Understanding Behavioural Biometrics
It’s long been known that the password is a flawed method of authentication but our research has shown that 62% of businesses in the UK have no plans to stop using the password. The simple fact is it’s a low cost and well-understood form of authentication but it doesn’t stop attackers who simply steal the credentials and use them to login to a company’s network. Layered and adaptive security that can provide intelligent access protection and a convenient and appealing user experience is crucial.
While authentication is obviously the goal with these technologies, the adaptive part is just as important. In an era where burdensome or complicated security steps will alienate most users, adaptive technologies work with the user rather than disrupting their workflow. Maybe it’s a buyer trying to access his or her own account information or an employee looking up customer data. Whatever they’re doing, a variety of behind-the-scenes processes calculates their validity and takes dynamic action, rather than stopping them and asking them to complete yet another step to authenticate their identity. Using techniques like device recognition, geo-velocity, geo-location or comparing the authenticating IP address to those associated with anomalous activity, adaptive authentication contextualizes those elements for accurate user identification.
But while those may be the best-known techniques, they aren’t the only ones. With recent announcements from several UK banks adopting biometric-based technologies, it’s clear that this is becoming a much more popular tool in the layers of authentication now available. Behavioural biometrics specifically is becoming an important and integral new part of authentication solutions – precisely because they involve user behaviour that is almost impossible for an attacker to duplicate.
After all, attackers can steal login credentials; a device that’s already been logged in can be used by someone else. But attackers can’t usually mimic a user’s identity down to their typing behaviour and cursor movement. That’s where behavioural biometrics come in, by working with user traits so subtle that the human eye would have a hard time observing them. This technology records those nuances and micro-behaviours and compares them to subsequent logins to validate their identities.
Most are familiar with physical biometrics, such as a fingerprint swipe on your phone. Iris scans and voice comparisons are other common biometrics, which essentially authenticate users by measuring their biological characteristics. Again, these are factors that can be very costly for a malicious actor to fake or duplicate.
Behavioural biometrics, though, works with behavioural patterns rather than biological attributes. The concept is built on the same foundation in that the user acts as the core asset – something difficult for a hacker to imitate. Each user is an individual with their own ways of interacting with computers, and those unique elements become the authentication criteria.
Turning Individuality into Innovative Security
Granted, it’s not something that we’re often conscious of, but every person has unique patterns and idiosyncrasies in how they interact with keyboards and mice/trackpads. Consider the speed and rhythm of someone typing on the keyboard or the way they click and move their mouse. They may pause regularly at certain points, favour the top numeric keys over the side number pad or prefer certain controls over others. The way users access programs, move between apps or interact with graphic icons and visual indicators are distinctive too. Even subtle social and psychological cues like the use of language are highly individual.
Of course, most of us aren’t aware as these as we use our smartphones and laptops each day. And were we to observe our co-workers, for instance, we probably wouldn’t be able to describe most of their patterns either. But while these nuances may be too subtle for human observation, behavioural biometric technologies can perceive them just fine. And they can measure, analyse and record these unique characteristics and turn them into a pattern, one that can be compared when the user logs back in, to approve or deny their authentication.
Imagine an insider threat, for example. Maybe an employee obtains co-worker credentials or sits down at a workstation computer where a valid user has already logged in. With behavioural biometrics, the technology will analyse the input patterns of the new user and compare them to the stored behavioural biometric patterns of the valid employee. Both similarities and differences will be recognized and factored into an algorithm that calculates the possibility of it being the correct user. And because it’s highly unlikely the malicious employee can imitate the real user’s keyboard rhythm and mouse movements, the technology will perceive and shut down the threat.
There’s a certain irony here, in that the randomness of human behaviour has traditionally been a security vulnerability IT teams have had to anticipate in designing controls to reduce risk. Every customer, employee, administrator and user has their own set of preferences, patterns and nuances when they sit down at computer or type on their smartphone. Now, thanks to behavioural biometrics, security practitioners have found a way to turn our unique behaviours into a powerful weapon in being able to protect and detect against attacks.