Biometric Authentication Needs to Be Made Foolproof

Analyst recommends use of behavioral biometrics for identifications in financial sector

If you were a builder, why would you buy a cushy SUV when you could buy a heavy-duty pickup truck--something that did everything you wanted it to do, and did it better?

Financial institutions should be asking themselves that question as they shop for that second authentication level mandated by the Federal Financial Institution Examination Council (FFIEC), and by the Electronic Signatures in Global and National Commerce Act of 2000, says Josh Kessler, a TowerGroup analyst. There are plenty of solutions around--tokens, smart cards, and various biometrics-based methods--but cost aside, they all have various defects, including inconvenience and security flaws.

Tokens, for instance, offer good security, but as a practical matter they can be lost, and take up a lot of space on a keychain. Smart cards, likewise losable, need keyboards with smart card readers that somebody is going to have to pay for.

And iris and fingerprint-based biometric systems may supplement the "something you know" password-based system now in use with the "something you are" model, but they have a serious security flaw, since such systems presuppose a central database of identifiers that can be hacked into, opening consumers--and businesses--to having all their assets stolen from all their accounts, instead of from just one.

Kessler's suggestion for an alternative? Behavioral biometrics, which substitutes "the way you do something" for "something you are."

"I've been trying to come up with a way someone could defeat it, and the best I could find is that if you were running a really high-end phishing attack, and implement behavioral biometrics in the site where you're capturing the data, you could possibly do it," he says. "But you would have to know which system the bank is using, for comparison. That's the only way I could come up with, and I think it's sort of far-fetched."

For the purposes of consumer-oriented, computer-based authentication, behavioral biometrics measures how someone types--speed, rhythm, and the duration of the keystrokes. A new user types in his or her password several times when setting up the account, and the system takes an average of various characteristics. For corporate purposes related to authorized use, a new user can sign his or her signature several times, and the system measures things like pen pressure and pen speed, thus making that signature impossible to forge as far as the authentication system goes.
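The enrollment-and-comparison loop described above, as an added illustration that is not code from any system Kessler or the article refers to: each key's dwell time (press to release) and the flight time to the next key are taken as the "rhythm" features, the enrollment samples are averaged into a per-feature mean and spread, and a login attempt is scored by how many spreads it sits from that average. The feature choice, the spread floor of 0.02 s, the threshold of 2.0 and all timing data are assumptions constructed for the example.

```python
from statistics import mean, pstdev

STD_FLOOR = 0.02   # assumed floor (seconds) so a very consistent typist does not get a zero spread


def features(press, release):
    """Dwell time per key plus flight time between keys (all in seconds)."""
    if len(press) != len(release):
        raise ValueError("press/release timestamp lists must have equal length")
    dwell = [r - p for p, r in zip(press, release)]
    flight = [press[i + 1] - release[i] for i in range(len(press) - 1)]
    return dwell + flight


def enroll(samples):
    """Average several enrollment typings into a template of (mean, spread) per feature."""
    vecs = [features(p, r) for p, r in samples]
    template = []
    for i in range(len(vecs[0])):
        column = [v[i] for v in vecs]
        template.append((mean(column), max(pstdev(column), STD_FLOOR)))
    return template


def score(template, press, release):
    """Mean absolute z-score of an attempt against the template; lower is closer."""
    vec = features(press, release)
    if len(vec) != len(template):
        raise ValueError("attempt has a different number of keystrokes than the template")
    return mean([abs(x - m) / s for x, (m, s) in zip(vec, template)])


def verify(template, press, release, threshold=2.0):
    """Accept the attempt when its rhythm is within `threshold` spreads of the enrolled average."""
    return score(template, press, release) <= threshold


# Constructed sample data: three enrollment typings of a 4-character password.
ENROLLMENT = [
    ([0.00, 0.20, 0.45, 0.60], [0.08, 0.30, 0.53, 0.70]),
    ([0.00, 0.21, 0.47, 0.62], [0.09, 0.31, 0.55, 0.71]),
    ([0.00, 0.19, 0.44, 0.59], [0.07, 0.29, 0.52, 0.69]),
]
# Same password typed by the enrolled user, and by someone else who knows it but types it slowly.
GENUINE = ([0.00, 0.22, 0.48, 0.64], [0.09, 0.32, 0.56, 0.74])
IMPOSTOR = ([0.00, 0.50, 1.10, 1.60], [0.15, 0.70, 1.25, 1.80])

if __name__ == "__main__":
    tmpl = enroll(ENROLLMENT)
    print("genuine:", verify(tmpl, *GENUINE), "impostor:", verify(tmpl, *IMPOSTOR))
```

The point the article makes is visible in the scores: a correct password alone is not enough, because the second attempt fails on rhythm even though every character is right.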

In either case, explains Kessler, the result isn't just virtually irreproducible, but also trouble-free to the user, which relieves one of the anxieties of bankers and other operators of online payments sites--that making users take an extra step to authenticate themselves will seem so onerous that the authentication process will somehow alienate the users, costing the bank a customer.

Rather Safe Than Sorry

Studies floating about the payments business today indicate that this is probably a needless worry; most people, according to these studies, would rather feel safe than be sorry. But these studies are apparently of marginal comfort, at best, to bankers accustomed to being on the defensive when it comes to customer retention.

For these executives--and their numbers are legion--behavioral biometrics seems to be an ideal solution. But the technique has some very sound security advantages as well. Not only does it provide a very useful security layer for internal corporate authentication; for retail uses, behavioral biometrics vastly minimizes the likelihood of success for the mass of phishing, pharming and keylogging attacks that have multiplied across the Internet in the past year.

These attacks have--at least so far--all relied on a simple password-based security model and the gullibility of customers. But at least as importantly, they've relied on the predictability of bank security systems. Since most systems were relatively simple and roughly similar, getting a customer's account information was enough to defeat the bank's defenses.
