Check out the full video + transcript here.

In Sweden, behavioural biometrics firm BehavioSec has developed a system, which is already in use in Swedish banks, that focuses on how we behave on our computer or mobile.

“We can capture the rhythm of how users type – the speed between the keystrokes,” says chief executive Neil Costigan.

In collaboration with phone manufacturer Samsung, the firm has also developed a smartphone app which learns and then recognizes the way a phone user enters his or her PIN.

Even if someone else who knows your PIN tries to use your phone, they will not be allowed access, as they would also need to mimic your behaviour to fractions of a second, says BehavioSec.

“It is no longer sufficient to enter the correct password or PIN code, it has to be entered the correct way,” says Mr Costigan.

Read the full story here

Olov Renberg is co-founder and COO of Stockholm’s BehavioSec which can verify a person’s identity by the way he types in a password, the way he moves a mouse movements or even by his swipe on a smartphone. DARPA calls it continuous authentication — the system can tell if an unauthorized user is sitting at someone’s desk and typing into his computer.

Renberg said that dealing with London banks is far more complex than Scandinavian banks where his firm might have a single security officer to talk with. Working with a major City bank requires access to the right people and BehavioSec has a chaperone who is helping with introductions.

“We have gotten the attention of the right people; now we have to convince them this is the next thing.”

Read the whole Forbes article about the program

Are you wondering about the magnificent view from our London Office? It is all part of a program called Fintech Innovation Lab- modelled after a similar programme from New york

It is an Accenture-Supported Programme to Foster IT Innovation in Financial Services that Attracts Entrepreneurs to London

BehavioSec’s Behaviometric technology has been successfully integrated into the HID Identity Assurance 4TRESS Authentication Server, adding another layer of security to the HID Identity Assurance Fraud Detection System and strengthens one of the weakest links in today’s IT security solutions.

Benefits of BehavioSec Integration with 4TRESS Authentication Server

• Improved user-experience by using the behavioral “fingerprint” as an authentication mechanism for step-up authentication or transaction approval. The additional layer of security is added in a completely transparent manner from the user perspective. Users will not be asked to re-authenticate if the system is confident that a user is who he/she claims to be, based on behavior, device type, location and other user transparent parameters collected and analyzed by the HID Identity Assurance Fraud Detection System.
• Increased security by adding transparent behavioral analysis to each user interaction with the application or system. This makes the initial authentication more secure, but also provides protection on an on-going basis after the initial login. The lack of this capability is one of the weakest links in today’s security solutions.
• Strengthened audit capabilities by capturing deviations in user behavior. This can prove to be useful information in forensics studies around internal and external data breaches. The Behaviometric data can help assess whether a session was hijacked or if it was the authenticated user who has committed the fraud.

How It Works (Example)

Scenario 1: User Login

1. User logs into her banking application through her browser using a username and password.

2. A script is invoked through the banking application and user behavioral data points are collected.

• User does not need to install anything in the browser
• The script will automatically run without the user’s awareness
• User’s on-going keyboard pressing patterns, including speed, frequency and pressure, when interacting with computer applications and websites are used for analysis.

3. Banking application connects to 4TRESS and sends password and behavioral data.

4. 4TRESS passes the behavioral data to BehavioSec with a request for analysis of user behavior.

5. BehavioSec analyses the behavioral data and generates a risk score that is sent to 4TRESS. 4TRESS verifies the password and provides the risk score to the banking application.

6. Based on the risk score, the banking application may grant access to the user or ask the user to re-authenticate (step-up authentication) using a stronger authentication. For example, using a One Time Password (OTP) generated from a keychain token or an Out of Band (OOB) authentication using mobile phone or email.

Scenario 2: Session Monitoring:

1. The script that’s invoked in the banking application during initial login will continue to provide behavioral data to 4TRESS throughout the session and 4TRESS, integrated with BehavioSec, will continuously monitor the user’s activity pattern.

2. If the activity pattern deviates from the user’s regular profile, 4TRESS will immediately alert the banking application of potential breach. For example, a malicious user, after successfully hijacking an authenticated user’s session will not be able to make any successful transactions.

3. By analyzing how the user works with the keyboard (e.g., typing rhythm), mouse movements (e.g., acceleration time, click frequencies) and graphical interface interaction (e.g., using programs), it is possible to recognize and confirm the identity of a person. For example, on obtaining the right password, a malicious user would not be able to successfully authenticate with the banking application.

4. The user essentially does not need to perform any additional step beyond being herself. The combined integrated solution offers a new generation of information security feature simply by using the individual as its core asset without hindering user experience.

A Complementary Solution 
Identity and Access Management has traditionally been positioned as the front gate of IT Security. In order to pass the gate, a user must be able to bypass various hurdles to prove to the system “I am who I claim to be.” And yet, once your identity has been verified, the security shield almost disappears. As long as the system detects some kind of continuous activity, there are no other checks to certify you are still the same person. It would come as no surprise that need for security will continue to foster. However, as the need to higher security thresholds increase, users begin to be weighed down by the onerous process for identity verification.

What if there’s a solution that increases your security without you having to change anything? 
HID Identity Assurance’s 4TRESS Authentication Server together with BehavioSec’s Behaviometrics technology is the perfect solution pairing. BehavioSec’s Active Authentication adds another layer to the 4TRESS Authentication Server, transparently, without replacing established security practices. This solution not only benefits the financial sector for online banking but it also increases the auditability and traceability of the enterprise solutions.

More Details
For more information on HID Global, please visit http://www.hidglobal.com/partners/behaviosec.

For more information on the integration of BehavioSec technology with 4TRESS Authentication Server please contact us.

To read more about the joint offering please look at HID 4TRESS Authentication Server integration.

HID Global and BehavioSec Join Forces to Add New Layer of Protection to Fraud Detection System

News Highlights:
• HID Global’s 4TRESS Authentication Server and BehavioSec’s Behaviometrics technology together improve user experience without sacrificing security.
• Integrated 4TRESS and Behaviometrics solution increases security at the time of login.
• Offering employs behavioral “fingerprints” as an additional authentication mechanism.

IRVINE, Calif., January 29, 2013 – HID Global®, a worldwide leader in secure identity solutions, today announced it is partnering with BehavioSec, a leading behavioral biometrics company, to combine BehavioSec’s Behaviometrics technology with HID Global’s 4TRESSAuthentication Server. The joint offering brings a new layer of security to HID Global’s Fraud Detection System without sacrificing user convenience by employing behavioral “fingerprints” as an additional authentication mechanism.

Users today increasingly spend time identifying themselves to access digital resources, such as logging into company networks or banking online. However, once users log in and cross the first layer of the authentication security perimeter, the only factor that ensures they are the same person that logged in is time-based. As long as there is continuous activity, the application assumes the user is the same person and lets the user remain logged in, presenting a potential security risk.

The integrated 4TRESS Authentication Server and Behaviometrics solution addresses this risk by increasing security at the time of login. If a user’s password or OTP token is stolen but the credentials are not entered the way the user would enter them, login would be impossible. Once logged in, user behavior is continuously monitored to ensure that a third party has not intercepted or taken over the session.

“Recent security breaches have driven home the fact that the less layers of authentication your organization employs, the more vulnerable you are to attacks and exploitation,” said Hilding Arrehed, director of worldwide professional services and technology partner programs, Identity Assurance, with HID Global. “By combining BehavioSec’s groundbreaking technology with our 4TRESS Authentication Server,we can provide added value and security to our customers by increasing the auditability and traceability of activity online, without making it more difficult for the end user.”

BehavioSec’s Behaviometrics solutions can create digital fingerprints of users’ ongoing keyboard pressing patterns, including speed, frequency and pressure, when interacting with computer applications and websites. With significant accuracy, the system can detect deviations from a user’s normal behavior and whether an attacker takes control of a computer.

By integrating Behaviometrics into the 4TRESS Authentication Server Fraud Detection System, customers can now benefit from:
• Improved user experience by using the behavioral “fingerprint” as an authentication mechanism. If the system is confident that a user is who he/she claims to be based on behavior, device type, location and other user-transparent parameters collected and analyzed by the Fraud Detection System, the user will not need to re-authenticate.

• Increased security by adding transparent behavioral analysis to user interactions with the application or system. This makes the initial authentication more secure and provides ongoing protection after the initial login.

• Strengthened audit capabilities by capturing deviations in user behavior. This information can be useful for forensics studies around internal and external data breaches. It can also help assess whether a session was hijacked or the authenticated user committed the fraud.

“Compliance can be a complicated process for organizations, so we are always looking for simple ways to streamline our solutions,” said Olov Renberg, co-founder of BehavioSec. “By combining our Behaviometrics technology with HID Global’s 4TRESS offering, we can add a new layer of security in a transparent way to deliver a complete solution for risk-based authentication.”
About BehavioSec
BehavioSec offers solutions that enable a new layer of protection against identity theft. By continuously monitoring the user’s behavior in a session, BehavioSec’s technology identifies users by their keystroke rhythm, mouse/gesture movements and user patterns. BehavioSec’s products enable active authentication, preventing information theft by detecting intrusions while they are happening. For more information, visit www.behaviosec.com.

About HID Global Identity Assurance Solutions
HID Global’s Identity Assurance Solutions enable customers to prove and establish trust in a person’s identity when accessing resources on the network. The business’s strong authentication and smart card solutions are relied upon by more agencies, including the U.S. Department of Defense, than any other provider, and has issued more than 100 million credentials to enterprise, government and commerce customers. The Identity Assurance Solutions business (formerly ActivIdentity) is headquartered in Silicon Valley, California. For more information, visit www.actividentity.com.

About HID Global
HID Global is the trusted source for innovative products, services, solutions, and know-how related to the creation, use, and management of secure identities for millions of customers around the world. The company’s served markets include physical and logical access control, including strong authentication and credential management; card printing and personalization; visitor management systems; highly secure government and citizen ID; and identification RFID technologies used in animal ID and industry and logistics applications. Primary brands are ActivIdentity®, EasyLobby®, FARGO® and HID®. Headquartered in Irvine, California, HID Global has over 2,000 employees worldwide and operates international offices that support more than 100 countries. HID Global® is an ASSA ABLOY Group brand. For more information, visit www.hidglobal.com.

in PDF:  HID Global and BehavioSec Join Forces to Add New Layer of Protection to Fraud Detection System

“We found this to be a real poster company for innovation because BehavioSec has taken a core concept that has not been executed well and, through creative thinking and very good market understanding, built upon the concept. The result is keystroke dynamics done right and applied appropriately to very useful applications in the real world. BehavioSec has come up with an excellent technology that is not just a cool product looking for a problem to solve.”

BehavioAppGuard allows users to choose which Apps that they consider are sensitive to user and need additional layer of security.

Once an App is selected, you simply pick a PIN code or gesture pattern that will display to login to that application.
Your typing and swiping is made into a Behaviometric template by learning the way you enter the code by repeating it a few times in training.
Each time someone else tries to use your phone they will not be allowed access to the sensitive Apps even though they know your code or pattern, as it the would also need to exactly mimic your behavior

• The more you train your typing/swiping behavior in the app (BehavioAppGuard) the better it gets

• Longer codes and something you are accustomed to is better as muscle memory develops unique features that BehavioSec technology relies on.
• Consider this a showcase of BehavioSec technology as an application lock, which can use, transparently, in other apps such as mobile banking and payments
• Samsung Apps is a marketplace designed to provide a variety of mobile applications especially developed and carefully selected for Samsung Mobile Phones