Consumers are increasingly dependent on mobile devices. However, current authentication methods like password entry can be frustrating and dif?cult to remember, especially when a user has a few devices, leading them to create and reuse shorter passwords and pins.
This is according to Kayvan Alikhani, senior director of technology at RSA, the Security Division of EMC. Alikhani explains that cost-effective technologies now built into mobile devices, such as the camera, speaker, accelerometer and fingerprint sensors, can enhance authentication with behaviour metrics based on the activities of the user, enabling a more secure experience.
"Behaviour metrics is a technology that is used to observe the user behaviour such as gestures, device held-angles, typing and tapping, face or voice print, keystroke analysis, heartbeat analysis within specific environment and on specific devices to establish a repeatable pattern."
This pattern, he adds, can be recorded by your phone to be used for authentication purposes in determining whether the user is who they claim to be.
"It's projected that the number of Internet-connected devices per person will average five by 2017. Between work and personal e-mail, online banking portals, shopping, social media and a never-ending stream of applications, users are juggling password authentication for dozens of different systems and it's not easy," reveals Alikhani.
This leads users to adopt poor authentication practices to help them cope, making it easier for thieves and mischief-makers to obtain unauthorised access to supposedly protected systems, he adds.
Johann van der Merwe, director and lead security architect at Telic Consulting, says behaviour metrics can be an effective measure of mobile authentication. However, they should not be used as a sole method of device certification.
"Behaviour analysis can be used for a means of continued identity verification. The user behaviour on the phone can be matched [via complex algorithms] to what is expected and a risk score of accuracy is then calculated.
"If the risk score reaches a predefined threshold then the user can be challenged for an additional authentication factor such as a fingerprint biometric or one-time pin," advises Van der Merwe.
He says there is a slight difference between behavioural metrics and biometrics.
"Behavioural metrics measure different aspect of 'who you are'. Biometrics tend to be more unique in comparison to, for example, how you type on a keyboard. They are the measurement and analysis of people's physical and behavioural characteristics," he elaborates.
Continued and rapid increase of online applications and services results in an increase in the demand for more than one form of authentication, he adds.
Risks
Among the risks associated with behavioural metrics is a lack of understanding of the implications of false positives and false negatives, notes Van der Merwe.
"Users may not know how to properly deal with false positives and false negatives. The result is either giving unauthorised access to the wrong person or denying legitimate access to the owner.
"For this reason behavioural should always be combined with more traditional authenticators," he observes.
Alikhani says if behaviour is monitored at a mobile operating system (device) level and across applications, then, over time, it can be used as part of the device authentication/unlock process.
However, if usage or behaviour is only being monitored and analysed on a single-mobile-app level, then the accuracy rate may be lowered.
"Most single-mobile-apps are optimised to reduce user interaction as much as possible [least number of taps], if the app is not used often by the user, the level of accuracy is lowered as it's much more difficult to establish a repeatable and reliable user behavioural pattern," he explains.
He points out behaviour metrics have to establish a repeatable pattern on mobile devices and it's been tough to establish long-term patterns of usage, as users often change their mobile devices frequently (once every year or even sooner).
"Unfortunately, at this point in time, the outcome of RSA tests on some of the behavioural metrics-based solutions (solutions can that solely rely on user's behaviour on a single device) has shown unacceptable levels of False Accept Rate (FAR) and False Reject Rate (FRR).
Therefore, to improve quality and security, RSA recommends blending behaviour based authentication with multi-factor authentication, concludes Alikhani.
Share