When it comes to digital authentication, Passwords have been the most widely used method for a long time. While using passwords is simple, they are not considered the most secure form of authentication. To secure digital access better, one must consider other forms of authentication. These different forms of authentication can be used in conjunction with passwords or as a replacement for passwords.
When choosing the right type of authentication, one should consider the security needs of an organisation as well as ease of use.
Knowledge-based (Things you know)
Requires users to demonstrate their knowledge of a predefined secret information. E.g. Username and Password combination, security questions.
Knowledge based authentication is susceptible to simple hacking approaches which target individuals, as well as complex hacking techniques which target organisations. It is widely considered a weak form of authentication.
Inherence-based (What you are)
Authentication happens with the help of metrics intrinsically owned by the individuals. E.g. Biometric authentication such as Fingerprint, Iris, and Keystroke patterns.
Inherence is considered a strong type of authentication since the authentication medium can’t be stolen or leaked.
Possession-based (Things you have)
Requires users to demonstrate their possession of particular hardware. E.g. FIDO2, Push Authentication
Since a user needs to demonstrate possession of a particular piece of hardware, there’s a risk of the user’s device being lost or stolen.
Possession-based authentication is suitable for most use cases when combined with other authentication methods.
Types of Biometric authentication
Biometric authentication can be categorised into two types: Physiological and Behavioral
Physiological Biometric Authentication
Physiological Biometric authentication has a lot of different types, such as Fingerprint, Voice, Keystroke etc. Choosing the correct type of authentication is a trade-off between ease of use, accuracy (thereby security) and accessibility.
Some physiological factors are not just used for the authentication but also for identifying users. Because of this, users don’t have to provide a username for authentication based on the use case.
Some of the popular examples of Physiological Biometrics are as follows:
Fingerprint Recognition is one of the most popular Biometric Authentication techniques. It is very easy to use, and most of the user base will already know how it works. This technique uses unique traits in a user’s fingerprints to identify or authenticate a user.
Hence, it acts as a viable way to achieve a good level of security without compromising on ease of use.
Facial Recognition is a widely used biometric authentication method which uses unique traits in a user’s face to grant access.
Devices need to capture images or videos of users with a good enough quality.
An Iris is a circular structure in the eye that regulates the amount of light that can enter the retina. Iris Recognition uses a video of one’s iris to analyse unique and complex patterns.
Even though Iris Recognition works by capturing and processing a video, it needs a specialised camera.
Things to consider
- Not all devices support fingerprint recognition just yet, and the availability of hardware support must be considered. However, the number of supported devices has increased over the years.
- Fingerprint Recognition tends to have less accuracy when the user’s fingers are wet, dirty, injured etc. These things should be considered beforehand and should not lead to a complete lockout of a user from authentication. Mission-critical applications should allow the use of a secondary form of authentication.
Things to consider
- Even though most devices can capture images and videos, the image or video quality needs to be good enough to ensure reasonable accuracy.
- Algorithms are being improved to increase the accuracy of Facial Recognition. However, Image-based Facial recognition still is prone to spoofing, wherein a malicious user may use photographs of legitimate users for authentication. Using video-based facial recognition with liveness detection helps overcome this with a good level of assurance.
- Since Facial Recognition involves collecting user images, there is a concern about privacy. When implementing Facial Recognition authentication, one should be aware of their user base’s location and the related rules.
Things to consider
- Since Iris Recognition requires specialised cameras, usually high-cost, Iris recognition is generally supported only on high-end devices. To set up Iris Recognition, one should ensure that all users have capable devices or allow alternative authentication methods.
- Iris Recognition has shown to be less accurate in some instances when the users are using contact lenses or glasses. Removal of contact lenses or glasses for authentication impacts the user experience.
Behavioural biometric authentication
Behavioural biometrics involves analysing how a user interacts to differentiate between a legitimate user and a malicious user.
Behavioural biometric works by continuously collecting and analysing behavioural patterns. These patterns are used to profile a user’s behaviour. Once there is enough data to build an initial profile on subsequent uses, the system compares current user usage patterns with historical patterns and generates a risk score. When there are significant differences in the usage patterns, the risk score will be high and can be used to raise a red flag and take necessary actions.
Some scenarios where Behavioural biometrics can be helpful:
A user is logged in to their workstation. The workstation contains confidential files that can be useful to bad actors. Using Behavioural biometrics, a risk score can be calculated.
Legitimate users are accustomed to the workstation and know the different folders, desktop shortcuts, etc.
However, malicious users will try and navigate each folder step by step to go through the user’s workstation.
This behaviour change will change the risk score.
Malicious account registration
Many organisations allow users to sign up on their website and create accounts. Identity theft is a threat which has been on the rise over the last few years.
Using Behavioural biometrics, it can be possible to identify whether a new user signing up is legitimate or malicious. If the user is legitimate, they will tend to fill in their details smoothly since they already know them. A malicious user may take short gaps to look up and fill in the details while filling in things like an address.
Benefits of implementing Behavioral biometrics
- Most authentication methods involve a specific action from the user during login. But once the user logs in, session hijacking is still possible. Behavioural Biometrics provides protection which goes beyond logins and allows for Continuous Authentication, and sits very well with the principles of the Zero Trust strategy
- Unlike other forms of authentication, Behavioural Biometrics works in the background and doesn’t expect any specific actions by the user for authentication. Because of this, it maintains the same user experience while increasing security.
- Unlike things like passwords, pins, smart cards etc. Behavioural patterns such as keystrokes and mouse usage are not something that can be stolen and mimicked easily.
- Since Behavioral biometrics uses devices like keyboards and mouse, they don’t need any additional hardware.
Things to consider
- Behavioural Biometrics works by comparing current patterns with historical patterns and needs time to collect data and build a profile. Its accuracy increases over time with more data collected but it might not be helpful from Day 1.
- Users don’t always stick to their normal behaviour for many reasons, which might result in a non-optimal risk score even though the user is legitimate. While implementing Behavioural Biometrics, one should set a suitable threshold for risk scores considering the criticality of applications and take necessary actions accordingly. If stern actions such as logging the user out are taken for subtle changes in risk score, it may lead to a bad user experience.
With improvements in technology, the accuracy of Biometrics is increasing, and in some cases, the cost of implementation is reducing. New ways of Biometric authentications are being researched, which are less intrusive but still accurate. With the current advancements and things to come, Biometrics offers an excellent alternative to passwords and can help in your journey towards a Passwordless infrastructure.
How SecurDI can help
As with many things in Cyber Security, there is no single solution that meets all needs regarding authentication. Many factors must be considered while designing an authentication system that improves security and maintains usability. Our experts at SecurDI can help you in your Passwordless and Zero Trust journey and help you find the right balance between security, ease of use and cost of implementation.
Authored by Anish N Shetty