Behavioral Biometrics: People-Friendly Zero Trust

Behavioral biometrics bring a better user experience to authentication

COVID-19 may very well redefine our work, our homes, our very lives for the foreseeable future. As we near the end of 2020, 75% of employees now work from home (WFH), compared to just 25% for the prior year, with 84% of U.S. companies likely to continue their broader WFH adoption after the pandemic. As a result, the line between device usage for personal and professional needs is blurring further, with 53% of employees using personal laptops and computers for business.


When not on the job, we now use our devices more than ever to shop, bank, socialize and otherwise just get through the day. The first seven months of 2020 saw $434.5 billion in online purchases, with the pandemic driving an extra $93.9 billion since March. In the financial services sector, nearly 50% of consumers now use their primary bank’s mobile app more often, or for the first time, up from 29% in early April.

However, this greater reliance coupled with the dissolving line between work and home device usage is also increasing individual and organizational risk. Six of every 10 employees believe their company hasn’t provided the tools needed to fully safeguard their personal devices used on their company’s behalf for work. At the same time, 63% of cybersecurity pros report a rise in cyberattacks since the pandemic. Ransomware attacks alone have spiked 72% during this period.

Clearly, we were not prepared for the unsettling events of 2020—and these are challenging times that have forced us to better consider safety, security and business continuity readiness. Converging security, privacy and productivity pressures demand new approaches to protection—such as zero-trust strategies that reconsider traditional security controls with an eye toward how we use devices and data today.

Through zero trust, companies elevate authentication far beyond mere passwords and establish a culture of “never trust, always verify.” Security teams must assume that there are constantly both external and internal threats seeking to “enter the gate” by any means possible. The principle of least privilege remains a key component of zero trust, restricting employees, contractors, partners, etc., to solely the access needed to do their jobs.

Importantly, effective zero-trust strategies focus on rethinking existing defense layers, not just adding more new layers. For example, requiring users to carry tokens or answer the now-ubiquitous challenge-response “CAPTCHA” prompts (“Click every picture with traffic lights in it.”) is meant to thwart fraudsters. But these measures also degrade interfaces and the user experience. Similarly, many businesses rotate through questions such as “What’s your favorite movie?” and “What was the name of your elementary school?” These tests are based on what users know. But they are not enough and in fact are rapidly emerging as antiquated, as cybercriminals have repeatedly proven that they can overcome such knowledge-based defenses to compromise accounts, devices, systems and networks—and in some cases, have managed to capture the answers to these standardized questions and use them for subsequent attacks.

Reflexively adding more, or repetitive, authentication layers results in unnecessary friction, as employees and customers take multiple, tedious authentication steps which are frequently inefficient, too. For example, how often have you clicked on every traffic light in the picture, only to have the CAPTCHA make you do it all over again? No one enjoys doing this. People want a simple, streamlined experience, especially on their mobile devices, where their banking, shopping and other engagements are both convenient and secure.

Instead, organizations should stop relying upon outdated, ineffective tools and tactics and frame their zero-trust strategies on an alternative, very human-oriented approach called behavioral biometrics. Unlike possession or knowledge-based controls, behavioral biometrics tools are about “inherence,” or the unique attributes and personality of the individual. When swinging a tennis racket, playing a musical instrument, tossing a ball, flipping through a book, etc., everyone interacts with “things” in their own, unique manner based on their personal style/preferences, speed, pressure, dexterity and so on.

Behavioral biometrics tools enable security teams to leverage these uniquely human attributes to invisibly, unobtrusively and more reliably authenticate users by tracking how they physically interact with machines/devices through their digital identities. Behavioral biometrics solutions store how users hold smartphones in their hands, and how they type on keyboards, move their mice and press fingers on touchscreens. Individual and unique behavioral profiles of employees, customers and other users are built and used to confirm their digital identities with unambiguous accuracy, helping organizations block the activity of those who do not match the known, verified profiles.
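As an added illustration that is not from the article or any vendor's product: a minimal keystroke-dynamics check in Python, showing how a typing profile is enrolled and how a later session is scored against it. It assumes a fixed enrollment phrase, keystrokes logged as (key, press_ms, release_ms), and constructed timing data; the phrase, the spread floor and the acceptance threshold are all assumptions.

```python
from statistics import mean, pstdev

PHRASE = "hello"   # fixed enrollment phrase (assumed; constructed example)
MIN_SD_MS = 5.0    # floor on per-feature spread so a near-constant feature cannot dominate
THRESHOLD = 2.0    # accept when the mean absolute z-score is below this (tuned per deployment)

def make_session(dwells, flights, start_ms=0):
    """Build (key, press_ms, release_ms) events for PHRASE from timing lists (constructed data)."""
    events, t = [], start_ms
    for i, d in enumerate(dwells):
        events.append((PHRASE[i], t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell time of each key plus flight time from one key's release to the next key's press."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(sessions):
    """Per-feature mean and (floored) standard deviation over the user's enrollment sessions."""
    columns = list(zip(*(features(s) for s in sessions)))
    return [(mean(c), max(pstdev(c), MIN_SD_MS)) for c in columns]

def verify(profile, events):
    """Return (accepted, score); score is the mean absolute z-score of the new session."""
    vec = features(events)
    if len(vec) != len(profile):
        raise ValueError("session does not match the enrolled phrase length")
    score = mean(abs(x - mu) / sd for x, (mu, sd) in zip(vec, profile))
    return score < THRESHOLD, score

# Constructed timings (ms): three enrollment sessions, one genuine retry, one impostor.
ENROLL = [
    make_session([95, 100, 105, 98, 102], [150, 160, 140, 155]),
    make_session([100, 104, 101, 95, 105], [145, 165, 138, 160]),
    make_session([92, 98, 108, 100, 99], [155, 158, 145, 150]),
]
GENUINE = make_session([97, 101, 103, 99, 101], [152, 162, 142, 153])
IMPOSTOR = make_session([60, 65, 58, 62, 70], [250, 240, 260, 245])  # shorter holds, longer gaps

if __name__ == "__main__":
    profile = enroll(ENROLL)
    for name, session in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, verify(profile, session))
```

In production the profile would be updated continuously from many sessions and combined with other signals (mouse, touch, device posture), not decided from one phrase.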

What’s more, behavioral biometrics delivers the frictionless experience that users seek and that digital transformation projects are working toward. Instead of jumping through ubiquitous authentication hoops and loops of inputting passwords, one-time passcodes, recalling personal answers verbatim, fumbling for a token and fast-clicking a CAPTCHA, they are required to do … nothing. Nothing, that is, except what they want to do—which is to work, shop, bank and talk, seamlessly.

It’s safe to say that most of us look forward to turning the calendar page from 2020 and eventually, returning to a fully realized, balanced human life experience. But our society, especially our digital one, will be forever changed. Hopefully, we have learned valuable lessons, including how to offer safe and seamless digital experiences. Zero trust offers this, but only if we think beyond the familiar world of passwords, codes, questions, tokens and CAPTCHAs. Behavioral biometrics brings the next evolutionary, people-friendly approach to authenticate, well … people!
