Continuous Authentication HAS To Be Multi-Factor

If you authenticate a person at the beginning of a session and never authenticate them again, you have a huge security hole.

For example, you may authenticate an adult delivery person and then find a kid illegally making your delivery. 31,000 Brazilians already know how to do this.


That’s why more secure firms practice continuous authentication for high-risk transactions.

But continuous authentication can be intrusive.

How would you feel if you had to press your finger on a fingerprint reader every six seconds?


Enough of that and you’ll start using the middle finger to authenticate.

Even face authentication is intrusive, if it’s 3 am and you don’t feel like being on camera.

Now I’ve already said that Amazon doesn’t want to over-authenticate everything. 


But Amazon does want to authenticate the critical transactions. From Identity Week:

“Amazon treats authentication as a continuous process, not a one-time event. It starts with verifying who a user is at login, but risk is assessed throughout the entire session, watching for unusual behaviours or signals to ensure ongoing confidence in the user’s identity.”

That’s right: Amazon uses “somewhat you why” as an authentication factor.

I say they’re smart.
