January 10, 2017
There is little to no doubt that passwords are on their way out of use and relevance with more advanced solutions taking over the market. But no matter what comes next, the most advanced solutions that are increasingly gaining attention and traction are making one major change in ensuring cybersecurity – they introduce invisible, non-interrupting methods of continuous authentication.
The vast majority of authentication methods nowadays are focused on building gateways by either layering factors in attempts to figure out the best combination, or using one particular access-blocking method – XFA has been around for a long time and is firmly rooted across industries. Regardless, all those solutions share one hallmark – an interrupted experience with a personal device or service.
At the same time, customers expect things to happen in nothing less than an instant – financial technology startups taught customers that for services to be relevant, they should expect them to be delivered now or never. Therefore, the whole class of solutions tailored to fortify personal devices and personal accounts from access by improper parties is on a fast track to obsolescence.
Indeed, as fairly noted by Joshua Dziabiak, Co-founder and COO of The Zebra, Consumer’s expectations are increasingly aligned with companies that provide immediate, alternative solutions to everyday life tasks. People expect things to be instant – whether you’re talking about a package delivered from Amazon Prime or a ride appearing at a swipe of their fingertips via Uber.
Why should authentication be any different if the technology to ensure non-interruptive access to personal devices and accounts already exists (although, it does require a certain tuning)?
Any interruption of an online experience increases the chance of a customer growing tired and leaving it altogether. Just like with online shopping, when a customer is redirected off-site to make a payment, the chances are that there will be another abandoned cart. With authentication for access to personal accounts via mobile, the story is similar – it’s additional friction while using a service, however convenient the method is – whether it’s a fingerprint, OTP, PIN, etc.
Instead of interactive authentication, invisible continuous profiling of the user can allow companies to accumulate enough data to truly understand who is using the service based on past usage patterns. No-barrier use of any service undoubtedly smoothens the experience and allows businesses to gather insight on a user’s in-app or online behavior, thus improving the quality of the invisible authentication method.
Modern devices are equipped with all sorts of sensors and most applications are able to track user activity in and even out of the app by getting broader access to the phone’s nooks. Therefore, modern technology and software are ready for the generation of authentication solutions that ensure the person is who he is supposed to be without the need to ask that person to authenticate himself. Behavior-based profiling allows users to freely operate in their personal devices, use services in apps and browsers – all while security solutions are closely monitoring and evaluating whether the behavioral pattern matches the owners’ every time.
One of the examples of such type of solutions is Transmit Security, which automatically learns each and every one of the client’s users: this includes the devices each customer uses, login times, login locations, navigation patterns, in-app activity, and more. Most importantly, the system understands the authentication steps each customer takes and what the impact is on their experience by evaluating factors like: how long did it take to complete? What was the failure rate? What is the abandon rate?
As the company describes the concept of invisible authentication, based on the customer’s behavioral profile, the system makes decisions to minimize friction – it monitors customer activity inside applications and disables the need for interactive authentication as long as the customer remains within safe boundaries. Once the customer steps out of these boundaries, primary or secondary authentication processes are triggered.
Transmit Security is not the first initiative with invisible authentication use case. Bank in 2014, a company called Toopher (acquired by Salesforce in 2015) developed and deployed a two-factor invisible authentication solution for the faculty and staff of the University of Texas. At that time, the solution was focusing on location-based invisible authentication, which can be considered an earlier version of modern advanced invisible authentication solutions monitoring an array of behavioral patterns.
Toopher used the geolocation feature of the mobile device, learning where a user typically logged in to various sites. If a login came from a location that is not typical, a request was sent to the mobile to further authenticate prior to allowing the transaction. The system could also be used to authorize only specific transactions from a provider’s suite of services, or to authenticate the identity.
The widely-recognized BehavioSec is another interesting company that offers a non-conventional approach to security and authentication with the use of behaviometrics, or behavioral biometrics. As the company defines the term,behaviometrics is a measurable behavior used to recognize or verify the identity of a person. Behaviometrics focuses on behavioral patterns rather than physical attributes. By continuously comparing different aspects of the current input stream with a previously stored user profile, behaviometrics can detect anomalies in the user’s behavior within seconds and stop intrusions while they are happening. If the behavior matches, the users get to enjoy an uninterrupted experience with their devices and personal accounts.
The number of elements characterizing behavioral patterns that devices can capture have expanded considerably along with the precision of behavioral profiling. The core idea behind all those solutions remains the same though – to ensure stronger security for whatever operations without having to interrupt the experience.