Signature Move: Using Behavioral Biometrics for Continuous Authentication

A consistent, individual signature marks the essence of human movement and touch: Fred Astaire never danced like Gene Kelly. Joe DiMaggio didn’t swing the bat like Ted Williams. Jimi Hendrix strummed a guitar in a way so that you just knew it was him playing and not Jimmy Page.

Similarly, in everyday life, we apply our own, distinct signatures when we sign a check or shake someone’s hand—and even physically connect in ways we never think about, such as peeling a banana, turning the page of a book or cracking open an egg. In these and countless other cases, there are differences both obvious and subtle as influenced by personal style/preferences, speed, pressure, dexterity, etc.

This applies, of course, to how we interact with our computers and mobile devices, and the digital world. We create a consistent, personalized profile every time we engage online—one which no one else can physically replicate. This truth propels adoption of a new approach to security already making a difference in the industry: behavioral biometrics.

Behavioral biometrics technologies represent a critical advancement because they enable enterprises to invisibly and unobtrusively authenticate users by validating the manner in which they physically interact online. They “know” how individual users hold mobile devices in their hands, how they type on keyboards, how they move the mouse and cursor, and how they press their fingers on the touchscreen. In addition, the solutions track physical time and location data. With this, they analyze behavior to block suspicious activities and/or direct targeted monitoring without impacting productivity and the user experience. Because it is impossible for malware to accurately impersonate this extent of physical activity, the solutions will “see” a threat presence typing differently, for instance, and immediately respond.

Behavioral biometrics tools take a much more fluid, adaptive approach to risk compared to traditional perimeter products. Unlike facial/thumbprint scanners, they can’t be “fooled” with fake imagery. They also monitor users from the time they connect until they are finished—in contrast to one-time controls such as passwords and tokens, which do not recognize and stop malicious actions after the login process. In an age when the digitization of everything is rapidly accelerating advancements in mobility and the cloud, the solutions bring much promise that, finally, a cybersecurity safeguard has come forward that is as compellingly creative and proficient as the enterprise devices, systems and assets it is designed to protect.
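The contrast between a one-time login check and monitoring "until they are finished" can be shown with keystroke timing. This is an added sketch, not code from the article or from any vendor's product: the two features (key hold time and gap between keys), the z-score scoring, the threshold and the sample values are all assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed sample data: (dwell_ms, flight_ms) per keystroke. Not real measurements.
ENROLLMENT = [(95, 140), (102, 150), (98, 135), (91, 160), (105, 145),
              (99, 155), (94, 138), (101, 149), (97, 152), (103, 141)]
OWNER_WINDOW = [(97, 147), (100, 143), (95, 151), (102, 139), (98, 150)]
OTHER_WINDOW = [(62, 85), (58, 92), (66, 80), (60, 88), (64, 90)]


def build_profile(samples):
    """Per-feature mean and standard deviation from enrollment keystrokes."""
    cols = list(zip(*samples))
    return [(mean(c), stdev(c)) for c in cols]


def window_score(profile, window):
    """Mean absolute z-score of a window's feature averages against the profile."""
    cols = list(zip(*window))
    return mean(abs(mean(c) - mu) / sd for c, (mu, sd) in zip(cols, profile))


def monitor(profile, windows, threshold=3.0, alpha=0.5):
    """Score every window after login; return (first alert index or None, risk trace)."""
    risk, trace, alert = 0.0, [], None
    for i, w in enumerate(windows):
        # Exponentially weighted average damps one-off noise such as a hurried burst.
        risk = alpha * window_score(profile, w) + (1 - alpha) * risk
        trace.append(round(risk, 2))
        if alert is None and risk > threshold:
            alert = i  # point at which a step-up check or session lock would fire
    return alert, trace


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    # The typist changes at window 3, well after the login-time window has passed.
    session = [OWNER_WINDOW] * 3 + [OTHER_WINDOW] * 3
    print(monitor(profile, session))
```

A check made only on the first window would accept this session; the alert comes from continuing to score after login.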

Given this, investment in the solutions is expected to soar: The behavioral biometrics market is projected to grow to nearly $2.6 billion by 2023, up from $675.6 million last year, according to a forecast from MarketsAndMarkets. For enterprises, the following benefits should drive, at the least, initial interest in the innovation, if not eventual, high demand:

Password pain removal. Compromised passwords and other login credentials are too often the path of least resistance in data breaches. Not only do users select and reuse poor passwords, the daily cascade of data breaches means there is healthy trafficking in exposed credentials across the cybercrime underground, where attackers can efficiently acquire thousands of credential combinations to methodically probe sensitive infrastructures until access is granted.

To make matters worse, password oversight burdens IT administrators with endless help desk user requests for resets, the retrieval of forgotten passwords, etc. Through behavioral biometrics, password “pain”—in terms of both the inherent vulnerabilities and drain on help desk resources—is dramatically reduced. What’s more, behavioral biometrics requires no additional user training, hardware or action from IT, eliminating such expenses for enterprises.

A successful transformation. Seven of 10 organizations either have a digital transformation strategy in place, or are pursuing one, according to a survey from Tech Pro Research. Yet, how can a business call itself “transformational” when it still asks staffers to memorize a dozen passwords and/or carry several tokens around with them? Today’s professionals are inclined to seek a frictionless cyber environment, one in which security-related barriers to role-based tasks do not exist. From their perspective, even a single minute devoted to some authentication procedure amounts to “downtime.” Behavioral biometrics brings the immediate freedom of use they’re looking for. Ultimately, an organization’s ability to recruit and retain talent is at stake here, as 62% of employees say that a company’s reputation as a digital leader “greatly” influences their decision to work there.

A trustworthy customer experience. Retailers, banks, restaurants and practically every other consumer-facing business—not to mention mobile app-driven companies such as Uber and SeatGeek—are increasingly leveraging the cloud and mobility to create favorable customer experiences. In the cashless, virtual universe, customers significantly value an organization’s ability to protect their personal information, such as credit card accounts, phone numbers and home addresses. Again, behavioral biometrics fosters frictionless yet highly secure patterns of engagement here. If combined with traditional authentication methods, companies may find that customers will view this as an added layer of defense, thus enhancing the trust factor.

Regulatory relief. Compliance mandates are focusing on privacy more than ever. Enacted in the European Union earlier this year, for example, Payment Services Directive 2 (PSD2) requires payment service providers to ensure strong customer authentication with two factors from two different categories, with one of those categories being “inherence,” or the unique attributes of an individual. According to the European Banking Authority (EBA), behavioral biometrics meets key PSD2 requirements. This validation will likely influence further payment industry standards.

As indicated, the vast majority of organizations are committing to digital transformations. Typically, these initiatives are rooted in “What if?” aspirations which emerge as realities. In the case of behavioral biometrics, “what if?” discussions take on a more profound, human-framed nature—the very “instrument” to authenticate the users happens to be the users themselves. In an era when hackers have proven themselves as the most cunning of adversaries, they may find that this is one “signature” they can’t outfox—and that’s a transforming thought, indeed.

Neil Costigan

Dr. Neil Costigan is CEO of BehavioSec and leads the company strategy to deliver innovative behavioral biometric technology, protecting consumer transactions, payments and financial firms from fraud and theft. For more than 25 years, Neil has facilitated the growth and success of several venture-backed startups and global technology corporations spanning the U.S. and E.U. A cryptographer by training, his career expanded to include software development, executive leadership and entrepreneurship. He holds an extensive portfolio of patents and serves as Principal Investigator for BehavioSec’s U.S. DOD DARPA projects. Prior to BehavioSec, Neil was VP for R&D at Smart Card manufacturer Gemplus (now Gemalto) and Co-founder/CTO at PKI specialists Celo Communications (Celo).
