Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

To Enter, Act Like Yourself

Behavior-based biometrics to ID you by the way you speak, type, move your mouse, and more

As businesses look for better ways to verify the identities of their users, the word "biometrics" often comes up. Then everyone at the table gets a mental image of retinal scanners and James Bond movies, followed by big dollar signs in their eyes. And often, the conversation moves in another direction.

Authentication vendors next week at the RSA conference in San Francisco will be aiming to change that mental image with new technologies that verify users' identities by their behavior, rather than an eye scan or a thumbprint. Behavior-based authentication can be cheaper and easier to use than traditional biometrics, they say.

"In the past, businesses had two choices: single-factor authentication, which meant basically a name and password; and tokens or biometrics, which meant a lot of hassle and administrative costs," says Jared Pfost, vice president of security and product strategy at BioPassword, a biometrics tool vendor. "What we see now is that there's a huge middle ground for software-based and behavioral authentication technology that costs less than the traditional tokens, but is much more secure than single-factor technology."

At the conference, vendors will be demonstrating authentication tools that can verify the users' identities by how they speak, type, or move their mice. Others will discuss alternative methods for two-factor authentication, such as adding new levels of personal questions. Still others, such as Corillian, will be unveiling ways to let users create unique ways to identify the authenticity of the Web sites they use via images, text and colors.

"As businesses and as vendors, we have to work with what the end users have," says Greg Hughes, chief security executive at Corillian. "The reality is that today, most users don't have fingerprint scanners. Maybe someday they will. But in the meantime, there are some pretty good technologies emerging that don't require additional hardware or equipment."

The rapid emergence of behavior-based and Q&A methods of authentication has been driven by new government and industry requirements for deployment of two-factor authentication, Hughes observes. The federal government's HSPD-12 mandate, along with the financial industry's FFIEC requirements, made two-factor authentication schemes mandatory for some organizations in 2006.

"It was a force-feeding frenzy," he says.

With the short time fuse and a strong need to control costs, many organizations have been looking toward software-based and behavioral methods of authentication, at least as a stopgap to full-blown physical biometrics. Corillian, which also does consulting on authentication technology, has seen companies use everything from smart cards to voice prints to simply asking the user's grandmother's name.

"I think the behavioral authentication methods have a lot of promise," he says. "I'm also interested in the out-of-band methods that require you to verify your identity by some avenue other than the Internet, such as a phone call."

BioPassword's products work via "keystroke authentication," which means they track the way the user types and then store it like a signature. If someone with a different keystroke signature tries to log onto the user's account, the system will raise a red flag and lock the pretender out.

Keystroke authentication might not be as reliable as retinal scans, but it's a heck of a lot less expensive and a lot more practical for companies that have a wide array of online customers, Pfost says.

"I think what's happening is that a lot of companies are doing a sort of risk assessment, though they may not really think of it that way," Pfost says. "They're evaluating the risk of penetration against the cost and usability of the authentication technology. And they're finding that there's a significant middle ground where the risk can be greatly reduced -- without incurring prohibitive costs."

The next step will be for companies to begin monitoring the behavior of end users after they have been authenticated," Hughes says. "What you want to do is monitor the user's activity for patterns of bad behavior that might indicate trouble," he says. "That's another way to reduce risk."

— Tim Wilson, Site Editor, Dark Reading

  • BioPassword Inc.
  • Corillian

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    News
    FluBot Malware's Rapid Spread May Soon Hit US Phones
    Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
    Slideshows
    7 Modern-Day Cybersecurity Realities
    Steve Zurier, Contributing Writer,  4/30/2021
    Commentary
    How to Secure Employees' Home Wi-Fi Networks
    Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-31755
    PUBLISHED: 2021-05-07
    An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
    CVE-2021-31756
    PUBLISHED: 2021-05-07
    An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
    CVE-2021-31757
    PUBLISHED: 2021-05-07
    An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
    CVE-2021-31758
    PUBLISHED: 2021-05-07
    An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
    CVE-2021-31458
    PUBLISHED: 2021-05-07
    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...