September 23, 2019

The Cost Of Biometric Versus Behavioral Authentication

We have discussed before, in “Biometric Authentication Not As Safe As You Think”, why biometrics are weaker than they appear. It turns out that biometric authentication can also be rather expensive if you rely solely on it for digital identity authentication.

Biometric Authentication Isn't As Secure As You Would Hope

It turns out that a fingerprint is more secure than a 4-digit password but less secure than a 5-digit password. StackExchange examines this statistic:

“According to Apple, with Touch ID the probability of a fingerprint matching is 1:50000 while the probability of guessing a four digit passcode is 1:10000. Statistically speaking, this would make Touch ID five times more secure. But the answer isn't that simple. Reconstructing a fingerprint is far easier than reconstructing a passcode. Although a fingerprint is unique, you are basically walking around with the security key on you at all times. I see having a fingerprint as like having the four digits of a passcode, just not in the right order (is this the right thinking though?).”

And according to a Forbes article titled “Apple's iPhone FaceID Hacked In Less Than 120 Seconds”:

“Security researchers attending the annual Black Hat hacker convention in Las Vegas have managed to bypass the iPhone FaceID user authentication in just 120 seconds.”

Even a voice print can be spoofed according to a Wall Street Journal article titled “Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime Case” which reported:

“Criminals used artificial intelligence-based software to impersonate a chief executive’s voice and demand a fraudulent transfer of €220,000 ($243,000) in March in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.”

So, if your fingerprint, face scan and voice aren’t secure, is there something else truly personal that is?

Behavioral Authentication Comes Of Age

It turns out that companies are fast realizing that biometric-based authentication isn’t as secure as originally thought and are now looking to behavior-based authentication. In fact, behavioral security is being put to use effectively today according to an ITPortal.com article titled “Static vs behavioural: what’s the future of biometric authentication?”:

“With concerns being raised as to whether static biometrics is as invincible to attack as once assumed, behavioural authentication is quickly emerging as a more secure alternative and certain industries have started to take notice.

For example, the banking sector is embracing behavioural biometrics as a way to combat the massive financial crimes market, where fraud and money laundering are estimated to cost the global economy approximately $2.1 trillion per year.

In its simplest form, financial institutions can use behavioural analysis to quickly detect potentially suspicious login attempts by looking at the time and location where users log in to their mobile banking apps. That way, unusual transactions – such as someone trying to transfer a large sum of money in the middle of the night from the other side of the world – can be immediately flagged and blocked until additional verification has taken place.”
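The time-and-location check described in the quote can be sketched as follows. This is an added example, not code from ITPortal or Acceptto; the `Login` record, the thresholds and the sample profile are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Login:
    hour: float          # hour of day (0-24) in the account's home time zone
    lat: float
    lon: float
    amount: float = 0.0  # transfer requested in the session

def km_between(a, b):
    """Great-circle (haversine) distance in km between two logins."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(min(1.0, h)))

def hour_gap(h1, h2):
    """Distance between two clock times on a 24-hour circle (23:00 vs 01:00 is 2)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)

def assess(history, attempt, far_km=500, odd_hours=4, large_factor=5):
    """Compare one attempt with the user's past logins.

    Thresholds are assumed values for illustration. One anomaly flags the
    session; two or more hold it until additional verification.
    """
    if not history:  # no profile yet: nothing to compare against
        return "hold", ["no profile"]
    reasons = []
    if min(km_between(p, attempt) for p in history) > far_km:
        reasons.append("unusual location")
    if min(hour_gap(p.hour, attempt.hour) for p in history) > odd_hours:
        reasons.append("unusual time")
    if attempt.amount > large_factor * max(p.amount for p in history):
        reasons.append("large transfer")
    decision = ("allow", "flag")[len(reasons)] if len(reasons) < 2 else "hold"
    return decision, reasons

# Constructed sample profile: daytime and evening logins from London.
HISTORY = [Login(8, 51.5074, -0.1278, 50), Login(12.5, 51.5074, -0.1278, 120),
           Login(18, 51.5155, -0.0922, 300), Login(21, 51.5074, -0.1278, 80)]

if __name__ == "__main__":
    print(assess(HISTORY, Login(19, 51.51, -0.13, 60)))         # routine login
    print(assess(HISTORY, Login(3, -33.8688, 151.2093, 9000)))  # 03:00, Sydney
```

A production system would learn these thresholds per user rather than fix them, which is the gap the behavioral profiling discussed in the rest of this post is meant to close.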

If you aren’t familiar with what behavioral authentication is, findbiometrics.com describes it as:

“Behavioral biometrics are a relatively new modality in the biometrics landscape, with clear applications in enterprise security, online banking, and mobile commerce. Generally, a behavioral biometrics system matches a user’s behavior against a profile built from hundreds of physiological, cognitive, and contextual traits. The result is two-fold: a user can be passively and continuously authenticated simply by behaving normally online; and service providers implementing behavioral systems can detect malware and other cyber-threats designed to mimic human behavior.”

That just leaves one last question to discuss:

Q: What is better than behavioral authentication?

A: Continuous behavioral authentication.

Continuous Behavioral Authentication Is Best

We have discussed at length how prevention is superior to remediation, so it should come as no surprise that we believe the only way to mitigate digital identity fraud is to implement a continuous behavioral authentication solution. Such a solution prevents anyone from using credentials that are not their own, even if they come upon a legitimately initiated session that the legitimate user walked away from and left open.

Acceptto’s eGuardian engine continuously creates and monitors user behavior profiles based on the user's interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to optimize the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI & ML, expert systems and SMEs to classify, detect, and model behavior, and assign real-time risk scores to continuously validate your identity prior to, during and post-authentication.

Download Intellyx’s whitepaper titled “App Authentication Evolves in a World of Compromised Credentials” today, and then check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy by registering for a free demo today.
