
5/7/2019
10:30 AM
Rajiv Dholakia
Commentary

Better Behavior, Better Biometrics?

Behavioral biometrics is a building block to be used in conjunction with other security measures, but it shows promise.

The quest for frictionless yet secure authentication has been the central driver of innovation in identity and access management (IAM) systems for a long time. But today — as new technologies become available and passwords continue to fall by the wayside — novel forms of authentication are coming faster than ever.

For instance, many industries have grown comfortable using device-based biometrics such as fingerprint, voice, and face recognition, and some major brands — including Bank of America, Cigna, Intuit, and T-Mobile — have even begun to allow "biometric gesture"-based authentication on mobile phones, tablets, and PCs. A unique swipe or similar gesture is used to securely access online services and eliminate the need for passwords.

The global market for biometrics overall is growing nearly 20% annually and is on track to reach more than $10 billion by 2022. Amid this burgeoning market, "behavioral biometrics" has emerged as a new segment. This new area uses various sensors on your phone to create a behavioral signature. Behavioral biometrics on smartphones may prove to be a big driver of biometrics market growth. Against this backdrop, the evolution of behavioral biometrics could have a major impact on the whole IAM industry. 

Understanding Behavioral Biometrics
What is behavioral biometrics? Normal biometrics actively asks the user to engage the system in some way, such as swiping a finger or looking into the facial recognition camera or iris sensor/camera. Once the active gesture is complete, the biometric match is done.

The phrase "behavioral biometrics" is typically applied to the passive, continuous monitoring of biometrics: for example, checking how a user interacts with his or her device to assess whether this is the same person who was initially enrolled or authenticated through active measures. The first wave of behavioral biometrics looked at how the user was typing on a keyboard. With mobile devices, it became possible to look at other sensor data, such as the angles at which the phone is held and the speed of taps and swipes. The key is that behavioral biometrics does not ask the user for a gesture but instead passively monitors his or her interactions on the device.

Behavioral biometrics continues to evolve. Its assessments may include the steps a person takes, the gait while walking, the angle at which the phone is held, the way the user types on the keyboard, and more. All these elements are captured, analyzed, and aggregated into a behavioral "profile" for that user, which is used to verify identity and detect when the user changes.

One of the major benefits of behavioral biometrics is that authentication can continue after the user has been authenticated with his or her password, one-time password, or biometric. The behavioral system passively monitors interactions over time. The goal is to detect when the "user" of the phone (or PC) changes or is different from the one who authenticated at the start, thereby indicating potential risk. As long as this passive monitoring infers that nothing has changed, the user session (cookies or tokens) can be long-lived without explicitly asking the user to repeat an authentication gesture.
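The enrol-then-monitor loop described above, as an added illustration that is not code from the article, from Nok Nok Labs, or from any product: a profile is built from passive interaction windows captured right after strong authentication, every later window is scored by how far it sits from that profile (mean absolute z-score), and a smoothed score that stays high for several consecutive windows is reported as a probable change of user. The four feature names, the threshold and patience values, and all sample windows are constructed for this example; a real system would use many more sensor features and a trained model rather than a z-score.

```python
from statistics import mean, pstdev

# Passive interaction features gathered per short window of device use
# (constructed feature set for this example; real systems use many more).
FEATURES = ("key_interval_ms", "tap_pressure", "hold_angle_deg", "swipe_speed")


def enroll(windows):
    """Build a per-feature (mean, stddev) profile from windows captured while the
    owner was using the device right after strong authentication."""
    profile = {}
    for f in FEATURES:
        values = [w[f] for w in windows]
        # floor the spread so a constant feature cannot make every later z-score infinite
        profile[f] = (mean(values), max(pstdev(values), 1e-6))
    return profile


def deviation(profile, window):
    """Mean absolute z-score of one window against the enrolled profile:
    0 means 'exactly the enrolled behaviour', larger means further away."""
    z_scores = [abs(window[f] - mu) / sd for f, (mu, sd) in profile.items()]
    return sum(z_scores) / len(z_scores)


class ContinuousVerifier:
    """Smooths the per-window deviation with an exponential moving average and
    reports a probable change of user only after the smoothed value has stayed
    above `threshold` for `patience` consecutive windows, so a single odd swipe
    does not end the session."""

    def __init__(self, profile, threshold=2.5, patience=3, alpha=0.5):
        self.profile = profile
        self.threshold = threshold
        self.patience = patience
        self.alpha = alpha
        self.smoothed = 0.0  # starts trusted: the session was just strongly authenticated
        self.streak = 0

    def observe(self, window):
        d = deviation(self.profile, window)
        self.smoothed = self.alpha * d + (1 - self.alpha) * self.smoothed
        self.streak = self.streak + 1 if self.smoothed > self.threshold else 0
        return "user_changed" if self.streak >= self.patience else "ok"


def run(profile, windows, **kwargs):
    """Feed a sequence of windows through a fresh verifier; return one verdict per window."""
    verifier = ContinuousVerifier(profile, **kwargs)
    return [verifier.observe(w) for w in windows]


# Constructed enrolment windows for the device owner.
ENROLLMENT = [
    {"key_interval_ms": 180, "tap_pressure": 0.4, "hold_angle_deg": 40, "swipe_speed": 1.0},
    {"key_interval_ms": 200, "tap_pressure": 0.5, "hold_angle_deg": 50, "swipe_speed": 1.2},
    {"key_interval_ms": 220, "tap_pressure": 0.6, "hold_angle_deg": 60, "swipe_speed": 1.4},
    {"key_interval_ms": 200, "tap_pressure": 0.5, "hold_angle_deg": 50, "swipe_speed": 1.2},
]
# A later window from the owner (constructed): close to the enrolled behaviour.
OWNER_WINDOW = {"key_interval_ms": 210, "tap_pressure": 0.55, "hold_angle_deg": 55, "swipe_speed": 1.3}
# Someone else holding the unlocked phone (constructed): slower typing, harder taps,
# flatter hold angle, much faster swipes.
OTHER_WINDOW = {"key_interval_ms": 320, "tap_pressure": 0.9, "hold_angle_deg": 20, "swipe_speed": 2.5}

if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    print("owner deviation: %.2f" % deviation(profile, OWNER_WINDOW))
    print("other deviation: %.2f" % deviation(profile, OTHER_WINDOW))
    print(run(profile, [OWNER_WINDOW] * 3 + [OTHER_WINDOW] * 5))
```

The smoothing plus patience is the part worth copying: the raw deviation jumps the moment another person touches the device, but a single high window is also what a distracted owner produces, so the verifier waits for the smoothed value to stay high for three windows before reporting a change. That trade-off (how quickly a change is detected versus how often the owner is falsely logged out) is a policy knob, not a property of the sensors.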

Breaking Down Security and Privacy
Despite the "wow" factor of behavioral biometrics, there are issues around both security and privacy. Behavioral biometrics is not a substitute for strong authentication and cannot protect against phishing or other common attacks. It is suitable to augment strong authentication to detect changes in the user of the device.

Strong authentication is required to establish the initial session. Then, depending on the risk profile of the application, a returning user could be taken directly into a secure session without repeating strong authentication. Usually, this is done for the sake of lowering user friction. Note that if the user is performing a sensitive operation or when the maximum advisable time for a session is met, you should repeat the strong authentication step.
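The session rules in this paragraph, as an added worked example (not the article's or any vendor's code): strong authentication stamps the session, a returning user is let into the session without a new strong factor as long as it has not exceeded the application's maximum age, the passive behavioral score can force re-authentication when it says the user has probably changed, and a sensitive operation requires a strong authentication that is recent enough. Two policies show how the risk profile of the application changes the outcome for the same request. All policy numbers, operation names and the 0-to-1 behavioral score are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import NamedTuple


class Verdict(NamedTuple):
    step_up: bool   # True: repeat strong authentication before serving the request
    reason: str


@dataclass(frozen=True)
class Policy:
    """Per-application risk profile (constructed values for the example)."""
    max_session_age: float        # seconds after which strong auth is repeated regardless
    fresh_auth_window: float      # a sensitive operation needs strong auth at least this recent
    min_behavioral_score: float   # below this the passive signal says 'probably not the same user'
    sensitive_ops: frozenset


@dataclass
class Session:
    user: str
    authenticated_at: float        # time of the last *strong* authentication (epoch seconds)
    behavioral_score: float = 1.0  # 1.0 = fully consistent with the enrolled profile


def decide(policy, session, operation, now):
    """Order matters: an expired session or a behavioral mismatch forces strong auth for
    anything; otherwise only sensitive operations need a fresh strong factor."""
    age = now - session.authenticated_at
    if age > policy.max_session_age:
        return Verdict(True, "session_expired")
    if session.behavioral_score < policy.min_behavioral_score:
        return Verdict(True, "behavioral_mismatch")
    if operation in policy.sensitive_ops and age > policy.fresh_auth_window:
        return Verdict(True, "sensitive_operation")
    return Verdict(False, "ok")


def after_strong_auth(session, now):
    """Called once the user has completed the strong factor again: the session is fresh
    and the passive signal restarts from full trust."""
    session.authenticated_at = now
    session.behavioral_score = 1.0
    return session


# A content site: long sessions, lenient passive threshold, only password changes are sensitive.
LOW_RISK = Policy(max_session_age=30 * 24 * 3600, fresh_auth_window=24 * 3600,
                  min_behavioral_score=0.4, sensitive_ops=frozenset({"change_password"}))
# A banking app: sessions end within a shift, payments need auth from the last five minutes.
HIGH_RISK = Policy(max_session_age=8 * 3600, fresh_auth_window=300, min_behavioral_score=0.7,
                   sensitive_ops=frozenset({"transfer_funds", "add_payee", "change_password"}))

if __name__ == "__main__":
    s = Session("alice", authenticated_at=1000.0, behavioral_score=0.9)
    for policy_name, policy in (("LOW_RISK", LOW_RISK), ("HIGH_RISK", HIGH_RISK)):
        for op, now in (("view_balance", 1100.0), ("transfer_funds", 1100.0), ("transfer_funds", 2000.0)):
            print(policy_name, op, "at", now, "->", decide(policy, s, op, now))
    s.behavioral_score = 0.3
    print("after passive mismatch:", decide(HIGH_RISK, s, "view_balance", 2000.0))
    after_strong_auth(s, 5000.0)
    print("after step-up:", decide(HIGH_RISK, s, "view_balance", 5001.0))
```

The behavioral score is an input to this decision, never a substitute for the strong factor: a high score can only keep an existing session alive, while a low score, an old session or a sensitive operation always ends in the same place, a repeat of strong authentication.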

You should also clearly understand which user behaviors and which data from the mobile device the behavioral system uses, in order to ensure they don't present privacy concerns for your jurisdiction. How user data (such as location or other identifying information) is sourced, stored, and processed, for instance, needs to be clearly understood. The same applies if the system extracts other data from the device unrelated to its usage (such as a user's contacts). If user profiles are being built, registered, or cross-correlated across websites, you should understand that too, because such profiling may run afoul of privacy mandates that require transparency as well as explicit user consent and control over the gathering and use of such information.

The Right Way to Build Behavioral Biometrics
Ultimately, behavioral biometrics is a building block to be used with other security measures. Effective identity and access management implementations require strength on multiple fronts, including strong identity proofing and easy-to-use strong user authentication such as face, finger, or iris biometrics; strong signals for risk management (versus spoofable signals from virtual machines); strong recovery in case of loss of primary authenticator; and strong session management to avoid situations like the recent Facebook debacle during which session tokens were compromised. Behavioral biometrics is not a panacea but, when used in conjunction with the measures above, provides added benefits.

Coupling behavioral biometrics with strong proofing and authentication can deliver great benefits for a more frictionless user experience and can provide a solid foundation for security, while also respecting privacy.


Rajiv Dholakia is the vice president of products at Nok Nok Labs and is responsible for strategy and the development of the company's products and solutions. He has more than 30 years of global operating experience in private and public companies spanning security, ecommerce, ...