Authentication Is What You Do As Much As Who You Are
We’re all entirely familiar with the idea of a password. We should be: we have between 6 and 10 that we use multiple times a day, across 90 different sites that we navigate. And because our brain craves simplicity, we typically use the same password for all those sites. We make them easy to remember and, with that, easy to crack, leading to the data breaches that fill news headlines. Passwords, to put it bluntly, are the enemy of security.
Authentication—proving the identity of whoever is accessing a digital service, the answer to our password dilemma—has certainly come a long way. In the first iterations of authentication, back in the 90s, there were predominantly two methods of authentication to get access to a web portal or page: a randomly generated code supplied on paper along with other codes, or a code generator device that created one-time passwords (OTPs). This era of token delivery wasn’t overly intuitive: people often forgot the generator or the paper with the codes at home and became frustrated.
Then came the feature phone, which allowed for a major update on that problem: tokens and OTPs could be delivered on the phone by way of SMS, or by an app that generated codes or even handled the login. Certainly better, as almost everyone carries their phone with them at all times. But as recent FBI alerts show, SMS OTPs are far from safe and can be intercepted through the known exploit of SIM swapping, in which the attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number, allowing them to receive 2FA security codes sent via SMS text.
With the smartphone, we can now escape such vulnerabilities by using our biometric data to authenticate, a vastly superior form of authentication that is very robust and truly personal. Two forms are considered the norm now: fingerprint data and, increasingly, facial recognition.
Soon there may be more. Behavioral biometrics is a burgeoning field of authentication that analyzes traits and micro-habits like voice, keystrokes when typing, navigational patterns, engagement patterns, etc. Take, for instance, behavioral keylogging. If a person logs in but their typing seems amiss, the system would fail to positively authenticate the person.
A major advantage of this form of authentication is its dynamic nature. Passwords, PINs and fingerprints rely on static data or static templates stored at the point of enrolment, and therefore have a fixed, static state. With dynamic data points, behavioral profiles are adjusted continuously, rendering any stolen data useless.
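To make the two points above concrete (a login fails when the typing is amiss, and the profile keeps adjusting), here is an added Python sketch that is not taken from the article or from any product. The class name, threshold, `alpha`, `min_std` and all timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev


class KeystrokeProfile:
    """Adaptive template of inter-key intervals (ms) for one fixed passphrase."""

    def __init__(self, enrol_samples, threshold=2.0, alpha=0.5, min_std=8.0):
        columns = list(zip(*enrol_samples))
        self.mu = [mean(c) for c in columns]
        # Floor the spread so a very consistent enrolment does not make the
        # profile reject the owner's ordinary jitter.
        self.sigma = [max(pstdev(c), min_std) for c in columns]
        self.threshold = threshold  # highest mean |z-score| still accepted
        self.alpha = alpha          # weight of the newest accepted login

    def score(self, sample):
        """Mean absolute z-score of a sample against the current profile."""
        return mean(abs(x - m) / s
                    for x, m, s in zip(sample, self.mu, self.sigma))

    def verify(self, sample):
        """Accept or reject a login; only accepted samples move the profile."""
        if len(sample) != len(self.mu) or self.score(sample) > self.threshold:
            return False
        self.mu = [m + self.alpha * (x - m) for x, m in zip(sample, self.mu)]
        return True


def demo():
    # Constructed timings: three enrolment runs of the same passphrase.
    base = [120, 95, 140, 110]
    profile = KeystrokeProfile([base, [124, 99, 136, 114], [116, 91, 144, 106]])
    result = {
        "owner": profile.verify([122, 97, 138, 112]),
        "stranger": profile.verify([180, 60, 200, 70]),
    }
    # The owner gradually types faster; every accepted login shifts the mean.
    drifted = [profile.verify([t - 6 * k for t in base]) for k in range(1, 7)]
    result["drifted_owner"] = all(drifted)
    # A copy of the enrolment-era timings no longer matches the live profile.
    result["stale_copy"] = profile.verify(base)
    return result


if __name__ == "__main__":
    print(demo())
```

The drift only invalidates copies that have gone stale, so a score like this works as one signal alongside other factors rather than as a stand-alone check.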
AI and the new biometrics
While behavioral biometrics have these advantages—especially when linked to AI engines and other awareness features—there are some downsides to consider. One of them is privacy. With static templates of such things as fingerprints, the registration of the template and the consent to it are known. But behavioral biometrics happen in the background due to their inherently dynamic nature. They’re hidden from users as they track, compare and collate behaviors. As such, they represent a privacy challenge that, as with GDPR, will need to be consented to. Behavioral biometrics may be more technologically advanced, for sure, but the approach is also—by its nature—more invasive, because its dynamic algorithms pull from various data points.
This is exactly why a robust security backbone is essential for authentication in general, and more so for systems using behavioral biometrics, as this data is a vast set of data points. For behavioral biometrics—or any biometrics for that matter—to be trusted and adopted, this will be a prerequisite.