Goodbye Passwords. Hello Behavioral & Biometric Authentication
Before there were ‘preppers’ there were the sign holders, who would boldly proclaim "The End is Near" on street corners, in football stadiums and anywhere else large crowds gathered. Today, pundits (and others) in the security industry are heralding a similar message: the end, or to put a fine point on it, the death of the static password is near. No surprise, really, given all the reasons why passwords should just go away:
- They’re static: once captured, a password keeps working until the user changes it
- They’re easily phished, guessed or stolen in breaches
- They’re hard to remember
- They’re often re-used from one site to another, maximizing the impact of a single breach.
So, if passwords are going away, it’s logical to ask what will take their place?
In short, authentication technology that minimizes friction for the user: biometrics and, the focus of this discussion, behavioral authentication.
At a high level, biometric authentication covers technologies like fingerprint scans, voice recognition and selfie (face) authentication used to secure a business’s applications and services. In other words, biometrics use physical and behavioral characteristics of each individual as the basis of authentication.
In the healthcare industry, for example, providers in the four-state Novant Health Network can link a patient’s biometric data captured at enrollment (e.g. fingerprints, iris, finger or palm veins and face) to his or her medical record, producing a unique signature that can later be used to rapidly call up that record.
And before you dismiss the significance of this technology: the Biometrics Research Group predicts that such technologies will produce over US$9 billion in revenue for the biometrics industry by 2018.
Analysts, too, are paying attention to this evolution. In fact, Mercator Advisory Group, a trusted advisor to the payments and banking industries globally, recently issued a report entitled "Biometrics: A New Wrinkle Changes the Authentication Landscape," that suggests the need for software-based solutions like multi-modal biometric authentication to drive innovation as well as security.
Mercator further suggests that, in time, authentication will evolve toward "persistent identity": no longer solely a single challenge event such as a fingerprint scan, but a passive trust value uniquely associated with an individual. This trust value would be continually updated from factors including location, sound, face recognition and, significantly, "a range of behavioral inputs." With all these data points, it makes sense that the first evolutionary step for passwords will be to work alongside biometrics, adding a stronger check for "riskier" transactions.
So, what are these behavioral inputs?
Simply put, they’re the way you interact with your device: how you hold it, how you move and click your mouse, the rhythm of your keystrokes, how quickly you move from line to line or page to page. These actions, captured and learned over time, are fed through algorithms that establish a unique pattern for each user, so that each new session can be scored as either the same user requesting access or potential fraud. This is behavioral authentication.
When the behavior of the user (or machine) trying to log in does not match the established user model, the technology can "step up" authentication, for example by requiring an additional biometric factor or a security question. Because the match is probabilistic rather than exact, a mismatch is treated as a risk signal that triggers an extra check, not as proof of fraud: a legitimate user having an off day is not locked out, while someone with a stolen password still has to pass the second factor.
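To make the learn-compare-step-up loop above concrete, here is an added example. It is not VASCO’s or BehavioSec’s code; it models a per-user profile as the mean and spread of a handful of assumed behavioral features (keystroke dwell and flight time, tap pressure, device tilt), scores each new session by its average distance from that profile, and returns "allow" or "step_up". The feature names, thresholds and all session data are constructed for illustration; a real deployment would tune the thresholds on its own false-accept and false-reject rates.

```python
"""
Added example, not VASCO's or BehavioSec's code: a minimal behavioral
authentication loop. A per-user profile is learned from enrollment sessions,
each new session is scored against it, and a mismatch triggers step-up
rather than an outright denial. Feature names, thresholds and all session
data below are constructed for illustration.
"""
from statistics import mean, pstdev
from typing import Dict, List

# One session = feature name -> measured value (constructed feature set;
# a production system would track hundreds of such signals).
Session = Dict[str, float]


class BehavioralProfile:
    """Per-user model: mean and spread of each feature, learned from enrollment."""

    def __init__(self, enrollment: List[Session], min_spread: float = 0.05):
        if not enrollment:
            raise ValueError("need at least one enrollment session")
        self.names = sorted(enrollment[0])
        if any(sorted(s) != self.names for s in enrollment):
            raise ValueError("every enrollment session must carry the same features")
        self.mu: Dict[str, float] = {}
        self.sigma: Dict[str, float] = {}
        for name in self.names:
            column = [s[name] for s in enrollment]
            self.mu[name] = mean(column)
            # Floor the spread at a fraction of the mean: a user whose enrollment
            # happened to be very consistent must not get a profile that flags
            # every normal deviation (that would drive false step-ups).
            floor = min_spread * abs(self.mu[name]) or 1e-9
            self.sigma[name] = max(pstdev(column), floor)

    def distance(self, session: Session) -> float:
        """Mean absolute z-score over all features; lower means closer to the user."""
        if sorted(session) != self.names:
            raise ValueError("session features do not match the profile")
        return mean(abs(session[n] - self.mu[n]) / self.sigma[n] for n in self.names)

    def update(self, session: Session, alpha: float = 0.1) -> None:
        """Exponential moving average so the profile follows gradual drift
        (e.g. a user slowly typing faster) after an accepted session."""
        for n in self.names:
            self.mu[n] = (1 - alpha) * self.mu[n] + alpha * session[n]


def decide(profile: BehavioralProfile, session: Session, high_risk: bool = False) -> str:
    """Return 'allow' or 'step_up'. Riskier transactions get a tighter threshold,
    so the extra factor is demanded sooner for them."""
    threshold = 1.0 if high_risk else 1.5  # assumed thresholds; tune on real data
    score = profile.distance(session)
    if score < threshold:
        profile.update(session)  # only learn from sessions that looked genuine
        return "allow"
    return "step_up"


# Constructed enrollment data: three sessions from the legitimate user.
ENROLLMENT: List[Session] = [
    {"dwell_ms": 100, "flight_ms": 200, "tap_pressure": 0.50, "tilt_deg": 30},
    {"dwell_ms": 104, "flight_ms": 204, "tap_pressure": 0.52, "tilt_deg": 31},
    {"dwell_ms": 96,  "flight_ms": 196, "tap_pressure": 0.48, "tilt_deg": 29},
]
# Constructed test sessions: one from the same user, one from someone else
# who knows the password but holds and types on the phone very differently.
GENUINE: Session = {"dwell_ms": 102, "flight_ms": 198, "tap_pressure": 0.51, "tilt_deg": 30.5}
IMPOSTOR: Session = {"dwell_ms": 150, "flight_ms": 120, "tap_pressure": 0.80, "tilt_deg": 60}


def demo() -> Dict[str, str]:
    """Build a profile and score a genuine and an impostor session."""
    profile = BehavioralProfile(ENROLLMENT)
    return {"genuine": decide(profile, GENUINE), "impostor": decide(profile, IMPOSTOR)}


if __name__ == "__main__":
    print(demo())  # {'genuine': 'allow', 'impostor': 'step_up'}
```

The design choice worth noting is that the profile only learns from sessions it has already accepted: updating on every session would let an attacker slowly drag the model toward their own behavior, which is the behavioral-biometrics equivalent of letting an intruder reset the password.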
Right now you’re probably thinking that all sounds good on paper, but what about in practice? Are there banks using these kinds of bleeding-edge behavioral authentication tools today? Although VASCO has only just entered this market via a partnership with BehavioSec, the broader answer is… yes!
- A large subsidiary of a UK bank has incorporated machine-learning software, integrated with its mobile app and online banking site, to monitor and capture metrics on 500 different online and mobile customer behaviors. These include everything from the angle at which a user holds their phone to the pressure applied when tapping the screen and even the cadence of keystrokes. All this data is compiled into a unique behavioral biometric profile for each customer, which is compared against the observed behavior each time the user logs in to the app or online banking site.
- A subsidiary of a Middle East bank has likewise introduced an integrated mobile identity verification solution based on behavioral biometrics. The technology continuously monitors every in-app activity against a personal usage profile held on the mobile device, covering things like finger size, touch pressure and strike area, giving the bank the ability to identify in real time whether the card owner is actually the individual using the app. An executive vice president at the bank suggests that, for them, passive forms of biometrics like behavioral authentication were appealing "because they’re far more natural, seamless and far less intrusive for users than things like facial recognition and iris scans which mostly require them to stop and take an action."
In summary, many believe that the death of the password will become a reality soon. One interesting factoid: a news article from 2004 records Bill Gates predicting the demise of the traditional password, and here in 2017 it is still with us. The pragmatic evolution of the password will first make it one layer in a more layered approach, alongside biometrics and other contextual data. From there, you can count the days before passwords are officially kicked to the curb.