Smartphone Security: Evolving Beyond Passwords And Biometrics

Forbes Technology Council
POST WRITTEN BY
John Whaley

The first online transaction took place nearly 50 years ago, when students from Stanford sold a small amount of marijuana to their counterparts at MIT via Arpanet, the precursor to the internet. It can't have been long after that before they had to worry about online security, and it has been an issue ever since.

For an online security solution to be effective, it must both authenticate who you claim to be and authorize what you are allowed to access.

Probably the oldest way to prove one’s identity is a secret shared by only a few people. The simplest form is a key phrase, such as “Swordfish!” But once a secret is shared, it isn’t really a secret anymore, and wherever it is stored it can be stolen, a weakness that goes back to the earliest documented case of password theft in the 1960s.

Because nobody can keep track of myriad passwords, users create “workarounds” that inevitably lead to oversimplification (Password123) and over-sharing (leaving a password on the proverbial Post-It). Nearly three-quarters of the respondents to a new study we at UnifyID conducted said it was “difficult” to keep track of their passwords, and 82% said they never want to use passwords again. Password managers are the best-known workaround, but they are Band-Aids: they don't solve the underlying problem, and they introduce new points of vulnerability of their own.

No one with IT experience needs a long-winded explanation of passwords’ weaknesses or of the painful consequences of data breaches that result from unauthorized system access. Resolving ongoing password issues is a significant drain on corporate IT staff. Users contact help desks about 28 times per year (approximately 20% of all help desk calls) for password issues, costing upward of $179 per user every year, according to a Forrester report (via SecureIdNews). And based on a Verizon report, 81% of data breaches in 2016 were due to stolen and/or weak passwords.

The direct financial costs to a breached organization pale in comparison to the damage from data loss, harm to company reputation and user dissatisfaction. The Equifax security breach cost the company an estimated $439 million and led to over 240 class-action lawsuits, while the Target hack led to profits plummeting 46% and the ouster of its CEO.

Two-factor authentication (2FA) and multi-factor authentication (MFA) attempt to shore up the weakness of passwords by adding an extra layer of security: the user must enter another piece of information unique to them, such as a security code sent to their mobile phone via text. Although 2FA and MFA make it more difficult for attackers to impersonate a user, these systems can also be cumbersome and create more friction for the user.

Biometrics also show some promise as a solution to password vulnerabilities. These systems rely on physical traits that are unique to a user, such as a fingerprint, face, iris or voice, and offer new and exciting ways to capture user identity. Biometric authentication systems, however, have their problems, too.

First, biometric authentication systems require deliberate user behavior (e.g., press this, look into that). As with passwords, biometrics require training and adjustments to behavior. Having to pull out your smartphone to scan a fingerprint or your face every time you want to authenticate adds friction to the user experience.

Also, biometrics are not hard to compromise. A group of researchers was able to generate synthetic fingerprints that could unlock up to 65% of phones. Other biometric factors don't fare much better: an algorithm can mimic your voice given only short snippets of audio.

Users also cannot always control when and how their biometric data is collected. We all leave our fingerprints everywhere, and because a fingerprint can be captured without any special expertise, it is all too easy for a copy of yours to be shared. That raises privacy concerns about collecting and storing such intimately personal data. And while you can at least change a password, it is extremely difficult to change a biometric identifier once it has been stolen.

Behavioral biometrics show great promise for the future of cybersecurity. They measure uniquely identifying patterns in a user's activity: a user is authenticated by what they do (e.g., how they walk or the places they go) rather than by what they are (e.g., their fingerprint or face). Several companies, including UnifyID, SecureAuth and BehavioSec, have already begun to employ different aspects of this technology to keep people and businesses safe.

Machine learning algorithms passively gather a user’s smartphone sensor data to learn their walking gait, the way they sit or the Wi-Fi access points the device typically connects to. These algorithms also account for anomalies and changes in user behavior, such as a user who is traveling and connecting to unfamiliar Wi-Fi networks, or one who has sprained an ankle and whose gait has changed. When the machine learning system's confidence that it is seeing the genuine user drops too low, other authentication methods, such as a password, can be deployed as a fallback.
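The passive-signal, confidence-then-fallback design described above, as an added illustration that is not code from the article or from UnifyID or the other companies it names. The feature names (gait cadence, stride time, acceleration variance, Wi-Fi access point identifiers), the weights, the 0.7 step-up threshold, the policy of updating the profile only after a successful stronger check, and every sensor reading are constructed assumptions:

```python
"""Confidence-based step-up authentication from passive behavioral signals.

Added example for illustration only; not code from the article or from any
vendor it names. Feature names, weights, thresholds and all sensor values are
constructed assumptions.
"""
import math
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Baseline learned at enrollment (constructed values in the demo below)."""
    gait_mean: list[float]        # e.g. cadence (steps/min), stride time (s), accel variance
    gait_std: list[float]         # per-feature spread observed during enrollment
    known_bssids: set[str] = field(default_factory=set)  # Wi-Fi APs usually seen


@dataclass
class Session:
    """What the phone's sensors report right now."""
    gait: list[float]
    bssids: set[str]


def gait_similarity(profile: Profile, gait: list[float]) -> float:
    """Score in (0, 1]: 1.0 when the current gait equals the enrolled mean.

    Each feature is z-scored against its enrollment spread, the RMS of the
    z-scores is taken as a distance, and exp(-distance) turns it into a score.
    """
    z = [abs(g - m) / s for g, m, s in zip(gait, profile.gait_mean, profile.gait_std)]
    distance = math.sqrt(sum(v * v for v in z) / len(z))
    return math.exp(-distance)


def wifi_familiarity(profile: Profile, bssids: set[str]) -> float:
    """Fraction of currently visible access points seen during normal use."""
    if not bssids:
        return 0.0
    return len(bssids & profile.known_bssids) / len(bssids)


# Assumed weights and threshold; a deployed system would tune these from data.
WEIGHTS = {"gait": 0.6, "wifi": 0.4}
STEP_UP_THRESHOLD = 0.7


def confidence(profile: Profile, session: Session) -> float:
    """Weighted combination of the individual behavioral scores."""
    return (WEIGHTS["gait"] * gait_similarity(profile, session.gait)
            + WEIGHTS["wifi"] * wifi_familiarity(profile, session.bssids))


def decide(profile: Profile, session: Session) -> tuple[str, float]:
    """Return ("passive", c) when behavior alone is convincing, otherwise
    ("step_up", c), meaning another factor (password, OTP) must be requested."""
    c = confidence(profile, session)
    return ("passive" if c >= STEP_UP_THRESHOLD else "step_up", c)


def learn_after_step_up(profile: Profile, session: Session) -> None:
    """Assumed policy: only after the user passes the stronger check do the new
    access points join the baseline, so a traveller stops being prompted without
    an unverified session ever being allowed to reshape the profile."""
    profile.known_bssids |= session.bssids


if __name__ == "__main__":
    # Constructed enrollment data: cadence 110 steps/min, 0.55 s stride, 0.8 accel variance.
    user = Profile(gait_mean=[110.0, 0.55, 0.8], gait_std=[5.0, 0.05, 0.1],
                   known_bssids={"home-ap", "office-ap"})
    usual = Session(gait=[112.0, 0.56, 0.82], bssids={"home-ap", "office-ap"})
    travelling = Session(gait=[112.0, 0.56, 0.82], bssids={"hotel-ap", "airport-ap"})
    sprained = Session(gait=[90.0, 0.75, 0.5], bssids={"home-ap", "office-ap"})
    for name, s in [("usual", usual), ("travelling", travelling), ("sprained ankle", sprained)]:
        print(name, decide(user, s))
    learn_after_step_up(user, travelling)   # after the password check succeeds
    print("travelling again", decide(user, travelling))
```

Run as a script, the three constructed sessions show the behaviors the paragraph lists: the usual session clears the threshold on gait and Wi-Fi alone, the travelling session drops below it because none of the access points are familiar, and the sprained-ankle session drops below it because the gait no longer matches, so both of the latter are routed to a password. The design choice worth noting is that the profile adapts only after a successful step-up; an unverified session never teaches the model.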

Behavioral biometric systems have been especially popular in industries such as financial services, e-commerce, health care, automotive, travel and hospitality. For example, health insurance firm Aetna rolled out behavioral authentication to its customers, partners and employees last year, and many other organizations are adopting these technologies. The common theme is a need for security combined with a need for a streamlined user experience. By spending less time and energy on authentication, both employees and customers can be happier and more productive.

Humans have long been considered the weakest link in security. We accidentally give away our passwords to nefarious parties, we forget to log out of our accounts on unfamiliar devices, and we access sensitive information on unsecured networks. Behavioral biometrics, while not foolproof, turn the behaviors that make each of us uniquely human into the basis for a more secure authentication system.
