Security and Privacy? With Active Behavioural Biometrics it is Possible.
Having the privilege to choose is generally a positive thing. However, when presented with too many options, making the optimal selection becomes a challenging task.
With the immense selection of mobile-based user verification technologies targeted at the financial industry, assembling the identity management puzzle is one of the key decisions that eventually affects not only the security robustness of the organization, but also the end-user’s satisfaction and experience.
Behavioural biometrics, the latest trending topic, have been in the spotlight for the last few months and give financial institutions an opportunity to step up their security level while maintaining their users’ privacy and complying with regulations.
In this article, Roy Dalal, CEO of Verifyoo, will attempt to shed light on the different types of use cases that financial institutions need to consider and the mobile-based product categories that are applicable to each one of the use-cases.
The product categories can be divided into:
1. Passwords:
Passwords are still the go-to solution in many cases, mainly because they support server-side verification, which is required for high-risk transactions.
2. Device Based Biometrics:
Device-based biometrics such as fingerprints or facial recognition provide a frictionless experience but have some major drawbacks: they depend on specific hardware, are bound to the device and do not support server-side verification.
3. Possession Factors:
Possession factors, which do not require the user to memorize passwords and are not hardware dependent, are usually used as a second factor or when authorizing transactions.
4. Behavioural Biometrics:
Behavioural biometrics try to have their cake and eat it too: they use inherent factors that cannot be transferred, while maintaining user privacy.
While passive behavioural biometrics (continuous authentication) can ramp up security without adding any friction for the user, active behavioural biometrics can be a significant game-changer, as they can address security gaps that have not been properly solved or are not addressed at all.
The use-cases for mobile-based verification can be roughly divided into four categories, with ascending risk levels:
Risk level 1:
The user has access to his/her device and wishes to perform an activity that only affects local resources on that specific device, or resources that are not necessarily connected to the financial entity (e.g. an email account).
Typical use-cases are viewing missed calls, sending an email, etc.
With these types of use-cases, the focus is on the user experience and on reducing friction as much as possible; therefore the lock pattern or the built-in mobile biometric capabilities, such as fingerprint or facial recognition, are perfectly sufficient.
Risk level 2:
The user has access to his/her device and wishes to perform a low-risk activity that affects external resources. The best example is when a user wishes to view their bank account or even wire a very small amount of money.
For the medium-risk scenarios, the built-in biometric sensors do the trick and should be sufficient to prevent unauthorized access or fraudulent transactions that are not of very high risk.
Passive behavioural biometrics (continuous authentication) can be deployed as well, to enhance the level of security by adding an invisible layer on top of the session.
Risk level 3:
The user has access to his/her device and wishes to perform a high-risk activity that affects external resources. For example: wiring 50k USD.
For the 3rd risk level, the built-in biometric sensors are not sufficient, because they are only verified locally on the device and do not support server-side verification. As an example, consider an authorized user who has given his/her spouse access to the device via the built-in biometrics; this does not necessarily mean that the spouse should have full access to the authorized user’s bank account. That is why, in most cases, financial entities still require a password for these types of high-risk operations.
This is where innovative companies like Verifyoo come into play, offering an active behavioural-biometric verification solution that provides the inherent factor while maintaining user privacy, and thus supports the server-side verification needed for these types of high-risk use-cases.
As in the medium risk level, continuous authentication can be deployed as an additional security enhancer.
Risk level 4:
The user does not have access to his/her device and wishes to perform a high-risk activity that affects external resources. For example: performing account recovery on a new device after having forgotten the original password.
One of the biggest pains for financial institutions is dealing with these high-risk use-cases where users have no access to their enrolled device; they are the weakest link and attract malicious users attempting account takeover.
Existing solutions include knowledge-based questions (e.g. the name of your first dog) that can easily be bypassed via social engineering, calling the helpdesk (which is expensive to maintain and highly frustrating for the users), or even waiting days or weeks for a new password to arrive in the mail (yes, physical mail, not email).
These are the use-cases where solutions such as Verifyoo really shine, being completely device-agnostic and supporting server-side verification. The user can simply pick up a new device and reclaim their account within seconds.
In these use-cases, continuous authentication is inapplicable since it is bound to a specific device, so verification relies solely on active behavioural biometrics.
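The four risk levels above amount to a step-up authentication policy: which factors a server may accept depends on whether the action touches external resources, how much is at stake, and whether the user still holds the enrolled device. The following Python module is an added illustration of that policy and is not Verifyoo's code or a description of their product; the 10,000 USD cut-off between medium and high risk, the `Factor` names and the `Request` fields are assumptions chosen for the example (the article gives 50k USD as a high-risk transfer but no exact threshold). The key rule it encodes is the spouse scenario from risk level 3: a device-bound factor only tells the server that the device unlocked, not which enrolled person did it, so it cannot satisfy a high-risk or recovery request.

```python
"""Risk-tiered step-up authentication policy (added example, not from the article)."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    DEVICE_LOCK = "lock pattern / PIN, checked on the device"
    DEVICE_BIOMETRIC = "built-in fingerprint or face, checked on the device"
    PASSIVE_BEHAVIOURAL = "continuous authentication, bound to the enrolled device"
    PASSWORD = "password, verified server-side"
    POSSESSION = "possession factor (e.g. OTP token), verified server-side"
    ACTIVE_BEHAVIOURAL = "active behavioural biometrics, verified server-side"


# Factors the server can verify itself, versus factors it only hears about as a
# "the device says the user passed" signal with no proof of *who* passed.
SERVER_VERIFIABLE = {Factor.PASSWORD, Factor.POSSESSION, Factor.ACTIVE_BEHAVIOURAL}
DEVICE_BOUND = set(Factor) - SERVER_VERIFIABLE

# Assumed policy threshold separating medium- from high-risk transfers (USD).
HIGH_RISK_AMOUNT = 10_000.0


@dataclass(frozen=True)
class Request:
    has_enrolled_device: bool         # user holds the device that was enrolled
    affects_external_resources: bool  # touches the bank's systems, not just local data
    amount: float = 0.0               # transfer amount in USD; 0 for non-monetary actions


def risk_level(req: Request) -> int:
    """Map a request onto the article's four ascending risk levels."""
    if not req.has_enrolled_device:
        return 4  # e.g. account recovery from a brand-new phone
    if not req.affects_external_resources:
        return 1  # e.g. viewing missed calls
    if req.amount >= HIGH_RISK_AMOUNT:
        return 3  # e.g. wiring 50k USD
    return 2      # e.g. viewing the balance or a very small transfer


# Any single factor from the set satisfies the level. Passive behavioural
# biometrics are never primary: they only add an invisible layer on top.
# Level 4 deliberately lists no knowledge-based questions, which the article
# describes as easily bypassed via social engineering.
ACCEPTABLE = {
    1: {Factor.DEVICE_LOCK, Factor.DEVICE_BIOMETRIC} | SERVER_VERIFIABLE,
    2: {Factor.DEVICE_BIOMETRIC} | SERVER_VERIFIABLE,
    3: {Factor.PASSWORD, Factor.ACTIVE_BEHAVIOURAL},
    4: {Factor.ACTIVE_BEHAVIOURAL},
}


def evaluate(req: Request, presented: set) -> tuple:
    """Return (authorized, reasons) for the factors presented with a request.

    The reasons list is the audit trail a server would log for the decision.
    """
    level = risk_level(req)
    acceptable = ACCEPTABLE[level]
    reasons = []
    for f in sorted(presented, key=lambda f: f.name):
        if f in acceptable:
            reasons.append(f"accepted {f.name} at risk level {level}")
        elif f in DEVICE_BOUND and level >= 3:
            reasons.append(f"rejected {f.name}: device-bound, server cannot tell "
                           f"which enrolled person unlocked the device")
        elif f is Factor.PASSIVE_BEHAVIOURAL:
            reasons.append(f"ignored {f.name}: enhancer only, not a primary factor")
        else:
            reasons.append(f"rejected {f.name}: not accepted at risk level {level}")
    return bool(presented & acceptable), reasons


if __name__ == "__main__":
    # The spouse scenario: device unlocked by fingerprint, 50k USD transfer requested.
    ok, why = evaluate(Request(True, True, 50_000), {Factor.DEVICE_BIOMETRIC})
    print(ok, why)
    # Account recovery on a new device with a server-verifiable inherent factor.
    ok, why = evaluate(Request(False, True), {Factor.ACTIVE_BEHAVIOURAL})
    print(ok, why)
```

The `reasons` list is worth keeping in a real deployment: when a high-risk request is refused, the log should say that a device-bound factor was presented and ignored, which is the signal an analyst needs to distinguish a confused legitimate user from an attempt to ride a shared or stolen unlocked device into a server-side transaction.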
The account recovery mechanism is, and will continue to be, one of the toughest pitfalls and security threats to deal with. What good is a sophisticated user verification system if all that is needed to crack it is the name of your dog or the name of the city where you were born, personal details that are easily obtainable via social engineering?
Active behavioural biometrics solutions such as Verifyoo aim to close the circuit and plug this gap once and for all.
The author of this article is Mr. Roy Dalal, CEO of Verifyoo, a company on a mission to provide the highest level of user verification while maintaining user privacy.
Roy has previously served as the security lead of a large Enterprise Cyber Security firm as well as having designed and developed operational systems for the IDF.