We want to get rid of insecure and intrusive authentication methods.
Behaviour-based authentication — from now on referenced to as BAuth — is a new authentication method that is currently being developed at neXenio. It’s intended to replace some of the authentication methods that are in use right now.
BAuth is an app for mobile devices which continuously analyses the user’s behaviour, using nothing but the sensor data produced by these devices. It looks at the way a user interacts with the device, what activities are being performed and — most importantly — how these activities are being performed.
To give you an idea: The BAuth service, running on my personal device, is used to the way I walk with my phone in my pocket. If someone stole my device and walked away with it, BAuth would detect a change in behaviour because the thief’s gait differs from mine.
What’s wrong with passwords?
Actually, quite a lot. First of all, people tend to use weak passwords. According to statistics from 2016, 10% of all passwords in use are the number sequence 123456. Furthermore, people tend to use the same password for different services. Even if strong passwords are being used, many of them have been leaked in the past.
Alternative authentication methods, like smart cards or USB tokens, can provide increased security — but they are proprietary hardware that users have to carry around. If they get stolen or lost, users are out of luck.
Fortunately, a user’s behaviour can’t be stolen or forgotten, which is why we’re introducing BAuth.
The Trust Level approach
Instead of providing a binary authentication success or failure result, BAuth continuously calculates so called Trust Levels. These are percentage values indicating how confident the system is that the current user of a device is also its owner — the person the user claims to be.
In contrast to the current authentication flow, the access to services that require authentication can be streamlined using the trust level approach. Services can request a user’s trust level and decide if certain functionality should be locked or unlocked for that user.
It can also be used as an additional authentication factor to make the existing authentication more secure.
It’s worth noting that all the magic required for calculating the trust levels (which we will cover in an upcoming post) happens locally, on the user’s device. The processing of sensor data, feature extraction and machine learning are complex tasks. However, the app is responsible for taking care of these due to the strict privacy requirements that BAuth has to fulfill.
In fact, no data ever leaves the user’s devices, except for the trust level and the metadata required for validating it. Private user data can’t be leaked, because it’s never actually stored anywhere.
We want to quickly showcase how BAuth can be used in the real world.
1. Physical Access Control
Think of a security door lock, restricting access to only selected people. To get through that door, people have to authenticate using a digital, NFC powered key. If a key gets stolen, the thief would be able to gain access.
If people authenticate using their phone instead (and thus also exchanging their trust level with that door), theft is not an issue anymore. The thief’s behaviour differs from that of the real owner, resulting in a low trust level, which the door would not accept.
This video showcases the use BAuth combined with access control gates, providing a seamless authentication flow without any user interaction.
Sticking to the phone theft mentioned above: Imagine a manager forgetting his phone in a bar. It’s a business phone, with a mail client containing a lot of sensitive information.
BAuth can protect this information by providing the current trust level to the mail client, which automatically locks itself when the current trust level is low (even when the phone itself is not locked). Instead of allowing sign-ins, BAuth triggers sign-outs.
3. Multi-factor Authentication
Picture a company admin interface for a service like BDrive (another product developed by neXenio). The admin has access to the whole system, so his account needs to be secured with more than just a username and password combination.
BAuth can receive authentication requests from services and display consent screens, asking the user to approve the sign-in on his phone (just like mobile banking apps do). In addition, the service can request a minimum trust level. If that trust level is currently not reached, the user has to verify his identity using a fallback.
Of course, the trust level can’t be perfect all the time. What if a user breaks his leg, resulting in a completely different gait? Or what if a user simply is stressed and thus behaving differently?
BAuth provides different fallbacks to boost the current trust level for a short period of time. Some of the fallbacks use biometrical features, like the fingerprint or the face recognition, others are knowledge factors, like the backup pin or signature move.
These fallbacks can be used in just a few seconds, allowing the user to prove his identity without requiring dedicated hardware.
You might be wondering how secure behaviour authentication can be, especially in comparison to existing authentication solutions. To be honest, that’s a tough question to answer. It requires a lot of research and testing, which is why we’ll give you some more detailed insight about that topic in our next post.