Behavioral biometrics: The future of authentication?

Industry leaders are designing programs that can verify users based on the way they type.

With passwords discredited and even two-factor authentication increasingly under attack from hackers and cybercriminals, security experts inside and outside the government are exploring the next generation of online identity verification technology: behavioral biometrics.

“The strongest authentication schemes will always make use of multiple factors, i.e. something I know, something I have and something I am,” said Stephen Cox, chief security architect at SecureAuth.

“We are striving as an industry to support multi-factor solutions that take care not to disrupt user experience,” he added, tacitly acknowledging that user resistance has been a major issue for stronger, and more elaborate, forms of ID authentication.

It’s not just that password-only logins are “obsolete,” Cox said, but rather than even two or multifactor authentication login systems tend to ignore the “later stages of the attack life cycle, once the attacker has gained an initial foothold and is attempting to move laterally” around the network.


“Unauthorized individuals may improperly obtain extended access to information system resources if a password [or other login factor] is compromised,” states the Defense Advanced Research Projects Agency, outlining its Active Authentication program, which is testing behavioral biometrics.

In other words, even multifactor authentication is useless after it’s been compromised, because it is only locking the front door.

“We are still too focused on protection of the traditional network perimeter and endpoint,” said Cox, meaning attackers can move freely and without fear inside the network once they’ve penetrated it.

“Attackers will get in, and organizations need to be able to detect and remove them as quickly as possible, before they’ve had the chance to complete their mission,” he added.

The solution may lie in a new type of verification software SecureAuth calls adaptive authentication, which can flag users after the initial login by analyzing factors such as how quickly and confidently the user types or how they move their mouse — and comparing them with a user profile linked to the login credentials.


If the system detects a sudden change in a user’s behavioral profile, it can automatically force them through additional security steps and alert the security team.

Behavioral biometrics, which have yielded success rates of up to 98 percent in SecureAuth’s preliminary tests, also have the benefit of subtlety. Cox indicated that with current technology, it is already possible to compile a biometric profile and use it to authenticate a user “without them knowing it happened.”

“The combinatorial approach of using multiple modalities for continuous user identification and authentication is expected to deliver a system that is accurate, robust, and transparent to the user’s normal computing experience,” DARPA explains.

The need for air-tight security will only become more critical as threat actors become more nuanced in their approaches to hacking. Cox spoke to a trend widely anticipated by the cybersecurity community wherein hackers will change their attack modalities from data exfiltration to data alteration. For example, a hacker might enter a bank system and alter the figures in his favor. Changes like these would be much more difficult to detect than classical data theft.

“These attacks would be very hard to detect and would require the inclusion of data integrity solutions into the security lifecycle. We can expect to see more types of threats like this in the coming decade,” Cox said. “Organizational capability around detection and incident response is not fully realized: they still have too many blind spots, too many places for attackers to hide.”


Until behavioral biometric technologies are fully deployed, the best solution for businesses may be to limit the amount of sensitive data they collect, Cox warned.

“There’s a mantra I’ve heard multiple times this year: ‘if you can’t protect it, don’t collect it,’ “ he said. “Organizations should consider whether the data that they are collecting is really necessary to business operations.”

Latest Podcasts