
Passive Behavioral Authentication Startup UnifyID Emerges from Stealth

UnifyID Uses Machine Learning and Behavioral Characteristics to Authenticate Users

The problem with passwords is not the theory but the practice. The need for complex passwords for every different account, and common user reluctance to employ them, is known as user friction. Because of this friction, users choose weak, memorable passwords and use them in multiple places, while websites cut corners in storing them securely. Any successful replacement for password authentication will need to solve this problem of user friction.

The current primary options are either biometrics or passive behavioral analytics -- or a combination of both. Each approach has its own characteristics. Biometrics (such as fingerprint, voice or facial scan) require a scanning device (usually a smartphone) but do not generally require continuous monitoring. This makes them suitable for relationships that are infrequent and not continuous -- such as payments and electronic banking. Indeed, in recent months MasterCard has announced facial recognition user authentication, while Barclays bank has opted for voice authentication.

Corporates are different -- employees tend to be logged on for hours at a time. Without the option for continuous monitoring or occasional rescanning, both passwords and biometrics merely authenticate the person who originally logged on, not the person who is currently using the device. In a corporate environment, storing employees' biometric data could also raise some privacy concerns. For this reason corporates are increasingly investigating passive behavioral analytics for continuous authentication of the person using the device.

So far, most behavioral analytics have been added to existing authentication products from existing authentication providers. These include relatively simple aspects such as IP address, geolocation, time, etc.

Today, however, a new vendor dedicated solely to user authentication by passive behavioral analytics has emerged from stealth mode. UnifyID uses machine learning to analyze a range of behavioral characteristics, combining unique behavioral qualities from a number of different user actions to authenticate an individual with a claimed accuracy of 99.999%. Even greater accuracy is possible by adding additional behaviors.

John Whaley, CEO of UnifyID, told SecurityWeek that there are around 100 different behaviors that could be used for authentication. Many of these can be detected by the sensors built into modern smartphones, including, for example, how you walk (your gait). "We can detect a user," said Whaley, "with just four seconds of data collected from a smartphone in a pocket."

Of course, this single behavioral characteristic would not be enough to reliably authenticate an individual user. All behaviors come with 'noise'. In this instance the user could temporarily walk with a limp, or have new shoes causing a blister. However, Whaley found that when machine learning is used to reduce the noise and to combine multiple behavioral factors, the result is remarkably accurate. He calls this 'implicit authentication' to differentiate it from the explicit authentication of passwords or biometrics.

"We use the accelerometer, gyroscope, and magnetometer sensors on your phone in your pocket," Whaley explained to SecurityWeek. "The way you sit is actually very unique to you and depends on factors like the length of your femur, muscle memory, culture you grew up in, gender, etc. We use signal processing and sensor fusion to combine multiple signals into a set of attributes that expose the unique aspects of each individual."

[Figure: Posture Biometrics chart]

Where the user is static at a desktop computer, one of the strongest behaviors is typing; not what is typed, but how it is typed. In fact, UnifyID originally grew from studies in this area. In 2014 Whaley and colleagues demonstrated that by capturing encrypted packets they could determine the timing of keystrokes and discover what was actually typed before it was encrypted.

"People were impressed by the demo," he writes in a new blog post, "but ultimately the interesting and challenging part was the fact that each individual had his or her own unique way of typing. In fact, after we saw you type around four sentences of text, we could uniquely identify you."

What is really attractive about this new approach to authentication is that it requires no effort from the user at all -- that is, it has zero user friction. Whaley told SecurityWeek that it would take about four weeks for a new employee to be 'onboarded' with his user profile (because it would include geo/timing aspects; such as where a user is likely to be at any given time or day of the week).

Nevertheless, the reality is that behavioral analytics requires the collection of personal data; and this is always a tricky concept. Whaley's approach is to be transparent and give the user as much control as possible. For example, if an individual user is unhappy about a specific personal trait being used, that user can remove that trait from the profile. Furthermore, if the user moves to a new company, he can personally eliminate his profile before he leaves.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.