The role of behavioural biometrics in authentication

Despite its popularity, it’s well known that the password is one of the least secure forms of authentication. But with recent announcements from several UK banks adopting voice and facial recognition, it’s clear that biometrics is catching up and becoming a much more popular tool in the layers of authentication now available.

How does behavioural biometrics differ from other biometric technology such as fingerprint/retinal scans?

When we interact with our devices, whether they be desktops or mobile, we leave a signature behind. That signature is the way we press and depress keys, move from one key to the next, and how we use our mouse to move and click. Behavioural biometrics analyses these behaviours, which are unique to an individual, instead of their physical attributes. It is highly accurate and very suitable for the biometric verification use case.

These unique behavioural characteristics are collected and analysed, and turned into a profile that we can use as a comparison when a user attempts to authenticate. We can then continuously analyse the behaviour throughout the session, allowing us to maintain a high level of trust that a malicious user has not taken over. If the behaviour deviates, we can 'step-up' the user, requiring an additional second factor to continue, or simply end the session.

A key difference between this technology and physical biometrics is that the data is collected passively, using hardware that the user already has. It does not require additional hardware like a retina or fingerprint scan would. The user may not even be aware that their behaviour is being analysed. This is key to user experience – there is no extra step for the user.
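The profile-and-compare loop described above, as an added illustration (not SecureAuth's code): keystroke press/release timings are reduced to dwell and flight statistics, a new session is scored against the enrolled profile, and the score maps to allow, step-up or terminate. Key identities are dropped at feature extraction, so only timing statistics are kept; the timings and thresholds are constructed for the example.

```python
"""Toy keystroke-dynamics verifier: enrol a timing profile, score sessions, step-up or end.
Added illustration only (not SecureAuth's code); all timings below are constructed."""
from statistics import mean, pstdev

# One keystroke event is (key, press_ms, release_ms). Only timings enter the profile;
# the key identity is discarded, so no keystroke content is recorded.
def timing_features(events):
    dwell = [rel - press for _, press, rel in events]                   # how long a key is held
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]  # release to next press
    return dwell, flight

def build_profile(sessions):
    """Enrolment: mean and population std-dev of each timing feature over several sessions."""
    dwell_all, flight_all = [], []
    for events in sessions:
        d, f = timing_features(events)
        dwell_all += d
        flight_all += f
    # 'or 1.0' avoids a zero divisor if the enrolment timings are perfectly uniform
    return {"dwell": (mean(dwell_all), pstdev(dwell_all) or 1.0),
            "flight": (mean(flight_all), pstdev(flight_all) or 1.0)}

def deviation_score(profile, events):
    """Mean absolute z-score of a session's timings against the enrolled profile."""
    d, f = timing_features(events)
    zs = [abs(x - profile["dwell"][0]) / profile["dwell"][1] for x in d]
    zs += [abs(x - profile["flight"][0]) / profile["flight"][1] for x in f]
    return sum(zs) / len(zs)

def decide(score, step_up_at=2.0, terminate_at=4.0):
    """Policy from the text: allow, require a second factor, or end the session."""
    if score >= terminate_at:
        return "terminate"
    return "step-up" if score >= step_up_at else "allow"

# Constructed enrolment sessions for one user (dwell about 100 ms, flight about 150 ms).
ENROL_SESSIONS = [
    [("a", 0, 95), ("b", 240, 345), ("c", 500, 600)],
    [("a", 0, 100), ("b", 250, 355), ("c", 510, 605)],
    [("a", 0, 105), ("b", 245, 340), ("c", 495, 595)],
]
PROFILE = build_profile(ENROL_SESSIONS)
GENUINE = [("a", 0, 102), ("b", 250, 348), ("c", 500, 604)]   # same rhythm as enrolment
DRIFTED = [("a", 0, 110), ("b", 275, 387), ("c", 547, 655)]   # plausible but noticeably off
IMPOSTOR = [("a", 0, 40), ("b", 100, 140), ("c", 200, 240)]   # uniform, machine-paced timing

if __name__ == "__main__":
    for name, session in [("genuine", GENUINE), ("drifted", DRIFTED), ("impostor", IMPOSTOR)]:
        score = deviation_score(PROFILE, session)
        print(f"{name}: score={score:.2f} -> {decide(score)}")
```

A production profile would use many more sessions, per-key-pair features and mouse telemetry, but the decision structure is the same.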

Does this technology collect data on individual users?

With the new EU Data Protection Regulations coming into effect this year, it's important to address potential privacy concerns. This technology does not record individual keystrokes. It uses keystrokes (press and depress) and mouse movements and clicks to construct a statistical model of how the user interacts with the device. The authentication for that user is done on the customer’s servers and the behavioural profile stored within the customer’s user data store.

In many cases customers will already be managing sensitive information in these data stores. They would be required to have the correct controls and processes in place for handling that information in accordance with EU regulations.

How will behavioural biometrics impact the cybersecurity industry?

We expect this technology to become integral to authentication. When analysing risk around authentication, the physical behaviour of a user must be considered. Our research showed that 62 per cent of organisations in the UK have no plans to stop using passwords. Why? The simple fact is it’s a comfortable and well-understood form of authentication that doesn’t impede the end user.

However, the password as the sole authentication method is no longer effective. Attackers are simply stealing credentials and using them to log into organisations. This technology can augment the use of passwords, providing a more realistic way forward from where we are today. We must innovate and push the boundaries of this extremely critical realm of security.

There are many ways this technology can be beneficial to the wider public, namely consumers. Imagine a situation where you log into your online banking application with a username and password. If the bank augmented their application with behavioural biometrics they now know, with a higher level of confidence, that it is actually you logging in. Now imagine that a malicious user gets hold of your device. The malicious user would be asked for an additional factor of authentication or the session would be killed before significant damage could be done.

Beyond banks, are other industries using this technology?

The financial industry is often the first adopter of new security technology, and is already leading the charge with physical and behavioural biometrics for verification. We work with businesses in a wide range of industries, including finance, insurance, banking, healthcare and government institutions. Many of these industries are incredibly security conscious, but the potential use cases for this technology extend far beyond these sectors alone.

With new Verizon research showing that 42 per cent of breaches are caused by stolen credentials, can behavioural biometrics fix this problem? Well, the technology is ideally suited for the stolen credential problem. It can render stolen credentials useless to an attacker. Within adaptive access control, it serves as one of many layers of analysis that further protect credentials from misuse.

How easy would it be to hack this technology?

It is very difficult to replicate the behaviour of an individual and recreate the statistical model we use for verification. However, no technology is a silver bullet and impervious to a determined adversary. It is very important to layer this technology within adaptive access control, alongside analysis techniques like IP reputation, geo-location, geo-velocity, identity store analysis and device recognition. Security is still very much about layers.

How can behavioural biometrics develop in the future?

We expect the technology to become even more accurate and easier to integrate into homegrown web and mobile applications, allowing it to be utilised in a wide array of use cases. We also expect additional telemetry to be available to augment the behavioural profile, such as device orientation, on a wide array of devices.

What other security trends are on the horizon?

The 'death of the password' has been largely heralded, but unfortunately I think we’ll see the pace of breaches resulting from stolen credentials continue to accelerate. It’s simple and effective for attackers in the current landscape. A large amount of innovation is happening in this space right now, but it will take some more time for organisations to catch up.

We’ll see a rise in the use of password managers or vaults, for purposes of storing and generating passwords, in both the enterprise and consumer sectors. Single sign-on, fronted with adaptive authentication, provides the best balance of risk reduction and usability, but the use of password vaulting is a low-friction way to bring stronger security to those legacy, non-federation-enabled applications.

We’ll continue to see consolidation between the UEBA (user and entity behaviour analytics) and the SIEM market segments. A good example is Splunk’s acquisition of Caspida. The SIEM vendors are looking for further avenues to allow their customers to improve the effectiveness of their SIEM implementations, and the vast data that’s already there. They are also recognising that analysing user behaviour, in its many forms, is fundamental to the security problem.

Keith Graham, CTO at SecureAuth