This document discusses behavioral biometrics and how it can be used to balance security and usability. It describes how behavioral biometrics works by analyzing a user's interactions such as touch pressure and angle when using a device. This data is then used to continuously authenticate users. The document outlines two main solutions - one for desktop that monitors mouse and keyboard input, and one for web and mobile that adds small code to analyze interactions without requiring a client install. Potential applications discussed include use in enterprises, for social media platforms to prevent account hijacking, and for mobile devices to add biometric locks without extra hardware. Demos of behavioral biometric solutions for web and mobile are also referenced.

1. Behavioral Biometrics
Balancing Security with Usability
Neil Costigan

2. Aiming to solve
 We aim to increase IT &
mobile security in a cost-
effective, transparent, and user
friendly fashion.
 “The idea -- and I think this is a
good one -- is that the
computer can continuously
authenticate people, and not
just authenticate them once
when they first start using their
computers.”
- Bruce Schneier
Schneier on Security A blog covering security and security technology.

3. BehavioSec. Overview.
 Swedish IT-Start-up. Luleå (R&D) & Stockholm (Commercial)
 Backed by Conor Ventures (Finland) and consortium of regional
agencies.
 Patented technology.
 Sales agents in US & Germany
 Product exists with high value paying customers TODAY.
Core position is
 Behaviour biometric for financial institution's web & mobile apps.
 Actively being pursued by handset manufacturers for differentiator.
 Success with US DARPA for desktop security add-on
Recent news
 Gartner „cool vendor 2012‟
 Finnovate „best in show‟ SF May 2012

4. So what are we looking at ?
How the user interacts with device, browser or computer

5. How does it work
Touch
Key
Angle
Sequence
Touch
Pressure
Key
Flight
Key
Press Touch
Swipe
Touch
Quotient
”Press” ”Flight” ”Sequence”

6. Two distinct solutions
 Desktop
 Akin to an anti-virus solution.
 Sits transparently behind desktop
 Monitors ALL interaction. Both mouse and keyboard.
 Taking action if it detects abnormal behaviour.
 DARPA DoD desktop
 Web & Mobile. Help detect online fraud.
 No client install. Small code added to web forms or Apps
 Processed server side. (internal or cloud)
 Transparent customer experience.
 Adds to RISK scoring on a transaction.
 Allows for Forensics.

7. DARPA
 US Defense Advanced Research Projects Agency
 Fund „Moon shots‟
 Next generation DoD workstation security
 Active Authentication
 Transparent. Out of the hands of the end-user.
 Today US DoD. Tomorrow mainstream.
 A tool for all enterprise security desktops &
professionals
 We have success with multi-year research contact.

8. BehavioWeb & Mobile
 Suitable for all web & mobile access where
identity and user verification is valuable
 Banking & Payment industry tend to be early
adopter's
 Social Media has urgent need
 Access portals (email, SharePoint's, cloud,
etc)
 Government & Education
 Future is embedded into devices &
infrastructure so handset manufactures are
long term target

9. Web Architecture
Back Office
Client
BehavioStat
Web
Services
Timing
JSON
Database
Web Business Management
Server Logic Dashboard
Management

10. Mobile biometric security for
enterprise
“The need to provide a workable user experience that is consistent across
multiple endpoints (including PCs, tablets and smartphones) has become
one of the key considerations for any enterprise authentication
implementation, including those using biometric identification methods.”
- Ant Allen. Gartner. Predicts 2012: A Maturing Competitive Landscape Brings New identity and access Management (IAM) Opportunities. Nov
2011.
“Strategic Planning Assumptions
By 2015, 30% of users accessing enterprise networks or high-value Web
applications from smartphones or tablets will use biometric authentication.”

11. For social media&cloud services
Enhance social media platforms such as Facebook,
Linkedin etc. or cloud services (email, skydrives) with
transparent usable security.
 To prevent account hijacking (ie facerape).
 To strengthen the brand as a safe place to play.
 To increase usage of mobile clients as safe access
devices regardless of their vulnerabilities.
 To enable the social media platform to be a trusted
source of identity for higher value services such as
banking and payments.

12. Technical problem ?
 Currently the de-facto authentication to all social media
platforms or cloud services is via user/password.
 The username usually being email and a password
being selected by the user.
 Typically no „hard password‟ rules.
 While this is in the lower spectrum of authentication
techniques it has the benefit of being perceived as user
friendly and is good for reflex typing.

13. Technical solution..
By transparently, and with little overhead, analyze the
customers‟ interaction with the social media site or mobile
client then using this behavior to help continuously, and in
real-time, verify their identity.
 Use of client side JavaScript or a mobile SDK enables
the capture of user interaction.
 Server-side analysis compares to the users historic
behavioral fingerprint.
 Augments or replaces captcha, device identity and geo-
location.
 Safe biometrics.

14. Benefits
 Without making security over complex and less user
friendly the social media platform can increase user trust
while protecting the trusted brand.
 Utilize this trusted authentication to upsell identity
services to high-value 3rd parties such as financial
institutions, payments, gaming, who have traditionally
shyed away voicing security and fraud concerns.
 Improved targetability for ad-networks.

15. Mobile biometric security for
enterprise
“The need to provide a workable user experience that is consistent across
multiple endpoints (including PCs, tablets and smartphones) has become
one of the key considerations for any enterprise authentication
implementation, including those using biometric identification methods.”
- Ant Allen. Gartner. Predicts 2012: A Maturing Competitive Landscape Brings New identity and access Management (IAM) Opportunities. Nov
2011.
“Strategic Planning Assumptions
By 2015, 30% of users accessing enterprise networks or high-value Web
applications from smartphones or tablets will use biometric authentication.”

16. Match-in-net for mobile apps
App Fields
Backend Score  SDK for App developers to
get Behaviometric data from
iPhone or Android.
 Rich behaviour monitoring if
platform allows (Android).
 Keystroke timings from
native keyboard.
 Integrated to BehavioWeb
for back-end risk based
authentication.

17. Match-on-device for smart phones
 Extended
authentication methods
for BYOD.
 Secure mobile devices.
 A Biometric lock without
extra hardware.
 Looks at how the user
types or swipes a PIN
code.
 Allows or denies
access to phone or
specific applications

18. Demos - Web
Available online :http://cloud.behaviosec.com/BehavioWebDemo
Sample Application:
 Scenario simulates a transaction that contains commonly
used fields such as name, email and password.
 Added behavioural biometrics
 Can see scores in real-time and management console
http://cloud.behaviosec.com/BehavioWebDashboard/

19. Demos - Mobile
http://www.behaviosec.com/mobile-demonstration-video/
Apps in all app stores (Apple, Google, WindowsMobile)
Example : Available in Samsung App store:
Behavio AppGuard
 BYOD for sensitive apps
 Add biometrics to app access
 Typing or swiping authentication
 Five tries before locking the app
 30 second cool down