5/7/2019 10:30 AM
Rajiv Dholakia
Commentary

Better Behavior, Better Biometrics?

Behavioral biometrics is a building block to be used in conjunction with other security measures, but it shows promise.

The quest for frictionless yet secure authentication has been the central driver of innovation in identity and access management (IAM) systems for a long time. But today — as new technologies become available and passwords continue to fall by the wayside — novel forms of authentication are coming faster than ever.

For instance, many industries have grown comfortable using device-based biometrics such as fingerprint, voice, and face recognition, and some major brands — including Bank of America, Cigna, Intuit, and T-Mobile — have even begun to allow "biometric gesture"-based authentication on mobile phones, tablets, and PCs. A unique swipe or similar gesture is used to securely access online services and eliminate the need for passwords.

The global market for biometrics overall is growing nearly 20% annually and is on track to reach more than $10 billion by 2022. Amid this burgeoning market, "behavioral biometrics" has emerged as a new segment. This new area uses various sensors on your phone to create a behavioral signature. Behavioral biometrics on smartphones may prove to be a big driver of biometrics market growth. Against this backdrop, the evolution of behavioral biometrics could have a major impact on the whole IAM industry. 

Understanding Behavioral Biometrics
What is behavioral biometrics? Normal biometrics actively asks the user to engage the system in some way, such as swiping a finger or looking into the facial recognition camera or iris sensor/camera. Once the active gesture is complete, the biometric system match is done. 

The phrase "behavioral biometrics" is typically applied to the passive, continuous monitoring of biometric signals: for example, observing how a user interacts with his or her device to assess whether this is the same person who was initially enrolled or authenticated through active measures. The first wave of behavioral biometrics looked at how the user typed on a keyboard. With mobile devices, it became possible to look at other sensor data, such as the angles at which the phone is held and the speed of taps and swipes. The key is that behavioral biometrics does not ask the user for a gesture but instead passively monitors his or her interactions on the device.

Behavioral biometrics continues to evolve. Its assessments may include the steps a person takes, the gait while walking, the angle at which the phone is held, and the way the user types on the keyboard. All these elements are captured, analyzed, and aggregated to create a behavioral "profile" for that user, which is used to verify identity and detect when the user changes.

One of the major benefits of behavioral biometrics is that authentication can continue after the user was authenticated with his or her password, one-time password, or biometric. The behavioral system would passively monitor interactions over time. The goal is to detect when the "user" of the phone (or PC) changes or is different from the one who authenticated at the start, thereby indicating potential risk. This passive monitoring infers that nothing has changed, which allows the user session (cookies or tokens) to be long-lived without explicitly asking the user to repeat an authentication gesture.

Breaking Down Security and Privacy
Despite the "wow" factor of behavioral biometrics, there are issues around both security and privacy. Behavioral biometrics is not a substitute for strong authentication and cannot protect against phishing or other common attacks. It is suitable to augment strong authentication to detect changes in the user of the device.

Strong authentication is required to establish the initial session. Then, depending on the risk profile of the application, a returning user could be taken directly into a secure session without repeating strong authentication. Usually, this is done for the sake of lowering user friction. Note that if the user is performing a sensitive operation or when the maximum advisable time for a session is met, you should repeat the strong authentication step.
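The session lifecycle described above (strong authentication anchors the session, passive behavioral monitoring keeps it alive, and a sensitive operation, a session-age limit, or a drop in behavioral confidence forces the strong step to be repeated) can be written as a small policy evaluator. This is an added example, not code from the article or from Nok Nok Labs; the confidence score in [0, 1], the smoothing weight, the thresholds and the list of sensitive operations are all assumptions, and the behavioral score is treated as a risk signal only, never as a substitute for the strong step.

```python
"""Session policy combining a strong-authentication anchor with a passive
behavioral confidence score.  Added example; thresholds, the 8-hour session
limit and the sensitive-operation list are assumptions, not product values."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    CONTINUE = "continue"      # keep the long-lived session alive
    STEP_UP = "step_up"        # repeat the strong authentication gesture
    TERMINATE = "terminate"    # behavioral signal says the user has changed


@dataclass
class Policy:
    max_session_age: float = 8 * 3600          # seconds since last strong auth
    low_confidence: float = 0.4                # below this: ask for strong auth again
    user_changed: float = 0.15                 # below this: end the session outright
    sensitive_ops: frozenset = frozenset({"transfer", "change_password", "add_payee"})


@dataclass
class Session:
    strong_auth_at: float        # time of the last active, strong authentication
    confidence: float = 1.0      # behavioral score in [0, 1]; 1.0 right after strong auth


def update_confidence(session, observed_score, weight=0.3):
    """Exponentially smooth incoming behavioral scores so that one noisy
    sample (a bumpy train ride) does not by itself end the session."""
    s = min(1.0, max(0.0, observed_score))
    session.confidence = (1 - weight) * session.confidence + weight * s
    return session.confidence


def evaluate(session, policy, now, operation):
    """Decide what the session may do next.  Order matters: a probable user
    change ends the session even for harmless operations; sensitive operations
    always require the strong step regardless of how confident the behavioral
    model is, because behavioral signals cannot stand in for strong auth."""
    if session.confidence < policy.user_changed:
        return Decision.TERMINATE
    if now - session.strong_auth_at > policy.max_session_age:
        return Decision.STEP_UP
    if operation in policy.sensitive_ops:
        return Decision.STEP_UP
    if session.confidence < policy.low_confidence:
        return Decision.STEP_UP
    return Decision.CONTINUE


def record_strong_auth(session, now):
    """A completed strong authentication re-anchors the session and resets
    the behavioral confidence, since the user has just proven presence."""
    session.strong_auth_at = now
    session.confidence = 1.0


def simulate(events, policy=None):
    """Run a constructed trace of (time, operation, behavioral_score) tuples
    through the policy and return the decision taken at each step."""
    policy = policy or Policy()
    session = Session(strong_auth_at=0.0)
    decisions = []
    for now, operation, score in events:
        update_confidence(session, score)
        decisions.append(evaluate(session, policy, now, operation))
    return decisions


# Constructed trace: a legitimate user, then one sensitive action, then scores
# that steadily fall as if the device had been handed to someone else.
SAMPLE_EVENTS = [
    (60, "view_balance", 0.95),
    (120, "view_balance", 0.90),
    (180, "transfer", 0.90),
    (240, "view_balance", 0.10),
    (300, "view_balance", 0.05),
    (360, "view_balance", 0.00),
    (420, "view_balance", 0.00),
    (480, "view_balance", 0.00),
    (540, "view_balance", 0.00),
]

if __name__ == "__main__":
    for (t, op, _), d in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:4d} {op:14s} -> {d.value}")
```

The smoothing means the policy degrades gracefully: a few low scores produce a step-up request first, and only a sustained run of them terminates the session. Tune the thresholds and the session age to the application's risk profile rather than reusing the constructed values here.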

You should also clearly understand what user behaviors and data from the mobile device are being used for the behavioral system in order to ensure they don't present privacy concerns for your jurisdiction. How user data (such as location or other identifying information) is sourced, stored, and processed, for instance, needs to be clearly understood. If the system extracts other data from the device unrelated to the usage (such as a user's contacts), that should be clearly understood as well. If user profiles are being built or registered or cross-correlated across websites, that should be clearly understood because such profiling may run afoul of certain privacy mandates that may require transparency as well as explicit user consent and control over the gathering and use of such information.

The Right Way to Build Behavioral Biometrics
Ultimately, behavioral biometrics is a building block to be used with other security measures. Effective identity and access management implementations require strength on multiple fronts, including strong identity proofing and easy-to-use strong user authentication such as face, finger, or iris biometrics; strong signals for risk management (versus spoofable signals from virtual machines); strong recovery in case of loss of primary authenticator; and strong session management to avoid situations like the recent Facebook debacle during which session tokens were compromised. Behavioral biometrics is not a panacea but, when used in conjunction with the measures above, provides added benefits.

Coupling behavioral biometrics with strong proofing and authentication can deliver great benefits for a more frictionless user experience and can provide a solid foundation for security, while also respecting privacy.


Rajiv Dholakia is the vice president of products at Nok Nok Labs and is responsible for strategy and the development of the company's products and solutions. He has more than 30 years of global operating experience in private and public companies spanning security, ecommerce, ... View Full Bio