BehavioSec’s CEO, Neil Costigan, recently attended two leading identity strategy conferences, where he participated in panel discussions focused on innovations and policy in digital identity solutions: One World Identity’s (OWI) KNOW Conference in Las Vegas and Money20/20 Europe in Amsterdam, Netherlands.
Since 2016 KNOW has been one of the top global events focused on identity in the digital world. The conference looks not only at underlying technologies helping establish “who” we are, but the security, commerce and other business implications of trends here as well. As part of that agenda, Neil participated in a panel discussion, titled “That Thing You Do: Behavioral Biometrics and Predictive Analytics.”
Our team enjoyed sharing BehavioSec’s perspective on protecting users’ online identity and authentication with OWI. Neil’s panel at KNOW was a great opportunity to catch up and join other experts focused on how behavioral biometrics dramatically reduces rates of account takeover fraud and password friction by digitally identifying users not according to a token or password they have, but instead based on their innate behaviors like typing patterns, touchscreen manipulation and device handling.
This new, additive layer of security for banks, retailers, fintech apps and other digital services sounds like science fiction to some, but BehavioSec’s behavioral biometrics platform has been supporting global organizations for years while rapidly adding new features and users. This was a great aspect of the panel; Neil’s remarks focused on which attributes make for the strongest authenticators, questions and concerns we’ve heard in the industry and other real-world anecdotes.
Neil expanded on this theme in his panel at Money 20/20 Europe, “The Changing Nature of Attacks and Attackers,” where he discussed cybersecurity and risk management in an age where online commerce and trust are threatened by cybercrime that continually bypasses traditional password authentication and anti-fraud measures.
Both panels stirred a lot of conversations. Here is my quick recap of takeaways for security and identity stakeholders:
Unfounded privacy fears are being dispelled
We live in privacy-conscious times, with many individuals being affected by data breaches in the headlines and unending debate over whether social media platforms and other businesses are committed to giving users control over their data. Privacy is a serious issue, but reflexive privacy fears around behavioral biometrics – where these may exist – are quickly dispelled by vendors’ and enterprises’ policies and transparency.
For example, at BehavioSec we are fundamentally committed to helping our enterprise customers protect their users’ data through secure authentication. As noted in our public FAQ, our software monitors digital inputs including cursor movements, touch and swipe gestures or the particular way an individual holds a device. This raw data is turned into statistical variances our platform uses for authentication processes and is not considered personally identifiable information (PII).
We are at an exciting time for behavioral biometrics
Every new wave of mobile devices, for example, comes with more embedded sensors, interfaces and processing power to help authentication platforms like BehavioSec’s gather and compare rich user behaviors from the moment someone opens an app or web site and attempts to log in or make a transaction. As with any relatively new, fast-growing technology, businesses want to make sure they speak with peers and other sources that have tested or installed behavioral biometrics to gauge their experiences and avoid any surprises. This was an outstanding theme of the KNOW panel, which featured viewpoints on the technology from across the board.
A key observation from the Money 20/20 panel is that many of the Nordic / Benelux banks have quickly advanced their digital transformation efforts in tandem with their security capabilities. They’ve honed both the user experience and interface to remove needless journey friction and align more closely with the things people actually do to increase usage frequency and optimize the user experience. But while terms like Artificial Intelligence (AI) and Machine Learning (ML) are frequently hyped, domain experience is nevertheless an important consideration when evaluating these technologies. AI is simply another buzzword unless a company can demonstrate how it’s been used, how effectively, and for how long.
Behavioral biometrics isn’t just for banks and brokerages
For obvious reasons, the global financial services industry is always the subject of both cybercriminals’ and defenders’ “latest and greatest.” Attackers follow the money and financial firms prioritize evaluating as many new anti-fraud and risk management innovations as they can, particularly in the midst of the financial world’s digital transformation to reach users primarily through apps and mobile devices.
Many in the FinServ industry appear to be taking a wait-and-see approach regarding the Revised Directive on Payment Services (PSD2), which comes into full effect this September. What was made clear at Money 20/20 is that from an overall security perspective, the requirement for strong customer authentication on electronic payments has already encouraged a more proactive security approach, one centered on predicting threat vectors rather than just plugging the dam, and likely to become the gold standard.
Behavioral biometric defenses like BehavioSec’s platform are already making remarkable progress against the relentless problem of malware and dark web shoppers methodically exploiting individuals’ chronically compromised password credentials for sensitive financial accounts. Yet given behavioral biometrics’ proven performance, accuracy and net business value, Neil’s panel at KNOW concluded there are many other diverse use cases around the corner. Consider the protection of internal corporate data resources likewise in the crosshairs of attackers armed with a stolen privileged user’s password. BehavioSec can behaviorally authenticate a trusted employee the same as authentic fintech users or shoppers.
Also discussed were the significant opportunities to protect cloud-delivered (SaaS) critical business applications. The “sharing” of passwords and account use with these applications usually presents both costly terms-of-service and corporate security policy violations. BehavioSec can directly inventory, profile and measure authorized users’ activity to detect when a dangerously shared credential threatens to open the door to abuse or theft of data.
I predict a lot of exciting developments in behavioral biometrics over the next year. If you attended either show or followed the headlines, share your thoughts with us via @BehavioSec or on LinkedIn.