The quest for frictionless yet secure authentication has been the central driver of innovation in identity and access management (IAM) systems for a long time. But today — as new technologies become available and passwords continue to fall by the wayside — novel forms of authentication are coming faster than ever.
For instance, many industries have grown comfortable using device-based biometrics such as fingerprint, voice, and face recognition, and some major brands — including Bank of America, Cigna, Intuit, and T-Mobile — have even begun to allow "biometric gesture"-based authentication on mobile phones, tablets, and PCs. A unique swipe or similar gesture is used to securely access online services and eliminate the need for passwords.
The global market for biometrics overall is growing nearly 20% annually and is on track to reach more than $10 billion by 2022. Amid this burgeoning market, "behavioral biometrics" has emerged as a new segment. This new area uses various sensors on your phone to create a behavioral signature. Behavioral biometrics on smartphones may prove to be a big driver of biometrics market growth. Against this backdrop, the evolution of behavioral biometrics could have a major impact on the whole IAM industry.
Understanding Behavioral Biometrics
What is behavioral biometrics? Normal biometrics actively asks the user to engage the system in some way, such as swiping a finger or looking into the facial recognition camera or iris sensor/camera. Once the active gesture is complete, the biometric system match is done.
The phrase "behavioral biometrics" is typically applied to the passive, continuous monitoring of biometric signals: for example, checking how a user interacts with his or her device to assess whether this is the same person who was initially enrolled or authenticated through active measures. The first wave of behavioral biometrics looked at how the user typed on a keyboard. With mobile devices, it became possible to look at other sensor data, such as the angles at which the phone is held and the speed of taps and swipes. The key is that behavioral biometrics does not ask the user for a gesture but instead passively monitors his or her interactions on the device.
Behavioral biometrics continues to evolve. Its assessments may include the steps a person takes, the gait while walking, the angle at which the phone is held, the way the user types on the keyboard, and similar signals. All these elements are captured, analyzed, and aggregated into a behavioral "profile" for that user, which is used to verify identity and to detect when the person using the device changes.
One of the major benefits of behavioral biometrics is that authentication can continue after the user has authenticated with his or her password, one-time password, or biometric. The behavioral system passively monitors interactions over time. The goal is to detect when the "user" of the phone (or PC) changes or differs from the one who authenticated at the start, thereby indicating potential risk. As long as the passive monitoring indicates that nothing has changed, the user session (cookies or tokens) can remain long-lived without explicitly asking the user to repeat an authentication gesture.
Breaking Down Security and Privacy
Despite the "wow" factor of behavioral biometrics, there are issues around both security and privacy. Behavioral biometrics is not a substitute for strong authentication and cannot protect against phishing or other common attacks. It is suitable to augment strong authentication to detect changes in the user of the device.
Strong authentication is required to establish the initial session. Then, depending on the risk profile of the application, a returning user could be taken directly into a secure session without repeating strong authentication. Usually, this is done for the sake of lowering user friction. Note that if the user is performing a sensitive operation, or when the maximum advisable session lifetime is reached, you should repeat the strong authentication step.
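To make the session model described above concrete, here is an added Python sketch that is not from the article or from any vendor product. It builds a per-user behavioral profile from constructed sensor samples (tap interval, phone hold angle, swipe speed), scores new passive samples against that baseline, and drives a session policy that requires step-up strong authentication on a sensitive operation, on session age, or on behavioral drift, while allowing ordinary operations to proceed without a new gesture. The feature set, threshold, smoothing factor, and session lifetime are assumed tuning values, not figures from the page.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed enrollment data (not real telemetry): each sample is
# (tap_interval_ms, hold_angle_deg, swipe_speed_px_per_s) for the enrolled user.
ENROLLMENT_SAMPLES = [
    (180, 35, 900), (190, 33, 950), (175, 36, 880), (185, 34, 920),
    (182, 35, 910), (188, 32, 940), (178, 36, 890), (184, 34, 930),
]

SESSION_MAX_AGE_S = 8 * 3600        # assumed "maximum advisable" session lifetime
ANOMALY_THRESHOLD = 2.5             # assumed tuning: mean |z| above this = possible user change
SENSITIVE_OPS = {"transfer_funds", "change_password", "add_payee"}  # assumed example set


class BehavioralProfile:
    """Per-user baseline: mean and standard deviation of each passive feature."""

    def __init__(self, samples):
        columns = list(zip(*samples))
        self.means = [mean(c) for c in columns]
        # Floor the spread so a perfectly consistent feature cannot blow up the score.
        self.stds = [max(pstdev(c), 1e-6) for c in columns]

    def anomaly_score(self, sample):
        """Mean absolute z-score across features; near 0 for the enrolled user."""
        z = [abs(x - m) / s for x, m, s in zip(sample, self.means, self.stds)]
        return sum(z) / len(z)


@dataclass
class Session:
    user: str
    profile: BehavioralProfile
    strong_auth_at: float           # time of the last strong (active) authentication
    smoothed_score: float = 0.0     # exponentially weighted anomaly score

    def observe(self, sample, alpha=0.3):
        """Feed one passive sample. EWMA dampens a single noisy reading so one odd
        swipe does not force a step-up, while sustained drift still accumulates."""
        score = self.profile.anomaly_score(sample)
        self.smoothed_score = alpha * score + (1 - alpha) * self.smoothed_score
        return self.smoothed_score

    def decide(self, operation, now):
        """Return 'ALLOW' or 'STEP_UP:<reason>'. Behavioral signals only ever add
        friction; they never replace the strong authentication that opened the session."""
        if operation in SENSITIVE_OPS:
            return "STEP_UP:sensitive_op"      # always repeat strong auth here
        if now - self.strong_auth_at > SESSION_MAX_AGE_S:
            return "STEP_UP:session_age"       # long-lived token has reached its limit
        if self.smoothed_score > ANOMALY_THRESHOLD:
            return "STEP_UP:behavior"          # the person holding the device may have changed
        return "ALLOW"

    def strong_auth_completed(self, now):
        """Called after a successful step-up: restart the clock and the behavioral baseline."""
        self.strong_auth_at = now
        self.smoothed_score = 0.0


def run_scenario():
    """Walk a session through a normal user, an impostor, and a step-up recovery."""
    session = Session("alice", BehavioralProfile(ENROLLMENT_SAMPLES), strong_auth_at=0.0)
    decisions = []

    session.observe((183, 35, 915))                       # looks like the enrolled user
    decisions.append(session.decide("view_balance", now=60))
    decisions.append(session.decide("transfer_funds", now=60))
    decisions.append(session.decide("view_balance", now=SESSION_MAX_AGE_S + 1))

    for _ in range(5):                                    # sustained, very different behavior
        session.observe((320, 20, 500))
    decisions.append(session.decide("view_balance", now=120))

    session.strong_auth_completed(now=130)                # user re-proves identity
    decisions.append(session.decide("view_balance", now=131))
    return decisions


if __name__ == "__main__":
    for d in run_scenario():
        print(d)
```

The point of the scenario is the order of the checks: a sensitive operation and session age trigger step-up regardless of how normal the behavior looks, because behavioral signals cannot substitute for strong authentication; behavioral drift only ever adds a step-up on top of that. In a real deployment the threshold and smoothing would be tuned per population against false-reject rates, and every `STEP_UP` decision with its reason would be logged for detection and audit.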
You should also clearly understand what user behaviors and data from the mobile device are being used for the behavioral system in order to ensure they don't present privacy concerns for your jurisdiction. How user data (such as location or other identifying information) is sourced, stored, and processed, for instance, needs to be clearly understood. If the system extracts other data from the device unrelated to the usage (such as a user's contacts), that should be clearly understood as well. If user profiles are being built or registered or cross-correlated across websites, that should be clearly understood because such profiling may run afoul of certain privacy mandates that may require transparency as well as explicit user consent and control over the gathering and use of such information.
The Right Way to Build Behavioral Biometrics
Ultimately, behavioral biometrics is a building block to be used with other security measures. Effective identity and access management implementations require strength on multiple fronts, including strong identity proofing and easy-to-use strong user authentication such as face, finger, or iris biometrics; strong signals for risk management (versus spoofable signals from virtual machines); strong recovery in case of loss of primary authenticator; and strong session management to avoid situations like the recent Facebook debacle during which session tokens were compromised. Behavioral biometrics is not a panacea but, when used in conjunction with the measures above, provides added benefits.
Coupling behavioral biometrics with strong proofing and authentication can deliver great benefits for a more frictionless user experience and can provide a solid foundation for security, while also respecting privacy.