Behavior biometrics now factor in authentication
Biometrics are, in many ways, the holy grail of authentication. We're confident enough in them to put people in prison or even execute them based on a fingerprint or DNA match. But should we let them access data?
The answer, as perhaps it should be in the administration of justice, is that we should use multiple factors to identify users. In the context of others, biometrics are an excellent addition.
SecureAuth follows this philosophy by supporting more than 20 authentication options with the new addition of behavioral biometrics, the use of timing patterns in the user's keystrokes and mouse movements. The identity management system builds a profile of this behavior for the user and then monitors authentication requests using it, along with other factors. This new version, SecureAuth IdP 9.0, will be available worldwide in April according to the company.
SecureAuth claims that theirs is the first implementation of behavioral biometrics by an identity management company, but it has existed in academic research for some time. This February 1990 paper in Communications of the ACM by Rick Joyce and Gopal Gupta covers the essentials of it.
A SecureAuth-equipped service looks at how you type your username and password. If the pattern doesn't match what they have for you close enough then the system may look at other factors or issue a challenge question, depending on policy set by the site administrators.
Initially I had trouble believing the behavioral biometrics could be all that accurate, but of course they don't have to be 100% or anything like it. We're not putting a man on trial for his life here, we're controlling access to an account, although perhaps an important one like a bank or an electronic health record.
If you use online banking you've probably already seen some of these other factors in play: log in from a computer you haven't used before (or use anonymous browsing) and the system will note that things are different and challenge you for additional factors. If you were to log in from Thailand an hour after you logged in from Florida that would also be a good clue that something was wrong, and perhaps even reason to lock the account down. This kind of identity analysis, called risk-based authentication, has been around a long time.
SecureAuth employs "continuous authentication" by which they continue to check factors like geolocation throughout the application, not just on the login screen.
It's this use of many factors that I find most interesting and impressive, but they do one more thing that makes sense. They say that they store as little of this profile information as they have to and they store it all encrypted and, most importantly, they store it all on their customer systems (e.g. the bank's), not on their own.
Some people will, no doubt, be disturbed at all this information being used to identify them, but it's a self-defeating concern. If you want to use an online bank or some similarly sensitive service you have to expect the service to do all it can to protect your account. If you don't like it go back to tellers and deposit slips and put up with bankers' hours.