Guest post by Jensen Bjorn.
Most people are familiar with biometric security in terms of fingerprint scanning and facial recognition, as these are the most common forms of biometrics available today. While these physical attributes are difficult to replicate and bypass, each is still a single parameter or factor, which means that it’s only a matter of time before the average hacker can get through the basic biometric firewall.
Enter behavioral biometrics: sensors and algorithms calibrated to continuously analyze thousands of biometric parameters, such as your gait and typing habits, rather than relying on a single one-off check. Powered by advances in artificial intelligence (AI) and the Internet of Things, behavioral biometrics might just be the next big leap in mainstream digital identity authentication.
Info Security Magazine lists the features of behavioral biometrics available right now in leading banks: cutting-edge detection strategies can recognize hand-eye coordination, pressure, navigation, scrolling, and other movements to create a unique user profile. This allows banks to continuously ascertain whether online activity is expected or irregular, or whether certain characteristics are linked to malicious activity. At the user end, this translates to a reduction in unnecessary escalations, as users don't have to worry about being contacted by their bank over a false alarm. This ultimately gives both parties a fraud-free and seamless user experience.
Despite their potential value to the world’s largest digital networks and vital industries, behavioral biometrics are still somewhat in their early stages. While consistently analyzing the digital life cycle is a step in the right direction, ThreatPost indicates that there are many other areas that behavioral biometrics have yet to disrupt. These include collecting data on mouse movements, keystrokes, scrolling, and preferred methods of input. When you consider the smartphone’s capabilities, there’s also accelerometer and gyroscope data, as well as touchscreen interaction patterns. The more parameters and data to be analyzed and authenticated, the greater the individual and organizational security.
But at the same time, this can lead to yet another cybersecurity paradox: while more data means more parameters for detecting and stopping malicious activity, increased data collection can all too easily lead to greater vulnerability from all sides. Hackers are constantly sniffing around digital networks for weaknesses, and large-scale biometric databases make for highly profitable potential targets. If behavioral biometrics are to be applied in mainstream networks, the organizations that use them need to be able to ensure the security of their data through both defensive and offensive techniques—not to mention get their customer base to agree to being data-mined.
Privacy-preserving authentication protocols like NuID’s zero knowledge authentication could become an important piece in navigating the security vs. privacy tradeoff presented by behavioral or other biometrics. Today, biometric authentication either has to be done entirely on the user’s device, as with Apple’s FaceID, or it involves centralized storage of biometric data. Further research will need to be done to see if the asymmetric cryptography used in zero knowledge authentication can be effectively applied to biometric data, allowing for “remote” biometric authentication without centralized storage of sensitive data. For now, biometrics can be safely used on the user’s device to unlock a static key that is then used in zero knowledge authentication.
Whether or not behavioral biometrics will benefit mainstream digital identity authentication on a mass scale remains to be seen. What is certain is that this potentially disruptive technology is worth further exploration and experimentation.