Behavioral Biometric Systems: Privacy-Friendly, Less Risky, More Compliant, and More Secure

Many organizations depend on digital services and data to run daily operations, and protecting the privacy of critical data and information systems is now a routine part of doing business. Many of them rely on traditional biometrics to verify users' identities before granting access to digital assets. Traditional biometrics, however, create lasting privacy problems if the stored data is stolen, and the traits they measure can be spoofed, which puts the organization at risk of compromise. Behavioral biometrics, by contrast, rely on data that cannot be replayed as a credential elsewhere, and they also support continuous authentication.

Privacy Concerns of Traditional Biometrics

Most companies regard traditional biometrics as a secure method to protect data and systems. However, traditional biometric authentication has several important shortcomings. These include:

Risk of Serious Consequences from Biometric Data Theft

Traditional biometric tools like facial recognition, iris scanning and fingerprint scanning store a representation of a physical trait that points directly to a person in the real world, and a stolen copy can be reused wherever that same trait is accepted. Organizations relying on these tools therefore take on the risk that comes with collecting and storing this kind of data, and employees affected by a breach can be affected for life, since fingerprints and faces are unique to their owner and cannot be reissued the way a password or token can. This risk alone has significantly slowed the adoption of traditional biometric technologies, because business leadership and rank-and-file employees alike tend to be uncomfortable with it.

Risk of Compromise Due to Spoofing

Traditional biometric tools rely on physical characteristics; what they store amounts to an image or description of some part of the legitimate user's body. Because they compare a presented physical structure (such as a fingerprint) against that stored description, they can be defeated by presenting an accurate copy of the original fingerprint or face. Doing this with fingerprints is well documented (many videos online show a scanner being defeated in minutes with a lifted print), and while doing it with faces or irises is harder, it is certainly not impossible for a dedicated attacker with a clear motive and target. Liveness checks raise the cost of such attacks but do not change the underlying problem: the trait being copied cannot be replaced once it has been copied. Biometric spoofing leads to unauthorized access to sensitive information and creates an incentive to steal biometric data in the first place, which is exactly why users are most concerned about traditional biometrics.

Privacy Benefits of Behavioral Biometrics

Given these concerns, organizations are increasingly adopting newer behavioral-biometric technologies in place of traditional biometrics for authentication. Behavioral-biometric solutions offer several key benefits.

Behavioral Biometrics are Privacy-Safe and Compromise-Resistant

Behavioral-biometric tools rely not on physical anatomy but on how users behave over time (seconds in human terms, an eternity in computer terms) to identify them. The stored profile does not represent the user's physical traits, which could be duplicated and reused, but is a record of subtle movement patterns and tendencies, such as keystroke and pointer timing. The data is numeric and non-descriptive; on its own it does not point to a real-world identity the way a face or fingerprint does. Because behavioral biometrics rely on machine learning, user profiles evolve as each user's subtle behavioral patterns change with time. Behavioral-biometric data is thus of limited to no value to an attacker even if compromised: it does not clearly "describe" any real person, it is generally applicable only to the systems and tools a user regularly employs and is meaningless elsewhere, and it is dynamic rather than static, "expiring" relatively quickly compared to a traditional biometric such as a fingerprint.

Behavioral-biometric Systems Are Less Vulnerable than MFA

Multi-factor authentication (MFA) was once the game-changer in authentication; behavioral biometrics is the next one. MFA provided an "out-of-band" way to confirm that a username and password combination was likely being entered by the authorized user rather than by someone holding stolen credentials. That's great. But as MFA enhances security, it also degrades the user experience in significant ways. Time-based one-time password (TOTP) codes are cumbersome and tend to get lost (and generate helpdesk tickets) when a device is replaced. Text message (SMS) codes are equally cumbersome and rely on the antiquated and insecure SMS infrastructure for delivery, where codes can be intercepted or redirected. Hardware tokens have to be small to be manageable but, as a result, are easy to lose, steal or leave behind. Personal knowledge questions are privacy-intrusive, and attackers can often find the answers. In every case, helpdesk load (best case) or a privacy breach (worst case) is part of the equation. None of these limitations applies to behavioral biometrics, which require no code to be typed, no device to be carried and no secret to be remembered.

Behavioral-biometric Systems Offer Continuous Authentication

Because behavioral-biometric systems rely on subtle observations of how users behave while doing normal work, they do not require the user to take steps that interrupt that work: no placing fingers on scanners, no positioning faces for cameras and no re-typing codes from a screen. And because the authentication is driven by regular work and happens as work happens, it can occur at any time and any number of times in an hour or a day, or even continuously, as is the case with Plurilock DEFEND. The ability to re-verify the user's identity at every moment of the day is a powerful shift in identity and access management (IAM): away from the need to trust something, whether a password, a hard token or a TOTP code, and away from the need to trust the integrity of a logon event that may have happened minutes or hours ago. Instead, behavioral biometrics pave the way toward true zero trust, in which access rests on current evidence that the person working right now is the authorized user rather than on a single past authentication.
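As an added example (not Plurilock's code and not DEFEND's algorithm), the Python sketch below shows what the "numeric, non-descriptive" profile described two sections above looks like for keystroke dynamics, and how the continuous, windowed re-verification described in this section can be scored while the user keeps working. The event format, feature names, window size, threshold and the seeded synthetic typing sessions are all assumptions constructed for illustration; a real product uses far richer signals and tuned thresholds.

```python
"""Keystroke-dynamics profile with continuous, windowed scoring.
Added illustration, not Plurilock's code. All timings are constructed with a
seeded RNG; the window size and threshold are assumptions, not product values.
"""
import random
import statistics
from collections import defaultdict

# Constructed text that every synthetic session "types".
TEXT = "the quick brown fox jumps over the lazy dog " * 2


def extract_features(events):
    """events: list of (key, press_ms, release_ms) in typing order.
    Returns (feature_name, value) pairs: dwell per key and flight time per
    key pair (next press minus this release). The values are bare numbers;
    nothing in them describes the person's body."""
    feats = []
    for i, (key, press, release) in enumerate(events):
        feats.append((f"dwell:{key}", release - press))
        if i + 1 < len(events):
            next_key, next_press, _ = events[i + 1]
            feats.append((f"flight:{key}{next_key}", next_press - release))
    return feats


class BehaviorProfile:
    """Per-feature running mean and variance (Welford's method). The stored
    'template' is a table of timing statistics that drifts as it is updated,
    not a static image of a fingerprint or face."""

    def __init__(self):
        self.n = defaultdict(int)
        self.mean = defaultdict(float)
        self.m2 = defaultdict(float)

    def update(self, feats):
        for name, x in feats:
            self.n[name] += 1
            delta = x - self.mean[name]
            self.mean[name] += delta / self.n[name]
            self.m2[name] += delta * (x - self.mean[name])

    def std(self, name):
        if self.n[name] < 2:
            return None  # not enough samples yet
        return max((self.m2[name] / (self.n[name] - 1)) ** 0.5, 1.0)  # floor 1 ms

    def score(self, feats):
        """Mean absolute z-score over features the profile already knows;
        lower means more like the enrolled user. None if nothing is known."""
        zs = [abs(x - self.mean[name]) / self.std(name)
              for name, x in feats if self.std(name) is not None]
        return statistics.fmean(zs) if zs else None

    def avg_dwell_mean(self):
        """Average of the stored per-key dwell means; used to observe drift."""
        return statistics.fmean([v for k, v in self.mean.items() if k.startswith("dwell:")])


def continuous_auth(profile, events, window=8, threshold=2.5, adapt=True):
    """Score the event stream window by window, as a background agent would
    while the user works. Returns (score, accepted) per window. Only accepted
    windows feed back into the profile, so a rejected impostor cannot retrain
    it toward their own behaviour."""
    results = []
    for start in range(0, len(events) - window + 1, window):
        feats = extract_features(events[start:start + window])
        s = profile.score(feats)
        accepted = s is not None and s < threshold
        if accepted and adapt:
            profile.update(feats)
        results.append((None if s is None else round(s, 2), accepted))
    return results


def synth_session(text, dwell_mean, flight_mean, jitter, rng):
    """Constructed typing session: dwell and flight times (ms) drawn around the
    given means with Gaussian jitter, floored at 20 ms."""
    events, t = [], 0.0
    for ch in text:
        dwell = max(20.0, rng.gauss(dwell_mean, jitter))
        events.append((ch, t, t + dwell))
        t += dwell + max(20.0, rng.gauss(flight_mean, jitter))
    return events


def demo(seed=7):
    """Enroll a constructed user over five sessions, then score: the same
    user, the same user typing a little slower (drift), and an impostor."""
    rng = random.Random(seed)
    profile = BehaviorProfile()
    for _ in range(5):
        profile.update(extract_features(synth_session(TEXT, 90, 120, 15, rng)))
    same = continuous_auth(profile, synth_session(TEXT, 90, 120, 15, rng))
    before = profile.avg_dwell_mean()
    drift = continuous_auth(profile, synth_session(TEXT, 110, 120, 15, rng))
    shift = profile.avg_dwell_mean() - before  # accepted windows moved the profile
    impostor = continuous_auth(profile, synth_session(TEXT, 160, 260, 15, rng))
    return {"same": same, "drift": drift, "impostor": impostor,
            "drift_shift_ms": round(shift, 1)}


if __name__ == "__main__":
    print(demo())
```

Two points to notice. The profile contains only per-feature timing means and variances, nothing that reproduces a body part, and it keeps moving as accepted windows are folded in, which is the "expiring" property the article describes. And adaptation is gated on acceptance: a session that scores as an impostor is rejected without touching the profile, so an attacker cannot slowly train the profile toward their own typing. A deployment would tune the threshold against measured false-accept and false-reject rates rather than the fixed value used here.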

How Behavioral Biometrics Complement Compliance Requirements

Behavioral biometrics provide novel capabilities, mitigations and compensating controls for companies struggling with compliance, particularly in the post-COVID era. This goes well beyond alignment with standards and guidance such as NIST's zero trust architecture publications; for example, many organizations lost their physical security controls with the shift to remote work and have struggled to reconstruct them. Because behavioral biometrics are both biometric-strength and continuous during work, they can serve as a compensating control for physical security requirements, such as assurance that only the authorized person is at the keyboard.

Other organizations have struggled to achieve compliance for legacy systems, because these systems were not designed to interact with modern standards like OIDC or SAML and offer no clear path to common requirements such as MFA. Because behavioral biometrics have no intrinsic need to know about or interact with login workflows of any kind, and because they operate continuously, they are often implemented as a background agent in the running environment. That means they can run alongside legacy software and provide an ongoing second factor without custom development or shoestring kludges, while providing increased security relative to the MFA incumbents described above.

Conclusion

The cyber threat landscape is evolving almost as rapidly as the privacy and compliance landscape, and both present ongoing challenges that have proven difficult to solve with last-generation solutions and technology. Behavioral-biometric solutions like Plurilock DEFEND are the next-generation answer: significantly increased protection against compromise and breach while mitigating privacy, usability, productivity and integration-cost concerns, and paving the way toward a future in which zero trust is finally a reality.
