By NHI Mgmt Group Editorial Team | Published 2026-05-07 | Domain: Governance & Risk | Source: OneSpan

TL;DR: Authentication now has to extend beyond login to the session and transaction layer, using passkeys, FIDO2, device and behavioural signals, and transaction signing to protect high-risk actions, according to OneSpan. For IAM teams, the shift matters because static authentication alone no longer matches how attacks target users, sessions, and transactions.


At a glance

What this is: The article says authentication must move beyond login to continuous session and transaction control, with passkeys, FIDO2, adaptive signals, and transaction signing as the core pattern.

Why it matters: That matters because IAM, PAM, and application security teams need controls that still hold when attackers bypass static login and target in-session actions, high-value transactions, and mobile workflows.


👉 Read OneSpan's analysis of continuous authentication for sessions and transactions


Context

Continuous authentication is the idea that identity checks should not stop at login. The article argues that modern attacks increasingly target sessions, mobile interactions, and transaction approval steps, which makes a single authentication event too narrow for real-world risk.

For IAM and application teams, the governance question is not whether to add more prompts, but where trust should be re-evaluated during a user journey. That puts session context, device signals, and transaction intent at the center of modern authentication design.


Key questions

Q: How should security teams handle authentication after login in high-risk workflows?

A: They should treat authentication as a session and transaction control, not only an access check. That means combining phishing-resistant login, continuous risk signals, and approval steps that are bound to the specific action. The goal is to stop attackers who wait until after login to hijack a session or alter a transaction.

Q: When do passkeys and FIDO2 reduce risk most effectively?

A: They matter most where phishing, credential replay, and password reuse are realistic threats, especially for employees or customers who approve sensitive actions. Passkeys and FIDO2 reduce dependence on shared secrets, but they work best when the rest of the journey also includes session monitoring and transaction-bound approvals.

Q: What breaks when organisations rely on MFA alone for digital interactions?

A: MFA can confirm the user once, but it does not automatically protect the active session or the transaction being approved later. Attackers can still hijack a session, manipulate a mobile workflow, or abuse a valid login to authorise a high-value action. Stronger assurance has to follow the interaction, not stop at the prompt.

Q: How can teams prove that their transaction approval controls are working?

A: Look for evidence that approvals are bound to the exact transaction context, not just the user session. In practice, that means testing whether changing the amount, destination, or action invalidates the approval path: capture a valid approval, alter one field of the transaction the server is about to execute, and confirm the same approval is rejected. If the approval still succeeds after the action changes, the control is too loose.


Technical breakdown

Passkeys and FIDO2 for phishing-resistant access

The article places passkeys and FIDO2 at the front of the control stack because password-only access is easy to intercept, replay, or phish. Passkeys are FIDO2/WebAuthn credentials: a per-site key pair held on the device or in hardware, where the authenticator signs a server challenge together with the origin the browser observed. Nothing reusable crosses the wire, and an assertion produced on a look-alike domain fails the relying party's origin check, which is what removes the shared secret and the phishing path at the same time. The design goal is to make initial access harder to compromise, not merely more convenient. In practical terms, this is still an access-layer control, but it becomes the first trust signal in a broader session security model.

Practical implication: replace password-dependent login paths for high-risk users and applications with phishing-resistant authenticators.

Session risk scoring with device, behaviour, and context signals

The article's core technical shift is the use of continuous signals during the session, not just at login. Device posture, user behaviour, and contextual signals feed an adaptive decision loop that can raise assurance when the session looks abnormal. This matters because many modern attacks succeed after the first successful authentication, especially in mobile and web flows where the attacker hijacks the active session rather than the password. The architecture is closer to runtime risk evaluation than classic MFA.

Practical implication: instrument session telemetry so abnormal device or behaviour patterns can trigger step-up authentication.
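As an added example (not OneSpan's or NHIMG's code), the following Go program scores a constructed timeline of in-session events against the signal classes named above: device identity, geolocation and timing, a device-compromise flag from the mobile SDK, and the sensitivity and value of the action. The weights, thresholds, event names and the sample timeline are assumptions chosen for illustration; a production engine would tune them from fraud data and would also consume behavioural biometrics, which this example does not model.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the adaptive outcome for one in-session action.
type Decision int

const (
	Allow  Decision = iota // continue silently
	StepUp                 // demand a fresh passkey/FIDO2 assertion before the action completes
	Block                  // terminate the session and raise an alert
)

func (d Decision) String() string { return [...]string{"ALLOW", "STEP_UP", "BLOCK"}[d] }

// Session is the trust state bound at login.
type Session struct {
	DeviceID string    // device fingerprint that authenticated
	Country  string    // geolocation at login
	LastSeen time.Time // time of the last accepted action
}

// Event is one in-session action with the signals available at that moment.
type Event struct {
	At          time.Time
	DeviceID    string
	Country     string
	Compromised bool // rooted/jailbroken device or overlay detected by the mobile SDK
	Action      string
	Amount      float64
}

// sensitive lists the actions that should never be authorised on session presence alone.
var sensitive = map[string]bool{"transfer": true, "change_payee": true, "change_limit": true}

// Score adds up risk from device, context and action signals and reports why (weights are assumptions).
func Score(s *Session, e Event) (int, []string) {
	score, reasons := 0, []string{}
	add := func(n int, why string) { score += n; reasons = append(reasons, why) }
	if e.DeviceID != s.DeviceID {
		add(60, "session token presented from a device other than the one that logged in")
	}
	if e.Country != s.Country && e.At.Sub(s.LastSeen) < 2*time.Hour {
		add(40, "country changed too fast for travel")
	}
	if e.Compromised {
		add(40, "device compromise signal")
	}
	if sensitive[e.Action] {
		add(15, "sensitive action")
		if e.Amount >= 1000 {
			add(15, "high-value amount")
		}
		if e.At.Sub(s.LastSeen) > 30*time.Minute {
			add(10, "sensitive action after a long idle period")
		}
	}
	return score, reasons
}

// Evaluate maps the score to a decision and advances the session clock unless it blocks.
func Evaluate(s *Session, e Event) (Decision, int, []string) {
	score, reasons := Score(s, e)
	d := Allow
	switch {
	case score >= 60:
		d = Block
	case score >= 30:
		d = StepUp
	}
	if d != Block {
		s.LastSeen = e.At
	}
	return d, score, reasons
}

// SampleEvents is a constructed timeline for one session (not real telemetry).
func SampleEvents() (Session, []Event) {
	t0 := time.Date(2026, 5, 7, 10, 0, 0, 0, time.UTC)
	s := Session{DeviceID: "dev-a1", Country: "DE", LastSeen: t0}
	return s, []Event{
		{At: t0.Add(2 * time.Minute), DeviceID: "dev-a1", Country: "DE", Action: "view_balance"},
		{At: t0.Add(5 * time.Minute), DeviceID: "dev-a1", Country: "DE", Action: "transfer", Amount: 200},
		{At: t0.Add(6 * time.Minute), DeviceID: "dev-a1", Country: "DE", Action: "transfer", Amount: 5000},
		{At: t0.Add(7 * time.Minute), DeviceID: "dev-zz", Country: "DE", Action: "change_payee"},
		{At: t0.Add(20 * time.Minute), DeviceID: "dev-a1", Country: "BR", Action: "transfer", Amount: 200},
	}
}

// Run evaluates the sample timeline in order and returns the decisions.
func Run() []Decision {
	s, events := SampleEvents()
	out := make([]Decision, 0, len(events))
	for _, e := range events {
		d, score, reasons := Evaluate(&s, e)
		fmt.Printf("%s %-13s -> %-7s score=%d %v\n", e.At.Format("15:04"), e.Action, d, score, reasons)
		out = append(out, d)
	}
	return out
}

func main() { Run() }
```

Reading the timeline: viewing a balance and a small transfer from the enrolled device pass silently; the high-value transfer steps up; the payee change presented from a device other than the one that logged in is the session-hijack case the article describes and is blocked regardless of how benign the rest of the context looks; the transfer from a new country shortly afterwards steps up. Step-up here means asking the authenticator for a fresh assertion before the action completes, which is where the transaction-bound approval described below takes over.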

Transaction signing and dynamic linking for high-value actions

Transaction signing binds the approval to the specific action the user is authorising, which helps stop fraud that manipulates what appears on screen versus what is actually executed. Dynamic linking, the term PSD2's strong customer authentication rules use for this requirement, is the cryptographic or procedural binding of the authentication code to the amount, the destination, and the action context the user saw and confirmed, so that a change to any of them invalidates the approval. This is especially relevant in financial and enterprise workflows where a valid session should not automatically authorise a sensitive transfer or administrative change. It is the transaction, not the login, that becomes the real security boundary.

Practical implication: require transaction-bound approval for sensitive actions instead of relying on session authentication alone.
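The following Go program is an added example, not code from OneSpan or NHIMG. It covers both the passkey/FIDO2 point above and transaction signing with dynamic linking, and it runs the tamper test suggested under "Key questions". It models a WebAuthn-style authenticator and relying party with the standard library only: the authenticator signs authData concatenated with SHA-256(clientDataJSON), and clientDataJSON carries the origin the browser observed, which is the real WebAuthn construction. The dynamic-linking part is an assumption about how to apply that primitive, namely deriving the challenge as SHA-256(nonce || transaction) so the relying party re-derives it from the transaction it is about to execute. Origins, rpID, nonces and the IBANs are constructed values, and the toy authenticator generates its key in process, which a real device never exposes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the action context the user sees and confirms.
type Transaction struct{ Action, Amount, Currency, Destination string }

// clientData mirrors the WebAuthn clientDataJSON fields used here; the browser, not the page, fills in Origin.
type clientData struct{ Type, Challenge, Origin string }

// Assertion is the authenticator's reply: a signature over authData || SHA256(clientDataJSON).
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// challengeFor derives the server challenge (assumed design): login uses the bare nonce, a transaction
// uses H(nonce || transaction), so the signed challenge is linked to exactly that action.
func challengeFor(nonce []byte, tx *Transaction) string {
	h := sha256.New()
	h.Write(nonce)
	if tx != nil {
		b, _ := json.Marshal(tx)
		h.Write(b)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Authenticator stands in for the device-bound key (constructed; a real private key never leaves the device).
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, nil
}

// Assert signs authData (rpIdHash || flags || counter) followed by SHA256(clientDataJSON), as WebAuthn does.
func (a *Authenticator) Assert(origin, challenge string) (Assertion, error) {
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; then a 4-byte big-endian counter
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return Assertion{cdJSON, authData, sig}, err
}

// RelyingParty holds the public key registered at enrolment and the last accepted signature counter.
type RelyingParty struct {
	Origin, RPID string
	pub          *ecdsa.PublicKey
	lastCounter  uint32
}

// Verify re-derives the expected challenge from the transaction the server is about to execute,
// so an approval collected for different details cannot authorise this one.
func (rp *RelyingParty) Verify(as Assertion, nonce []byte, tx *Transaction) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: phishing site or misconfigured client", cd.Origin, rp.Origin)
	}
	if cd.Challenge != challengeFor(nonce, tx) {
		return errors.New("challenge does not match this transaction: dynamic linking failed")
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not increase: replayed assertion or cloned authenticator")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	rp.lastCounter = counter
	return nil
}

// Scenario runs the cases discussed in the text and returns each verification result (nil = accepted).
func Scenario() (map[string]error, error) {
	auth, err := NewAuthenticator("bank.example")
	if err != nil {
		return nil, err
	}
	rp := &RelyingParty{Origin: "https://bank.example", RPID: "bank.example", pub: &auth.priv.PublicKey}
	res := map[string]error{}
	nonce := []byte("nonce-0001") // constructed; a real server issues a random single-use nonce per ceremony
	as, _ := auth.Assert(rp.Origin, challengeFor(nonce, nil)) // login from the genuine origin
	res["login"] = rp.Verify(as, nonce, nil)
	as, _ = auth.Assert("https://bank-example.com", challengeFor(nonce, nil)) // same challenge via a phishing proxy
	res["phishing"] = rp.Verify(as, nonce, nil)
	shown := Transaction{"transfer", "250.00", "EUR", "DE89370400440532013000"} // details the user confirmed (constructed)
	txNonce := []byte("nonce-0002")
	as, _ = auth.Assert(rp.Origin, challengeFor(txNonce, &shown))
	res["transaction"] = rp.Verify(as, txNonce, &shown)
	tampered := shown // malware swaps the payee after approval; the server checks against what it would execute
	tampered.Destination = "DE02120300000000202051"
	res["tampered"] = rp.Verify(as, txNonce, &tampered)
	res["replay"] = rp.Verify(as, txNonce, &shown) // the same valid approval presented a second time
	return res, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"login", "phishing", "transaction", "tampered", "replay"} {
		fmt.Printf("%-12s %v\n", k, res[k])
	}
}
```

The five cases: the genuine login verifies; the same challenge relayed through a look-alike origin fails the origin check even though the signature itself is valid; a transfer confirmed for one payee verifies; the same assertion checked against a swapped payee fails the challenge comparison, which is the test from "Key questions"; and presenting the valid assertion twice fails the signature-counter check. In production the per-ceremony nonce would be consumed on first use as well, and the relying party would also check the user-verification flag and the credential's attestation, which this example omits.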




NHI Mgmt Group analysis

Authentication has become a runtime control, not a one-time event. The article reflects a broader shift in identity security: login is no longer the end of assurance, because attackers increasingly operate inside valid sessions. That changes the governance model for human IAM and connected application flows alike. Practitioners should treat authentication as an ongoing trust decision across the full interaction path, not as a single gate at the front door.

Session risk is the new attack surface for human identity programmes. Device compromise, overlay attacks, and session hijacking all exploit the gap between successful login and trusted action. That gap is where traditional MFA often stops protecting the user journey. The implication is that IAM teams need to think in terms of session assurance, not just credential assurance, especially for mobile-first workflows.

Transaction integrity is the named concept this article makes unavoidable. Authentication that does not bind user intent to the specific action leaves a structural opening for fraud and abuse. In financial and enterprise workflows, the problem is not simply who logged in, but what they were authorised to do at the moment of approval. Practitioners should recognise transaction integrity as a separate control domain from access verification.

Mobile interaction security now sits inside the identity boundary. The article's emphasis on app shielding, malware resistance, and compromised device detection shows that authentication governance now extends into the application runtime. That is a material change for teams that still separate IAM from application-layer protection. For practitioners, the boundary between identity and application security is no longer clean, and governance has to follow the session.

Strong authentication only helps if the approval path still matches human intent. The article's focus on transaction signing and dynamic linking reflects a deeper control principle: assurance must survive the handoff from login to action. When that handoff is weak, attackers can turn a legitimate session into an unsafe transaction. Practitioners should treat approval integrity as a separate policy objective, not a side effect of MFA.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • A separate finding from the same research shows that 71% of NHIs are not rotated within recommended time frames, which keeps exposure windows open longer than most teams expect.
  • For a broader control baseline, see Top 10 NHI Issues for the lifecycle and privilege gaps that tend to persist across identity programmes.

What this signals

Transaction integrity is becoming a governance line item, not just an anti-fraud feature. As authentication moves deeper into the session, teams need to decide which actions require cryptographic approval, which require step-up verification, and which should be blocked outright when the device or context changes. That is especially relevant in mobile banking, finance, and other high-value workflows where the session itself is the target.

The broader programme signal is that identity and application security are converging. Once session risk, device compromise, and transaction binding sit in the same control plane, IAM teams need clearer ownership with application security and fraud operations. The organisations that separate these disciplines too rigidly will miss the attack path that begins after login.

With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, per the Ultimate Guide to NHIs, the same pattern of trust overreach appears across both human and non-human identity programmes. Session assurance is one response, but the underlying programme issue is still the assumption that a single trust decision can cover the whole interaction.


For practitioners

  • Shift high-risk populations to phishing-resistant authentication: Prioritise passkeys and FIDO2 for employees and customers who approve sensitive actions, especially where password reuse and phishing exposure remain high. Keep fallback methods tightly controlled so the weaker path does not become the default path.
  • Add session-level assurance signals: Collect device, behavioural, and contextual signals during active sessions so abnormal patterns can trigger adaptive authentication before a sensitive action completes. Use the same signal set consistently across web and mobile flows.
  • Bind approval to the transaction itself: Require transaction signing or dynamic linking for high-value transfers, administrative actions, and other critical workflow steps. The approval should identify the specific action, not just confirm that a user is still signed in.
  • Treat mobile app protection as identity control: For mobile-first journeys, integrate app shielding and device compromise detection into the authentication design so session trust is not assumed once the user is inside the app.

Key takeaways

  • Login is no longer the only identity checkpoint, because attackers increasingly target the active session and the approval step that follows.
  • Phishing-resistant access, runtime session signals, and transaction-bound approval solve different parts of the same problem and need to work together.
  • Teams that keep treating authentication as a front-door control will continue to miss fraud and abuse inside the interaction itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | SP 800-63B: phishing-resistant (verifier impersonation resistant) authenticators; session management and reauthentication requirements | Phishing-resistant authentication is central to the article's passkey and FIDO2 focus, and 800-63B's reauthentication rules are the closest standards hook for continuous session assurance.
NIST CSF 2.0 | PR.AA-03 (users, services and hardware are authenticated); PR.AA-05 (access permissions, entitlements and authorisations are managed and enforced) | The article emphasises continuous authentication and transaction assurance.
NIST Zero Trust (SP 800-207) | Tenet 6: all resource authentication and authorisation are dynamic and strictly enforced before access is allowed | Adaptive session control aligns with continuous verification principles.

Prioritise phishing-resistant authenticators for high-risk users and sensitive workflows.


Key terms

  • Continuous Authentication: A control model that re-checks trust during an active session instead of treating login as the only identity event. In practice, it uses device, behaviour, and context signals to decide whether the session should continue, step up, or be interrupted when risk changes.
  • Transaction Signing: A method of binding user approval to a specific action, amount, or destination so the approval cannot be reused for a different transaction. It is especially valuable when a valid session is not enough to prove the user intended the exact action being executed.
  • Dynamic Linking: A security pattern that ties authentication or approval to the precise transaction context the user sees and confirms. If the action details change, the approval should fail. This reduces the risk of fraud that hijacks a valid session but changes the underlying transaction.
  • Phishing-Resistant Authentication: Authentication designed to resist credential interception, replay, and fake login prompts, usually through device-bound or hardware-backed factors. It reduces reliance on shared secrets and makes initial access harder to steal, though it does not by itself secure every later session action.

Deepen your knowledge

Session assurance, phishing-resistant authentication, and transaction signing are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is moving from login controls to interaction controls, it is worth exploring.

This post draws on content published by OneSpan: authentication and security across access, sessions, and transactions. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org