Context for connections: improving security with behavioral biometrics
This is a guest post by Ethan Ayer, CEO of Resilient Network Systems.
With faceprints, voiceprints and iris scans beginning to replace passwords in everything from police work to amusement park admission, behavioral biometrics is becoming one of IT security’s hottest trends. 2017 may finally be the year that it delivers on its hype. From promising contenders in Scandinavia to stateside biometrics companies being snapped up by the likes of MasterCard and others, the security race is on as organizations move to understand—and adopt—behavioral biometrics technology.
IT security is a central concern for organizations as they seek to keep intellectual property and customer information secure. In today’s threat climate, passwords and security questions are no longer enough to dissuade hackers. Behavioral biometrics offers a new and secure take on the old adage to “just be yourself.” It turns out that with this new field of technology, a person’s natural behavior patterns online can be the basis for improved cybersecurity.
Depth and breadth of authentication
As hacks continue to garner attention and make headlines, from Target, Home Depot and Sony to the recent election, cybersecurity is top of many people’s minds. Once the gold standard, now even the most complicated passwords can be cracked easily. Enter multi-factor authentication (MFA).
MFA has been around for some years now and is increasingly becoming a prevalent step for any online login. It adds layers to secure logins, such as codes sent through SMS, email or physical biometric data like fingerprints, in addition to passwords and security questions. Most people use a form of this regularly when they put their credit or debit card in the machine at the checkout lane and enter their PIN.
Layers of MFA
Even two-factor authentication, despite being a step in the right direction, isn’t entirely secure. Hackers can steal control of your cell phone account through your provider or hack the instant messaging system itself, but behavior doesn’t lie. Behavioral biometrics identifies people through their behaviors and follows from using other biometric markers, like fingerprints and iris scans, as unique security markers.
As security measures, behavioral biometrics such as the way a person types on a keyboard or moves a mouse create a more powerful environment for user authentication. Adding this type of user behavior to existing MFA architecture can ensure that the entity with the credentials is the same as the entity who was issued the credentials.
When added as a layer of MFA, user actions can be used to perform a continuous authentication process. While difficult to institute as a first line of defense, an intruder’s irregular actions will be identified over time as the system accumulates data on behavior patterns. The differences in typing cadence, pressure on keys and mouse speed and acceleration serve as a warning to lock out a user.
If boiled down, the crux of cybersecurity is access. Who is allowed access to what? How is it restricted for others? Stolen security credentials, whether through phishing scams, hacks in public wifi systems or guessing (the most common password is still “123456”), give access to those who don’t belong in the system.
One of the most common methods of controlling user access is role-based access control (RBAC). While this approach is easily managed for small organizations with a handful of individuals, in enterprise territory it can quickly become unwieldy and onerous to manage as people’s needs change and roles blend.
With behavioral biometrics, flexible access can be determined both by a user’s role and by the context of their access needs. Who, where, when, what and how matter. And contextual access control allows for greater elasticity in sharing secure data. It can also cut down the workload of those responsible for administering and monitoring permissions. Behavioral biometrics offers greater surety in determining if the “who” in a given situation is actually the right user.
Nuts and bolts of behavioral biometrics
Each advance in IT security, from the lowly password to security questions to physical biometrics, has eventually been cracked. But behavior is unique to each user and is nearly impossible to replicate. While credentials and other biometric data can be stolen, it is much more difficult to mimic a person’s exact behavior enough to fool an AI system. Behavioral biometrics is built on compiling user data on keyboard strike cadence, mouse movements, gesture recognition and device movement.
The way someone types is unique to an individual. This is simpler to define and capture for an AI. When it comes to mouse movement, this factor is notoriously more difficult to nail down. In behavioral biometrics, the capture environment can vary rapidly and widely, from hardware type to mouse settings for speed and acceleration. The possible combinations are nearly endless.
Another challenge in this technology field is attaining a clean base-case. Users act differently when they’re tired, in a bad mood or sick. Developing a model that establishes expected behavior and then controls for the antsy mood after that 2 o’clock cup of coffee or someone having the flu is no small feat.
Typing is the easiest behavioral biometric to track and use for authentication. The QWERTY keyboard is standard across most computers and allows for better tracking of keyboard cadence. People’s skill and dexterity with typing can be analyzed and a mean for speed and the time between typing sequences of letters can be established. This cadence can then be used as a method of telling the difference between the real owner of an account and an intruder.
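The cadence check described above, combined with the continuous authentication described under "Layers of MFA", as an added example that is not part of the original post or any vendor's product. The function names, the 2.5 threshold, the three-burst window, the 10 ms deviation floor and all timings are assumptions constructed for illustration.

```python
import statistics
from collections import deque

def typed(text, gaps_ms):
    """Constructed-sample helper: (key, press_time_ms) events for `text`."""
    times = [0]
    for gap in gaps_ms:
        times.append(times[-1] + gap)
    return list(zip(text, times))

def digraph_latencies(events):
    """Time between consecutive key presses, keyed by the two-letter sequence."""
    return [(a[0] + b[0], b[1] - a[1]) for a, b in zip(events, events[1:])]

def enroll(sessions, min_samples=3, sd_floor=10.0):
    """Per-digraph (mean, stdev) profile; sd_floor absorbs timer jitter (assumed 10 ms)."""
    samples = {}
    for events in sessions:
        for dg, lat in digraph_latencies(events):
            samples.setdefault(dg, []).append(lat)
    return {dg: (statistics.mean(v), max(statistics.stdev(v), sd_floor))
            for dg, v in samples.items() if len(v) >= min_samples}

def anomaly_score(profile, events):
    """Mean absolute z-score over digraphs the profile knows; None if no overlap."""
    zs = [abs(lat - profile[dg][0]) / profile[dg][1]
          for dg, lat in digraph_latencies(events) if dg in profile]
    return sum(zs) / len(zs) if zs else None

class ContinuousAuthenticator:
    """Scores each typing burst and locks only on sustained deviation."""
    def __init__(self, profile, threshold=2.5, window=3):
        self.profile, self.threshold = profile, threshold
        self.scores = deque(maxlen=window)

    def observe(self, events):
        score = anomaly_score(self.profile, events)
        if score is not None:
            self.scores.append(score)
        # The median tolerates one odd burst (a tired or distracted owner).
        full = len(self.scores) == self.scores.maxlen
        return "lock" if full and statistics.median(self.scores) > self.threshold else "ok"

# Constructed data: the owner typing "secure" four times, then an intruder's burst.
OWNER = [typed("secure", g) for g in ([110, 95, 130, 120, 100], [115, 90, 125, 118, 105],
                                      [105, 100, 135, 122, 98], [112, 93, 128, 121, 102])]
INTRUDER = typed("secure", [220, 60, 300, 40, 250])
```

Feeding two owner bursts and then two intruder bursts to `ContinuousAuthenticator(enroll(OWNER)).observe` returns "ok" three times and "lock" on the fourth, because the first intruder burst is outvoted by the owner's earlier scores in the window.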
Race to market
Onerous login and authentication procedures slow productivity. Passwords aren’t secure. User workarounds and credential sharing compromise security. It’s no wonder that behavioral biometrics are hot. From their personal quality to the ongoing authentication they provide throughout a session, these up-and-coming measures are the next gold rush. Integrated into an MFA system, behavioral biometrics help create the right context for secure and productive connections.
In today’s amorphous workplace, organizations no longer stop at the office walls—or the firewall. Mobile workers, customers, clients and suppliers all need varying degrees of access to information. But all parties involved, regardless of location, need secure connections.
The solution is to utilize a policy workflow engine to automatically flesh out the framework for granting and monitoring access. To do this, automation is a must. Even if your IT team tracks users well, any system is fallible. And manual user management is not only labor intensive, dependent on a limited number of staff and hard to scale, it can undermine security measures.
Whether your organization is still using role-based access control (RBAC) or MFA, granting access through context is the most secure and informed way of ensuring security. The who, where, when, what and how of a connection matters. Behavioral biometrics, driven by AI and machine learning, is the next layer in creating contextual connections.
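One way to combine a role check with the who, where, when, what and how of a connection, as an added example that is not part of the original post or any product's policy engine. The roles, resources, risk weights and thresholds are hypothetical, and `behavior_score` is assumed to be an anomaly score from a behavioral model where lower means closer to the enrolled user.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical role grants (the RBAC layer) and resource sensitivity levels.
ROLE_GRANTS = {"engineer": {"source-repo", "build-logs"}, "finance": {"ledger"}}
SENSITIVITY = {"build-logs": 1, "source-repo": 2, "ledger": 3}

@dataclass
class Request:
    role: str              # who (claimed)
    behavior_score: float  # who (observed): anomaly score from a behavioral model
    network: str           # where: "corporate", "vpn" or anything else (public)
    at: time               # when
    resource: str          # what
    managed_device: bool   # how

def decide(req):
    """Return 'allow', 'step_up' (ask for another factor) or 'deny'."""
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return "deny"  # context never widens what the role grants
    risk = {"corporate": 0, "vpn": 1}.get(req.network, 2)
    risk += 0 if time(7) <= req.at <= time(19) else 1
    risk += 0 if req.managed_device else 1
    if req.behavior_score >= 2.5:
        risk += 3      # behavior clearly unlike the enrolled user
    elif req.behavior_score >= 1.0:
        risk += 1      # mild drift, e.g. a tired or hurried owner
    budget = 4 - SENSITIVITY[req.resource]  # sensitive data tolerates less risk
    if risk <= budget:
        return "allow"
    return "step_up" if risk <= budget + 2 else "deny"
```

The same engineer is allowed from a managed device on the corporate network during the day, asked for another factor from an unmanaged device on public wifi at night, and never reaches the ledger regardless of context.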
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are those of the author, and don’t necessarily reflect the views of BiometricUpdate.com.