In our first post of this series we covered how the “more is better” approach can benefit access control systems, but developing a robust multi-factor authentication or access control system, say for continuous authentication, requires overcoming certain limitations in fusing identity data.
Let’s set practical matters aside for a moment. Developing a robust multi-factor authentication or access control systems requires us to address some problematic conceptual issues – issues that provide ample opportunities and vehicles for improving security in access control systems.
The use of behavioral biometrics can help surmount these two primary security challenges, but successful implementation requires – you guessed it – intelligent fusion.
Security Challenge #1: Replacing proxies of the user with real aspects of the user.
How do we replace what, in the past, were proxies of the user, with real aspects of the user? Traditionally, authentication is thought of in the form of three questions:
- What do you have? (key, access card)
- What do you know? (Password, answer to security question)
- What physical feature are you? (fingerprint, iris, face)
Answers to this last question cover what you are in the sense of what you look like, but traditional biometric modalities fall short of providing a full response to what we are (admittedly a complex question). So, we took the liberty to modernize the traditional approach and pose a fourth question: What do you do? Enter behavioral biometrics.
Why Behavioral Biometrics?
The advantage of behavioral biometrics is that the user doesn’t need to remember anything, and doesn’t need to interrupt what they are doing to authenticate (e.g. present a fingerprint). Their very activity is their authentication. In the case of operating a computer system, the activity matchers are fairly obvious, including keyboard-based and mouse-based approaches that run continuously and report the authentication scores to the system.
Security Challenge #2: Maximizing value from available identity data.
Secondly, how do we bolster behavioral biometrics? At times, behavioral matchers can misbehave. Performance can be inconsistent, specifically when matchers return unusually low scores for an authorized user. And so, we ask what at first may seem like an odd question – Can activity that, while itself does not constitute a biometric modality, enhance the accuracy of matchers? (Hint: If the answer were “no” I wouldn’t be so excited about my job!) Why yes, yes it can.
Why Behavioral Biometrics?
In the realm of multimodal authentication, the viability of fusing an assortment of biometric identifiers to authenticate a user over time – for example let’s just consider computer-based behavioral biometrics such as keyboard activity, mouse activity, file access habits, etc. – has already been established, but room for improvement still exists. And it exists not just with respect to the design of matchers, but also in considering how a multifactor system can incorporate key user activity and environmental factors into the overall data fusion process, in order to enhance overall identity fidelity and ensure optimal access control.
Stay tuned for my third and fourth posts, which will detail exactly how Novetta approached this problem and the mechanisms we identified to create a smarter, more robust fusion process that supports the inclusion of behavioral biometrics in multi-factor authentication systems.