My first post discussed why using more factors or identifiers for authentication is better, but is relying on more factors also a smarter approach? Identity proxies like passwords can be stolen, and so can ID cards. But, try stealing behavior. Yes, behavior – and I’m not talking about annoying mannerisms like laughing at your own jokes, but rather your routine habits, such as typing.
My second post touched on the conceptual security benefits offered by the incorporation of behavioral biometrics. Let’s now dive into some particular examples of how fusion can alternatively limit or enhance the utility of behavioral biometrics in creating a more robust access control system.
The Challenge: Smarter Systems Require Smarter Fusion
Consider typing on a micro-second scale: while, to the human ear, everyone sounds the same when they type, on a micro-second scale there are quite a bit of unique and measurable differences between individuals. These are differences that a computer can be taught to detect, but which are nearly impossible for another human to detect or replicate. Incorporating this kind of distinctive and hard-to-steal identifier into an authentication system would be smart. Right?
However, access control systems need to be able to recognize and account for those 3 major factors mentioned in my first post that conventional fusion methods usually fail to address:
- Environmental Factors
For example, keystroke matchers – they should work with all sorts of typing right? Not so much! It may make intuitive sense to design and train a keystroke matcher based on a set of coherent, full-length English language sentences (and yes, language does matter due to specific character-to-character timings which form the basis for conventional keyboard matchers!). However, daily life and normal use cases for typing interfere with this planned concept of operations, in ways that correspond to the three issues noted above.
Common Points of Failure in “non-Intelligent” Fusion Schemes
- Accuracy – Taken at a high level, numerous factors can impact the accuracy of a single keystroke matcher; language, unique user traits, correlations and environmental factors detailed below, as well as others. A smart fusion system must be able to recognize the accuracy of a keystroke matcher and understand how that accuracy compares to other available identity information (whether other biometric modalities or identity proxies).
- Correlations – A computer user naturally shifts between keyboard and other input control mechanisms, such as a mouse or touchpad. A person using a mouse is unlikely to simultaneously generate a high volume of keyboard data. Therefore, a smart fusion system needs to consider whether and in what ratio keyboard data is generated compared to other input mechanisms. The user’s simultaneous engagement with other behavioral sensors may impact the reliability and utility we can derive from keystroke data during a given period.
- Environmental Factors – It’s obvious that users aren’t always using their system to compose emails or the next great novel; often enough, they’re using the keyboard to fill out forms for a new credit card, complete financial work-ups in Excel, or even play the occasional video game. Keystroke matchers weren’t designed to analyze all these varied types of activities with perfect accuracy, so a smart fusion system needs to know when to take the matcher seriously and when not to take it seriously, based on the parameters of the operational environment – i.e. what program is open when typing occurs.
My fourth and final post will detail exactly how Novetta approaches this problem with respect to a behavioral keystroke matcher, providing a discreet example of how fusion can be made smarter and more aware of crucial user and environmental aspects. Multiplying this “intelligent” fusion effort across components of a multi-factor authentication system offers unique opportunities to enhance the overall performance of access control systems.
Blog Series: Improving Multi-Modal Authentication