Understanding Behavioral Biometrics

August 27, 2016

Here at SecureAuth, we talk a lot about adaptive authentication and its role in an innovative security program. As you probably know by now, adaptive authentication offers layered security that pulls off the ultimate balancing act: intelligent access protection and a convenient, appealing user experience.

While authentication is obviously the goal with these technologies, the adaptive part is just as important. In an era where burdensome or complicated security steps will alienate most users, adaptive technologies work with the user rather than disrupting their workflow. Maybe it’s a buyer trying to access his or her own account information or an employee looking up customer data. Whatever they’re doing, a variety of behind-the-scenes processes calculates their validity and takes dynamic action, rather than stopping them and asking them to complete yet another step to authenticate their identity. Using techniques like device recognition, geo-velocity, geo-location or IP reputation, adaptive authentication contextualizes those elements for accurate user identification.

But while those may be the best-known techniques, they aren’t the only ones. Behavioral biometrics is becoming an important and integral new part of authentication solutions – precisely because it involves user behavior that is almost impossible for a hacker to duplicate.

After all, hackers can steal login credentials, and a device that's already logged in can be used by someone else. But attackers can’t usually mimic a user’s identity down to their typing behavior and mouse movement. That’s where behavioral biometrics come in, by working with user traits so subtle that the human eye would have a hard time observing them. This technology records those nuances and microbehaviors and compares them against the behavior seen at subsequent logins to validate the user’s identity.

No doubt you’re familiar with physical biometrics, such as a fingerprint swipe on your phone. Retina scans and voice comparisons are other common biometrics, which essentially authenticate users by measuring their biological characteristics. Again, these are factors that are almost impossible for a malicious actor to fake or duplicate.

Behavioral biometrics, though, work with behavioral patterns rather than biological attributes. The concept is built on the same foundation in that the user acts as the core asset – something difficult for a hacker to imitate. Each user is an individual with their own ways of interacting with computers, and those unique elements become the authentication criteria.

Turning Individuality into Innovative Security

Granted, it’s not something that we’re often conscious of, but we all have unique patterns and idiosyncrasies in how we use the tools at our disposal. Consider the speed and rhythm as we type on the keyboard or the ways we click and move our mouse. We may pause regularly at certain points, favor the top numeric keys over the side number pad or prefer certain controls over others. The way we access programs, move between apps or interact with graphic icons and visual indicators are distinctive too. Even subtle social and psychological cues like our use of language are highly individual.

Of course, most of us aren’t aware of these as we use our smartphones and laptops each day. And were we to observe our coworkers, for instance, we probably wouldn’t be able to describe most of their patterns either. But while these nuances may be too subtle for human observation, behavioral biometric technologies can perceive them just fine. And they can measure, analyze and record these unique characteristics and turn them into a pattern, one that can be compared when the user logs back in, to approve or deny their authentication.

Imagine an insider threat, for example. Maybe an employee obtains coworker credentials or sits down at a workstation computer where a valid user has already logged in. With behavioral biometrics, the technology will analyze the input patterns of the new user and compare them to the stored behaviometric patterns of the valid employee. Both similarities and differences will be recognized and factored into an algorithm that calculates the possibility of it being the correct user. And because it’s highly unlikely the malicious employee can imitate the real user’s keyboard rhythm and mouse movements, the technology will perceive and shut down the threat.
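The compare-and-score step described above, worked through for one signal (typing rhythm). This is an added example, not SecureAuth's algorithm: the scaled Manhattan distance, the 3.0 threshold, the function names and the timing data are all assumptions constructed for illustration.

```python
from statistics import mean

def make_events(keys, dwells, flights):
    """Build (key, press_ms, release_ms) tuples from constructed timings."""
    t, out = 0, []
    for i, k in enumerate(keys):
        out.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

def features(events):
    """Dwell time per key, then flight time between consecutive keys (ms)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature mean and mean absolute deviation (floored at 1 ms)."""
    cols = list(zip(*(features(s) for s in samples)))
    mu = [mean(c) for c in cols]
    mad = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, mu)]
    return {"mean": mu, "mad": mad}

def score(template, events):
    """Scaled Manhattan distance per feature; lower means closer to the template."""
    v = features(events)
    if len(v) != len(template["mean"]):
        raise ValueError("sample does not match the enrolled passphrase length")
    return mean(abs(x - m) / d for x, m, d in zip(v, template["mean"], template["mad"]))

def decide(template, events, threshold=3.0):
    """threshold is an assumed value; tune it on real enrollment data."""
    s = score(template, events)
    return ("allow" if s <= threshold else "step_up"), round(s, 2)

# Constructed timings (ms) for the passphrase "pass"; not real measurements.
KEYS = "pass"
ENROLLMENT = [make_events(KEYS, d, f) for d, f in [
    ([95, 110, 88, 102], [140, 60, 155]),
    ([100, 105, 92, 98], [150, 55, 160]),
    ([90, 115, 85, 105], [145, 65, 150]),
    ([97, 108, 90, 100], [135, 58, 158]),
]]
TEMPLATE = enroll(ENROLLMENT)
OWNER_LOGIN = make_events(KEYS, [96, 107, 91, 99], [143, 61, 153])
OTHER_USER = make_events(KEYS, [130, 80, 120, 140], [90, 110, 220])

if __name__ == "__main__":
    print("owner:", decide(TEMPLATE, OWNER_LOGIN))
    print("other:", decide(TEMPLATE, OTHER_USER))
```

A score above the threshold returns `step_up` rather than a hard deny, so the behavioral signal triggers an additional factor instead of locking out a legitimate user who is typing differently that day.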

There’s a certain irony here, in that the randomness of human behavior has traditionally been a security vulnerability IT teams have had to anticipate in designing controls to reduce risk. Every customer, employee, administrator and user has their own set of preferences, patterns and nuances when they sit down at a computer or type on their smartphone. Now, thanks to behavioral biometrics, security practitioners have found a way to turn our unique behaviors into a powerful weapon in stopping attacks.
