
To Enter, Act Like Yourself

Behavior-based biometrics to ID you by the way you speak, type, move your mouse, and more

As businesses look for better ways to verify the identities of their users, the word "biometrics" often comes up. Then everyone at the table gets a mental image of retinal scanners and James Bond movies, followed by big dollar signs in their eyes. And often, the conversation moves in another direction.

Authentication vendors next week at the RSA conference in San Francisco will be aiming to change that mental image with new technologies that verify users' identities by their behavior, rather than an eye scan or a thumbprint. Behavior-based authentication can be cheaper and easier to use than traditional biometrics, they say.

"In the past, businesses had two choices: single-factor authentication, which meant basically a name and password; and tokens or biometrics, which meant a lot of hassle and administrative costs," says Jared Pfost, vice president of security and product strategy at BioPassword, a biometrics tool vendor. "What we see now is that there's a huge middle ground for software-based and behavioral authentication technology that costs less than the traditional tokens, but is much more secure than single-factor technology."

At the conference, vendors will be demonstrating authentication tools that can verify the users' identities by how they speak, type, or move their mice. Others will discuss alternative methods for two-factor authentication, such as adding new levels of personal questions. Still others, such as Corillian, will be unveiling ways to let users create unique ways to identify the authenticity of the Web sites they use via images, text and colors.

"As businesses and as vendors, we have to work with what the end users have," says Greg Hughes, chief security executive at Corillian. "The reality is that today, most users don't have fingerprint scanners. Maybe someday they will. But in the meantime, there are some pretty good technologies emerging that don't require additional hardware or equipment."

The rapid emergence of behavior-based and Q&A methods of authentication has been driven by new government and industry requirements for deployment of two-factor authentication, Hughes observes. The federal government's HSPD-12 mandate, along with the financial industry's FFIEC requirements, made two-factor authentication schemes mandatory for some organizations in 2006.

"It was a force-feeding frenzy," he says.

With the short time fuse and a strong need to control costs, many organizations have been looking toward software-based and behavioral methods of authentication, at least as a stopgap to full-blown physical biometrics. Corillian, which also does consulting on authentication technology, has seen companies use everything from smart cards to voice prints to simply asking the user's grandmother's name.

"I think the behavioral authentication methods have a lot of promise," he says. "I'm also interested in the out-of-band methods that require you to verify your identity by some avenue other than the Internet, such as a phone call."

BioPassword's products work via "keystroke authentication," which means they track the way the user types and then store it like a signature. If someone with a different keystroke signature tries to log onto the user's account, the system will raise a red flag and lock the pretender out.
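As an added illustration of the keystroke-signature idea described above (this is not BioPassword's code), the following constructed Python example enrolls a user's typing rhythm as per-feature mean and standard deviation, then scores a login attempt against it; the key-event format, the features (dwell and flight times), the threshold and the sample timings are all assumptions.

```python
from statistics import mean, pstdev

# Assumption: a key event is (key, press_ms, release_ms), milliseconds since login start.
def features(events):
    """Dwell time per key (how long it is held) plus flight time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = (mean, std) per feature over several enrollment typings of the same text."""
    vectors = [features(s) for s in samples]
    columns = list(zip(*vectors))
    # Floor the std at 1 ms so a perfectly regular feature cannot divide by zero.
    return [(mean(col), max(pstdev(col), 1.0)) for col in columns]

def score(template, events):
    """Mean absolute z-score of an attempt against the template; lower means closer."""
    vec = features(events)
    if len(vec) != len(template):          # different text length: not comparable
        return float("inf")
    return mean(abs(x - m) / s for x, (m, s) in zip(vec, template))

def verify(template, events, threshold=2.0):
    """Accept when the rhythm is, on average, within `threshold` std devs of the template."""
    return score(template, events) < threshold

def typing(keys, dwell_ms, flight_ms):
    """Constructed sample: each key held dwell_ms, with a flight_ms gap before the next key."""
    events, t = [], 0
    for k in keys:
        events.append((k, t, t + dwell_ms))
        t += dwell_ms + flight_ms
    return events

# Constructed data: the genuine user holds keys ~90 ms with ~120 ms gaps between them.
ENROLL = [typing("pass", 90, 120), typing("pass", 95, 125), typing("pass", 85, 115)]
TEMPLATE = enroll(ENROLL)
GENUINE = typing("pass", 92, 123)      # same rhythm, slight natural variation
IMPOSTOR = typing("pass", 140, 260)    # correct password, very different rhythm

if __name__ == "__main__":
    print("genuine :", round(score(TEMPLATE, GENUINE), 2), verify(TEMPLATE, GENUINE))
    print("impostor:", round(score(TEMPLATE, IMPOSTOR), 2), verify(TEMPLATE, IMPOSTOR))
```

A real deployment would tune the threshold from measured false-accept and false-reject rates and would treat a rejection as a signal for step-up authentication rather than a hard lockout on its own.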

Keystroke authentication might not be as reliable as retinal scans, but it's a heck of a lot less expensive and a lot more practical for companies that have a wide array of online customers, Pfost says.

"I think what's happening is that a lot of companies are doing a sort of risk assessment, though they may not really think of it that way," Pfost says. "They're evaluating the risk of penetration against the cost and usability of the authentication technology. And they're finding that there's a significant middle ground where the risk can be greatly reduced -- without incurring prohibitive costs."

"The next step will be for companies to begin monitoring the behavior of end users after they have been authenticated," Hughes says. "What you want to do is monitor the user's activity for patterns of bad behavior that might indicate trouble," he says. "That's another way to reduce risk."

— Tim Wilson, Site Editor, Dark Reading
