Behaviour-Based Authentication

Stephan Schultz
Mar 5, 2018 · 5 min read
Image for post
Image for post
The BAuth app for Android devices

We want to get rid of insecure and intrusive authentication methods.

Behaviour-based authentication — from now on referenced to as BAuth — is a new authentication method that is currently being developed at neXenio. It’s intended to replace some of the authentication methods that are in use right now.

BAuth is an app for mobile devices which continuously analyses the user’s behaviour, using nothing but the sensor data produced by these devices. It looks at the way a user interacts with the device, what activities are being performed and — most importantly — how these activities are being performed.

To give you an idea: The BAuth service, running on my personal device, is used to the way I walk with my phone in my pocket. If someone stole my device and walked away with it, BAuth would detect a change in behaviour because the thief’s gait differs from mine.

What’s wrong with passwords?

Actually, quite a lot. First of all, people tend to use weak passwords. According to statistics from 2016, 10% of all passwords in use are the number sequence 123456. Furthermore, people tend to use the same password for different services. Even if strong passwords are being used, many of them have been leaked in the past.

Image for post
Image for post
Numbers of passwords leaked by some well known services

Alternative authentication methods, like smart cards or USB tokens, can provide increased security — but they are proprietary hardware that users have to carry around. If they get stolen or lost, users are out of luck.

Fortunately, a user’s behaviour can’t be stolen or forgotten, which is why we’re introducing BAuth.

The Trust Level approach

Instead of providing a binary authentication success or failure result, BAuth continuously calculates so called Trust Levels. These are percentage values indicating how confident the system is that the current user of a device is also its owner — the person the user claims to be.

Image for post
Image for post
Authentication flow using passwords

In contrast to the current authentication flow, the access to services that require authentication can be streamlined using the trust level approach. Services can request a user’s trust level and decide if certain functionality should be locked or unlocked for that user.

Image for post
Image for post
Authentication flow using trust levels

It can also be used as an additional authentication factor to make the existing authentication more secure.

Privacy

It’s worth noting that all the magic required for calculating the trust levels (which we will cover in an upcoming post) happens locally, on the user’s device. The processing of sensor data, feature extraction and machine learning are complex tasks. However, the app is responsible for taking care of these due to the strict privacy requirements that BAuth has to fulfill.

In fact, no data ever leaves the user’s devices, except for the trust level and the metadata required for validating it. Private user data can’t be leaked, because it’s never actually stored anywhere.

Use Cases

We want to quickly showcase how BAuth can be used in the real world.

Think of a security door lock, restricting access to only selected people. To get through that door, people have to authenticate using a digital, NFC powered key. If a key gets stolen, the thief would be able to gain access.

If people authenticate using their phone instead (and thus also exchanging their trust level with that door), theft is not an issue anymore. The thief’s behaviour differs from that of the real owner, resulting in a low trust level, which the door would not accept.

This video showcases the use BAuth combined with access control gates, providing a seamless authentication flow without any user interaction.

Sticking to the phone theft mentioned above: Imagine a manager forgetting his phone in a bar. It’s a business phone, with a mail client containing a lot of sensitive information.

BAuth can protect this information by providing the current trust level to the mail client, which automatically locks itself when the current trust level is low (even when the phone itself is not locked). Instead of allowing sign-ins, BAuth triggers sign-outs.

Picture a company admin interface for a service like BDrive (another product developed by neXenio). The admin has access to the whole system, so his account needs to be secured with more than just a username and password combination.

BAuth can receive authentication requests from services and display consent screens, asking the user to approve the sign-in on his phone (just like mobile banking apps do). In addition, the service can request a minimum trust level. If that trust level is currently not reached, the user has to verify his identity using a fallback.

Fallbacks

Of course, the trust level can’t be perfect all the time. What if a user breaks his leg, resulting in a completely different gait? Or what if a user simply is stressed and thus behaving differently?

Image for post
Image for post

BAuth provides different fallbacks to boost the current trust level for a short period of time. Some of the fallbacks use biometrical features, like the fingerprint or the face recognition, others are knowledge factors, like the backup pin or signature move.

These fallbacks can be used in just a few seconds, allowing the user to prove his identity without requiring dedicated hardware.

Security

You might be wondering how secure behaviour authentication can be, especially in comparison to existing authentication solutions. To be honest, that’s a tough question to answer. It requires a lot of research and testing, which is why we’ll give you some more detailed insight about that topic in our next post.

Stay tuned!

neXenio

Engineering the digital workplace

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store