
To Enter, Act Like Yourself

Behavior-based biometrics to ID you by the way you speak, type, move your mouse, and more

As businesses look for better ways to verify the identities of their users, the word "biometrics" often comes up. Then everyone at the table gets a mental image of retinal scanners and James Bond movies, followed by big dollar signs in their eyes. And often, the conversation moves in another direction.

Authentication vendors next week at the RSA conference in San Francisco will be aiming to change that mental image with new technologies that verify users' identities by their behavior, rather than an eye scan or a thumbprint. Behavior-based authentication can be cheaper and easier to use than traditional biometrics, they say.

"In the past, businesses had two choices: single-factor authentication, which meant basically a name and password; and tokens or biometrics, which meant a lot of hassle and administrative costs," says Jared Pfost, vice president of security and product strategy at BioPassword, a biometrics tool vendor. "What we see now is that there's a huge middle ground for software-based and behavioral authentication technology that costs less than the traditional tokens, but is much more secure than single-factor technology."

At the conference, vendors will be demonstrating authentication tools that can verify the users' identities by how they speak, type, or move their mice. Others will discuss alternative methods for two-factor authentication, such as adding new levels of personal questions. Still others, such as Corillian, will be unveiling ways to let users create unique ways to identify the authenticity of the Web sites they use via images, text and colors.

"As businesses and as vendors, we have to work with what the end users have," says Greg Hughes, chief security executive at Corillian. "The reality is that today, most users don't have fingerprint scanners. Maybe someday they will. But in the meantime, there are some pretty good technologies emerging that don't require additional hardware or equipment."

The rapid emergence of behavior-based and Q&A methods of authentication has been driven by new government and industry requirements for deployment of two-factor authentication, Hughes observes. The federal government's HSPD-12 mandate, along with the financial industry's FFIEC requirements, made two-factor authentication schemes mandatory for some organizations in 2006.

"It was a force-feeding frenzy," he says.

With the short time fuse and a strong need to control costs, many organizations have been looking toward software-based and behavioral methods of authentication, at least as a stopgap to full-blown physical biometrics. Corillian, which also does consulting on authentication technology, has seen companies use everything from smart cards to voice prints to simply asking the user's grandmother's name.

"I think the behavioral authentication methods have a lot of promise," he says. "I'm also interested in the out-of-band methods that require you to verify your identity by some avenue other than the Internet, such as a phone call."

BioPassword's products work via "keystroke authentication," which means they track the way the user types and then store it like a signature. If someone with a different keystroke signature tries to log onto the user's account, the system will raise a red flag and lock the pretender out.
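The keystroke-signature idea above, as an added illustration that is not BioPassword's code or algorithm: each typing sample is reduced to dwell times (how long each key is held) and flight times (the gap between releasing one key and pressing the next), several enrollment samples give a per-feature mean and spread, and a login attempt is scored by its average distance from that profile. The passphrase, timings, threshold and the standard-deviation floor are all constructed assumptions for the example.

```python
"""Keystroke-dynamics enrollment and matching (constructed example)."""
from statistics import mean, pstdev

# A typing sample is a list of (key, press_ms, release_ms) tuples in typing order.
# All timings below are constructed for illustration, not captured keystrokes.


def make_sample(text, dwells, flights):
    """Build a sample from per-key hold times and inter-key gaps (assumed inputs)."""
    sample, t = [], 0
    for i, ch in enumerate(text):
        press = t
        release = press + dwells[i]
        sample.append((ch, press, release))
        t = release + (flights[i] if i < len(flights) else 0)
    return sample


def features(sample):
    """Feature vector: dwell time per key followed by flight time between keys."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples, sd_floor=5.0):
    """Profile = (mean, std) per feature over the enrollment samples.

    The floor on the standard deviation (an assumed value) stops a feature
    that happened to be identical in every enrollment sample from making the
    score blow up on a one-millisecond difference later.
    """
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    if any(len(v) != n for v in vectors):
        raise ValueError("all enrollment samples must be the same passphrase")
    profile = []
    for j in range(n):
        column = [v[j] for v in vectors]
        profile.append((mean(column), max(pstdev(column), sd_floor)))
    return profile


def score(profile, sample):
    """Mean absolute z-score of the sample against the profile; lower is closer."""
    return mean(abs(x - m) / sd for x, (m, sd) in zip(features(sample), profile))


def authenticate(profile, sample, threshold=2.0):
    """Accept when the attempt's typing rhythm is close enough to the enrolled one."""
    return score(profile, sample) < threshold


# Constructed data: a legitimate user typing the passphrase four times at
# enrollment, one later genuine attempt, and an impostor typing the same
# (correct) passphrase with a very different rhythm.
PASSPHRASE = "secret"
LEGIT_SAMPLES = [
    make_sample(PASSPHRASE, [95, 100, 90, 105, 98, 92], [130, 125, 140, 135, 128]),
    make_sample(PASSPHRASE, [98, 103, 88, 110, 95, 90], [134, 120, 145, 130, 132]),
    make_sample(PASSPHRASE, [92, 98, 93, 102, 100, 94], [128, 130, 138, 140, 125]),
    make_sample(PASSPHRASE, [97, 101, 91, 107, 96, 93], [132, 127, 142, 133, 130]),
]
LEGIT_ATTEMPT = make_sample(PASSPHRASE, [96, 99, 92, 104, 97, 91], [131, 126, 141, 136, 129])
IMPOSTOR_ATTEMPT = make_sample(PASSPHRASE, [60, 65, 58, 70, 62, 55], [300, 280, 320, 310, 290])

if __name__ == "__main__":
    profile = enroll(LEGIT_SAMPLES)
    for label, attempt in (("genuine", LEGIT_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        print(f"{label}: score={score(profile, attempt):.2f} "
              f"accepted={authenticate(profile, attempt)}")
```

The point the example makes is the one in the article: the impostor knows the password and still fails, because the second factor is the rhythm, not the secret. The threshold trades false rejections of the real user (tired, different keyboard) against false acceptances, so in practice it is tuned from measured error rates rather than fixed at a round number.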

Keystroke authentication might not be as reliable as retinal scans, but it's a heck of a lot less expensive and a lot more practical for companies that have a wide array of online customers, Pfost says.

"I think what's happening is that a lot of companies are doing a sort of risk assessment, though they may not really think of it that way," Pfost says. "They're evaluating the risk of penetration against the cost and usability of the authentication technology. And they're finding that there's a significant middle ground where the risk can be greatly reduced -- without incurring prohibitive costs."

"The next step will be for companies to begin monitoring the behavior of end users after they have been authenticated," Hughes says. "What you want to do is monitor the user's activity for patterns of bad behavior that might indicate trouble," he says. "That's another way to reduce risk."

— Tim Wilson, Site Editor, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
