Strengthening authentication through big data

Ben Dickson

Contributor

Ben Dickson is a software engineer and the founder of TechTalks.

The fact that plain passwords are no longer safe to protect our digital identities is no secret. For years, the use of two-factor authentication (2FA) and multi-factor authentication (MFA) as a means to ensure online account security and prevent fraud has been a hot topic of discussion.

Technological advances, especially in the mobile industry, have created new possibilities, and manufacturers and vendors are offering various multi-factor solutions in the domain of biometrics, physical tokens, software tokens and mobile codes.

Yet multi-factor authentication has its own set of challenges. For one thing, requiring users to respond to multi-factor authentication prompts too often makes for a bothersome experience, and often leads frustrated users to disable them altogether. Moreover, many basic multi-factor authentication tokens can be circumvented by malicious users, which effectively renders them useless against hacks.

These complexities and flaws are proving to be an obstacle in the widespread integration of 2FA and MFA technologies, which in turn results in millions of insecure accounts that get hijacked and compromised on a yearly basis. In 2015 alone, nearly 200 million users lost their account credentials to malicious hackers.

So how can you enhance account security without disrupting the user experience? The answer might be found in big data and analytics, two trends that have proven their worth in many industries.

The idea is to unobtrusively gather information from several sources, including user behavior and device usage, to create a profile that is unique to the account owner and cannot be stolen or replicated by fraudulent users. The next step would be to use the profile to detect actions that hint at malicious activity and only then initiate extra authentication steps to make sure the account hasn’t been hijacked or compromised.

This model has many strengths. Unlike physical tokens, it’s not something you can lose; it doesn’t require extra memorization efforts; unlike passcodes, or even fingerprint and retina scans, it can’t be stolen or replicated; and, above all, it’s not cumbersome and it doesn’t introduce extra complexities to the user experience.

This approach has become possible as a result of dramatic decreases in data storage costs and the explosion of cloud services, data collection technologies and advancements in web platforms and mobile technology. Several implementations of this concept are already showing promising signs.

TeleSign, an industry leader in the mobile identity industry, uses analytics and behavior-based authentication with its newly released Behavior ID platform, a software development kit (SDK) that enables web and mobile applications to measure and analyze a user’s behavioral biometrics in order to provide continuous authentication, even after the user has been verified with traditional security measures such as passwords.

Behavior ID’s mechanics involve collecting data on a user by evaluating their behavioral patterns across a range of touch points, including how a user types on the keyboard, how they hold their device, how hard they press a device screen, their mouse dynamics, user interface interaction, etc. The data is then used to establish a “digital fingerprint from the user’s behavior,” as Steve Jillings, CEO at TeleSign, explains. The profile is stored in TeleSign’s cloud platform and helps the system detect and block account takeover attempts. The goal, Jillings says, “is to increase the level of identity assurance… without adding friction.”

Behavior ID calculates a “similarity score” between the user’s current behavior and the historical, expected behavior. This helps streamline the experience for known good users, while raising the alarm on suspicious account access and providing the basis for challenging potentially bad or fraudulent users with re-verification, or two-factor authentication.

“A layered approach is the best way to authenticate users and secure online accounts from fraud,” says Jess Leroy, Senior Vice President of Product Management at TeleSign. “Behavioral biometrics enable us to take that a step further by adding even more levels of assurance without adding any friction to the end-user or requiring them to take any steps to initiate or own any specific device to use.”

Cybersecurity giant RSA’s Adaptive Authentication is another platform that uses an analytics-based approach. Adaptive Authentication analyzes and registers the devices users employ to access their accounts, recording information such as operating system, browser type and version. It also profiles user behavior, which accounts for various activities that are typical for the user. It then feeds this data into a self-learning statistical machine learning engine, which uses it to evaluate in real time the risk of activities being carried out on the account.

This all takes place in the background, without requiring intervention on the user’s part. As long as users do not engage in abnormal behavior or do not access their account from a previously unknown or security-flagged location, they will not be interrupted.

If the risk score of an action surpasses the threshold set by the organization, the system makes decisions based on policies defined for that type of activity. This can include anything from silently warning the security department to prompting the user for additional authentication or blocking access altogether.
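The flow described above, as an added illustration that is not from the original article and is not TeleSign's or RSA's implementation: a similarity score against the stored profile and a device check feed a risk score, which an organization-defined policy maps to an action. The profile data, weights, thresholds and function names are all assumptions made for the example.

```python
from statistics import mean, stdev

# Constructed sample data: past key-hold times (ms) and known devices for one account.
PROFILE = {
    "hold_ms": [92, 101, 97, 105, 99, 95, 103, 98],
    "devices": {("macOS", "Firefox")},
}

# Hypothetical organization policy: (minimum risk, action), highest threshold first.
POLICY = [(0.8, "block"), (0.5, "step_up_auth"), (0.3, "alert_security_team")]


def similarity(history, current):
    """Return 0..1: how close the session's mean timing is to the history.

    Needs at least two historical samples (stdev requirement).
    """
    mu, sigma = mean(history), stdev(history)
    gap = abs(mean(current) - mu)
    if sigma == 0:  # perfectly constant history: only an exact match is similar
        return 1.0 if gap == 0 else 0.0
    return max(0.0, 1.0 - gap / (3.0 * sigma))  # 3+ standard deviations scores 0


def risk_score(profile, session):
    """Combine behavioural distance and device novelty into a 0..1 risk."""
    behaviour_risk = 1.0 - similarity(profile["hold_ms"], session["hold_ms"])
    device_risk = 0.0 if session["device"] in profile["devices"] else 1.0
    return round(0.6 * behaviour_risk + 0.4 * device_risk, 3)  # assumed weights


def decide(profile, session):
    """Map the risk score to the first policy action whose threshold it meets."""
    risk = risk_score(profile, session)
    for threshold, action in POLICY:
        if risk >= threshold:
            return risk, action
    return risk, "allow"  # below every threshold: the user is not interrupted


if __name__ == "__main__":
    # Constructed session: unfamiliar typing rhythm from an unregistered device.
    stolen = {"hold_ms": [130, 141, 128, 137], "device": ("Windows", "Chrome")}
    print(decide(PROFILE, stolen))
```

A production system would score many more signals and learn its weights from data; the fixed 0.6/0.4 split here only makes the threshold behaviour easy to follow.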

Analytics and big data have become an inseparable part of online businesses in recent years, and are helping companies increase revenue and improve user experience and customer service while lowering costs. This growing trend can also be put in the service of cybersecurity, helping to balance security and convenience, prevent fraud and improve identity security while avoiding the complexities that traditional methods bring with them.
