Lengthy Learning Phases Challenge the Implementation of Continuous Behavioral Biometric Authentication

As threats continue to evolve, it is a natural reaction to look to innovative technologies to provide additional layers of security. A typical example would be the growing interest surrounding continuous authentication. Continuous authentication, as its name suggests, continually assesses whether or not the user has sufficient rights for access. It differs from using a single password or a single verification approach, in which an attacker that successfully passes this initial phase is free to do as they please, untested beyond this point. The continuous approach can, in theory, greatly enhance security for sensitive information and processes by making a single breach at the initial entry point insufficient for an attacker to gain access to the system; they must successfully spoof the check at every given interval, many times, which is, of course, far more difficult than passing a single password/entry. This technology’s importance is seen in many sectors, including applications like digital payments and logical access to enterprises, particularly driven by the growing trend of working from home. It generally focuses on cases that require the highest security levels.

Biometrics can be considered the gold standard in verification, being unique to a “correct” user of a system. With respect to continuous authentication, there existing solutions come in the form of wearables; for example, assessing heartbeat biometrics continually to assure the user is who they should be. These solutions have the drawback of requiring a dedicated hardware device per user and aren’t particularly applicable to smartphone-based applications for which logical access is of concern. Another approach is a fully software-based alternative. The use of behavioral biometrics, being the unique way that a person interacts with a device (e.g., typing patterns, rates, click patterns), is a fully software-based alternative, and is in line with a frictionless user experience, while enhancing security. Successful behavioral biometric authentication will detect if the wrong person is using an app or device just by the way they interact with it, doing so seamlessly and not requiring any additional manual checking or external hardware.

Behavioral biometrics are unlike more conventional biometrics in that they cannot be captured instantaneously, such as the case for fingerprints or facial scans. Behavioral biometrics are captured through use, and evolve and become more reliable in time through Machine Learning (ML) that assesses a user’s interactions with the app or device. There is a necessary “learning phase” in order for authentications to be made accurately. Moreover, a greater recorded amount of time using the device, creating a larger set of usage data, will continually improve this accuracy. So, the question is: at which point can we consider this “learning phase” to be completed (given that we know the biometrics will be minimally effective at the beginning)? Some learning phases for behavioral biometrics are reported to be as high as a number of months before reaching sufficient levels of reliability that will result in no false rejections or false acceptances. This can be a problem. It could be impractical for this technology to be implemented, given the significant amount of time before it becomes effective. Moreover, in some applications, the time available to be used in a learning phase is minimal, meaning it would be even more difficult for the algorithm to reach a stage of sufficient accuracy. In the example of the use of a banking app, a typical interaction is likely no more than a few minutes; if the learning phase requires a long time in terms of interaction, it becomes difficult to successfully implement this technology.

On paper, behavioral biometrics for continuous authentication is an excellent additional security measure. While alternatives may create barriers and conflict with a seamless user experience, behavioral biometrics can essentially be invisible from the user’s perspective. Successful implementations and effectiveness hinge strongly on  the user’s behavior being learned in a reasonable amount of time. This is a key consideration for those looking to incorporate this technology into their solution. Is it feasible, given usage times, for behavioral biometrics to be a practical feature? Also, is there the potential to share behavioral data points across apps and devices? If this were available, then learning times could be significantly reduced, such as where an app or platform could take usage data points from the use of a mobile device across its life span, irrespective of any particular app. However, for this potential way to make the process easier, we must look at the incentives of the device Original Equipment Manufacturer (OEM) and ask if they would want to share these data with third parties, and even if these data were captured by the OEM and available for sharing in the first place. The likelihood is that the biometric must be learned within the particular platform that it will be used on, so the learning phase will probably remain a challenge. There is always the possibility to incorporate a combination of other biometrics, such as facial recognition, alongside the behavioral biometrics, to allow a reliable depository of data to be built up, while upholding security in the shorter term.