What is Continuous Authentication?

This topic introduces you to Secure Web Sessions Continuous Authentication security layer.

The solution

CyberArk Identity Secure Web Sessions protects against unauthorized application access, allowing organizations to re-authenticate users under special circumstances when using high-risk applications. Continuous Authentication offers protections via integration with CyberArk Identity multi-factor authentication (MFA) or via CyberArk Mobile QR code.

Continuous Authentication with MFA integration

SWS integrates with CyberArk Identity multi-factor authentication (MFA) to define triggers for re-authenticating users. Secure Web Sessions creates the Continuous Authentication application in CyberArk Identity for managing authentication flows and is SAML based. The initial setup of the application is done when the Continuous Authentication feature is turned ON in the Secure Web Sessions portal.

To define the authentication methods, such as re-entering password, the administrator needs to create an authentication policy and add it to the SWS Continuous Authentication application. According to the conditions set in the authentication policy, high-risk sessions are postponed until the user is re-authenticated. Only the user with the same identity as the one that originally initiated the session is able to resume the session.

A session's timeout is determined by the administrator. This is the amount of minutes that needs to pass before the session requires re-authentication by the user, should the session remain idle. The SWS browser extension retrieves the timeout value, and starts enforcing it when a new session is opened.

In the case where multiple application sessions are active with Continuous Authentication and are paused by reaching timeout, re-authenticating to one of them allows users to regain access to all other applications, as long as:

  • The session is still ongoing (24 hours hadn't passed since it has first been initialized, and no additional MFA log in to CyberArk Identity)

  • The web page is manually refreshed

When Continuous Authentication feature is turned OFF, the SWS Continuous Authentication application is automatically deleted, effectively disabling Continuous Authentication from all application policies where it is applied.

Continuous Authentication with the CyberArk Mobile app

Secure Web Sessions uses the CyberArk Mobile app for monitoring threats during sensitive web access. Using the end users mobile device pedometer, the number of footsteps taken are counted from the beginning of a session, to indicate if an end user might have left a sensitive web session unattended.

At the beginning of the sensitive session with continuous authentication, the user is prompted with a QR code to scan with the CyberArk Mobile app, which enables monitoring additional triggers (such as from the mobile device). If Secure Web Sessions detects suspicious behavior, such as idle time, or maximum number of footsteps, this can trigger a prompt to the user within the browser. This prompt can only be confirmed by the specific user’s mobile device with the CyberArk Mobile app – requiring a biometric authentication. If the user who is meant to be in the session is indeed present, they can scan the browser prompt from Secure Web Sessions and can continue with their session. But if not – then Secure Web Sessions is able to close the sensitive application tab to prevent unauthorized access to data.

How does continuous authentication with pedometer lock work?

When continuous authentication with the pedometer lock is enforced by the administrator, the end user needs to provide additional permissions via their mobile app for using location and fitness activity. This is used for monitoring footsteps taken by the end user during their sensitive web session, indicating if they might have left a sensitive web session unattended.

If the footsteps count crosses the configured threshold, the CyberArk Mobile app automatically send a signal to lock the web session to protect your organization's data. The end user is then prompted with a QR code to scan with the CyberArk Mobile.

Continuous authentication with the pedometer lock requires CyberArk Mobile access to Location and Motion & Fitness activity (for iOS), or access to physical activity (Android), on the end user's device. These access permissions are only used to count the number of footsteps taken from the start of the web session, and this data is collected and processed locally on the end user device to protect privacy.

The end user's activities are only monitored during sensitive web sessions that require it, and activities are no longer tracked when the web session is closed.

End user activity flow: