Authentication factors are often categorized as something you know, something you have, and something you are. Passwords are the obvious example of something a user knows. In an ideal world, passwords would be something only the user knows, but because password databases are wont to leak, and because users can’t be relied on to choose secure passwords in the first place, many web services insist on a second factor of authentication, often of the “something you have” category in the form of a mobile device, or, increasingly common, “something you are” in the form of a fingerprint or other biometric factor.
All of these are better than a simple password, but they share a limitation: they are static factors of authentication, checked once at login. When a user authenticates, the result is trusted for the length of the session. If, three minutes after logging on to his bank with two-factor authentication, a user gets up to go to the bathroom without logging out, his account is open to whoever happens to walk past his computer; idle timeouts narrow that window but do not close it.
Behavioral biometrics are different. They are continuous factors of authentication based on “something you do”. To consider one example: your phone knows more about you than any other piece of technology. It knows how you hold it, how you move it, how you interact with the screen, and how you type on the keyboard. Over time, these signals add up to a unique behavioral signature. Your phone could recognize you from your behavior.
In a discussion of behavioral biometrics, Jamie Carter enthuses that:
“Your face or finger might get you into your phone to do a spot of internet banking, but is it still you using the handset five minutes later? The banks need constant reassurance of your identification, which is why they’re turning to a new technology that monitors the way you use your phone, whatever the model. This is behavioral biometrics, and it’s devastatingly simple.”
A simpler example is a behavioral signature built from keyboard use, often called keystroke dynamics. Individuals have characteristic patterns in how long each key is held down and in the gaps between successive keypresses, and a web service could record these timings (key-down and key-up events are visible to a page’s JavaScript) to continually check that the user is who the service thinks it is.
Several companies sell behavioral biometrics products, including Behaviosec, which offers a continuous authentication solution for web and apps that it describes as easy to integrate. Behavioral biometrics are already used by several banks, and we can expect their popularity to increase over the next few years.
All this sounds promising, but there is a problem with behavioral biometrics that is closely related to their major benefit. A behavioral profile is not unique to each service, and it is repeatable: the same typing rhythm is presented to every site the user visits, and anything the service can observe, software on the user’s machine can observe too. Imagine a PC infected with malware whose job is to build a behavioral profile of the machine’s user. That profile can then be analyzed and “fake” behavior generated in software to mimic it. For keystroke timings this is fairly trivial: the malware only has to log key-down and key-up times and then replay events with the same statistics. Behavior can’t be changed in the way a compromised password can.
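To make both the keystroke-dynamics idea and the replay problem concrete, here is an added example in Python (not code from the original post, from Behaviosec or from any bank). It fits a per-feature mean and spread to constructed enrollment samples of a four-key fixed text, scores later samples by their mean absolute z-score, and then shows the weakness described above: malware that has logged the same typing fits the same profile and synthesizes a sample the matcher accepts. The feature layout (dwell times then flight times), the 1.5 acceptance threshold, the 5 ms floor on the spread and every timing value are assumptions made for the illustration.

```python
"""Toy keystroke-dynamics profile, matcher and replay attack (illustrative)."""
from statistics import mean, pstdev

# Floor on the per-feature standard deviation so a feature with almost no
# variation in the enrollment data does not reject every tiny deviation.
MIN_SIGMA_MS = 5.0
# Accept a sample when its mean |z-score| across all features is below this.
THRESHOLD = 1.5


def make_sample(dwells, flights):
    """Build a typing sample, a list of (key_down_ms, key_up_ms) pairs, from
    dwell times (how long each key is held) and flight times (the gap between
    releasing one key and pressing the next)."""
    t, sample = 0, []
    for i, d in enumerate(dwells):
        sample.append((t, t + d))
        t += d
        if i < len(flights):
            t += flights[i]
    return sample


def extract_features(sample):
    """Feature vector for a fixed-text sample: n dwell times, then n-1 flight times."""
    dwells = [up - down for down, up in sample]
    flights = [sample[i + 1][0] - sample[i][1] for i in range(len(sample) - 1)]
    return dwells + flights


def build_profile(samples):
    """Per-feature (mean, std) fitted over enrollment samples of the same text."""
    columns = zip(*(extract_features(s) for s in samples))
    return [(mean(c), max(pstdev(c), MIN_SIGMA_MS)) for c in columns]


def score(profile, sample):
    """Mean absolute z-score of the sample against the profile (lower = closer)."""
    feats = extract_features(sample)
    return sum(abs(x - mu) / sigma for x, (mu, sigma) in zip(feats, profile)) / len(profile)


def is_genuine(profile, sample):
    """The service's accept/reject decision for one sample."""
    return score(profile, sample) < THRESHOLD


def forge_sample(profile):
    """What malware on the user's machine can do once it has fitted the same
    profile from keylogged typing: synthesize a sample from the profile.
    A real attacker would sample from the fitted distribution; here each
    feature is placed deterministically half a standard deviation from its
    mean, alternating sides, so the result is reproducible."""
    feats = [mu + (0.5 if i % 2 == 0 else -0.5) * sigma
             for i, (mu, sigma) in enumerate(profile)]
    n = (len(feats) + 1) // 2          # n dwell features, n-1 flight features
    return make_sample(feats[:n], feats[n:])


# Constructed timings (milliseconds) for a four-key fixed text; not real measurements.
ENROLLMENT = [
    make_sample([90, 85, 100, 95], [120, 110, 130]),
    make_sample([95, 80, 105, 90], [125, 115, 125]),
    make_sample([85, 90, 95, 100], [115, 105, 135]),
    make_sample([88, 87, 98, 97], [122, 112, 128]),
]
GENUINE_SAMPLE = make_sample([92, 84, 102, 94], [118, 112, 131])      # same typist, later
IMPOSTOR_SAMPLE = make_sample([140, 130, 150, 145], [200, 190, 210])  # slower, heavier typist

if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)          # fitted by the web service
    print("genuine ", round(score(profile, GENUINE_SAMPLE), 2), is_genuine(profile, GENUINE_SAMPLE))
    print("impostor", round(score(profile, IMPOSTOR_SAMPLE), 2), is_genuine(profile, IMPOSTOR_SAMPLE))
    # Malware that keylogged the same typing fits the same profile and replays it.
    stolen_profile = build_profile(ENROLLMENT)
    forged = forge_sample(stolen_profile)
    print("forged  ", round(score(profile, forged), 2), is_genuine(profile, forged))
```

The matcher separates the genuine typist from the impostor comfortably, but the forged sample scores as well as a genuine one, because the attacker and the service are fitting the same distribution to the same observable events. Nothing in the profile is secret from the machine that produced it, which is the point the paragraph above makes.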
And, of course, behavioral biometrics are like manna from heaven for companies that profit from tracking users around the web.
Behavioral biometrics is an interesting solution to the conundrum of online authentication, but over the next few years, I anticipate that we’ll be having some serious discussions about its suitability for general web authentication and its privacy implications.
Image: Flickr/CJ Isherwood