Why Always On Authentication is the Future of Online Security
Using a thumbprint or an iris scan to open a door is no longer something only seen in science fiction movies. Biometric security in the shape of fingerprint scanners and facial recognition is widely used, be it in police stations, military bases, banks or anywhere else that high security is paramount. It’s also common on smartphones, giving users an easy way to unlock their devices without entering a password.
But for all the convenience these security features add, we’re only just beginning to scratch the surface of what biometrics can really do. A much deeper level of biometrics is now starting to emerge.
The real game-changer in the future of biometric security will be what’s known as behavioral biometrics, the analysis of patterns in human activity — the keystrokes a person makes, their speech patterns and even how they hold a particular device.
“When a consumer wants to get onboarded to a new product or service, there are different aspects that can be used from a behavioral perspective to allow them to authenticate that account,” explained Sanjay Gupta, vice president and global head of product and corporate development at Mitek Systems.
Gupta said there are anywhere from 50 to 100 different sensors on any one device that can capture an individual’s behavior. But there’s more to behavioral biometrics than just interacting with a single device: There’s also the behavior people exhibit in their daily lives. For instance, most people don’t travel far, normally staying within a five- to 10-mile radius of where they live, he noted.
People also live their lives in very predictable ways. They go to drop off their kids and then they head to work, Gupta explained. They typically visit the same stores and often buy the same things. “That’s all a part of your behavior as well,” he stressed.
Currently, behavioral traits are normally used to tell the difference between a real human and a bot. But they have a much bigger potential to enable what Gupta terms continuous authentication, where various device metrics can be used to determine, again and again, if it is the exact same person.
Continuous authentication can use unique behavioral traits to create individual security profiles that users can then port across multiple services, eliminating the need for a consumer to constantly sign up every time they want to start using a new application, for example. So, the behavioral profile of a user who has previously created a bank account could be used when that person rents a car. Potentially, they could be logged in instantly, without entering so much as their name or their email address.
“In the future, we’ll be able to use those behavioral attributes, combined with their physical attributes, to determine that someone is a live person across their journey to different accounts — and even for something like account recovery,” Gupta said.
He conceded that while such a scenario is still probably far in the future, as every device tends to have unique sensors, “if you had a centralized database of each user’s behavior, this kind of portability could happen.”
Gupta explained how most early biometric security tools used what are known as “active liveness” tests, asking a user to blink or nod their head, for example. But these active tests add friction, and they can easily be spoofed.
On the other hand, if passive face liveness (the ability to detect from a single photo that the person is live) is combined with behavioral traits, the result is a much more powerful indicator that the person is alive and is the authorized user on the account.
“The future lies in passive detection, which is imperceptible to end users,” Gupta said.
Behavioral biometrics doesn’t just make life easier, though — it can also prevent bot attacks. Gupta said one popular scam he sees time and again is when tickets for a big event go on sale for the first time. When that happens, scammers use bots to buy up as many tickets as possible for that event, then resell them on another platform at a profit. With behavioral biometrics, it would be easier to detect such transactions without inconveniencing legitimate buyers.
Gupta believes it’s inevitable that biometrics will become more widespread, as it offers increased security and convenience. While many have voiced fears about their biometric data being misused or falling into the wrong hands, he noted that most consumers will ultimately adopt the technology for faster access to the services they use.
“The main issue today is that the efficacy of behavioral biometrics as a solution is not quite there yet to uniquely identify an individual,” Gupta said. “But elements of it are.”
The consumer experience will be seamless when we can fully leverage behavioral biometrics, he said.