Behavioral Biometrics: Balancing Security with Usability. Neil Costigan [email protected]

BehavioSec Web Summit START slideshare

Public overview of the BehavioSec company & technology. Contact direct for a more detailed deck.

Page 1: BehavioSec Web Summit START slideshare

Behavioral Biometrics

Balancing Security with Usability

Neil Costigan [email protected]

Page 2: BehavioSec Web Summit START slideshare

Aiming to solve

We aim to increase IT & mobile security in a cost-effective, transparent, and user-friendly fashion.

“The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when they first start using their computers.”

- Bruce Schneier
Schneier on Security: A blog covering security and security technology.

Page 3: BehavioSec Web Summit START slideshare

BehavioSec. Overview.

Swedish IT start-up. Luleå (R&D) & Stockholm (Commercial)
Backed by Conor Ventures (Finland) and a consortium of regional agencies.
Patented technology.
Sales agents in US & Germany
Product exists with high-value paying customers TODAY.

Core position is behaviour biometrics for financial institutions' web & mobile apps.
Actively being pursued by handset manufacturers as a differentiator.
Success with US DARPA for desktop security add-on

Recent news
Gartner ‘cool vendor 2012’
Finovate ‘best in show’ SF May 2012

Page 4: BehavioSec Web Summit START slideshare

So what are we looking at?

How the user interacts with device, browser or computer

Page 5: BehavioSec Web Summit START slideshare

How does it work

KeySequence, KeyFlight, KeyPress
TouchAngle, TouchPressure, TouchSwipe, TouchQuotient

[Diagram labels: ”Press”, ”Flight”, ”Sequence”]

Page 6: BehavioSec Web Summit START slideshare

Two distinct solutions

Desktop
Akin to an anti-virus solution.
Sits transparently behind desktop
Monitors ALL interaction. Both mouse and keyboard.
Taking action if it detects abnormal behaviour.
DARPA DoD desktop

Web & Mobile.
Help detect online fraud.
No client install. Small code added to web forms or Apps
Processed server side. (internal or cloud)
Transparent customer experience.
Adds to RISK scoring on a transaction.
Allows for Forensics.

Page 7: BehavioSec Web Summit START slideshare

DARPA

US Defense Advanced Research Projects Agency
Fund ‘Moon shots’
Next generation DoD workstation security
Active Authentication
Transparent. Out of the hands of the end-user.

Today US DoD. Tomorrow mainstream.
A tool for all enterprise security desktops & professionals

We have success with multi-year research contract.

Page 8: BehavioSec Web Summit START slideshare

BehavioWeb & Mobile

Suitable for all web & mobile access where identity and user verification is valuable

Banking & Payment industry tend to be early adopters

Social Media has urgent need
Access portals (email, SharePoints, cloud, etc.)
Government & Education

Future is embedded into devices & infrastructure, so handset manufacturers are the long-term target

Page 9: BehavioSec Web Summit START slideshare

Web Architecture

[Architecture diagram. Labels: Client, Internet, TimingJSON, Web Server, Web Services, Business Logic, Database, BehavioStat, Back Office, Management, Management Dashboard]

Page 10: BehavioSec Web Summit START slideshare

Mobile biometric security for enterprise

- Ant Allen. Gartner. Predicts 2012: A Maturing Competitive Landscape Brings New identity and access Management (IAM) Opportunities. Nov 2011.

“The need to provide a workable user experience that is consistent across multiple endpoints (including PCs, tablets and smartphones) has become one of the key considerations for any enterprise authentication implementation, including those using biometric identification methods.”

“Strategic Planning Assumptions

By 2015, 30% of users accessing enterprise networks or high-value Web applications from smartphones or tablets will use biometric authentication.”

Page 11: BehavioSec Web Summit START slideshare

For social media & cloud services

Enhance social media platforms such as Facebook, LinkedIn etc. or cloud services (email, skydrives) with transparent usable security.

To prevent account hijacking (i.e. facerape).
To strengthen the brand as a safe place to play.
To increase usage of mobile clients as safe access devices regardless of their vulnerabilities.
To enable the social media platform to be a trusted source of identity for higher value services such as banking and payments.

Page 12: BehavioSec Web Summit START slideshare

Technical problem?

Currently the de facto authentication to all social media platforms or cloud services is via user/password.

The username is usually an email address and the password is selected by the user.

Typically no ‘hard password’ rules.
While this is in the lower spectrum of authentication techniques, it has the benefit of being perceived as user friendly and is good for reflex typing.

Page 13: BehavioSec Web Summit START slideshare

Technical solution

Transparently, and with little overhead, analyze the customer's interaction with the social media site or mobile client, then use this behavior to help continuously, and in real time, verify their identity.
Use of client-side JavaScript or a mobile SDK enables the capture of user interaction.
Server-side analysis compares to the user's historic behavioral fingerprint.
Augments or replaces captcha, device identity and geo-location.
Safe biometrics.
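
The capture and comparison steps above, as an added example that is not BehavioSec's code: press and flight timings are derived from key events and scored against a stored profile. The event format, the per-position mean/std profile and the z-score distance are assumptions made for illustration.

```javascript
// Added example; event format, profile layout and scoring are assumptions.
// Pair keydown/keyup events ({type, key, t} with t in ms) into keystrokes and
// derive press (hold) times and flight (release-to-next-press) times.
function extractTimings(events) {
  const held = new Map();   // key -> stroke not yet released
  const strokes = [];       // strokes in keydown order
  for (const e of events) {
    if (e.type === "keydown" && !held.has(e.key)) {   // skip auto-repeat
      const s = { down: e.t, up: null };
      held.set(e.key, s);
      strokes.push(s);
    } else if (e.type === "keyup" && held.has(e.key)) {
      held.get(e.key).up = e.t;
      held.delete(e.key);
    }
  }
  const done = strokes.filter((s) => s.up !== null);  // drop unreleased keys
  return {
    press: done.map((s) => s.up - s.down),
    // Negative when the next key goes down before the previous one is released.
    flight: done.slice(1).map((s, i) => s.down - done[i].up),
  };
}

// Mean absolute z-score against per-position {mean, std} from enrolment.
// Higher means less like the enrolled user; Infinity if the shapes differ.
function anomalyScore(sample, profile) {
  const got = [...sample.press, ...sample.flight];
  const ref = [...profile.press, ...profile.flight];
  if (got.length === 0 || got.length !== ref.length) return Infinity;
  const z = got.map((v, i) => Math.abs(v - ref[i].mean) / Math.max(ref[i].std, 1));
  return z.reduce((a, b) => a + b, 0) / z.length;
}

// Constructed data: one enrolled profile for a 4-key entry and two sessions.
const ms = (mean, std) => ({ mean, std });
const PROFILE = {
  press: [ms(95, 10), ms(88, 12), ms(102, 9), ms(90, 11)],
  flight: [ms(140, 20), ms(-15, 10), ms(160, 25)],
};
const ev = (type, key, t) => ({ type, key, t });
const OWNER = [ev("keydown", "a", 0), ev("keyup", "a", 98), ev("keydown", "b", 230),
  ev("keydown", "c", 305), ev("keyup", "b", 318), ev("keyup", "c", 410),
  ev("keydown", "d", 575), ev("keyup", "d", 668)];
const OTHER = [ev("keydown", "a", 0), ev("keyup", "a", 160), ev("keydown", "b", 420),
  ev("keyup", "b", 560), ev("keydown", "c", 800), ev("keyup", "c", 950),
  ev("keydown", "d", 1300), ev("keyup", "d", 1440)];
console.log([OWNER, OTHER].map((s) => anomalyScore(extractTimings(s), PROFILE).toFixed(2)));
```

Only timings leave `extractTimings`; the key value is used just to pair each keyup with its keydown, so the typed characters are not part of the feature vector.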

Page 14: BehavioSec Web Summit START slideshare

Benefits

Without making security overly complex and less user friendly, the social media platform can increase user trust while protecting the trusted brand.

Utilize this trusted authentication to upsell identity services to high-value 3rd parties such as financial institutions, payments and gaming, who have traditionally shied away, voicing security and fraud concerns.

Improved targetability for ad-networks.

Page 16: BehavioSec Web Summit START slideshare

Match-in-net for mobile apps

SDK for App developers to get Behaviometric data from iPhone or Android.

Rich behaviour monitoring if platform allows (Android).

Keystroke timings from native keyboard.

Integrated to BehavioWeb for back-end risk based authentication.

[Diagram labels: App, Fields, Backend, Score]

Page 17: BehavioSec Web Summit START slideshare

Match-on-device for smart phones

Extended authentication methods for BYOD.
Secure mobile devices.
A biometric lock without extra hardware.
Looks at how the user types or swipes a PIN code.
Allows or denies access to phone or specific applications

Page 18: BehavioSec Web Summit START slideshare

Demos - Web

Available online: http://cloud.behaviosec.com/BehavioWebDemo

Sample Application:
Scenario simulates a transaction that contains commonly used fields such as name, email and password.
Added behavioural biometrics
Can see scores in real-time and management console

http://cloud.behaviosec.com/BehavioWebDashboard/

Page 19: BehavioSec Web Summit START slideshare

Demos - Mobile

http://www.behaviosec.com/mobile-demonstration-video/

Apps in all app stores (Apple, Google, WindowsMobile)

Example: Available in Samsung App store:

Behavio AppGuard

BYOD for sensitive apps
Add biometrics to app access
Typing or swiping authentication
Five tries before locking the app
30 second cool down