Just as the number of ways to transact online grows, so too, do the types of devices we use to connect to our transactional accounts, writes Simon Armstrong, VP of Products at authentication and mobile app security provider, Entersekt.
While providing strong device identity and customer authentication must remain the top priority when securing accounts and data, advances in biometric identification are helping organisations provide a better customer experience.
Most devices rely on some physiological means to identify users. These are usually fingerprints, facial recognition, or in some advanced cases retina scanning. These are strong or static biometric signatures. But we also have unique ways of interacting with our devices and these behavioural biometrics are providing some useful new ways to help secure data and account access.
By collecting data on how users typically interact with their digital devices, such as the pressure they apply to the touchpad, the speed with which they type, how they hold their device, and when and how the device ordinarily connects to the internet, organisations gain valuable insight into user behaviour.
Behavioural biometrics allow us to, at a minimum, detect patterns of interaction that indicate a bot is masquerading as a user, which is really useful because that’s a whole category of risk and potential fraud vectors that we can rule out straight away. Then you can take it one level deeper, and you can predict how likely it is that it’s a known human and that they’re showing the same behavioral patterns that you’ve seen in the past.
Entersekt biometrics partner NuData Security has found that with just 10 successful logins over three months companies will have an accurate profile of how a user typically interacts with their device. Any deviation from that profile will trigger an alert in the system to flag potential automation, spoofing, interception and manipulation of communications by malware, and other anomalies. Based on an organisation’s business rules, such an alert could for example trigger step-up authentication, prompting the user to confirm the transaction via various channels such as Entersekt’s in-app solution.
Behavioral biometrics and other similar risk indicators help us to know more about a transaction and make better decisions about what kind of authentication to deploy in any particular environment. So, for example, someone trying to just log into an account might require different levels of security than someone looking to make a payment.
This is key when it comes to keeping user friction low. When I’m in my house, I don’t lock each door as I leave the room because once I’ve gained front door access to my house, I want to be able to move freely through the house. We’re always trying to design processes where the user experience is as slick as possible without compromising on security.
Biometrics are great, just not on their own
While we are enthusiastic about the potential of behavioural biometrics when it comes to lowering user friction, they can’t be used in isolation.
When a company requires strong authentication of users for sensitive transactions, it is not enough to rely on risk indicators like behavioural biometrics as there is no 100% reliable way to link usage patterns to an individual. These risk indicators give us enough information about the user to define what strong methods of authentication to deploy. For strong authentication we would need to combine at least two of the three possible factors we rely on.
They are knowledge (something the user knows- a PIN), possession (something the user has- a mobile phone), and inherence (something the user is -fingerprint, retinal pattern). A limiting factor of behavioural biometrics is that we see subtle changes in the way a user behaves over time and this level of change makes it unreliable as a strong factor of authentication.
Looking ahead, the field of biometrics will increase as we adopt more devices. This is particularly the case in the growing field of wearable technology.
It’s become increasingly common to have your heart rate constantly read off your wrist by a smartwatch or fitness tracker. So there’s every likelihood that someone might develop an identity or a biometric signature that’s linked to your vital statistics. In the same way that voice recognition is becoming commonplace, having verbal security is going to be a given.
Although these still wouldn’t be good enough for strong authentication on their own, we would certainly work with companies using new ways to identify users and help amalgamate all of the new technologies. This is a constantly evolving field and we can similarly expect multi-factor authentication to shift and change to accommodate that in the next few years.