For a long time we relied on "authenticate once and use forever"; however, continuous authentication and other pattern-recognition techniques have somewhat looked like a game changer for mobile security. Any thoughts?
If I understand correctly, you are worried about a user being authenticated once at the beginning of a session, and then never being re-authenticated. You would like "continuous authentication".
While I agree that a single authentication could be subject to session hijacking and stealing of the UE, I don't see why you would need to jump to continuous authentication (whatever that even means - any practical authentication scheme would be run periodically, not continuously).
Standard practice is to use an inactivity timeout. Do you see cases where this is insufficient?
Moving targets are definitely more difficult to hit, so continuous authentication has been helpful. Improved human context around all actions will continue to be a research area to improve security. I would refer you to some papers in Applied Cyber Physical Systems (Springer 2012) on data that protects itself for a similar but alternative view.
I agree that under some conditions frequent reauthentication is possible (e.g., monitoring typing habits, speaker verification), but it is network/computation intensive, and even a small false alarm rate would be extremely annoying, so the question remains whether it is worthwhile for any but the most secure applications. Perhaps the launching of a nuclear strike or trading of millions of dollars should be based on continuous authentication, but it is far from clear that accessing Facebook should. (I couldn't track down the papers to which you refer ...)
Agreed. I have a question I ask often of my customers: "What is the level of your paranoia?" Additionally, most organizations don't know where data is, nor why they are protecting it. It is most definitely perceived-risk-vs-reward based, in my opinion.
Continuous authentication can be perceived as a promising solution for IT security in general, but careful consideration should be given to the value/risk level of the asset/service to be protected as well as to user convenience. So, having a continuous AND transparent authentication mechanism would offer a trade-off solution.
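To make the trade-off discussed in this thread concrete, here is an added example (not from any of the posters) of a session policy that keeps the standard inactivity timeout, adds a periodic behavioural re-check only for higher-value tiers, and turns a low-confidence check into a step-up prompt rather than an immediate logout, so that a false rejection costs one prompt instead of lost work. The tier names, timeouts, thresholds and the 0-1 confidence score are constructed assumptions; the last function estimates how many spurious prompts a given false-rejection rate would produce per working day, which is the "annoyance" cost raised above.

```python
"""
Added example: risk-tiered session policy combining an inactivity timeout with
periodic behavioural re-checks. All tiers, numbers and the confidence score are
constructed assumptions for illustration, not taken from the discussion.
"""
from dataclasses import dataclass

# Hypothetical policy tiers. idle_timeout and recheck_interval are in seconds;
# recheck_interval None means the tier never performs behavioural re-checks.
# threshold is the minimum confidence score needed to avoid a step-up prompt.
POLICIES = {
    "social":   {"idle_timeout": 1800, "recheck_interval": None, "threshold": 0.0},
    "banking":  {"idle_timeout": 300,  "recheck_interval": 60,   "threshold": 0.6},
    "critical": {"idle_timeout": 120,  "recheck_interval": 10,   "threshold": 0.9},
}


@dataclass
class Session:
    tier: str
    last_activity: float      # time of the last user action
    last_recheck: float       # time of the last behavioural check
    authenticated: bool = True
    step_up_required: bool = False


def evaluate(session: Session, now: float, confidence: float) -> str:
    """Update the session for an action at time `now` and return its state:
    'expired', 'step_up' or 'ok'. `confidence` is the (assumed) score in [0, 1]
    reported by a behavioural verifier such as a typing-rhythm model."""
    policy = POLICIES[session.tier]

    # 1. Inactivity timeout: the standard practice mentioned in the thread.
    if now - session.last_activity > policy["idle_timeout"]:
        session.authenticated = False
        return "expired"
    session.last_activity = now

    # 2. Periodic behavioural re-check, only for tiers that opt in.
    interval = policy["recheck_interval"]
    if interval is not None and now - session.last_recheck >= interval:
        session.last_recheck = now
        if confidence < policy["threshold"]:
            # Soft failure: require an explicit factor instead of ending the
            # session, so a false rejection costs one prompt, not lost work.
            session.step_up_required = True

    return "step_up" if session.step_up_required else "ok"


def complete_step_up(session: Session, now: float) -> None:
    """Clear the pending prompt after the user presents an explicit factor."""
    session.step_up_required = False
    session.last_recheck = now
    session.last_activity = now


def expected_false_prompts_per_day(false_rejection_rate: float,
                                   recheck_interval,
                                   active_seconds: float = 8 * 3600) -> float:
    """Nuisance estimate: assuming independent checks, each of which wrongly
    rejects an honest user with probability `false_rejection_rate`, return the
    expected number of spurious step-up prompts over `active_seconds`."""
    if recheck_interval is None:
        return 0.0
    checks = active_seconds / recheck_interval
    return checks * false_rejection_rate


if __name__ == "__main__":
    s = Session(tier="banking", last_activity=0.0, last_recheck=0.0)
    print(evaluate(s, 30.0, 0.9))    # within interval, no check yet
    print(evaluate(s, 70.0, 0.3))    # low confidence at a check: step_up
    complete_step_up(s, 80.0)
    print(evaluate(s, 400.0, 0.9))   # idle for 320 s > 300 s: expired
    for tier, p in POLICIES.items():
        print(tier, expected_false_prompts_per_day(0.01, p["recheck_interval"]))
```

With a 1% per-check false-rejection rate, the "banking" tier (a check every minute) would interrupt an honest user roughly five times in an eight-hour day, and the "critical" tier about 29 times, which is why the re-check interval and threshold should be set per asset class rather than applied uniformly.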