Behavioral and biometric mobile authentication will end passwords
David Vergara in Security, Friday, September 15, 2017
How mobile biometric and behavioral authentication methods will soon overtake the standard password as technology improves.
According to Robert Svensson in his book "From Hacking to Report Writing: An Introduction to Security and Penetration," the first computer system to use passwords was built by researchers at the Massachusetts Institute of Technology (MIT) in the 1960s. Shortly thereafter, the computer's passwords were compromised when a researcher exploited a function in the system that let him print out a list of all his colleagues' passwords; he then used them to claim a share of his colleagues' allotted usage time.
In the fifty-plus years since, passwords have become routine for users (i.e. routinely required to be changed, and just as routinely compromised). Even among the IT cognoscenti, they are a constant source of divisiveness, and those in the know have hoped for some time that something better would eventually come along to replace them.
As recently as August 2017, Bill Burr - the author of an eight-page guide on best practices for secure passwords that was eventually evangelized by the US National Institute of Standards and Technology (NIST) - admitted that his guidance on password requirements, which addressed everything from email accounts to login pages, was wrong. "In the end, the guidelines were probably too complicated for a lot of folks to understand very well and the truth is, it was barking up the wrong tree."
Nevertheless, the drumbeat from various pundits (and others) in the security industry to finally rid the industry of passwords continues. No surprise, really, given all the reasons why passwords should just go away:
- They're static
- They're easily hacked/stolen
- They're hard to remember
- They're often re-used from one site to another, maximizing the impact of breaches.
So, if passwords are going away, it's logical to ask what will take their place. In short, a security technology that minimizes friction. For the purposes of this discussion, it's behavioral authentication.
Think of behavioral authentication as the 21st century equivalent of the way that crimes were (and still in most cases are) solved, both in books and in real life. We all know that fingerprints are unique to an individual; however, an even more dependable and revealing exemplar (and one especially well-suited to today's digital habits) of who a user is and what they're doing online may be how a user interacts with his (or her) keyboard (e.g. typing cadence, keystrokes, mouse movements, and so on).
And before you dismiss the significance of this technology, the Biometrics Research Group predicts that such technologies will produce over US$9 billion of revenue by 2018 for the biometrics industry.
Additionally, Mercator Advisory Group, a trusted advisor to the payments and banking industries globally, recently issued a report entitled "Biometrics: A New Wrinkle Changes the Authentication Landscape," that suggests the need for software-based solutions like multi-modal biometric authentication to drive innovation as well as security.
Mercator further suggests that, in time, the concept of "persistent identity" will dominate. This will be where authentication no longer is solely about a single challenge event such as a fingerprint scan, but evolves into a passive trust value that's uniquely associated with an individual. This "trust value" will be continually updated based on factors including location, sound, face recognition and, significantly, "a range of behavioral inputs."
So, what are these behavioral inputs?
Simply put, they're the way you interact with your device: how you hold and use your mouse, how you make keystrokes, how quickly you move line-to-line or from page to page. These actions, analyzed and learned over time, are fed through algorithms to establish a unique pattern for each user, which is then used to determine whether it's the same user requesting access or potential fraud. When the behavior of the user trying to log in does not match the established user model, the technology can "step up" authentication, which can include an additional biometric authentication measure or a security question, for example.
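The learn-a-profile, score-a-session, step-up-on-mismatch loop described above can be sketched in a few dozen lines. The block below is an added illustration, not code from the article or from any vendor it mentions; the three features (mean key dwell time, mean key-to-key flight time, mean pointer speed), the z-score comparison, the enrolment and test sessions, and the allow / step-up / deny thresholds are all constructed assumptions chosen to make the arithmetic easy to follow. A production system would use many more features and a learned rather than hand-set decision boundary, but the shape of the decision is the same.

```python
"""Toy behavioral-authentication scorer (added example; thresholds and data are constructed).

A per-user profile is the mean and standard deviation of each feature across
enrolment sessions.  A new session is reduced to the same features, each feature
is turned into an absolute z-score against the profile, and the average z-score
drives the access decision: allow, step up (ask for a second factor), or deny.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Session:
    dwell_ms: list          # how long each key was held down (ms)
    flight_ms: list         # gap between releasing one key and pressing the next (ms)
    pointer_px_per_s: list  # sampled pointer speeds (px/s)


def features(s: Session) -> dict:
    """Collapse a raw session into one number per behavioral feature."""
    return {
        "dwell": mean(s.dwell_ms),
        "flight": mean(s.flight_ms),
        "pointer": mean(s.pointer_px_per_s),
    }


def build_profile(sessions: list) -> dict:
    """Per-feature (mean, std-dev) learned from a user's enrolment sessions."""
    rows = [features(s) for s in sessions]
    profile = {}
    for name in rows[0]:
        vals = [r[name] for r in rows]
        # Floor the std-dev so a perfectly consistent user never divides by zero.
        profile[name] = (mean(vals), max(pstdev(vals), 1e-6))
    return profile


def anomaly_score(profile: dict, s: Session) -> float:
    """Average absolute z-score of the session's features against the profile."""
    f = features(s)
    return mean(abs(f[name] - mu) / sd for name, (mu, sd) in profile.items())


def decide(score: float, allow_below: float = 1.5, deny_above: float = 4.0) -> str:
    """Map the anomaly score onto the article's allow / step-up / deny outcomes."""
    if score < allow_below:
        return "allow"
    if score > deny_above:
        return "deny"
    return "step_up"


# Constructed enrolment data: three sessions from the legitimate user.
ENROLMENT = [
    Session([86, 90, 88], [114, 118, 116], [770, 790]),
    Session([90, 94, 92], [122, 126, 124], [810, 830]),
    Session([88, 92, 90], [118, 122, 120], [790, 810]),
]
PROFILE = build_profile(ENROLMENT)  # dwell ~90, flight ~120, pointer ~800

# Constructed test sessions.
GENUINE = Session([89, 93, 91], [119, 123, 121], [795, 815])   # close to profile
DRIFTED = Session([92, 96, 94], [126, 130, 128], [820, 840])   # plausibly the user, tired or on a new device
IMPOSTOR = Session([140, 140], [200, 200], [400, 400])         # nothing like the profile


def evaluate(s: Session) -> str:
    """Full pipeline for one login attempt against the enrolled profile."""
    return decide(anomaly_score(PROFILE, s))


if __name__ == "__main__":
    for label, sess in [("genuine", GENUINE), ("drifted", DRIFTED), ("impostor", IMPOSTOR)]:
        print(f"{label:9s} score={anomaly_score(PROFILE, sess):6.2f} -> {evaluate(sess)}")
```

The middle band is the important design choice: a drifted session is not rejected outright, it triggers the step-up the article describes, so a legitimate user on an unfamiliar device sees one extra prompt rather than a lockout, while a session far outside the profile is refused without leaking which feature gave it away.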
Right now, you're probably thinking that on paper that all sounds good, but what about in practice? For example, are there banks using these kinds of bleeding-edge behavioral authentication tools today? In fact, yes, there are:
- A large subsidiary of a UK bank has incorporated machine-learning software, integrated with the bank's mobile app and online banking site, to monitor and capture metrics on 500 different bank customers' online and mobile behaviors. These include everything from literally the angle at which a user holds their phone to the amount of pressure used when a customer taps on a screen, and even the cadence of keyboard strokes. All this data is compiled to build a unique biometric profile for each customer, which is compared against each subsequent login to the app or online banking site.
- A subsidiary of a Middle East bank has likewise introduced an integrated mobile identity verification solution based on behavioral biometrics. The selected technology continuously monitors every in-app activity based on a unique personal usage profile within the mobile device. This includes things like finger size, touch pressure and strike area, giving the bank the ability to identify, in real-time, whether the card owner is actually the individual accessing and using the app. An executive vice president at the bank suggests that, for them, passive forms of biometrics like behavioral authentication were appealing "because they're far more natural, seamless and far less intrusive for users than things like facial recognition and iris scans, which mostly require them to stop and take an action."
In summary, many believe that the death of the password will become a reality soon; one interesting factoid provided in this news article from 2004 is Bill Gates' prediction of the demise of the traditional password, and here we are in 2017. However, the pragmatic evolution of the password will first make it a supplement to a more layered security approach, leveraging biometrics and other contextual data. From this point, you can count the days before it's officially kicked to the curb. Really.
Read more: https://www.vasco.com
This content is made possible by a guest author, or sponsor; it is not written by and does not necessarily reflect the views of App Developer Magazine's editorial staff.