Conventional data security measures depend heavily on user discretion and user acceptance, and passive biometrics can potentially offer a better balance between security and convenience. Mechanisms like passwords and SMS codes are only as strong as the user makes them, and many users choose weak passwords because they are easy to remember, which defeats the purpose of any password- or security-code-based control. Passive biometrics does not require the user to actively present a credential; it collects user data during normal activity, through techniques such as face, voice and iris recognition or by observing how the user types, moves and holds a device. Although passive biometrics is still finding its niche as an IT security mechanism, it offers a credible balance of user convenience and data security.
What Is Passive Biometrics?
To define biometrics, Tinna Hung, marketing director of the biometrics firm EyeVerify, explains, “Biometrics rely on something you are, rather than something you know.”
In the case of passive biometrics, the user need not actively take part in the verification or identification process, and sometimes is not even notified that it is happening; authentication simply takes place during the course of normal user activities, without the subject having to act directly or physically. Running without the user's awareness does not by itself make the authentication stronger, but it removes the friction that leads users to weaken other controls, and it gives an attacker no prompt to prepare for.
The automated system measures behavioral or physiological characteristics of a human being, with or without the user's knowledge. Comparing passive systems with active ones makes the distinction clearer. Fingerprint and hand geometry readers, signature recognition and retina scanning are active biometrics, because the user must deliberately place a hand on, or look into, a scanning device. Passive biometrics, by contrast, includes voice, facial or iris recognition that can be performed while the user is simply speaking to or looking at the device in normal use, as well as the behavioral profiling described below. (To learn more about biometrics, see New Advances in Biometrics: A More Secure Password.)
How Passive Biometrics Works
An excellent explanation of how passive biometrics works is given by Ryan Wilk, customer success director at NuData. In his words, “We’re looking at how the user is actually interacting: how they’re typing, how they’re moving their mouse or phone, where they are using their phone, their accelerometer readings. … As single data points unto themselves they’re not terribly useful, but when you start to bring them together and merge them into a profile of who that user is, you start to build out something that’s really profound and really unique, and something that’s extremely difficult to spoof.”
Passive biometrics gives organizations a way to verify the identity of their customers from their natural behavior during technological interactions. The process is continuous and non-intrusive: it runs in the background without an explicit enrollment step, since the profile is built from ordinary sessions, and without asking customers to perform any additional actions. Real-time analysis of the behavioral data gives the company a score for separating intruders from legitimate clients. Because the system records interaction characteristics rather than names, account numbers or other personally identifiable information (PII), a breach of the behavioral store does not directly expose such data; the behavioral profile is nevertheless sensitive in its own right, because it identifies a person, and must be protected like any other biometric template. Passive biometrics is a significant advance in identity verification. It does not eliminate fraud, but it raises the cost of account takeover across the whole life cycle of the account, because an attacker must reproduce a continuous behavioral signal rather than present a stolen static secret.
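To make Wilk's description concrete, here is an added example written for this page; it is not code from NuData or any other vendor named here. It is a toy keystroke-dynamics profiler: constructed key events (key, press time, release time) are reduced to dwell times (how long a key is held) and flight times (the gap before the next key), a baseline is built from several sessions gathered in the background, and a later session is scored by how far its timing deviates from that baseline. The synthetic timing habits, the z-score aggregation and the anomaly threshold are all assumptions chosen for the illustration.

```python
import random
from statistics import mean, pstdev

THRESHOLD = 3.0  # assumed: a mean |z| above this marks the session as anomalous


def extract_features(events):
    """events: list of (key, press_ms, release_ms) in chronological order.
    dwell  = how long each key was held
    flight = gap between releasing one key and pressing the next"""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def build_profile(sessions):
    """Per-user baseline (mean, std) of each feature, built from sessions
    collected during ordinary use rather than an explicit enrollment step."""
    dwell, flight = [], []
    for session in sessions:
        d, f = extract_features(session)
        dwell.extend(d)
        flight.extend(f)
    return {
        "dwell": (mean(dwell), pstdev(dwell) or 1.0),
        "flight": (mean(flight), pstdev(flight) or 1.0),
    }


def score_session(profile, events):
    """Mean absolute z-score of the session's feature means against the baseline.
    Each feature alone is a weak signal; the aggregate is what gets thresholded."""
    dwell, flight = extract_features(events)
    z_dwell = abs(mean(dwell) - profile["dwell"][0]) / profile["dwell"][1]
    z_flight = abs(mean(flight) - profile["flight"][0]) / profile["flight"][1]
    return (z_dwell + z_flight) / 2


def is_anomalous(profile, events, threshold=THRESHOLD):
    return score_session(profile, events) > threshold


def synth_session(rng, n_keys, dwell_mu, dwell_sd, flight_mu, flight_sd):
    """Constructed data: a typing session with the given timing habits (ms)."""
    events, t = [], 0.0
    for i in range(n_keys):
        press = t
        release = press + max(1.0, rng.gauss(dwell_mu, dwell_sd))
        events.append((f"k{i}", press, release))
        t = release + max(1.0, rng.gauss(flight_mu, flight_sd))
    return events


rng = random.Random(42)
# Account owner (constructed): holds keys ~90 ms, pauses ~120 ms between keys.
OWNER_SESSIONS = [synth_session(rng, 40, 90, 10, 120, 15) for _ in range(5)]
PROFILE = build_profile(OWNER_SESSIONS)  # sensitive: treat it like a biometric template
OWNER_LATER = synth_session(rng, 40, 90, 10, 120, 15)
# Someone else using the same logged-in account: slower holds, much longer pauses.
INTRUDER = synth_session(rng, 40, 150, 20, 300, 40)

if __name__ == "__main__":
    for name, session in (("owner", OWNER_LATER), ("intruder", INTRUDER)):
        print(f"{name:9s} score={score_session(PROFILE, session):5.2f} "
              f"anomalous={is_anomalous(PROFILE, session)}")
```

A production profiler uses far more features (per-digraph timings, mouse and touch telemetry, accelerometer readings) and a trained model rather than a mean z-score, but the shape is the same: individual measurements are weak signals, and it is their aggregation against a per-user baseline that carries the decision.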
Why Is It Important?
Every new technology brings new systems and security barriers to protect the network from malicious activity, but none of them will keep determined hackers and fraudsters from finding loopholes forever. What passive biometrics changes is the attacker's position. A static credential such as a password or SMS code can be phished once and replayed, whereas a behavioral check runs continuously during the session and demands that the attacker reproduce how the account owner types, moves and holds the device. An attacker who does not know such a check is in place will take no precautions against it, and one who does know still has to imitate a living pattern rather than steal a secret. This is where passive biometrics differs from other verification methodologies, and where its importance lies; the secrecy of the check is a bonus, not the foundation of its security.
How Passive Biometrics Helps Data Security
The demand for more sophisticated and satisfactory security systems has been growing for a long time, and it is now pushing security architectures toward biometrics, especially passive techniques, in which users do not need to be told about the identification process and the decision depends on their behavioral characteristics. (For more on the data used in passive biometrics, see How Big Data Can Secure User Authentication.)
Hung explained, “A well-implemented biometric solution will fit naturally into the regular flow of user behavior.” The key advantage of passive biometrics is that it builds a profile of how the person uses the machine, not just a profile of the machine itself; a device fingerprint identifies hardware that can be stolen or cloned, whereas the behavioral profile is tied to the person. As Wilk explains, the passive approach opens the book on understanding the user at “almost a subconscious level.”
Another passive approach, from the company BioCatch, records and analyzes things users do without realizing they are doing them. Physical traits such as finger measurements taken from a touch screen, which hand (left or right) drives the mouse, or the tremor frequency of the hand holding the device combine into a signature for identifying a particular customer. Cognitive traits such as how someone scrolls a page (arrow keys, mouse wheel, page up and down, etc.) or holds the device (horizontal or vertical, the tilt angle, etc.) add further signal to the authentication decision.
According to Oren Kedem, vice president of product management at BioCatch, the system also presents “invisible challenges” to users: barely noticeable changes to the normal behavior of the interface. For example, the application might shift the cursor by a few pixels in a different direction, or slightly change the page scroll speed, and observe how the user corrects for it. Each user's responses to these perturbations are highly characteristic and very hard for an outsider to replicate.
As Kedem says, “We don’t just track what you do, we also influence what you do. ... We ask you a question without you being asked and you give us an answer [without] you knowing. It’s a secret that can’t be stolen like a password or a token.”
The approach is designed to detect keylogging botnets and malware that record and replay a target's keystrokes and mouse movements: a replayed recording cannot respond to invisible challenges that were not present when it was captured, and because the challenges keep changing within the app, imitating a live user's responses is very hard.
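The following added example models the invisible-challenge idea; it was written for this page and is not BioCatch's code, whose details are not public here. A cursor stream is constructed as (dx, dy) samples. At scheduled points the application is assumed to nudge the cursor by a few pixels, and a live user steers back over the next few samples. A replay bot re-emits a recording of the same user made under an earlier, different schedule. The detector compares the net movement after each nudge, with the movement before it subtracted to cancel ordinary drift, against the expected steer-back direction. The nudge size, window length and acceptance threshold are assumptions.

```python
import random
from math import hypot

WINDOW = 6        # samples after a nudge in which a live user's steer-back is expected
MIN_SCORE = 0.5   # assumed acceptance threshold on the mean response similarity


def nudge_schedule(rng, n_nudges, magnitude=8, step=24):
    """Assumed challenge form: at chosen sample indices the app shifts the cursor
    by `magnitude` pixels on each axis. Nudges are spaced so the windows used by
    response_score() never overlap."""
    schedule = {}
    for k in range(n_nudges):
        i = 10 + k * step + rng.randint(0, 10)
        schedule[i] = (rng.choice((-magnitude, magnitude)),
                       rng.choice((-magnitude, magnitude)))
    return schedule


def human_stream(rng, n_samples, nudges, gain=1.0):
    """Constructed live session: steady rightward drift plus hand jitter. After a
    nudge the user steers back over WINDOW samples, cancelling `gain` of the offset."""
    deltas, correction, remaining = [], (0.0, 0.0), 0
    for i in range(n_samples):
        dx, dy = 3.0 + rng.gauss(0, 1.0), rng.gauss(0, 1.0)
        if remaining:
            dx, dy, remaining = dx + correction[0], dy + correction[1], remaining - 1
        if i in nudges:  # the reaction begins on the following sample
            nx, ny = nudges[i]
            correction = (-gain * nx / WINDOW, -gain * ny / WINDOW)
            remaining = WINDOW
        deltas.append((dx, dy))
    return deltas


def response_score(deltas, nudges):
    """For each nudge: net movement in the WINDOW after it minus net movement in
    the WINDOW before it (removes drift), compared by cosine similarity with the
    expected steer-back direction (-nudge). Returns the mean over all nudges."""
    sims = []
    for i, (nx, ny) in nudges.items():
        before, after = deltas[i - WINDOW:i], deltas[i + 1:i + 1 + WINDOW]
        rx = sum(d[0] for d in after) - sum(d[0] for d in before)
        ry = sum(d[1] for d in after) - sum(d[1] for d in before)
        denom = hypot(rx, ry) * hypot(nx, ny)
        sims.append((rx * -nx + ry * -ny) / denom if denom else 0.0)
    return sum(sims) / len(sims)


def is_live(deltas, nudges, threshold=MIN_SCORE):
    """Accept the session only if movement after the nudges tracks the challenges."""
    return response_score(deltas, nudges) >= threshold


rng = random.Random(7)
N_SAMPLES, N_NUDGES = 750, 30
# Earlier session (constructed): the real user, with the nudges injected at that time.
RECORDED_NUDGES = nudge_schedule(rng, N_NUDGES)
RECORDED = human_stream(rng, N_SAMPLES, RECORDED_NUDGES)
# Current session: a fresh schedule. The live user reacts to it; a replay bot
# simply re-emits the earlier recording, so its "reactions" follow the old schedule.
LIVE_NUDGES = nudge_schedule(rng, N_NUDGES)
LIVE = human_stream(rng, N_SAMPLES, LIVE_NUDGES)
REPLAYED = RECORDED

if __name__ == "__main__":
    for name, stream in (("live", LIVE), ("replay", REPLAYED)):
        print(f"{name:6s} score={response_score(stream, LIVE_NUDGES):.2f} "
              f"accepted={is_live(stream, LIVE_NUDGES)}")
```

The replayed stream does contain steer-back movements, but they line up with the old schedule, so against the current challenges they average out to no correlation, while the live user's corrections line up with every nudge. In a real deployment the challenge timing and form would be drawn unpredictably, and the response score would be one input to a risk model rather than a hard accept/reject gate.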
What's Its Impact on Real-World Security Issues?
Financial and banking services all over the world have started to rely on this new approach. Biometric security providers like EyeVerify and Daon are collaborating with financial organizations. EyeVerify is working with Digital Insight to bring biometric authentication to mobile banking, and is about to launch its Eyeprint ID as a mobile app.
In 2014, Daon's biometric technology was deployed to secure the 10.7 million users of USAA Federal Savings Bank as part of a seamless mobile banking experience. USAA’s lead security adviser Richard Davey commented, “The concerns arising from the ever-present threat of phishing, malware and information exposure from outside [data] breaches means that authentication and access controls will always be threatened. Technologies like biometrics mitigate those threats while facilitating beautiful end-user experiences.”
Passive voice biometric verification enrolls a user by capturing a voiceprint from ordinary conversation during initial registration; about 45 seconds of speech are needed to build the reference. On later calls to the contact center, the voiceprint obtained from the new conversation is compared against the stored reference to identify the caller.
The bank first rolled the technology out to its own employees, then to its customers in San Antonio, Texas, followed by California, and launched it at full scale in January 2015. The response was outstanding: three weeks after implementation around 100,000 customers had enrolled in biometric authentication, and within ten months the number exceeded one million.
Are Traditional Methods Useful Anymore?
A 90-day analysis performed by NuData Security in 2015 found 112% growth over 2014 in web attacks aimed at harvesting usernames and passwords. Why are attackers gaining ground on traditional security systems? Let’s think about it more thoroughly.
What we all do is compromise the strength of our passwords so that we can remember them, and that is the culprit. There was a time when a person managed only two or three online accounts, and it was not hard to remember a few critical passwords, so a password was an adequate way to protect a person’s identity.
Now the picture has changed significantly. We all hold many accounts, so many that we sometimes cannot keep track of them all. Can anyone remember a password of random numbers, symbols and letters for every one of them? Definitely not. So we compromise: we reuse a pattern built from known information across our passwords, or we forget the random strong ones and have to recover them all the time. A pattern learned from one breached site then predicts the same user's passwords elsewhere.
Passive biometrics addresses this indirectly, serving both user satisfaction and security, because the user no longer has to choose, and remember, a secret in order to keep the account safe. Attackers, meanwhile, first have to work out whether and where such a check is deployed, and their previous ways of getting into other people's accounts, a stolen or guessed password on its own, no longer work as well.
What Is the Future?
According to Grissen and Hung, biometric systems will not remain optional but will dominate security architecture on the question of “security versus convenience” in the near future.
The technology is becoming more accurate and easier to integrate into homegrown web and mobile applications. New algorithms are being developed to add further telemetry, such as device orientation, to the behavioral profiles across a wide range of devices.
Consolidation between the SIEM (security information and event management) and UEBA (user and entity behavior analytics) market segments is the direction of growth, as the SIEM vendor Splunk’s acquisition of Caspida shows. Such vendors plan to combine behavior analytics with the long history of data already held in their customers’ SIEM deployments. The various forms of behavior analysis are proving to be a necessary addition for mitigating the problem and for winning the long-term cold war against fraudsters.
In the end, the future holds hard times for fraudsters, who will face the combined defenses of knowledge verification and behavioral analysis in security procedures. In 2016, Deputy Treasury Secretary Sarah Bloom Raskin stated, “System design is evolving to deal with the authentication challenge presented by stolen or easily compromised passwords: the next generation of online identity verification looks to combine what customers know and have, with what they do, or behavioral biometrics.”