The premise of continuous authentication is that we can deduce something about the identity of a user attempting to access a sensitive application resource through passive mechanisms - as opposed to explicit and active 'logins'.
The two modes, passive and active, complement each other - when passive mechanisms do not provide the necessary confidence for a given requested operation, you prompt for an explicit login. And when you do ask for an explicit login, you also simultaneously check passive factors to mitigate the risk of the login credentials being compromised.
Passive authentication models require that the system collect authentication signals (e.g. IP address, geolocation, time of day, typing speed) and then analyze those signals to determine whether the value of each signal is consistent with expectations (and so enhances assurance) or anomalous (and so decreases assurance).
What you compare the current value of a signal against can differ. What follows is a model and terminology for distinguishing the different comparisons that can be made.
Context - comparing the current value for an authentication signal against one or more prescribed values, e.g. check the location of the user's phone against a blacklist of untrusted locales (e.g. Saskatchewan), or against a whitelist of trusted locales (e.g. head office).
Behaviour - comparing the current value for an authentication signal against a historical pattern, e.g. check the location of the user's phone against the user's typical locations (established over some time period beforehand).
Correlation - comparing the current value for an authentication signal against the value of the same signal collected from a different channel, e.g. check the location of the user's laptop against the location of the user's phone.
These different checks can mitigate different attacks and have different characteristics and requirements. For instance, a context check may not prevent a malicious insider but a behaviour check is more likely to (such as spotting that an exec is trying to move funds on the weekend). But of course, checking behaviour presumes that a pattern of typical behaviour has been established - hard to do for a new user or customer. A correlation check requires that a particular signal can be collected from different channels and so compared. Consequently, there is value in making multiple checks, or ideally, making the optimal check based on an intelligent assessment of the current risk factors.
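The three comparisons applied to a single location signal, as an added example that is not part of the original post. The coordinates, radii, thresholds, function names and the step-up rule are assumptions chosen for illustration; a check returns `None` when it cannot be made (no behavioural baseline for a new user, or no second channel to correlate against).

```python
from math import radians, sin, cos, asin, sqrt

# Constructed sample coordinates (lat, lon); assumptions, not from the post.
HEAD_OFFICE = (43.65, -79.38)
UNTRUSTED = (52.13, -106.67)

def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def context_check(loc, trusted, untrusted, radius_km=5):
    """Context: compare against prescribed values. +1 trusted, -1 untrusted, 0 neither."""
    if any(km(loc, p) <= radius_km for p in untrusted):
        return -1
    if any(km(loc, p) <= radius_km for p in trusted):
        return 1
    return 0

def behaviour_check(loc, history, radius_km=25, min_samples=5):
    """Behaviour: compare against the user's own past locations."""
    if len(history) < min_samples:
        return None  # new user: no pattern established yet
    near = sum(km(loc, p) <= radius_km for p in history)
    return 1 if near / len(history) >= 0.2 else -1

def correlation_check(loc, other_channel_loc, radius_km=50):
    """Correlation: compare against the same signal from another channel."""
    if other_channel_loc is None:
        return None  # signal not collectable from a second channel
    return 1 if km(loc, other_channel_loc) <= radius_km else -1

def assess(loc, trusted, untrusted, history, phone_loc):
    """Run every check that can be made and decide whether to prompt for login."""
    results = {
        "context": context_check(loc, trusted, untrusted),
        "behaviour": behaviour_check(loc, history),
        "correlation": correlation_check(loc, phone_loc),
    }
    scores = [r for r in results.values() if r is not None]
    # Assumed policy: step up on any anomaly, or when nothing raised assurance.
    step_up = any(s < 0 for s in scores) or not any(s > 0 for s in scores)
    return results, step_up

if __name__ == "__main__":
    laptop = (43.651, -79.381)  # constructed: laptop reports head office
    phone = (45.50, -73.57)     # constructed: phone reports another city
    print(assess(laptop, [HEAD_OFFICE], [UNTRUSTED], [HEAD_OFFICE] * 10, phone))
```

In the demo run the context and behaviour checks both pass, and only the correlation check flags the mismatch between the two channels.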