Risk Assessment of a Biometric Continuous Authentication Protocol for Internet Services

Distributed internet services involve multiple heterogeneous applications that communicate with each other. Guaranteeing their security is in general both mandatory and complex. Amongst the many security requirements that have to be guaranteed, secure user authentication is one of the most fundamental. Authentication is traditionally executed only at login phase, based on username and password. However, a single authentication point may not always guarantee a sufficient degree of security, especially in the context of critical systems. In a previous work we proposed a continuous authentication protocol that applies multiple biometric traits to continuously compute its trust in the user. This paper analyzes the security provided by such solution through a qualitative risk assessment, focusing on both threats related to transmission and specific of the biometric system level. Applying a NIST-compliant threat analysis, we identify the main threats and we assess their impact. Finally, we define the required countermeasures which allow us improving the security of our authentication solution.