Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

To Enter, Act Like Yourself

Behavior-based biometrics to ID you by the way you speak, type, move your mouse, and more

As businesses look for better ways to verify the identities of their users, the word "biometrics" often comes up. Then everyone at the table gets a mental image of retinal scanners and James Bond movies, followed by big dollar signs in their eyes. And often, the conversation moves in another direction.

Authentication vendors next week at the RSA conference in San Francisco will be aiming to change that mental image with new technologies that verify users' identities by their behavior, rather than an eye scan or a thumbprint. Behavior-based authentication can be cheaper and easier to use than traditional biometrics, they say.

"In the past, businesses had two choices: single-factor authentication, which meant basically a name and password; and tokens or biometrics, which meant a lot of hassle and administrative costs," says Jared Pfost, vice president of security and product strategy at BioPassword, a biometrics tool vendor. "What we see now is that there's a huge middle ground for software-based and behavioral authentication technology that costs less than the traditional tokens, but is much more secure than single-factor technology."

At the conference, vendors will be demonstrating authentication tools that can verify the users' identities by how they speak, type, or move their mice. Others will discuss alternative methods for two-factor authentication, such as adding new levels of personal questions. Still others, such as Corillian, will be unveiling ways to let users create unique ways to identify the authenticity of the Web sites they use via images, text and colors.

"As businesses and as vendors, we have to work with what the end users have," says Greg Hughes, chief security executive at Corillian. "The reality is that today, most users don't have fingerprint scanners. Maybe someday they will. But in the meantime, there are some pretty good technologies emerging that don't require additional hardware or equipment."

The rapid emergence of behavior-based and Q&A methods of authentication has been driven by new government and industry requirements for deployment of two-factor authentication, Hughes observes. The federal government's HSPD-12 mandate, along with the financial industry's FFIEC requirements, made two-factor authentication schemes mandatory for some organizations in 2006.

"It was a force-feeding frenzy," he says.

With the short time fuse and a strong need to control costs, many organizations have been looking toward software-based and behavioral methods of authentication, at least as a stopgap to full-blown physical biometrics. Corillian, which also does consulting on authentication technology, has seen companies use everything from smart cards to voice prints to simply asking the user's grandmother's name.

"I think the behavioral authentication methods have a lot of promise," he says. "I'm also interested in the out-of-band methods that require you to verify your identity by some avenue other than the Internet, such as a phone call."

BioPassword's products work via "keystroke authentication," which means they track the way the user types and then store it like a signature. If someone with a different keystroke signature tries to log onto the user's account, the system will raise a red flag and lock the pretender out.

Keystroke authentication might not be as reliable as retinal scans, but it's a heck of a lot less expensive and a lot more practical for companies that have a wide array of online customers, Pfost says.

"I think what's happening is that a lot of companies are doing a sort of risk assessment, though they may not really think of it that way," Pfost says. "They're evaluating the risk of penetration against the cost and usability of the authentication technology. And they're finding that there's a significant middle ground where the risk can be greatly reduced -- without incurring prohibitive costs."

The next step will be for companies to begin monitoring the behavior of end users after they have been authenticated," Hughes says. "What you want to do is monitor the user's activity for patterns of bad behavior that might indicate trouble," he says. "That's another way to reduce risk."

— Tim Wilson, Site Editor, Dark Reading

  • BioPassword Inc.
  • Corillian

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Where Businesses Waste Endpoint Security Budgets
    Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
    US Mayors Commit to Just Saying No to Ransomware
    Robert Lemos, Contributing Writer,  7/16/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Building and Managing an IT Security Operations Program
    As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-07-20
    An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
    PUBLISHED: 2019-07-20
    An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
    PUBLISHED: 2019-07-20
    An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
    PUBLISHED: 2019-07-19
    An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
    PUBLISHED: 2019-07-19
    A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.