Before there were ‘preppers’ there were the sign holders, who would boldly proclaim, “The End is Near” on street corners, in football stadiums, and in fact anywhere large crowds gathered.
Today, there are pundits (and others) in the security industry heralding a similar message: the end – or, to really put a fine point on it, the death – of static passwords is near. For too long consumers and businesses alike have relied on them to protect either private or corporate data. Their failings – and there are many – are well known and documented. There have been plenty of incidents in which passwords were hacked and sensitive information exposed. Yet they still linger as – for some – the only defense between private data and accounts and those who are determined to hack into them. This slightly blasé approach to their vulnerabilities is even more alarming given that, for many, their online life is as active as their offline life, with precious data, information and valuable assets existing in the digital world with barely sufficient protection. Quite why users persist with static passwords when they know the risks is baffling.
Given all of that, it’s no surprise, really, that there are many reasons why passwords should just go away. Let’s look again at their weaknesses:
- They’re static
- They’re easily hacked/stolen
- They’re hard to remember
- They’re often re-used on multiple sites, maximizing the impact of breaches.
So, if passwords are going away – and it is high time that they did – then it’s logical to ask what will take their place. In short: security technology that minimizes friction and, for the purposes of this discussion, behavioural authentication.
At a high level, biometric authentication refers to technologies like fingerprint scans, voice recognition and selfie authentication used to secure a business’ applications and services. In other words, biometrics use physical and behavioral aspects of each individual as the basis of secure authentication.
Appropriately, in the healthcare industry, providers in the four-state Novant Health Network can link a patient’s biometric data at enrollment (e.g. fingerprints, iris recognition, veins — in the finger or palm — and face) to his or her medical record to produce a unique signature that can later be used to rapidly call up their medical records.
Before you diminish the significance of this technology, the Biometrics Research Group predicts that such technologies will produce over US$9 billion of revenue by 2018 for the biometrics industry.
Analysts, too, are paying attention to this evolution. In fact, Mercator Advisory Group, a trusted advisor to the payments and banking industries globally, recently issued a report entitled “Biometrics: A New Wrinkle Changes the Authentication Landscape,” that suggests the need for software-based solutions like multi-modal biometric authentication to drive innovation as well as security.
So, what are these behavioural inputs?
Simply put, they’re the way you interact with your device: how you hold and use your mouse, how you make keystrokes, how quickly you move from line to line or from page to page. These actions, analyzed and learned over time, are run through algorithms to establish a unique pattern for each user, which is then used to determine whether it’s the same user requesting access or potential fraud (behavioural authentication). When the behaviour of the user (or machine) trying to log in does not match the established user model, the technology can “step up” authentication, which can include an additional biometric authentication measure or security question, for example.
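The profile-then-step-up flow described above can be sketched with keystroke timings. This is an added example, not code from VASCO, BehavioSec or any bank mentioned here; the feature layout (dwell and flight times in milliseconds), the thresholds and the sample data are all assumptions constructed for illustration.

```python
from statistics import mean, stdev

MIN_SAMPLES = 5      # assumed: fewer sessions than this is too thin a profile
STEP_UP_SCORE = 2.0  # assumed threshold on the mean absolute z-score
STD_FLOOR = 2.0      # ms; keeps a very consistent typist from producing huge z-scores

def build_profile(samples):
    """Learn (mean, std) per feature from equal-length timing vectors (ms)."""
    if len(samples) < MIN_SAMPLES:
        return None  # not enough history to model this user
    return [(mean(col), max(stdev(col), STD_FLOOR)) for col in zip(*samples)]

def anomaly_score(profile, attempt):
    """Mean absolute z-score of one login attempt against the profile."""
    if len(attempt) != len(profile):
        raise ValueError("feature vector length mismatch")
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(attempt, profile))

def decide(profile, attempt):
    """Return 'allow' or 'step_up'; an unmodelled user is always stepped up."""
    if profile is None:
        return "step_up"
    return "step_up" if anomaly_score(profile, attempt) > STEP_UP_SCORE else "allow"

# Constructed sample data: [dwell_1, dwell_2, flight_1_2, flight_2_3] in ms
ENROLLED = [
    [95, 110, 140, 180],
    [100, 105, 150, 175],
    [92, 112, 145, 185],
    [98, 108, 138, 178],
    [97, 111, 148, 182],
    [101, 107, 142, 176],
]
SAME_USER = [96, 109, 144, 181]   # close to the enrolled rhythm
OTHER_USER = [60, 70, 260, 90]    # very different rhythm

if __name__ == "__main__":
    profile = build_profile(ENROLLED)
    for name, attempt in (("same user", SAME_USER), ("other user", OTHER_USER)):
        print(name, round(anomaly_score(profile, attempt), 2), decide(profile, attempt))
```

A mismatch here does not deny access; it only triggers the additional check, so a false positive costs the legitimate user one extra step.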
Right now, you’re probably thinking that, on paper, that all sounds good, but what about in practice? For example, are there banks that are using these kinds of bleeding-edge behavioural authentication tools today? Although VASCO has just entered this market via a partnership with BehavioSec, the broader answer is… yes!
- A large subsidiary of a UK bank has incorporated machine-learning software, integrated with the bank’s mobile app and online banking site, to monitor and capture metrics on 500 different bank customer online and mobile behaviours. These include everything from literally the angle at which a user holds their phone to the amount of pressure used when a customer taps on a screen and even the cadence of keyboard strokes. All this data is compiled to build out a unique biometric profile for each customer, which is compared against the user’s behaviour each time they log on to an app or online banking site.
- A subsidiary of a Middle East bank has likewise introduced an integrated mobile identity verification solution based on behavioural biometrics. The selected technology continuously monitors every in-app activity based on a unique personal usage profile within the mobile device. This includes things like finger size, touch pressure and strike area, giving the bank the ability to identify, in real time, whether the card owner is actually the individual accessing and using the app. An executive vice president at the bank suggests that, for them, passive forms of biometrics like behavioural authentication were appealing “because they’re far more natural, seamless and far less intrusive for users than things like facial recognition and iris scans which mostly require them to stop and take an action.”
In summary, many believe that the death of the password will become a reality soon, here in 2017; one interesting factoid is a news article from 2004 in which Bill Gates predicted the demise of the traditional password. However, the pragmatic evolution of the password will first make it a supplement to a more layered security approach, leveraging biometrics and other contextual data. From this point, you can count the days before it’s officially kicked to the kerb.
David Vergara, Head of Global Product Marketing at VASCO