By David Vergara, Head of Product Marketing at VASCO Data Security
Before there were ‘preppers’ there were the sign holders, who would boldly proclaim, “The End is Near” on street corners, in football stadiums, and in fact anywhere large crowds gathered. Today, experts in the security industry have been heralding a similar message: the death of static passwords is near. Is this a surprise? Not really. Passwords should definitely disappear, because they are static, easy to hack or steal, hard to remember and often reused from one site to another, which amplifies the impact of every breach.
However, if something disappears, something should take its place. The question is what will stand in lieu of passwords. In short, we predict a technology that minimizes friction and maximizes security: biometric authentication.
At a high level, biometric authentication refers to technologies like fingerprint scans, voice recognition and selfie authentication that secure a business’ applications and services. In other words, biometrics use the physical and behavioural characteristics of each individual as the basis of secure authentication.
In healthcare, for example, providers in the four-state Novant Health Network can link a patient’s biometric data captured at enrolment (e.g. fingerprints, iris recognition, veins in the finger or palm, and face) to his or her medical record to produce a unique signature that can later be used to rapidly call up those records. The Biometrics Research Group has made the significance of this technology clear: it predicts that such technologies will produce over US$9 billion of revenue by 2018 for the biometrics industry.
Analysts, too, are paying attention to this evolution. In fact, Mercator Advisory Group, a trusted advisor to the payments and banking industries globally, recently issued a report entitled “Biometrics: A New Wrinkle Changes the Authentication Landscape,” which advocates software-based solutions like multi-modal biometric authentication to drive innovation as well as security.
Mercator further suggests that, in time, authentication will move toward a concept of “persistent identity,” where authentication is no longer solely about a single challenge event such as a fingerprint scan but evolves into a passive trust value uniquely associated with an individual. This “trust value” will be continually updated based on factors including location, sound, face recognition and, significantly, “a range of behavioural inputs.” With all these data points, it makes sense that the initial evolutionary path for passwords will be to work alongside biometrics to increase security for “riskier” transactions.
So, how does behavioural authentication work?
Behavioural authentication analyses end-user activity from login to logout, continuously looking for the unique behaviours that identify a verified user, so that legitimate users gain access simply by behaving naturally. It does this by constantly monitoring and analysing keystrokes, mouse movements, finger pressure, swipe patterns and more, comparing this activity with a unique user model to produce a match score. A low score, reflecting a significant change in the user’s behaviour, serves as a red flag that some security policy action may be required.
Indeed, the behavioural inputs capture the way you interact with your device: how you hold and use your mouse, how you type, how quickly you move line-to-line or from page to page. These actions, analysed and learned over time, are processed by algorithms to establish a unique pattern for each user and to determine whether the same user is requesting access or the request is potentially fraudulent. When the behaviour of the user (or machine) trying to log in does not match the established user model, the technology can “step up” authentication, for example by requiring an additional biometric measure or a security question.
The technology stays up to date with user behaviours through continuous machine learning and session-based intelligence. The algorithm is continually refreshed to minimise false positives, and it gets smarter over time, constructing a more accurate picture of each user’s behaviour with each new data point collected. This technology also helps distinguish human from non-human behaviour. For example, bots have very predictable and distinctive patterns in key flight and key press timing, enabling quick detection of these non-human interactions.
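As an added example (not VASCO’s product code and not part of the original article), here is a minimal behavioural scorer in Python that enrols a user model from keystroke dwell and flight times, scores a new session against that model, steps up authentication on a low score, and flags the unnaturally regular timing typical of scripted input. The z-score scoring, the thresholds and all timing data are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def make_session(dwells, flights):
    """Turn dwell/flight lists into (key_down_ms, key_up_ms) events (constructed data)."""
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell = how long each key is held; flight = gap between key-up and next key-down."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell, flight

def build_model(sessions):
    """Enrol a user: mean and spread of dwell/flight over several genuine sessions."""
    per = [features(s) for s in sessions]
    dwells = [x for d, _ in per for x in d]
    flights = [x for _, f in per for x in f]
    # 'or 1.0' avoids division by zero if enrolment data had no variation
    return {"dwell": (mean(dwells), pstdev(dwells) or 1.0),
            "flight": (mean(flights), pstdev(flights) or 1.0)}

def score(model, session):
    """Match score in [0, 1]: 1 means session timing equals the enrolled means."""
    d, f = features(session)
    zd = abs(mean(d) - model["dwell"][0]) / model["dwell"][1]
    zf = abs(mean(f) - model["flight"][0]) / model["flight"][1]
    return max(0.0, 1.0 - (zd + zf) / 6.0)  # six std devs of drift -> score 0

def looks_like_bot(session, min_spread_ms=5.0):
    """Humans vary; scripted input repeats near-identical dwell and flight times."""
    d, f = features(session)
    return pstdev(d) < min_spread_ms and pstdev(f) < min_spread_ms

def decide(model, session, threshold=0.6):
    """Policy: block obvious automation, allow a good match, else step up authentication."""
    if looks_like_bot(session):
        return "block_bot"
    return "allow" if score(model, session) >= threshold else "step_up"

# Constructed enrolment data for one user (two genuine sessions, times in ms)
ENROLMENT = [make_session([100, 120, 110, 90, 130], [200, 180, 220, 210]),
             make_session([105, 115, 95, 125, 110], [190, 230, 200, 170])]
USER_MODEL = build_model(ENROLMENT)
GENUINE = make_session([108, 118, 102, 112, 120], [195, 205, 210, 190])   # constructed
IMPOSTOR = make_session([60, 65, 70, 55, 60], [400, 350, 380, 420])       # constructed
SCRIPTED = make_session([50] * 5, [100] * 4)                              # constructed bot
```

Calling `decide(USER_MODEL, s)` on the three constructed sessions yields `allow`, `step_up` and `block_bot` respectively; a production system would use far more features than two timing averages and would keep updating the model as the user continues to behave normally.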
Right now, you are probably thinking that on paper all of that sounds good, but what about in practice? For example, are there banks using these kinds of bleeding-edge behavioural authentication tools today? The answer is… yes!
- A large subsidiary of a UK bank has incorporated machine-learning software, integrated with the bank’s mobile app and online banking site, to monitor and capture metrics on 500 different online and mobile customer behaviours. These include everything from the angle at which a user holds their phone to the amount of pressure applied when a customer taps the screen, and even the cadence of keyboard strokes. All this data is compiled into a unique biometric profile for each customer, which is then compared against the customer’s behaviour each time they log onto the app or online banking site.
- A subsidiary of a Middle East bank has likewise introduced an integrated mobile identity verification solution based on behavioural biometrics. The selected technology continuously monitors every in-app activity against a unique personal usage profile held on the mobile device. This includes things like finger size, touch pressure and strike area, giving the bank the ability to identify, in real time, whether the card owner is actually the individual accessing and using the app. An executive vice president at the bank suggests that, for them, passive forms of biometrics like behavioural authentication were appealing “because they’re far more natural, seamless and far less intrusive for users than things like facial recognition and iris scans which mostly require them to stop and take an action.”
In summary, many believe that the death of the password will soon become a reality; as one news article noted, even Bill Gates has predicted the demise of the traditional password. However, the pragmatic evolution of the password will first make it a supplement to a more layered security approach, leveraging biometrics and other contextual data. From that point, you can count the days before it is officially kicked to the curb.