Did you know that when it comes to user authentication, there are actually two categories of biometrics? Many are familiar with “inherited traits” like our fingerprints, irises and faces. We’re born with these; some change over time (voice) while others are with us for a lifetime (fingerprints). The other category is known as “behavioral biometrics.” So, what is behavioral biometrics? It covers how you go through life and interact with the things around you: for example, how you type on a computer keyboard, move your mouse, or hold your cell phone to your face. These may not seem unique to you, but with advanced analytics, behavioral biometrics can distinguish you from an insider threat, fraudster, bot or other unauthorized user with relative ease.
Forward-thinking CSOs, security architects and other security practitioners are exploring how this promising technology can be leveraged to accurately authenticate users based on how they interact with their smartphones, laptops, desktops and other devices.
Why Use Behavioral Biometrics?
Here are the grim statistics: 2.3 billion account credentials were compromised from 51 organizations in 2017, costing an estimated $400 billion globally. Clearly, we need better authentication solutions.
Signs show that behavioral biometrics can help overcome some of today’s most common authentication problems. Here are 9:
- User friction: Username/password combos and complex passwords can be difficult to create and remember, resulting in workarounds and an overload of calls to the help desk. Behavioral biometrics work in the background, requiring no action from the user.
- Insider threats: The inconvenience of passwords can lead directly to insider threats. For example, users may write down passwords and store them near a workstation or share passwords with co-workers. Even if a password were phished, a fraudster using it would not be able to easily replicate the keystroke cadence of a legitimate user and would be denied.
- External threats: There are an estimated 45,000 ransomware products for sale at more than 6,300 dark web marketplaces. This market has grown from around $250,000 in 2016 to more than $6.2 million so far in 2017. A ransomware attack has a harder time compromising the credentials of a sysadmin when behavioral biometrics are in play.
- Fraudulent identification: Behavioral biometrics are hard to fake. Even studying a person’s movements, how they type and how they move their mouse, would not result in a successful identity compromise.
- Location- and condition-based: Fingerprints and iris scans are highly accurate, but they also require that a person is situated right at the networked device. Conditions can also cause problems. For example, a sweaty finger can foil Touch ID. Similarly, bad lighting can hinder face recognition. Behavioral biometrics just require that you show up and be yourself.
- Not just correct data: One in nine of all online accounts created in 2017 was fraudulent. Behavioral biometrics prevent fraud by monitoring user behavior while filling out online applications, in contrast to just proofing actual information to see if it’s correct.
- Beyond MFA (multi-factor authentication): MFA is a step beyond passwords, using several factors in the authentication process such as a combination of a password, token and fingerprint. MFA has also proven to be somewhat inconvenient to many users—passwords can be forgotten; tokens may get lost. We can’t lose or forget our individual behaviors.
- Continuous authentication: Inherited or natural biometrics are based on static physical features. With machine learning, behavioral biometrics adapt to behaviors that change over time such as learning new keyboard shortcuts.
- Consumer acceptance: Despite some privacy concerns, the consumer success of biometric authentication like Apple’s Touch ID and Samsung Pay is paving the way for potentially game-changing behavioral biometric apps.
Companies looking for next-generation data protection are advised to talk to leaders in authentication technologies. Crossmatch offers composite solutions that go beyond multi-factor authentication with contextual risk factors of time, velocity, location and behavior. Follow the signposts by exploring our DigitalPersona solution to set you on the right path.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.