There’s a vision of a future where employees and customers don’t even have to enter a password and if they do it can be a simple one – password1234. These people envision a world of adaptive authentication. These systems take multiple attributes — IP address, geo-location of mobile device, time of accessing data, etc. – and then make a decision on whether or not to enable access.
Adding a layer that would measure individuals keystrokes or mouse movements would make adaptive authentication potentially even more powerful. These behavioral biometrics can also address the problem that once an individual is logged on, enterprises need to make sure that the authorized individual is still the one accessing information.
SecureAuth Corp. has introduced behavioral biometrics to its flagship access control system, giving customers another tool to make sure only those authorized can access information, says Stephen Cox, chief security architect at the company. The keystroke and gesture biometrics record a user’s behavior in the background and then can be used to determine access and also be checked at various point during a session to validate an identity.
“Then if something looks fishy we can ask to step up the authentication or kill the session,” Cox adds. Step-up authentication options include text messages, phone call or use of a mobile app.
Enrollment in the system happens in the background during 10 login sessions but it can also be set up to do continuous learning, Cox says. After that the system has enough information to create a profile and make decisions. For keystrokes the system measure the timing of the pressing and depressing of the keys as well as flight time between keys. Gesture biometrics with the mouse measures acceleration and deceleration of the movement as well as if you click right on a button or circle it first.
The system also works on mobile devices using the accelerometer and gyroscope on the mobile devices as well as the keyboard and other movements, Cox explains. “We have 98% accuracy even with four digit PINs,” he adds.
Financial services companies have been using these types of gesture biometrics for customers but SecureAuth is looking to bring it to the enterprise for employee access, Cox says.
Along with using behavioral biometric technology to determine risk, SecureAuth IdP also uses device recognition, IP reputation, directory lookup, geo-location and geo-velocity.
Other product features include:
- A tailored login process/authentication workflow: Depending on needs, organizations can adjust security requirements for different groups of users – for example, system admins may have more stringent authentication requirements than the sales or finance teams
- Improved usability and overall efficiency: Both now and in the future, IdP only requires multi-factor authentication when risk factors are present, such as a mismatched behavioral profile
- Multiple authentication methods to match use cases: SecureAuth IdP offers more than 20 authentication methods ranging from SMS, telephony, and e-mail one-time passwords (OTPs) to push notifications
- Single sign-on convenience: SecureAuth IdP supports any device, any identity type, any VPN, any identity store and any application
- Self-service features, leading to reduced costs: Users manage their own accounts, and can reset their personal profiles without having call the IT help desk