Behavioral Biometrics: Continuous AuthenticationVeridium Author | June 14, 2016
An ATM logs a transaction, $50 was withdrawn from an account. The right card and pin were used, and nothing else seems out of the ordinary. However, the next day when you check your bank statement, you see $50 missing that you didn’t withdraw. Who was using your debit card? Your bank surely didn’t know.
Authenticating who is truly behind any action, whether it’s logging into Twitter or accessing a bank account, is the biggest challenge in security today. Users want a fast and convenient way to access their accounts, but also want to ensure no one else can hack into it with the same ease and convenience. At the enterprise level, businesses want to completely secure access to their systems and data, but also make sure their employees are able to work as productively as possible as well. These situations create a dichotomy that firms and security experts have struggled to overcome.
Mobile devices have offered an interesting solution to this schism, one that provides convenience and a little more security. By combining something the user knows – their password – with something they have – their phone – two-factor authentication allows for much more concrete access control to any account.
But is it enough?
Harnessing the Power of Mobile
Mobile devices provide us with significant computing power in the palm of our hands. The numerous sensors, cameras, and microphones in them allow us to record, store, access, and share nearly anything, at any time. These same tools can also be used to amplify security in interesting ways. Primarily by adding a third factor to authentication – what you are.
Many companies are already exploring the potential mobile devices provide for biometric authentication. Rather than entering in a passcode, millions of iPhone and Android users use their fingerprint to log into their device, and apps, instantly. But there’s still untapped potential in the modern smartphone.
Biometrics are Multiple Aspects of You
When we discuss biometrics we most often refer to physical biometrics: Your fingerprints, face, voice, iris, etc. These represent what you are. Unique, static features that can be used to identify you. Using fingerprint sensors, microphones, and cameras, we can record all of these biometrics using a smartphone for fast and convenient authentication. However, mobile devices are capable of so much more. From gyroscopes and GPS to accelerometers and pressure sensors, modern phones have a bevy of sensors in them that can read a much wider range of information. This opens up the opportunity for another form of biometrics based on behavior, rather than physical attributes.
Behavioral biometrics represent what you do, rather than what you are, and can be measured using these myriad of sensors. This can range from how you type on your phone to how often you spend time in specific locations, like home and work. What behavioral biometrics provides, beyond physical traits, is a way to perform continuous authentication.
Always Know Who You Are
Continuous authentication essentially means that your device, through constant passive data collection, will be able to tell if it is still near you. This is done by regularly checking behavioral biometrics – has the device moved to a new location, has the microphone picked up your voice recently, how is it being carried, does the movement pattern and gait match yours, when was the last time the camera captured your face, etc.
This passive data collection allows the device to do two things. It can assess if you’re still the person using it. More importantly, however, it can determine when the last time it checked the former was, and refresh that information based on one of those many behavioral points. This latter part is called a decay function. This decay function allows the device to create what is called a confidence score.
Confident that It’s You
Whenever you use a physical biometric to log into an app, your phone can increase its confidence score dramatically. Then, it will use passively collected data to maintain that score over time. This way, if you log into the app, then set your phone aside, but pick it up again a few minutes later to use the app again, it won’t log you out. However, if the confidence score drops below a specified level, either because you’ve moved to an unfamiliar area or haven’t used the phone in a while, the app might ask you to log in with your physical biometric again.
The confidence score can play another role as well. When determining physical biometric accuracy with a high confidence score, your app might be able to approve a low-quality biometric scan. For example, if your facial recognition capture would normally fail verification by a small margin, but you have a high confidence score at that time, the app might push it to pass, and vice versa. By creating a weight scale between physical biometric quality and the confidence score, you can improve overall False Rejection Rates.
When paired with more traditional biometric authentication, behavioral biometrics can amplify security and user convenience. However, we need to have proper guidelines and the right multimodal authentication platform in place as the foundation.