login credentials being compromised.
Passive authentication models require that the system collect authentication signals (e.g., IP address, geolocation, time of day, typing speed) and then analyze them to determine whether each signal's value is consistent with expectations (enhancing assurance) or anomalous (decreasing assurance).
Continuous authentication mechanisms do for online transactions what Ben Gurion's security model does for air travelers: they constantly examine user behavior, looking for anomalous signals. And, once spotted, they trigger appropriate mitigating mechanisms.
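The interplay of passive and active modes described above, as an added sketch that is not from the original article. The signal weights, per-operation thresholds, baseline fields and sample sessions are all constructed assumptions; a real system would learn them per user.

```python
from dataclasses import dataclass

# Constructed weights: how much each passive signal contributes to assurance.
WEIGHTS = {"ip_prefix": 0.25, "country": 0.30, "hour": 0.15, "typing_cps": 0.30}
# Constructed confidence required per operation (more sensitive = higher).
REQUIRED = {"view_balance": 0.5, "transfer_funds": 0.9}
LOGIN_FLOOR = 0.3  # below this, even a correct password is treated as suspect

@dataclass
class Baseline:
    ip_prefixes: set
    countries: set
    active_hours: range
    typing_cps: float  # usual typing speed, characters per second

def consistent(baseline, signals):
    """Map each signal to True (matches expectations) or False (anomalous)."""
    return {
        "ip_prefix": signals["ip"].rsplit(".", 1)[0] in baseline.ip_prefixes,
        "country": signals["country"] in baseline.countries,
        "hour": signals["hour"] in baseline.active_hours,
        "typing_cps": abs(signals["typing_cps"] - baseline.typing_cps)
                      <= 0.3 * baseline.typing_cps,
    }

def passive_assurance(baseline, signals):
    """Sum the weights of the consistent signals; the result is in [0, 1]."""
    checks = consistent(baseline, signals)
    return round(sum(WEIGHTS[name] for name, ok in checks.items() if ok), 2)

def decide(baseline, signals, operation, explicit_login_ok=None):
    """Return 'allow', 'step_up' (prompt for an explicit login) or 'deny'."""
    score = passive_assurance(baseline, signals)
    if explicit_login_ok is None:  # passive mode only
        return "allow" if score >= REQUIRED[operation] else "step_up"
    if not explicit_login_ok:
        return "deny"
    # Active login succeeded: passive factors still guard against stolen credentials.
    return "allow" if score >= LOGIN_FLOOR else "deny"

# Constructed sample data: one user's baseline and three sessions.
ALICE = Baseline({"203.0.113"}, {"IL"}, range(7, 20), 5.0)
USUAL = {"ip": "203.0.113.7", "country": "IL", "hour": 9, "typing_cps": 5.4}
LATE = {"ip": "203.0.113.7", "country": "IL", "hour": 3, "typing_cps": 5.0}
ODD = {"ip": "198.51.100.9", "country": "BR", "hour": 3, "typing_cps": 9.0}
```

The same session can pass silently for a low-risk operation and trigger a step-up for a sensitive one, and a correct password presented from a fully anomalous session is still refused.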
The result? Security remains high without compromising the experience for valid users. It's like the TSA Pre ✔® Program. You can keep your shoes on.