Zack Zando, Senior IAM Consultant, SecureITsource, Inc.
When was the last time you walked into a bank to make a transaction? Whether it was depositing a check, transferring funds, or sending money to a friend – it’s likely that the way you handled those transactions has changed within the last few years. With mobile banking applications, walking into a bank and interfacing with a teller is no longer a necessity in most cases. As it relates to identity, we are mostly just authenticating with our device, in many cases with as little as just a username and password.
Authenticating the user can become a struggle for a financial institution, because what the user wants (quick and easy while remaining safe) and what the institution wants (robust security controls that often compromise user experience) are light years apart. It seems that we have this clash between user experience and security, both of which are top priorities for institutions with competing mobile products and an ever-increasing user base. A security breach means damage to reputation, something which could be impossible to recover from. For millennial users, convenience seems to take precedence over anything else, so financial institutions need to ensure convenience and ease of use while remaining secure.
So what do these institutions do to help thwart fraud over mobile banking applications? Authentication with a username and password alone is now a thing of the past, or at least let’s pretend that most institutions have put this in their rear view by now (they haven’t, unfortunately). We have the next obvious contender – Multi-Factor Authentication (MFA). MFA enhances security by combining something you know (username/password), something you have (cell phone), and something you are (retina scan/voice recognition/fingerprint).
MFA doesn’t seem so bad from a user experience perspective, and seems to check all the boxes from a security standpoint, right? Well, just like a password, the user now must keep their eyes, face, and thumbs safe from the world. Okay, I’m kidding, things haven’t gotten that bad, but the problem with these biometrics is that they don’t change; they’re static. At least if your password or your phone gets stolen, you can get new ones – but what about when someone copies your fingerprint? This happens all the time, and there is even dedicated software that can capture fingerprints from high-resolution photos – just Google “hacker fakes German minister’s fingerprints”. Within 24 hours, even Apple’s Touch ID was hacked (by the same hacker) by just using a fingerprint left on the screen. In fact, these systems are significantly flawed because hackers can not only replicate the owner’s fingerprints, but they can even add their own, blocking the device from its owner. Okay, so what now? Enter Behavioral Biometrics.
Behavioral Biometrics is a cutting-edge technology that analyzes user behavior to help verify a user’s identity without impacting a daily routine. What do we mean by behavior, exactly? Well, the way that a user interacts with a device (keystrokes, finger placement, swipe length, swipe velocity, device orientation) is distinct from, say, how their twin sibling might accomplish those same tasks. Yes, it’s true – deep learning has given us the ability to know who you are by how you type, talk, or swipe. Unlike many types of physical biometrics, behavioral biometrics can be gathered with existing hardware, needing only software for analysis. This makes behavioral biometrics less costly to implement for institutions, and since it’s transparent to the user, it’s a win-win implementation. Behavioral Biometrics is unmatched because authentication is passive and “always on”, providing the end user with something they have never seen in the past, and something they will never consciously deal with: security that is ultra-convenient.
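
The passive scoring idea described above, as an added example that is not from the original article or from any vendor's product: a simple per-user statistical baseline (not a deep learning model) that scores a session against the owner's enrolled behavior and maps the score to allow, step-up, or block. The feature names, thresholds, and session data are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Assumed feature names, taken from the behaviors the article lists.
FEATURES = ("swipe_length_px", "swipe_velocity_px_s", "key_dwell_ms")

def enroll(samples):
    """Build a per-feature (mean, stdev) profile from the owner's past sessions."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in samples]
        # Floor the spread so a perfectly consistent user cannot divide by zero.
        profile[f] = (mean(values), max(stdev(values), 1e-6))
    return profile

def anomaly_score(profile, session):
    """Mean absolute z-score across features; higher means less like the owner."""
    return mean([abs(session[f] - profile[f][0]) / profile[f][1] for f in FEATURES])

def decide(profile, session, step_up_at=2.0, block_at=4.0):
    """Map a session to an action. Thresholds are illustrative assumptions."""
    if any(f not in session for f in FEATURES):
        # Missing telemetry must not pass silently: fall back to explicit MFA.
        return "step_up"
    score = anomaly_score(profile, session)
    if score >= block_at:
        return "block"
    if score >= step_up_at:
        return "step_up"
    return "allow"

# Constructed enrollment data for one hypothetical user.
ENROLLED = [
    {"swipe_length_px": 310, "swipe_velocity_px_s": 1180, "key_dwell_ms": 92},
    {"swipe_length_px": 320, "swipe_velocity_px_s": 1220, "key_dwell_ms": 88},
    {"swipe_length_px": 305, "swipe_velocity_px_s": 1150, "key_dwell_ms": 95},
    {"swipe_length_px": 315, "swipe_velocity_px_s": 1200, "key_dwell_ms": 90},
    {"swipe_length_px": 300, "swipe_velocity_px_s": 1250, "key_dwell_ms": 85},
]
PROFILE = enroll(ENROLLED)

# Constructed sessions: the owner, a drifting session, and a different person.
OWNER = {"swipe_length_px": 312, "swipe_velocity_px_s": 1190, "key_dwell_ms": 91}
DRIFT = {"swipe_length_px": 330, "swipe_velocity_px_s": 1300, "key_dwell_ms": 97}
OTHER = {"swipe_length_px": 420, "swipe_velocity_px_s": 700, "key_dwell_ms": 140}

if __name__ == "__main__":
    for name, s in (("owner", OWNER), ("drift", DRIFT), ("other", OTHER)):
        print(name, round(anomaly_score(PROFILE, s), 2), decide(PROFILE, s))
```

The middle band matters in practice: a session that only drifts from the baseline triggers an explicit MFA challenge rather than a hard block, which keeps the passive check from locking out the legitimate owner.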