It has become difficult to define the virtual external borders of a company: the Internet of Things, exchange with customers, partners and suppliers, and cloud services expand and blur the boundaries. Potential attackers lurk everywhere. However, for risk assessment the location of the attacker is no longer key. He may be inside the IT infrastructure or outside of firewalls and other protective devices.
Digital identity: Who am I and, if so, how many?
Who is the user and how does he behave? Is it a human being, a robot, a server or a smart device? The identity of a user and its verification – i.e. authentication – is more important than ever for IT security. While interaction used to take place at the bank counter, it now takes place electronically. This is why we need the digital identity (see figure). As the backbone of digital life, it has a specific function – but it also transfers valuable data and permissions to more or less trustworthy players. No wonder digital identities – of which many of us have a high number – are often stolen and traded. Therefore, digital identities deserve attention within the larger IT security picture.
Usability versus security
As identity theft cannot be prevented, abuse must be limited. This is done with strong authentication: mTAN, one-time password tokens or new identity cards are useful. Adaptive security methods such as continuous authentication, misuse detection and alarming the legitimate identity owner also work. These methods respond to changing environments, thus offering security benefits. At the same time, they reduce usability, which is why their acceptance is poor. The emerging biometric authentication is user-friendly and therefore seems to be the ideal solution. However, fingerprint sensors, iris scanners and face recognition software can also be cracked – and they make highly sensitive biometric data electronically accessible. As a result, the data can be copied, which is particularly unpleasant for users, since a fingerprint cannot be replaced like a password. Behavior analytics comes in as an alternative as, compared to biometric data, it captures more dynamic aspects of our identity.
Show me how you type, and I know who you are
Place (geolocation), device and time are already common elements of «Behavioral Analytics»: Does the user log in on a familiar device at the normal time of day or week? If someone logs in from New York and from Zurich at the same time, it can hardly be the same person. How people enter information and use a particular device can be recorded and analyzed too: How does the user type on the keyboard or the screen? With one finger or all of them? How big are his fingertips, how strong is his touch? Does he move the smartphone? Do the mouse clicks take place in the usual combination, speed and order (click stream)? The navigation behavior within an application provides additional information: Which contents and actions does the user choose, and when? Does he always look at the price trend of his investments first in e-banking? Does he navigate straight to the payment application to execute transactions?
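The "New York and Zurich at the same time" case above is the classic impossible-travel check on the geolocation aspect. The following is an added example, not code from the original article or any product it describes: it compares consecutive logins per user, computes the great-circle distance between their locations and flags any pair that would require travelling faster than a plausible speed. The login records, the coordinates (approximate city centres) and the 1000 km/h speed limit are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime   # UTC timestamp of the login
    lat: float       # latitude of the geolocated source
    lon: float       # longitude of the geolocated source
    label: str       # human-readable place name, for reporting only


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly the cruise speed of an airliner


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev, cur):
    """Speed the user would have needed to get from prev to cur in time."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        # Simultaneous logins from two different places: no finite speed fits.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    return required_speed_kmh(prev, cur) > max_kmh


def scan(logins):
    """Return (user, previous place, current place) for every flagged pair."""
    by_user = {}
    for login in sorted(logins, key=lambda x: x.when):   # stable sort keeps ties in input order
        by_user.setdefault(login.user, []).append(login)
    flags = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if impossible_travel(prev, cur):
                flags.append((user, prev.label, cur.label))
    return flags


# Constructed sample logins (invented users, approximate city coordinates).
ZURICH = (47.37, 8.54)
NEW_YORK = (40.71, -74.01)
FRANKFURT = (50.11, 8.68)
T = lambda h, m: datetime(2024, 1, 15, h, m)   # same day, UTC

SAMPLE_LOGINS = [
    Login("carol", T(7, 0), *ZURICH, "Zurich"),
    Login("carol", T(7, 0), *NEW_YORK, "New York"),   # same minute, two continents
    Login("bob", T(8, 0), *ZURICH, "Zurich"),
    Login("bob", T(10, 0), *FRANKFURT, "Frankfurt"),  # ~300 km in two hours: a train ride
    Login("alice", T(9, 0), *ZURICH, "Zurich"),
    Login("alice", T(9, 10), *NEW_YORK, "New York"),  # ~6300 km in ten minutes
]

if __name__ == "__main__":
    for flag in scan(SAMPLE_LOGINS):
        print("impossible travel:", flag)
```

The check is deliberately a coarse first filter: a VPN exit or a mobile carrier gateway can place a legitimate user far from where they sit, which is exactly the kind of false positive the article later warns about, so a flag here should raise the risk score rather than block on its own.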
Tailored to risk tolerance and habits
Based on anomalies, behavior analytics software continuously calculates a risk score, which quantifies the risk that the identity is false. To get to know the user and calculate risk values, the software needs a training phase. For this, the behavioral aspects can be configured individually. With geolocation, it is possible to assign risk-specific tags to individual countries. Behavioral aspects can be weighted differently and measured at different tolerance values (thresholds). They take into account the risk tolerance of the application provider and the user as well as the user's requirements or habits. For a business traveller and frequent flyer, a lower weighting or higher tolerance with regard to geolocation makes sense.
Avoiding extra work and trouble
An increased risk score may raise the required security level as needed and trigger additional measures. For example, if the user wants to transfer a higher amount of money to an unfamiliar recipient, additional authentication steps are automatically generated, with measures ranging from a session stop to the notification of the legitimate user. This, in turn, generates costs. Avoiding «false positives», i.e. false suspicions, thus becomes an important task of the behavior analytics system and its configuration options.
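The two paragraphs above describe one pipeline: a training phase builds the user's baseline, each behavioral aspect is scored against that baseline with its own weight and threshold, the weighted result is the risk score, and the score plus the transaction context selects a measure. The following is an added example of that pipeline, not code from the original article or any vendor product; the aspect set (country, device, hour of day, typing rhythm), the country risk tags, the weights, the thresholds, the decision bands and all training and test observations are invented assumptions chosen to make the business-traveller case visible.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Observation:
    country: str      # ISO country code of the login geolocation
    device: str       # device fingerprint or identifier
    hour: int         # local hour of day, 0-23
    typing_ms: float  # mean interval between keystrokes, in milliseconds


@dataclass
class Profile:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    typing_mean: float = 0.0
    typing_sd: float = 1.0


# Risk tags per country (assumed values; a provider would set these by policy).
COUNTRY_RISK = {"CH": 0.0, "DE": 0.2, "US": 0.3}
UNKNOWN_COUNTRY_RISK = 0.8

# Weights and thresholds are the configurable knobs the article describes.
DEFAULT_WEIGHTS = {"geo": 1.0, "device": 1.0, "time": 0.5, "typing": 1.0}
TRAVELLER_WEIGHTS = {**DEFAULT_WEIGHTS, "geo": 0.3}   # frequent flyer: geolocation matters less
TYPING_Z_THRESHOLD = 2.0   # standard deviations tolerated before typing counts as anomalous


def train(observations):
    """Training phase: build the user's baseline from observed behaviour."""
    p = Profile()
    for o in observations:
        p.countries.add(o.country)
        p.devices.add(o.device)
        p.hours.add(o.hour)
    typing = [o.typing_ms for o in observations]
    p.typing_mean = mean(typing)
    p.typing_sd = pstdev(typing) or 1.0   # avoid division by zero on constant data
    return p


def aspect_scores(profile, obs, z_threshold=TYPING_Z_THRESHOLD):
    """Anomaly score in [0, 1] for each behavioural aspect of one login."""
    if obs.country in profile.countries:
        geo = 0.0
    else:   # unfamiliar country: base anomaly plus the country's risk tag
        geo = 0.5 + 0.5 * COUNTRY_RISK.get(obs.country, UNKNOWN_COUNTRY_RISK)
    device = 0.0 if obs.device in profile.devices else 1.0
    if obs.hour in profile.hours:
        time = 0.0
    elif (obs.hour - 1) % 24 in profile.hours or (obs.hour + 1) % 24 in profile.hours:
        time = 0.5   # adjacent hour: mildly unusual
    else:
        time = 1.0
    z = abs(obs.typing_ms - profile.typing_mean) / profile.typing_sd
    typing = 0.0 if z <= z_threshold else min(1.0, (z - z_threshold) / z_threshold)
    return {"geo": geo, "device": device, "time": time, "typing": typing}


def risk_score(profile, obs, weights=DEFAULT_WEIGHTS):
    """Weighted average of the aspect scores, again in [0, 1]."""
    scores = aspect_scores(profile, obs)
    return sum(weights[k] * scores[k] for k in scores) / sum(weights.values())


def decide(score, high_value_transfer=False):
    """Map a risk score to a measure; a risky transaction lowers the bands."""
    bands = (0.15, 0.4, 0.7) if high_value_transfer else (0.3, 0.6, 0.85)
    if score < bands[0]:
        return "allow"
    if score < bands[1]:
        return "step_up"                 # ask for an additional authentication factor
    if score < bands[2]:
        return "step_up_and_notify"      # also alert the legitimate owner
    return "terminate_and_notify"        # stop the session and alert the owner


# Constructed training data for one user (invented values).
TRAINING = [
    Observation("CH", "laptop-A", 8, 140.0),
    Observation("CH", "laptop-A", 9, 150.0),
    Observation("CH", "laptop-A", 10, 160.0),
    Observation("CH", "laptop-A", 18, 150.0),
]
PROFILE = train(TRAINING)

NORMAL = Observation("CH", "laptop-A", 9, 148.0)
TRIP_DE = Observation("DE", "laptop-A", 9, 152.0)   # business trip, same device and habits
TAKEOVER = Observation("US", "phone-X", 3, 260.0)   # everything unfamiliar at once

if __name__ == "__main__":
    for name, obs in [("normal", NORMAL), ("trip", TRIP_DE), ("takeover", TAKEOVER)]:
        s = risk_score(PROFILE, obs)
        print(name, round(s, 3), decide(s), decide(s, high_value_transfer=True))
    s = risk_score(PROFILE, TRIP_DE, TRAVELLER_WEIGHTS)
    print("trip with traveller weights", round(s, 3), decide(s, high_value_transfer=True))
```

With the default weights the German login is allowed for ordinary use but triggers a step-up as soon as a high-value transfer is attempted; with the traveller weights the same login passes in both cases, which is the false positive the lower geolocation weighting is meant to remove. The takeover case, where every aspect deviates, lands in the highest band regardless of weighting.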
Practical applications: fast and secure access
User behavior analytics is widely used in e-banking and mobile banking. Aspects such as geolocation, device, time and typing behavior are analyzed. The user is continuously monitored even after logging in. Customer portals today already allow password-free login based on behavior analytics. Only more important transactions trigger additional authentication factors. In both cases, security is increased without compromising usability. Finally, user behavior analytics is used to identify the legitimate owners of mobile devices. The high number of sensors and parameters of these devices supports these applications.
User behavior analytics is used in many ways, and the potential is huge. Its use for digital identities deserves special attention, as it is particularly valuable and sensitive due to its function as the backbone of digital life. This is true not only for the user, but also for providers of websites, platforms and applications – as they want to win, retain and protect the user as a customer.