This document discusses behavioral biometrics and how it can be used to balance security and usability. It describes how behavioral biometrics works by analyzing a user's interactions such as touch pressure and angle when using a device. This data is then used to continuously authenticate users. The document outlines two main solutions - one for desktop that monitors mouse and keyboard input, and one for web and mobile that adds small code to analyze interactions without requiring a client install. Potential applications discussed include use in enterprises, for social media platforms to prevent account hijacking, and for mobile devices to add biometric locks without extra hardware. Demos of behavioral biometric solutions for web and mobile are also referenced.
2. Aiming to solve
We aim to increase IT &
mobile security in a cost-
effective, transparent, and user
friendly fashion.
“The idea -- and I think this is a
good one -- is that the
computer can continuously
authenticate people, and not
just authenticate them once
when they first start using their
computers.”
- Bruce Schneier
Schneier on Security, a blog covering security and security technology.
3. BehavioSec. Overview.
Swedish IT-Start-up. Luleå (R&D) & Stockholm (Commercial)
Backed by Conor Ventures (Finland) and consortium of regional
agencies.
Patented technology.
Sales agents in US & Germany
Product exists with high value paying customers TODAY.
Core position is behavioural biometrics for financial institutions' web & mobile apps.
Actively being pursued by handset manufacturers for differentiator.
Success with US DARPA for desktop security add-on
Recent news
Gartner 'cool vendor 2012'
Finovate 'best in show' SF May 2012
4. So what are we looking at?
How the user interacts with device, browser or computer
5. How does it work?
Signals captured (diagram labels): touch angle, key sequence, touch pressure, key flight, key press, touch swipe, touch quotient.
Keystroke timing terms illustrated: "Press", "Flight", "Sequence".
6. Two distinct solutions
Desktop
Akin to an anti-virus solution.
Sits transparently behind desktop
Monitors ALL interaction. Both mouse and keyboard.
Taking action if it detects abnormal behaviour.
DARPA DoD desktop
Web & Mobile. Help detect online fraud.
No client install. Small code added to web forms or Apps
Processed server-side (internal or cloud).
Transparent customer experience.
Adds to RISK scoring on a transaction.
Allows for Forensics.
7. DARPA
US Defense Advanced Research Projects Agency
Fund 'Moon shots'
Next generation DoD workstation security
Active Authentication
Transparent. Out of the hands of the end-user.
Today US DoD. Tomorrow mainstream.
A tool for all enterprise security desktops &
professionals
We have success with a multi-year research contract.
8. BehavioWeb & Mobile
Suitable for all web & mobile access where
identity and user verification is valuable
Banking & payment industry tend to be early
adopters
Social media has urgent need
Access portals (email, SharePoint, cloud,
etc.)
Government & Education
Future is embedded into devices &
infrastructure, so handset manufacturers are the
long-term target
9. Web Architecture
Diagram components: Client (sends timing data as JSON); BehavioStat web services; web server logic; database; back office with business management dashboard and management.
10. Mobile biometric security for
enterprise
“The need to provide a workable user experience that is consistent across
multiple endpoints (including PCs, tablets and smartphones) has become
one of the key considerations for any enterprise authentication
implementation, including those using biometric identification methods.”
- Ant Allen, Gartner. Predicts 2012: A Maturing Competitive Landscape Brings New Identity and Access Management (IAM) Opportunities. Nov 2011.
“Strategic Planning Assumptions
By 2015, 30% of users accessing enterprise networks or high-value Web
applications from smartphones or tablets will use biometric authentication.”
11. For social media & cloud services
Enhance social media platforms such as Facebook,
LinkedIn etc. or cloud services (email, SkyDrive) with
transparent usable security.
To prevent account hijacking (i.e. "facerape").
To strengthen the brand as a safe place to play.
To increase usage of mobile clients as safe access
devices regardless of their vulnerabilities.
To enable the social media platform to be a trusted
source of identity for higher value services such as
banking and payments.
12. Technical problem?
Currently the de facto authentication to all social media
platforms or cloud services is via user/password.
The username is usually an email address and the password
is selected by the user.
Typically no 'hard password' rules.
While this sits at the lower end of the spectrum of
authentication techniques, it has the benefit of being perceived
as user friendly and suits reflex typing.
13. Technical solution
Transparently, and with little overhead, analyse the
customer's interaction with the social media site or mobile
client, then use this behaviour to help verify their identity
continuously and in real time.
Use of client-side JavaScript or a mobile SDK enables
the capture of user interaction.
Server-side analysis compares to the user's historic
behavioural fingerprint.
Augments or replaces CAPTCHA, device identity and
geo-location.
Safe biometrics.
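The press/flight/sequence features of slide 5 and the server-side comparison against a historic fingerprint of slide 13, worked through as an added illustration (not BehavioSec's code or algorithm; the enrolment samples, the 5 ms standard-deviation floor and the threshold of 2.0 are constructed assumptions):

```python
"""Keystroke dynamics: press, flight and sequence features, an enrolled
behavioural fingerprint, and a risk score for a new typing sample.
Added illustration only; not BehavioSec's code or algorithm."""
from statistics import mean, pstdev

STD_FLOOR_MS = 5.0  # assumed floor so a very consistent key never divides by ~0

def features(events):
    """events: [(key, keydown_ms, keyup_ms), ...] in typing order.
    Press = dwell per key; flight = gap from key-up to the next key-down."""
    press = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return press + flight

def enrol(samples):
    """Build the fingerprint: expected key sequence plus per-feature mean/std."""
    sequence = [k for k, _, _ in samples[0]]
    if any([k for k, _, _ in s] != sequence for s in samples):
        raise ValueError("enrolment samples must share one key sequence")
    columns = zip(*(features(s) for s in samples))
    stats = [(mean(c), max(pstdev(c), STD_FLOOR_MS)) for c in columns]
    return {"sequence": sequence, "stats": stats}

def score(profile, events):
    """Mean absolute z-distance from the fingerprint; lower is more familiar."""
    vec = features(events)
    z = [abs(v - m) / s for v, (m, s) in zip(vec, profile["stats"])]
    return sum(z) / len(z)

def verify(profile, events, threshold=2.0):
    """Return (accepted, reason). A sequence mismatch (e.g. a pasted credential
    producing zero keystrokes) is rejected before any timing comparison."""
    if [k for k, _, _ in events] != profile["sequence"]:
        return False, "sequence"
    s = score(profile, events)
    return (s <= threshold), f"score={s:.2f}"

# Constructed enrolment: the owner types "pin" three times (ms since first keydown)
ENROL = [
    [("p", 0, 90), ("i", 150, 230), ("n", 300, 380)],
    [("p", 0, 100), ("i", 170, 250), ("n", 330, 410)],
    [("p", 0, 95), ("i", 160, 240), ("n", 320, 400)],
]
OWNER_PROBE = [("p", 0, 92), ("i", 155, 236), ("n", 305, 387)]   # constructed
SLOW_PROBE = [("p", 0, 140), ("i", 400, 520), ("n", 850, 960)]   # hesitant typist
PASTED = []  # credential pasted into the form: no keystrokes to score

if __name__ == "__main__":
    prof = enrol(ENROL)
    for name, probe in [("owner", OWNER_PROBE), ("slow", SLOW_PROBE), ("pasted", PASTED)]:
        print(name, verify(prof, probe))
```

In a deployment the score would feed the transaction risk scoring of slide 6 rather than act as a hard accept/reject on its own.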
14. Benefits
Without making security over complex and less user
friendly the social media platform can increase user trust
while protecting the trusted brand.
Utilize this trusted authentication to upsell identity
services to high-value 3rd parties such as financial
institutions, payments and gaming, who have traditionally
shied away from voicing security and fraud concerns.
Improved targetability for ad-networks.
16. Match-in-net for mobile apps
Diagram: App (fields) → Backend → Score.
SDK for app developers to get Behaviometric data from iPhone or Android.
Rich behaviour monitoring if platform allows (Android).
Keystroke timings from native keyboard.
Integrated to BehavioWeb for back-end risk based authentication.
17. Match-on-device for smart phones
Extended
authentication methods
for BYOD.
Secure mobile devices.
A Biometric lock without
extra hardware.
Looks at how the user
types or swipes a PIN
code.
Allows or denies
access to phone or
specific applications.
18. Demos - Web
Available online: http://cloud.behaviosec.com/BehavioWebDemo
Sample Application:
Scenario simulates a transaction that contains commonly
used fields such as name, email and password.
Added behavioural biometrics
Can see scores in real-time and management console
http://cloud.behaviosec.com/BehavioWebDashboard/
19. Demos - Mobile
http://www.behaviosec.com/mobile-demonstration-video/
Apps in all app stores (Apple, Google, Windows Mobile)
Example : Available in Samsung App store:
Behavio AppGuard
BYOD for sensitive apps
Add biometrics to app access
Typing or swiping authentication
Five tries before locking the app
30 second cool down
Editor's notes
Mission blah blah
For Logica notes: really started in 2011 when we first raised cash. 1 EU/US patent, 3 US PTO. Our target market is not vertical specific. We've got interest in finance, enterprise, Defense. Consumer web & healthcare make sense too. Crosses all areas. But we've got campaigns to focus on the needs and compliance requirements of finance & defense, but the product offering crosses them all.
Both these have potential for Logica. A new tool for the security-aware enterprise. Web & mobile are architected for cloud services.
We have an advanced prototype of such a desktop product. Next steps would be large-scale trials to give data to further fine-tune algorithms, tighter integration to Windows, integration to network & security management systems, and roaming profiles via cloud and/or smart card.