How behavioral biometrics and continuous authentication offers organizations the next level of secure digital identity
By Dr. Shane Shook, BehavioSec board member.
If we’ve learned anything about threats, cybersecurity, and identity authentication over time, it’s that we cannot continue to rely upon yesterday’s solutions to solve today’s problems. The very nature of attacks – who they target, how they target, and why they target – is always adapting. Meanwhile, users increasingly expect (and demand!) that their experience with devices and apps continues to improve and not suffer onerous obstacles created by security requirements.
This means to be secure, we too must constantly evaluate and adapt our defense while striving to deliver an improved user experience. The financial services industry knows this well with 51 percent of banks seeking to strengthen their authentication capabilities and 55 percent planning to enhance the customer authentication experience, according FICO research.
These organizations are not “standing pat” because no enterprise – regardless of industry – can afford to. In the last two decades, we’ve seen hackers go from targeting individuals to conducting network-facilitated fraud, while consumer preferences have put the pressure on companies to develop more convenient, faster services for purchasing and payments. Unfortunately, criminal syndicates are well-aware of this, and are eager to take advantage of weaknesses within the very same functions that enable the scale of commerce, resulting in new and more readily exploitable opportunities for ID theft.
The COVID-19 era has only added to the complexities here and will likely continue to do so for the indefinite future. Nearly 42 percent of Americans are now considered “fully remote” workers, and by 2025 it is projected that 36.2 million Americans will work remotely, an increase of 16.8 million from before the pandemic. Yet, 6 of 10 professionals currently say their employer hasn’t provided the tools needed to properly protect the personal devices they’re using for work in an environment where 63 percent of cybersecurity pros have seen a rise in attacks since the pandemic.
These evolving dynamics have profoundly reshaped both the technology world and our greater society. Our digital selves are vastly more connected than our physical selves, and cyber adversaries are literally targeting us where we live. Due to their proven ability to find more sophisticated and formidable ways to steal credentials via social engineering and other methods, their efforts continue to pay off.
This is because, in large part, our collective response strategy has focused mostly on “locking the front door” with passwords, tokens and user challenges such as “Where did you go to elementary school?” and “What is your favorite movie?” These methods are based upon what users possess and what they know. But, unfortunately, hackers steal passwords, tokens and MFA codes, and they will scour social media pages to find out the answers to those questions that “only the user knows.”
In addition, such controls force users to take multiple steps before they access anything, leading to frustrating experiences. The more obstacles – and friction – customers encounter, the more likely they will seek better options and abandon a company for a competitor.
Therefore, we must transition from controls based only upon what we possess and what we know to those based upon something much harder to steal – “What we are.” Behavioral biometrics uses the way we uniquely physically interact with the world around us, building profiles based upon how users hold smartphones in their hands, type on keyboards, press their fingers on touchscreens and otherwise physically engage devices to use online services and apps. These behavioral profiles are used by security teams to not only more accurately validate ‘front-door’ authentication, but the true human user throughout the session.
In other words – instead of focusing strictly upon locking the front door, behavioral biometrics “installs cameras” inside “the house” too to monitor how people inside sit on a couch, turn on the TV and drink a glass of water, etc. to determine whether they actually belong in the home at all. A term we now use for this concept of following visitors beyond the front door is called continuous authentication.
And the timing to consider this new approach couldn’t be better. According to the FICO research, 51 percent of banks already intend to enhance biometrics capabilities. Because behavioral biometrics advancements represent the next level of innovation in such pursuits, these organizations could benefit from implementing continuous authentication in the following areas:
– Security. To counter hacker countermoves to MFA modalities including malware bots, behavioral biometrics can detect that the current session “types differently” than the user profile and enable real-time intervention to stop the fraud attack underway.
– Compliance. While regulations like European PSD2 and SCA requirement are placing burdens on organizations to support effective authentication and still provide a positive user experience, behavioral biometrics supports both goals – continuously and silently authenticating while better protecting privacy, thus gaining consumer trust and loyalty.
– User experience. Rather than drop customers or productivity as we react to massive increase in attacks, we can now turn authentication into a more “invisible” procedure, supporting a seamless experience while improving our security with a zero-trust, continuous monitoring approach.
To be candid, we will never know with certainty what our adversaries will do next. But we do know that there’s one thing that’s still hard for them to steal – our unique human selves. This is why behavioral biometrics is proving a superior alternative and evolution beyond traditional authentication methods, with the combination of our psychological and physical selves helping safeguard our digital selves.
About the author
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.