SecurityWeek

Passive Behavioral Authentication Startup UnifyID Emerges from Stealth

UnifyID Uses Machine Learning and Behavioral Characteristics to Authenticate Users

The problem with passwords is not the theory but the practice. The need for complex passwords for every different account, and common user reluctance to employ them is known as user friction. Because of this friction users choose weak memorable passwords and use them in multiple places, while websites cut corners in storing them securely. Any successful replacement for password authentication will need to solve this problem of user friction.

The current primary options are either biometrics or passive behavioral analytics — or a combination of both. Each approach has its own characteristics. Biometrics (such as fingerprint, voice or facial scan) require a scanning device (usually a smartphone) but do not generally require continuous monitoring. This makes them suitable for relationships that are infrequent and not continuous — such as payments and electronic banking. Indeed, in recent months MasterCard has announced facial recognition user authentication, while Barclays bank has opted for voice authentication.

Corporates are different — employees tend to be logged on for hours at a time. Without the option for continuous monitoring or occasional rescanning, both passwords and biometrics merely authenticate the person who originally logged on, not the person who is currently using the device. In a corporate environment, storing employees’ biometric data could also raise some privacy concerns. For this reason corporates are increasingly investigating passive behavioral analytics for continuous authentication of the person using the device.

So far, most behavioral analytics have been added to existing authentication products from existing authentication providers. These include relatively simple aspects such as IP address, geolocation, time, etc.

Today, however, a new vendor dedicated solely to user authentication by passive behavioral analytics has emerged from stealth mode. UnifyID uses machine learning to analyze a range of behavioral characteristics, combining unique behavioral qualities from a number of different user actions. Together these currently authenticate an individual with a claimed accuracy of 99.999%. Even greater accuracy is possible by adding additional behaviors.

John Whaley, CEO of UnifyID, told SecurityWeek that there are around 100 different behaviors that could be used for authentication. Many of these can be detected by the sensors built into modern smartphones, including, for example, how you walk (your gait). “We can detect a user,” said Whaley, “with just four seconds of data collected from a smartphone in a pocket.”

Of course, this single behavioral characteristic would not be enough to reliably authenticate an individual user. All behaviors come with ‘noise’. In this instance the user could temporarily walk with a limp, or have new shoes causing a blister. However, Whaley found that when machine learning is used to reduce the noise and to combine multiple behavioral factors, the result is remarkably accurate. He calls this ‘implicit authentication’ to differentiate it from the explicit authentication of passwords or biometrics.
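The noise-and-combination argument above can be made concrete with a small score-fusion sketch. This is an added example, not UnifyID's algorithm (which the article does not describe): the Gaussian per-factor model, the factor names, the profile values, `FLOOR` and `THRESHOLD` are all assumptions constructed for illustration.

```python
import math

# Constructed enrollment data: per factor, (user mean, user std) and
# (population mean, population std). Illustrative values, not real measurements.
PROFILE = {
    "gait_cadence_hz": ((1.85, 0.05), (1.90, 0.20)),
    "key_dwell_ms":    ((95.0, 8.0), (110.0, 25.0)),
    "key_flight_ms":   ((140.0, 12.0), (180.0, 50.0)),
}
FLOOR = -1.0      # worst evidence one factor may contribute (bounds the effect of noise)
THRESHOLD = 1.75  # fused evidence needed to keep the session authenticated

def log_gauss(x, mean, std):
    """Log density of a normal distribution at x."""
    return -0.5 * ((x - mean) / std) ** 2 - math.log(std * math.sqrt(2 * math.pi))

def factor_llr(name, x):
    """Log-likelihood ratio 'enrolled user' vs 'anyone else' for one factor."""
    (u_mean, u_std), (p_mean, p_std) = PROFILE[name]
    llr = log_gauss(x, u_mean, u_std) - log_gauss(x, p_mean, p_std)
    return max(FLOOR, llr)  # a limp or a blister cannot sink the whole score

def fused_score(observation):
    """Sum the evidence of every observed factor; missing factors add nothing."""
    return sum(factor_llr(n, x) for n, x in observation.items() if n in PROFILE)

def is_authenticated(observation):
    return fused_score(observation) >= THRESHOLD

# Constructed observations for the enrolled user and for someone else.
TYPICAL   = {"gait_cadence_hz": 1.85, "key_dwell_ms": 95.0, "key_flight_ms": 140.0}
LIMPING   = {"gait_cadence_hz": 2.10, "key_dwell_ms": 95.0, "key_flight_ms": 140.0}
GAIT_ONLY = {"gait_cadence_hz": 1.85}
IMPOSTOR  = {"gait_cadence_hz": 1.95, "key_dwell_ms": 120.0, "key_flight_ms": 200.0}

if __name__ == "__main__":
    for label, obs in [("typical", TYPICAL), ("limping", LIMPING),
                       ("gait only", GAIT_ONLY), ("impostor", IMPOSTOR)]:
        print(f"{label:10s} score={fused_score(obs):6.2f} ok={is_authenticated(obs)}")
```

The floor is the trade-off to review in any such design: it keeps a genuine user with one noisy factor logged in, but it also limits how much a single badly mismatched factor can count against an impostor who matches the others.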

“We use the accelerometer, gyroscope, and magnetometer sensors on your phone in your pocket,” Whaley explained to SecurityWeek. “The way you sit is actually very unique to you and depends on factors like the length of your femur, muscle memory, culture you grew up in, gender, etc. We use signal processing and sensor fusion to combine multiple signals into a set of attributes that expose the unique aspects of each individual.”

[Figure: Posture Biometrics chart]

Where the user is static at a desktop computer, one of the strongest behaviors is typing; not what is typed, but how it is typed. In fact, UnifyID originally grew from studies in this area. In 2014 Whaley and colleagues demonstrated that by capturing encrypted packets they could determine the timing of keystrokes and discover what was actually typed before it was encrypted.

“People were impressed by the demo,” he writes in a new blog post, “but ultimately the interesting and challenging part was the fact that each individual had his or her own unique way of typing. In fact, after we saw you type around four sentences of text, we could uniquely identify you.”

What is really attractive about this new approach to authentication is that it requires no effort from the user at all — that is, it has zero user friction. Whaley told SecurityWeek that it would take about four weeks for a new employee to be ‘onboarded’ with his user profile (because it would include geo/timing aspects, such as where a user is likely to be at any given time or day of the week).

Nevertheless, the reality is that behavioral analytics requires the collection of personal data; and this is always a tricky concept. Whaley’s approach is to be transparent and give the user as much control as possible. For example, if an individual user is unhappy about a specific personal trait being used, that user can remove that trait from the profile. Furthermore, if the user moves to a new company, he can personally eliminate his profile before he leaves.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
