The enterprise potential of behavioral biometrics

Biometric authentication has quickly evolved to include behavioral identifiers. Expert Michael Cobb explores the benefits of behavioral biometric technology for enterprises.

The convenience of frictionless user authentication that biometric verification offers is one of the main reasons so many OEMs are beginning to incorporate various biometric authentication options into their devices. People are becoming quite familiar with using their fingerprints or faces to unlock their computers and mobile devices, and it's a lot more user-friendly than having to remember and type in a password or PIN.

Physiological characteristics like fingerprints, face, hand and retina represent just one type of biometric identifier, though. The other is behavioral characteristics, which are related to the pattern of behavior of a person, such as typing rhythm, gait, gestures and voice. It's nearly impossible to copy or imitate somebody else's behavior well enough to fool behavioral biometrics verification, as everyone's mannerisms and body language traits are shaped by social and psychological factors, which make them unique.

The advantages of behavioral biometrics

A big advantage of behavioral biometrics is that the identifiers can be discreetly monitored in real time to provide continuous authentication, instead of a single one-off authentication check during login. For example, a user's keystroke length, typing speed, error patterns and mouse movements can all be used to create a unique template that distinguishes their typing from someone else's. This can be used to continuously authenticate users in real time based on their mouse movements and keystrokes.

Enterprises with many users who regularly access sensitive data, such as customer support staff, can certainly benefit from this additional type of authentication to help detect when the correct person is not operating a device. A banking app could lock access to an account or prompt for a second factor of authentication if it detects irregular keyboard, mouse or touch interactions.

Body movements such as gait can be analyzed to identify people from a distance. Gait is hard to disguise because a person's build and muscles essentially limit their variation of motion, and it could be used to ensure only authorized people, such as security guards, are present in a restricted area.

Behavioral biometrics: Disadvantages

While behavioral characteristics can provide continuous verification of a user, they are not so practical when it comes to the actual login process. A fingerprint reader only needs to take one reading to allow or deny access, whereas a user would have to type for a period of time before enough data had been captured to make a check. This delay in logging on is not what vendors or users are looking for.

There are also concerns over stolen biometric data, such as what occurred in the Office of Personnel Management data breach, though it's a threat that the security industry doesn't yet fully understand. However, it should prove difficult for an attacker to automate the abuse of stolen biometric data in the same way they can with passwords, and this applies to behavioral biometric data more so than to physiological data like fingerprints.

One disadvantage with all forms of biometric identification is there is an element of interpretation. It is easy for a computer system to check whether the password submitted is the same as the password stored in its database, but the check in biometrics is more "like" than "equal to." The matching algorithm has to make a decision based on an acceptance threshold that determines how close to a template the input needs to be for it to be considered a match. This can lead to false negatives, which would prevent valid users from authenticating successfully, while false positives would allow unauthorized users to authenticate successfully -- the last thing purchasers want in an authentication product. The threshold needs to be set to ensure the right level of protection for the classification of the assets being safeguarded; some systems allow different thresholds for different types of users.
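The threshold trade-off described above, as an added example that is not code from the article or from any vendor it names: a small keystroke-timing matcher in Python that measures false negatives and false positives at three acceptance thresholds. The timing data is constructed, and the mean z-score distance, the threshold values and the role names are assumptions chosen for illustration.

```python
from statistics import mean, stdev

# Constructed sample data: four key hold/flight times (ms) per typing sample.
ENROLL = [[100, 140, 90, 200], [110, 150, 95, 210], [90, 130, 85, 190],
          [105, 145, 92, 205], [95, 135, 88, 195]]
GENUINE = [[102, 138, 91, 203], [112, 152, 96, 188],
           [97, 143, 88, 197], [120, 160, 100, 225]]
IMPOSTOR = [[150, 100, 120, 260], [108, 150, 96, 212],
            [130, 170, 80, 170], [85, 120, 100, 240]]

def enroll(samples):
    """Template = per-feature (mean, std dev); std dev floored to avoid /0."""
    return [(mean(col), max(stdev(col), 1.0)) for col in zip(*samples)]

def distance(template, sample):
    """Mean absolute z-score: 'like', not 'equal to'. Lower means closer."""
    return mean(abs(x - m) / s for (m, s), x in zip(template, sample))

def matches(template, sample, threshold):
    """Accept the sample only if it sits within the acceptance threshold."""
    return distance(template, sample) <= threshold

def error_rates(template, genuine, impostor, threshold):
    """Return (false-negative rate, false-positive rate) at this threshold."""
    fn = sum(not matches(template, g, threshold) for g in genuine)
    fp = sum(matches(template, i, threshold) for i in impostor)
    return fn / len(genuine), fp / len(impostor)

# Hypothetical per-user-type thresholds: stricter for more sensitive roles.
THRESHOLDS = {"privileged": 1.0, "standard": 2.0, "low_risk": 3.2}

if __name__ == "__main__":
    template = enroll(ENROLL)
    for role, t in THRESHOLDS.items():
        fnr, fpr = error_rates(template, GENUINE, IMPOSTOR, t)
        print(f"{role:10} threshold={t}: "
              f"false negatives {fnr:.0%}, false positives {fpr:.0%}")
```

On this data, tightening the threshold removes every false positive at the cost of rejecting half the genuine attempts, and loosening it does the reverse.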

Behavioral biometrics can provide an additional layer of security and further strengthen defenses around highly sensitive data by monitoring in real time the way users interact with their devices. There are online fraud detection solutions coming onto the market that use behavioral biometrics to stop account takeover fraud and other fraudulent transactions, as well as malware such as RAT-in-the-browser. BehavioSec's product authenticates individuals in real time through behaviors like keystroke dynamics, touch and mouse motion, and compares those behaviors to previous interactions from the same user. It creates a session ticket and a confidence score so risk engines can add additional security steps if required. The system continually redefines a user's behavior profile by learning from every interaction to reduce false positives. Other products include NuData Security's NuDetect and BioCatch's Behavioral Authentication. SecureAuth Corporation in partnership with BehavioSec is releasing an API platform that will allow enterprises to develop custom continuous, passive authentication capabilities for their own IT infrastructures.

This was last published in January 2016
