Every 39 seconds there’s an attack on a device with internet access. Nine billion stolen credentials since 2013. One in nine online accounts created in 2017 was created with stolen credentials.
The reason: Over-reliance on traditional forms of authentication which are not nearly strong enough to protect online information. They persist because of user demand for a totally seamless authentication experience. People are frustrated by the more secure (and more tedious) 2FA and MFA solutions, like using hard tokens or complex one-time-passwords. Convenience can make or break a security system. If it’s too demanding, people won’t use it.
Behavioral biometrics may be the solution.
They are based on the fact that no two people act the same, even when trying to impersonate another person. There are small ticks, rhythms, and movements that are as unique to us as a fingerprint. They are dynamic as opposed to static authentication — such as traditional biometrics, passwords, tokens. Using just the sensors in your phone, hundreds or even thousands of patterns can be used to continuously authenticate a person.
These sensors include touch screens, accelerometers, and gyroscopes. They can continuously analyze how a person interacts with their phone, including how it’s held, how someone scrolls to toggle between fields, even the amount of pressure used when typing.
Capturing the way a user typically uses their device over a period of time creates a “profile” of them that can be compared against unusual behavior. In the event of activity that seems out of the norm for the profile, a company can ask for extra forms of authentication, such as traditional biometrics or knowledge-based authentication. This is the biological equivalent of security systems which check accounts for unusual activity, like trying to access new data or spending in amounts and/or places very different than previously.
This creates an extra layer of security, but one that is completely passive. Because it operates in the background it can help bridge the gap between security and convenience for end-users. Not only can it help tell people apart, but it helps to identify malicious software attacks since the software can never imitate a real person’s biological behavior.
Behavioral biometrics are best used as an additional component in a larger, comprehensive authentication system. Some users may be nervous about their device logging all their movements and behaviors, but they are stored as a mathematical equation that is useless to hackers and criminals. A behavioral-based system will add to the time and effort it takes to hack an account, thereby further deterring many attacks.
