Think about the last time you logged into a website or mobile app. Chances are, that site or app asked you to enter a combination of challenges to ensure you are who you say you are, such as username, email address, password and perhaps even a randomly generated PIN. All of that effort is performed to ensure it’s really you on the other side of the connection.
What happened after you logged in and performed your intended tasks? If you’re like most people, you either closed a browser tab or hit the home button on your mobile device to move on to something else. And the app or site likely responded in one of two ways: it either logged you out automatically after an idle timeout period lapsed (typical of high-security financial apps) or it let you stay in an authenticated state for an extended period – perhaps for days or even weeks (typical of social media and communication apps).
Neither is ideal. In both cases, a compromise is being made. On one hand, you have companies for whom user engagement is king (e.g. anything ad-supported) hoping to avoid authentication-related tasks as they fear creating barriers to user engagement. They’re more likely to “cheat” a little by assigning liberal authentication policies that won’t be burdensome. However, in doing so, they increase the risk that your account data (or worse) is compromised should your device be stolen or remotely hacked.
Conversely, you have organizations for whom fraud avoidance is of primary concern (e.g. financial institutions). They tend to be more concerned about the risks of account takeover (a bad actor getting into an account) and will often ask a user to authenticate frequently, enforce extra barriers like two-factor authentication, and enforce short login timeouts — all in an effort to ensure that fraudsters don’t access your account. While they may achieve a higher degree of account security, they do it at the cost of a diminished user experience.
The major challenge with this one-time authentication model is that each organization is forced to perform the unenviable task of selecting a user-pain threshold somewhere along the continuum between providing high security with a high annoyance factor and low security with a low annoyance factor.
There is a solution to this dilemma however, and it involves thinking about what you’re ideally trying to achieve with authentication. Perhaps the ultimate panacea for authentication is to ensure a person is exactly who they claim to be at all times, without requiring that person to take any action to prove it. If that sounds unattainable to you, you’re in good company. However, there is a technology set that can help get your organization closer to that panacea, and it involves a concept known as continuous authentication.
As its name implies, continuous authentication should verify that your customers are who they appear to be on an ongoing basis, not just at one moment in time. Of course, in order to achieve this effectively, you must have a way of performing that authentication without having to constantly interrupt your customers! That unique ability is afforded by a technology called behavioral biometrics. Behavioral biometrics utilizes machine learning to continuously and silently profile a customer’s behavior based upon the natural interactions they have with your app or website. Malware like bots, fraudsters with stolen login credentials and even those wielding remote access tools and sophisticated social engineering scams all stick out like a sore thumb when viewed through the lens of behavioral biometrics. Yet, what makes behavioral biometrics most compelling for the UX-conscious is the technology’s ability to do all that without any modification to the flow of an app or website.
Continuous authentication delivered through behavioral biometrics opens up a world where organizations can break from the one-time authentication continuum, improving both security and user experience simultaneously. Organizations with the strictest security postures are free to consider relaxing user-experience-diminishing barriers such as enforcing extreme password complexity, reliance on one-time passwords, step-up authentication, transaction parking and short session timeouts. Conversely, organizations who fear losing customer engagement can add a strong layer of additional security that is entirely transparent and frictionless.
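To make the continuous-authentication idea concrete, here is an added illustration that is not BehavioSec’s code or model: a toy scorer that learns a per-user baseline from keystroke timing (how long keys are held and the gap between presses) during normal use, scores every later window of keystrokes against that baseline, and feeds the result into a running session trust level. When trust falls below a threshold the application asks for step-up authentication rather than silently trusting or silently dropping the session. The feature choice, the z-score similarity, the smoothing factor and the thresholds are all assumptions chosen for illustration; the keystroke windows are constructed sample data.

```python
"""Toy continuous-authentication scorer built on keystroke timing.

Added illustration, not any vendor's model. Assumptions: two features
(mean dwell and mean flight time per window), similarity derived from the
average absolute z-score against the enrolled baseline, and an
exponentially smoothed session trust level that triggers step-up
authentication below a fixed threshold.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Baseline:
    means: dict   # feature name -> enrolled mean
    stds: dict    # feature name -> enrolled std (floored at 1 ms)


def features(window):
    """window: list of (key_down_ms, key_up_ms) tuples in press order.
    dwell  = how long each key was held;
    flight = gap between releasing one key and pressing the next."""
    dwell = [up - down for down, up in window]
    flight = [window[i + 1][0] - window[i][1] for i in range(len(window) - 1)]
    return {"dwell": mean(dwell), "flight": mean(flight)}


def enroll(windows):
    """Learn a baseline from several windows captured during normal use."""
    per_feature = {}
    for w in windows:
        for name, value in features(w).items():
            per_feature.setdefault(name, []).append(value)
    means = {k: mean(v) for k, v in per_feature.items()}
    # Floor the std so a near-constant feature cannot produce huge z-scores.
    stds = {k: max(pstdev(v), 1.0) for k, v in per_feature.items()}
    return Baseline(means, stds)


def match_score(baseline, window):
    """Similarity in (0, 1]: 1.0 when the window sits on the enrolled means,
    decaying as the average absolute z-score grows."""
    f = features(window)
    z = [abs(f[k] - baseline.means[k]) / baseline.stds[k] for k in f]
    return 1.0 / (1.0 + sum(z) / len(z))


class SessionTrust:
    """Running trust level updated after every observed window.

    Smoothing (alpha) means one odd window lowers trust but does not by
    itself force a challenge; a persistent mismatch does."""

    def __init__(self, baseline, alpha=0.5, step_up_below=0.4):
        self.baseline = baseline
        self.alpha = alpha
        self.step_up_below = step_up_below
        self.trust = 1.0  # the session begins right after a successful login

    def observe(self, window):
        s = match_score(self.baseline, window)
        self.trust = (1 - self.alpha) * self.trust + self.alpha * s
        return "step_up" if self.trust < self.step_up_below else "allow"


def make_window(dwell_ms, flight_ms, n=10):
    """Constructed keystroke window: n presses with the given timings."""
    window, t = [], 0
    for _ in range(n):
        window.append((t, t + dwell_ms))
        t = t + dwell_ms + flight_ms
    return window


def run_demo():
    """Enroll a user, then score two genuine windows followed by two
    windows with bot-like, uniformly fast timings. Returns the actions."""
    baseline = enroll([make_window(95, 140), make_window(100, 150),
                       make_window(105, 160), make_window(110, 170)])
    session = SessionTrust(baseline)
    stream = [make_window(100, 150), make_window(100, 150),
              make_window(20, 20), make_window(20, 20)]
    return [session.observe(w) for w in stream]


if __name__ == "__main__":
    print(run_demo())  # the final window pushes trust below the step-up threshold
```

The design point is the smoothed trust level: the first bot-like window in `run_demo` lowers trust but is still allowed, and only the second one triggers step-up, which is how a continuous signal avoids challenging a legitimate user over a single unusual moment while still catching a sustained change in who is at the keyboard.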
To learn more about how BehavioSec can help your organization decrease fraud risk and improve user experience with behavioral biometrics, please reach out and we’d be happy to set up a live demo and discuss your organization’s unique needs.