Life Buzz News

Continuous Authentication Builds a Zero-Trust Foundation for State and Local Agencies



To make this happen, single sign-on platforms rely on continuous authentication, which is the sustained evaluation of trust for a request for access.

"Continuous authentication is really an advanced security approach that verifies the identity of a user during a session rather than simply at login," says Dave Smith, senior director for the U.S. and Canada public sector at Citrix.

Historically, systems may have verified user identities at a program's launch, then assumed they were clear afterward. By contrast, "continuous authentication really leverages a variety of factors, such as the kind of user behavior, device health, location and even things like biometrics to ensure that a user is who they claim to be, and continuously is who they claim to be so that they remain authorized the entire time they're accessing an individual system," Smith says.

Frazier adds, "These things are kind of peas and carrots when you think about security, enabling the right security posture and dealing with threats at the identity layer."

Prior to continuous authentication technologies, government agencies might have issued an identity token with a long life to enable multiple access queries to an application from an individual, Frazier explains. Such a token might remain useful for 24 hours or a week.

But attackers could hack these credentials and then potentially access the resources those tokens authorized for the life of the token. Now, with continuous authentication, systems evaluate an individual request and determine whether it can be trusted. If all factors relating to the work of an individual employee seem correct, the system grants extended access to authorized resources.

"You don't want to punish your users," Frazier says. "You don't want your users having to log in every five minutes, because then your users will hate you. You have to build a model that does this evaluation mostly based on context behind the scenes. If the user's location doesn't change, if they're coming from the same device, if their transactions look exactly the same, you'll evaluate that all the time. But you only prompt the user for authentication if any of those context pieces change."

With continuous authentication, a system may require employees to provide credentials again if their location changes, if their work behavior appears different in an application, if they log in with a new device or if other factors change.
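A minimal sketch of the per-request evaluation described above, added here as an illustration and not taken from Citrix or any vendor quoted in the article. The signal names, the rate threshold, the re-baselining step and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:               # signals sent with every request (assumed fields)
    device_id: str
    country: str
    txn_per_min: int         # crude stand-in for "work behavior"

@dataclass
class Session:
    user: str
    baseline: Context        # context seen at the last successful login

def changed_signals(session, ctx, rate_factor=3):
    """Names of the context signals that differ from the session baseline."""
    changed = []
    if ctx.device_id != session.baseline.device_id:
        changed.append("device")
    if ctx.country != session.baseline.country:
        changed.append("location")
    if ctx.txn_per_min > rate_factor * max(session.baseline.txn_per_min, 1):
        changed.append("behavior")
    return changed

def evaluate(session, ctx):
    """Per-request decision: allow silently, or step_up (prompt for credentials)."""
    changed = changed_signals(session, ctx)
    return ("step_up", changed) if changed else ("allow", [])

def replay(session, requests):
    """Evaluate requests in order; a passed prompt re-baselines the session."""
    decisions = []
    for ctx in requests:
        decision, reasons = evaluate(session, ctx)
        decisions.append((decision, reasons))
        if decision == "step_up":   # assumption: the real user passes the prompt
            session = Session(session.user, ctx)
    return decisions

# Constructed sample traffic for one session that began on LAPTOP.
LAPTOP = Context("laptop-01", "US", 4)
REQUESTS = [
    Context("laptop-01", "US", 5),    # same device, normal variation: no prompt
    Context("phone-77", "US", 4),     # new device: prompt
    Context("phone-77", "US", 4),     # re-baselined after the prompt: no prompt
    Context("phone-77", "CA", 40),    # location change plus burst: prompt
]

if __name__ == "__main__":
    print(*replay(Session("jdoe", LAPTOP), REQUESTS), sep="\n")
```

Unlike a long-lived token, a credential replayed from a different device or location fails the comparison on its first request instead of staying valid for the life of the token.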
