By Susan Rebner, CEO of Cyleron
Customers understandably demand transactions in which they are safe and not at risk of identity theft, session hijacking or having their information breached. Online services from merchants, banks and others are becoming more complex as they offer an increasing number of transaction services online.
For example, banks went from simply providing customers with a bank balance online to today, when you can transfer money, pay bills and deposit checks from your phone, as well as access countless other services and products. These digital-driven organizations must provide customers with robust user authentication methods without significant inconveniences.
Faced with concerns like increasing regulatory requirements, protecting proprietary trade secrets, maintaining customer loyalty, and an increasing number of mobile transactions, some organizations are turning to behavioral biometrics as an optimal solution. Today many of us use thumbprint or facial recognition to unlock our phones, which is a form of biometrics, but the power of biometrics extends well beyond just these use cases.
This technology is something my company is working on, so I'm paying close attention to the behavioral biometrics and user authentication space.
Continuous user authentication via behavioral biometrics is typically passive in nature and therefore provides little-to-no inconvenience to the user. Typing behavior, for example, is something we do every single day, and the fact that it can help identify us from morning to night requires absolutely no change in our activities. This is not true of active methods, such as two-factor authentication, which often necessitate typing in an extra code of some sort.
People dislike the process of constantly generating new, hard-to-remember passwords that they then have to remember and keep track of. Employees constantly lose tokens that employers ask them to carry around in order to authenticate. Even two-factor authentication methods are being cleverly hacked by cybercriminals. Biometrics provide an additional dimension to define a user’s identity by way of behavioral and physiological markers while continuously authenticating the user. These markers can include keyboard and mouse movements, application tracking, fingerprints, facial recognition, finger size, device movement and plenty more. Based on the user's previously developed behavior (the more you use it, the more it’s trained to your specific behavior), these technologies can quickly identify any anomalies.
With artificial intelligence (AI) and machine learning (ML) enhancements, behavioral biometrics has become a force to be reckoned with for hackers and cybercriminals. Hackers have more access to our personal information, via social media and online activity, than they ever have before. It is arguably much more difficult, however, to modify an individual's distinguishing and unique characteristics. Hackers have not, as of yet, found a way to hack the biological traits of humans.
The likely attack surface will, therefore, be the underlying software itself that interprets these human-specific attributes. The ML models, deep neural networks and so on at play must be protected at the codebase level, with security baked directly into the programming. That said, the overall technology framework is significantly more secure than one which simply requires stolen credentials to access sensitive information, as is the case with the majority of systems in use today. Behavioral markers cannot be phished or ransomed nearly as easily as credentials, which means greater security and privacy for everyone.
Cybercriminals have found clever ways to trick users into handing over their user credentials, even when using two-factor authentication. For example, phishing attacks are at an all-time high. Once a cybercriminal has the credentials, they can bypass the firewall of a system and begin stealing sensitive data. Behavioral biometrics will add a formidable additional level of protection to endpoint security.
The 2019 Verizon Data Breach Investigations Report, which was built upon the analysis of 41,686 security incidents, indicated user credentials are increasingly a target of cybercriminals:
- There's been an increase in hacking cloud-based email servers via the use of stolen credentials.
- Denial of service (DoS) and use of stolen credentials on banking applications remain common.
- Twenty-nine percent of breaches involved stolen user credentials, and 71 percent of breaches were financially motivated.
Behavioral biometrics are already having a groundbreaking impact on the cybersecurity landscape. More specifically, I believe continuous user authentication will soon be a requirement for any serious cybersecurity program. Ultimately, the key to a secure digital world, whether personally or professionally, is taking a multilayered approach. Continuous user authentication by way of unique, individual behavioral markers should be considered one of the most important of those layers.
Susan Rebner is the CEO of Cyleron, an artificial intelligence enabled cybersecurity software and solutions company.