A new approach to verifying user identity

Sometimes it helps to think differently


Published/updated: January 2015

By Tony Lock

We all know that trying to authenticate our users when they access the companyís IT systems faces one major challenge that has so far outstripped the ability of nearly all security technologies. Thatís user acceptance. More accurately it is the refusal of most workers to Ďput up withí any security solution they see as getting in their way. This applies no matter how important the system is to your business or how sensitive the data it holds.

If your user thinks the authentication mechanism is clumsy, takes too long or involves them having to do more than type a six-letter password that they donít have to change more than once a month, they complain. Even worse, they look for ways to get around it. This is why, for example, the use of multifactor authentication solutions has not been as rapid as most of us would have liked.

To tackle this problem over the years IT vendors have looked at many different approaches to make signing into systems more secure without raising the hackles of your user community.

Biometrics have been around for some time and, to be fair, the take up of fingerprint authentication has been growing quite quickly in the consumer space, but for a number of reasons it hasnít really set the business world on fire. So what other options are there?

Well a few vendors have started to look at the problem a little differently, using identity verification techniques based on looking at user behaviour. An approach that has been developing rapidly in recent years is based on capturing a pattern of how users, or indeed customers, interact with the devices they use. This could include the way they type, the speed they type at, words they typically mistype, how they navigate their desktop, which shortcuts they employ, and so on. The idea is that if an imposter gets past the traditional login process (e.g. with stolen credentials), a pattern mismatch will be detected extremely quickly and appropriate action taken Ė lock out, admin alerts, etc.

A company I recently met with, BehavioSec, has extended this approach to work not just on traditional PCs with keyboards, but to also to take in how a user works on tablets and smartphones where touch technologies are in play. It claims that its solutions have now matured to the degree where you can achieve very, very high rates of authentication accuracy, with remarkably low Ďfalse-negativesí. More importantly, the users are unaware of the added security being employed when they work normally, thus overcoming the user resistance challenge.

BehavioSec tells me that it typically requires monitoring 6 to 10 sessions of a user working with an application to get a good pattern match. This is clearly a non-trivial requirement compared to the traditional creation of an account and password, but the benefits thereafter, in terms of both enhanced security and user satisfaction, could well be valuable enough to justify the up-front time and effort.

The password isnít dead yet, alas, but itís encouraging to see new approaches and solutions emerging to help you strike the right balance between security and usability.




Featured Content