From a characteristic as an asset to a human as an asset
The exploration of biometrics for commercial use is usually limited to ‘traditional’ biometrics – fingerprints, facial recognition, voice, palm, vein pattern, hand geometry and iris. A vast array of companies has turned to biometric-based authentication because the technology is believed to provide the necessary level of security and convenience for the end user. In fact, the next generation biometrics market is expected to top $24 Billion by 2020, growing at a CAGR of 17.9% between 2015 and 2020.
And while the fingerprint frenzy takes place across industries, some of the smartest players (we will cover them further) are experimenting with what is expected to become the next generation of biometric authentication – behavioral biometrics, or, as the Nordic biometrics startup BehavioSec calls them, behaviometrics.
As the company defines the term, "behaviometrics is a measurable behavior used to recognize or verify the identity of a person. Behaviometrics focuses on behavioral patterns rather than physical attributes."
Neil Costigan, CEO of BehavioSec, broke down some elements of a person’s behavior to give an example of what the technology looks at: “The way you use the device. Do you zoom across the screen with the mouse and then hover over a button? Which way do you circle the cursor? On mobile devices it would also be the depth of touch, how you move your finger across the screen, how much of your finger is on the screen, how hard you're pressing, the angle you hold the phone and so on.”
Behaviometrics solutions are able to create a highly accurate and precise picture of the user by examining a range of behavioral patterns, actively evaluating the user’s unique kinetic interaction signature with their mobile device, as Zighra, another company operating in the field, notes.
“The strongest authentication schemes will always make use of multiple factors, i.e., something I know, something I have and something I am,” said Stephen Cox, Chief Security Architect at SecureAuth, one of the leading companies in adaptive access control and management solutions.
As the Defense Advanced Research Projects Agency (DARPA) explains, the combinatorial approach of using multiple modalities for continuous user identification and authentication is expected to deliver a system that is accurate, robust, and transparent to the user’s normal computing experience. The authentication platform will be developed with open Application Programming Interfaces (APIs) to allow the integration of other software or hardware biometrics available in the future from other sources.
Ever-increasing accuracy powered by machine learning
The shift in biometric-powered security from one-time, static checks to ongoing authentication is not the only important part of the story. Another hallmark of behaviometrics is that, with learning capabilities, these solutions continuously improve their accuracy: they learn a wide variety of pattern elements for a particular user, all in the background, dynamically strengthening the security layer. The longer a solution is able to monitor the user and enrich its database, the more accurately it recognizes the owner of the device and the more secure the protection it provides.
Hence, as BehavioSec suggests, by continuously comparing different aspects of the current input stream with a previously stored user profile, behaviometrics can detect anomalies in the user’s behavior within seconds and stop intrusions while they are happening.
The whitepaper by BehavioSec called ‘Behavioral Biometrics: Balancing Security with Usability’ elaborates on the importance of learning elements, noting that behaviometrics continuously monitor the user during the whole working session to create an ongoing authentication process, because a human behavioral pattern consists of a variety of different unique “semi-behaviors”, all mixed together into a larger and utterly unique profile.
And since every person's unique behaviometric pattern is formed not only by biometric features but is also influenced by more social and psychological means, it is just about impossible to copy or imitate somebody else’s behavior in front of the computer.
It's also important to note that, as development and deployment continue over the years, behaviometrics will only become more secure and accurate because solutions will be able to triangulate behavior across connected devices. With 28 billion connected devices forecast by 2021, behaviometric profiles will become richer and more accurate by learning from a wider range of a particular user's interactions with a variety of devices.
Companies working with behaviometrics
Behaviometric authentication has remained a niche market, with a limited number of solution providers and a reputation for still being partially experimental. In 2016, however, companies like Balabit, FSTBM, NetGuardians, SecureAuth, NuDetect, BioCatch and the others mentioned earlier may change that and bring behaviometrics into the mainstream, given the scale of breaches, the substantial cost of security breaches and security-related tension.
But while localized efforts of the above-mentioned companies certainly facilitate a transition to the new era of security, it appears that some large tech companies are also looking and working intensively in the field. Microsoft, for example, has an impressive record of working with biometrics with a number of patents filed. In June this year, Microsoft and BioCatch announced the integration of additional Microsoft Azure capabilities into its behavioral biometrics technology, enhancing BioCatch’s ability to detect and fight financial fraud at some of the largest banks and e-commerce sites around the world.
Earlier, in March, Microsoft also announced that its latest version of Windows Defender Advanced Threat Protection, an anti-malware service, is powered by a combination of Windows behavioral sensors, cloud-based security analytics, threat intelligence, and by tapping into Microsoft’s intelligent security graph. This security graph provides big-data security analytics that look across aggregate behaviors to identify anomalies – informed by anonymous information from over 1 billion Windows devices, 2.5 trillion indexed URLs on the Web, 600 million reputation lookups online, and over 1 million suspicious files detonated every day.
The same month, Balabit, a contextual security technologies provider, announced the release of the new Blindspotter version that extends behavior analysis with biometrics. The new version of its User Behavior Analytics (UBA) solution features several new and unique machine learning algorithms that help security teams to quickly identify hijacked accounts or discover forbidden account sharing, thereby avoiding large-scale data breaches or compliance problems. With this latest version, Blindspotter is able to analyze keystroke and mouse movement patterns and identify cases when an account is used by someone else, other than the authenticated user.
Balabit also has Balabit Shell Control Box, a user monitoring appliance that controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. The Blindspotter software sifts through the data collected by the Shell Control Box and looks for anything out of the ordinary. As reported by eWeek, in addition to spotting things like a user coming into the network from a strange IP address or at an unusual time of day, Blindspotter is able to analyze what's happening with each user to detect deviations from normal behavior.
Security solutions company TeleSign, which counts Salesforce, Evernote, Tinder and many other interesting companies among its customers, launched a new technology in April that enables web and mobile applications to use behavioral biometrics as an additional layer of security. TeleSign Behavior ID is designed to provide frictionless and continuous user authentication. Behavior ID delivers a “similarity score” and “confidence ratio” based on a set of behavioral biometric traits that are collected, analyzed and rated along the user journey, from initial account creation through ongoing access and usage of an account. Based on specific consumer logins and activity you choose to monitor, Behavior ID will rate the user’s current interactions against their profile and provide a recommended action to allow, challenge or block access to the account.
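The profile comparison described earlier (current input checked against a stored, continuously learned user profile) and the score-to-action mapping described above can be sketched generically. This is an added example, not code from BehavioSec, TeleSign or any other vendor named here; the features, the z-score similarity formula, the thresholds and the sample timings are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Running per-feature mean/variance (Welford) of one user's input timings."""
    n: int = 0
    mean: dict = field(default_factory=dict)
    m2: dict = field(default_factory=dict)

    def update(self, sample):
        self.n += 1
        for k, x in sample.items():
            mu = self.mean.get(k, 0.0)
            self.mean[k] = mu + (x - mu) / self.n
            self.m2[k] = self.m2.get(k, 0.0) + (x - mu) * (x - self.mean[k])

    def similarity(self, sample):
        """1.0 means identical to the profile; tends to 0 as mean |z-score| grows."""
        z = []
        for k, x in sample.items():
            std = max(math.sqrt(self.m2[k] / (self.n - 1)), 1.0)  # floor avoids /0
            z.append(abs(x - self.mean[k]) / std)
        return 1.0 / (1.0 + sum(z) / len(z))

def evaluate(profile, sample, min_samples=5, allow_at=0.5, block_below=0.25):
    """Return (action, similarity, confidence) for one observed sample."""
    confidence = min(1.0, profile.n / min_samples)
    if confidence < 1.0:                 # profile too thin to trust a score
        return "challenge", 0.0, confidence
    sim = profile.similarity(sample)
    if sim >= allow_at:
        profile.update(sample)           # learn only from accepted behaviour
        return "allow", sim, confidence
    return ("challenge" if sim >= block_below else "block"), sim, confidence

def demo():
    # Constructed keystroke timings in ms: (key dwell, flight between keys).
    enrol = [(90, 130), (100, 150), (95, 140), (105, 145), (85, 135), (95, 140)]
    profile = Profile()
    for d, f in enrol:
        profile.update({"dwell": d, "flight": f})
    session = [(98, 137), (60, 220), (108, 150)]   # owner, stranger, borderline
    actions = [evaluate(profile, {"dwell": d, "flight": f})[0] for d, f in session]
    return actions, profile.n

if __name__ == "__main__":
    print(demo())
```

Updating the profile only on an "allow" outcome keeps a rejected or challenged session from gradually pulling the stored profile towards someone else's behaviour.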
In May, another tech company, Google, was reported to be stepping up with its Project Abacus, which is expected to make Android apps password-free by the end of 2016. Under the project, the company intends to allow users to log in automatically by analyzing how they use their phones. Project Abacus analyzes patterns of phone usage and then calculates the probability, called the "Trust Score", that the user's identity is authentic. As reported by IB Times, the tech giant hopes to develop and roll out a "Trust Score API" to developers by the end of 2016, which will then be tested to determine the effectiveness and security of the password-free login concept.
IBM is not lagging with behavioral biometrics either. At the end of October, the company announced new behavioral biometric analysis capabilities in its digital banking fraud prevention technology, Trusteer Pinpoint Detect, using patented analytics and machine learning for real-time cognitive fraud detection. The new behavioral biometric capabilities incorporate the use of machine learning to help understand how users interact with banking websites, creating gesture models based on patterns of mouse movements that become increasingly more accurate over time.
According to the official press release, the new behavioral biometric analysis features of IBM Trusteer Pinpoint Detect enable real-time risk assessment based on gesture modeling. When users access their online banking site, IBM Trusteer Pinpoint Detect is designed to collect user behavior, detect potential device spoofing, identify access with compromised credentials, and correlate various other device attributes. Through the addition of cognitive fraud detection, Trusteer Pinpoint Detect is designed to also provide real-time evaluation of behavioral biometric indicators.
Nationwide Building Society
As for financial institutions, the Nationwide Building Society was reported in April to have developed a prototype within a mobile banking app, which could provide an extra layer of behavioral biometrics security by recognizing unique patterns from people's natural interactions with their smartphone or tablet. The app went on to win a retail Banking Award later in May. The prototype was developed by Nationwide's "innovation team" in partnership with technology companies BehavioSec and Unisys. It gives people a certain percentage score. People would have to achieve a certain percentage likeness to the way they personally use their phone or tablet to get the go-ahead within the app.
Banks’ answer to Venmo and PayPal, Zelle was recently reported to be adding behavioral biometrics to increase its security. Early Warning and behavioral biometrics provider NuData Security have formed a strategic alliance to further protect the banks’ real-time money transfers.
Interestingly, Early Warning’s involvement with behaviometrics does not start with this partnership. In April last year, Early Warning formed a strategic alliance with BioCatch. Through that collaboration and Early Warning’s consortium model, financial services organizations gained and shared behavioral intelligence to improve the visibility of digital threats to reduce new account fraud and account takeover while simultaneously improving their users’ experience. Early Warning’s new offering transparently maps criminal behavior in the digital ecosystem, distinguishing the human from the non-human. It is used for new account enrollment as well as existing account logins and sessions.
Just this Thursday, the previously mentioned BioCatch announced that it has launched its next-gen platform to optimize the implementation and performance of behavioral biometrics online and on mobile at the enterprise level. BioCatch currently protects more than 1 billion transactions per month, helping to significantly reduce fraud and identity theft.
The previous set of companies applies behaviometrics to decide whether to grant access to a system, device and so on. There is another set: companies that provide behavioral analytics tools without an accompanying security solution. Those are companies like Exabeam, ContinUse Biometrics, GuruCul, Interset, RedOwl, Fortscale and others. Paired with a security solutions provider, those companies are also on the path of powering a behaviometrics-based security solution.
Everything we do reveals a complex pattern, making behaviometrics the centerpiece of next-gen security solutions
Behaviometrics-based security solutions use the individual as their core asset, as BehavioSec puts it. “Everything we do on the phone, browser or computer reveals patterns. These are composed of a collection of semi-behaviors, determined by a combination of cognitive, physiological and mechanical factors, and are not prone to being spoofed or replicated by anyone. Behavioral biometrics identifies these patterns by collecting information, not on what the user is doing but rather how they are doing it.”
Behaviometrics-based security solutions have a range of strengths, recognized and offered by all companies working with them: those solutions are capable of learning, they are dynamic and continuous, they assess complex human behavior based on hundreds of characteristics, they adapt to changing behavior to remove any friction for the end user, and they provide full transparency for easy assessment and adjustment.
Indeed, results of a study that surveyed 600 security professionals across 15 industries in the US and was published at the end of June suggest that 76% of companies have already implemented or plan to implement behavioral biometrics: 22% are already using the technology and 54% plan to implement behavioral biometrics in 2016 or later. Moreover, 90% of respondents rate behavioral biometrics as an extremely or very valuable technology for increasing account security beyond password protection.