RSA: An Unusual Approach to User Authentication: Behavioral Biometrics (Video)

In the North of Sweden, in Lappland, there is a university spinoff company named BehavioSec that decides you are you (or that a person using your computer is not you) by the way you type. Not the speed, but rhythm and style quirks, are what they detect and use for authentication. BehavioSec CEO/CTO Neil Costigan obviously knows far more about this than we do, which is why Tim Lord met with him at the 2013 RSA Conference and had him tell us exactly how BehavioSec's system works. As usual, we've provided both a video and a transcript (There's a small "Show/Hide Transcript" link immediately below the video) so you can either watch or read, whichever you prefer.

Tim Lord: What’s your name and your title?

Neil Costigan: I am Neil Costigan and I am the CEO at BehavioSec.

Tim Lord: Okay. And BehavioSec is not an American company?

Neil Costigan: No. We are Scandinavian. We are a university spin-out from a university in the far north of Sweden, up in the [din dark] north in Lapland.

Tim Lord: Okay, and your company focuses on biometrics? What is the smart person uninterested in the field’s view of biometrics?

Neil Costigan: Well, what we do is behavioral biometrics. What we are doing is saying that how a person interacts with their computer, website or the phone, has a behavioral pattern that can uniquely identify them, and therefore like a biometric. Now we are not looking at your physical thing that you are doing, just more your attributes of how you act and make a statistical pattern of how you do things, and monitor that.

Tim Lord: So not like iris identification or fingerprint, it’s probably more like statistical patterns of typing.

Neil Costigan: Yeah. There is a kind of you can’t take the biometric we have and reproduce a person. You can’t find our fingerprint or profile and then pretend to be that person, so it is kind of on the good side of Big Brother if that makes any sense.

Tim Lord: Sure. So what are some examples? You mentioned typing speed.

Neil Costigan: Yeah, it would be typing rhythm, we’d be looking at not what you type, it is not the password you are typing, it is not that it is Neil from Ireland, it is the speed from the N to the E. How fast you go from the N right to the N. So it is kind of key flight, key press, sequence speeds, pressure on the keys, and that in a simple sense is keystroke dynamics. In the case of a mouse or on indeed like a touchscreen like a smartphone, it is the pressure, it is the swipe, it is the angles, how fast you go across the sequence, do you hover over a button with your mouse, and there are small little behavioral patterns that are unique to yourself, and that helps us compare one person to another.

Tim Lord: Now things like that, that sort of ongoing behavior, that seems different from where we often see things like passwords used, or PIN numbers for bank account, things like that.

Neil Costigan: Exactly. It falls in this area of, what we would describe as continuous authentication or active authentication; it is after the gatekeeper, after the door is open, you know with a lot of stuff you are in and that’s actually you have proven yourself. Well, what we are saying, at any one time, you can constantly look at what is going on, and we publish a score, the likelihood that this person is who they are supposed to be all the time. So, it is continuous. And it falls then into a field of active authentication, and if the score is low, then you may be asked to produce the secret password, the one-time token or the smart card. So this is used very much as an additional layer that is constantly running and watching.

Tim Lord: Now you sell your software to companies, like a bank? Does that mean then that the bank has a subscription with you, or they buy a complete package that they then use?

Neil Costigan: Well, the software works is really not personal, we can host it in the cloud, indeed we have services in Amazon and in the cloud, where you can ask, “hey is this pattern this entity,” and it will give you back an answer, so it is not a personal identifier, but the banks tend to be quite conservative and also for privacy reasons, and also for performance reasons, scalability and ownership, they tend to take our software and put it in-house behind the firewall.

Now, there would be advantages to everybody collaborating with this stuff and protecting against fraudsters in a larger scale in the cloud and that may come down the line. But right now our current customers tend to install it in their bank, in the website, kind of behind the internet bank, or behind the app, and do the matching and comparisons there.

Tim Lord: Now if someone wanted to break the system and compromise it, is there a point that they could grab this data from the wire, and say, here is what the pattern looks like, even though it is not being done by a person.

Neil Costigan: We do a kind of ticketing, a system where you get one shot at a particular pattern, you get a piece of token to do it. And also the software in the back, it is kind of some of the attributes, we can tell the frequencies are too uniform, so it is likely to be a bug or a robot or an attempt to do it exactly the same; and also perhaps it’s too fast, it is likely to be an automated attack and so those are some of the secondary attributes that can help us to track whether it is a human.

Tim Lord: Now it sounds like it is still a startup company in some ways, but you have had some success as far as selling it?

Neil Costigan: Yeah, it does sound that well the idea itself, this whole idea of keystroke dynamics and stuff is quite old. I mean, they used to be used in second world war, listening into the wires, you could tell who was typing Morse code and stuff, and the family is all but I think we are at the generation where computing power and also the amount of sensors that are available, you don’t need custom keyboards for precision, the touchscreens and the mouse have the precision, and the amount of information it senses is huge, so we have got an awful lot more input in biometrics.

And finally we are going to have, instead of keyboard replacement, instead of getting somebody to type the same sentence over and over again, we are going at their normal behavior, whatever you type, your own password, your own user name, not the ‘quick brown fox’ but whatever you want to type. So the technology is old enough.

Now, we are a startup. It was a university spin-out, so the founding date is a bit hazy, but we think we are at it seriously in the last two years, when we raised some funding and put some permanent staff in and expanded the team.

We are Scandinavian. We have had great success in the local market which tends to be quite good at adopting new technologies. The traditional customers for security, the earlier adopters tend to be the banks, and the military and those kind of people who are normally risk averse and are normally very very slow to do things. We’ve been working on it quite a lot. We’ve got all the banks in Scandinavia, with a massive rollout of our phone stuff, so inside their internet banking app, all the banks have our behavioral biometric technology embedded in it. And so we are taking that now, and going out of Scandinavia.

Tim Lord: What about people who are uncomfortable with everything they type being viewed by an omniscient presence up above?

Neil Costigan: I suggest to our customers that you make sure that people know in a comfortable way that we are watching your behavior for your benefit, just like they log your IP address, and they log the time of day when you do transactions, and you would expect this. Taking the rhythm of your typing, not what you are typing. And very often, even in the most basic case, it is the PIN number, they know you are typing the PIN number, they are going to check the PIN number. The fact that they are able to have a four or six-digit PIN rather than a really hard password is because you have this rhythm. It is not really the same as knowing what you are typing and that kind of stuff. It is kind of in a context which is suitable, that is the security step.

Tim Lord: So in scanning behavior, like you said before, phones have lots of sensors, you don’t even have any hardware to do this, it is entirely data analysis.

Neil Costigan: No. That is also kind of the reason there has been a huge interest in this. We are using off-the-shelf hardware in this area, and the guiding light is, there are no extra sensors, no extra hardware, no extra costs, hardware costs. There is a balance in all this. I mean, you can get hugely impressive security solutions that would cost an awful lot of money because of the hardware and are very very complex to use because of the very nature of the complexity or whatever.

What we do is kind of balance that usability cost and security, so generally the end user isn’t involved. It is transparent. We are not doing a training stage, we are not changing the user experience, we are not shipping stuff out, we are not getting any people to lose. It is all in the app and behind. And so the extra layer is a real benefit to both the consumer. A simple system that is more secure, and then the people rolling it out, it seems to be cost effective, and all the benefits they want.

Tim Lord: One more thing. You mentioned that there is some DARPA involvement? Can you talk about that just briefly?

Neil Costigan: DARPA in their wisdom put out a program about a year or 18 months ago what they call Active Authentication or the DARPA AA program, where they had this vision that the desktop of the future for the DoD and subsequently for the rest of the world, would be not just this gatekeeper but also active authentication, all the things you do would be part of the things that involves you, would help identify. And we spotted this accidentally actually, and then waved our hands in the far north of Sweden, so we have been doing this for how long, that we would call ourselves the experts in it.

And so they asked us to put in proposals for how can this area be enhanced, what is the open research problems, what is stopping this idea from being real? And so we worked on it. And again, those things in security tend to be ability to quantify them, some metrics, new definitions for things like the biometric is normally false accept, false reject in a time span. Continuous needs a time dimension. Maybe if all the vendors and the reassessors used the same terminology, so we proposed our open terminology, common data formats, a lot of this stuff would need to be interoperable.

So if we have the solution, a customer would be much better off if they can use both and indeed a lot of this is stacked. We are doing gesture based and form based, but if somebody else has got a voice biometric joining those two things together makes sense. So an openness, open standards, open terminology, open data formats, I think or we believe encourages the whole sector to go and benefits everybody.

Tim Lord: So are these open formats, open standards that you are talking about, are they published and available some place that someone could investigate and examine?

Neil Costigan: To the best of my knowledge, right now they are open, and DARPA have published them, we submitted to DARPA and DARPA published them. We have together all submitted a number of papers to IEEE. This is special edition of the IEEE computer publication, can’t remember the name, going out in May, that is going to document and show this off. There is a large biometrics conference in Tampa in September, where all the participants in the program are jointly presenting and showing how it work and how it works together. And the whole intent is that this stuff is open, it’s published, and it’s out there to encourage more research, more commercial companies to get involved and for collaboration. So to date, from it, today actually and at this show, a lot of the people have come up here saying, we know you are in the DARPA program, we have something similar, how do we work together. So it is DARPA seeding research and seeding collaboration and seeding the future I think.

Tim Lord: Could you please speak a few words of Swedish for us?

Neil Costigan: [Swedish].

Tim Lord: That sounds like a hard thing to learn.

Neil Costigan: I think so, my daughter doesn’t think so, so we’ll see where it goes. (smile)

  • by Colan ( 2771285 ) on Friday March 01, 2013 @04:18PM (#43048641)
    If you ever get a sprained wrist, you'll be locked out of your computer. Hopefully, there would be alternate authentication methods built in. And what happens if you don't log into your computer for an extended period of time? After I learned to type (taking lots of notes does that to you), my typing ability and methods (and patterns/rhythms) had completely changed. That was in the course of a month. At the end of that time, I would have been locked out of my computer.
  • Fail out the gate! (Score:5, Interesting)

    by SirAstral ( 1349985 ) on Friday March 01, 2013 @04:26PM (#43048729)

    I have experienced Behavior Biometric Denial of Services. Humans are just too erratic, imagine this.

    Your front door is locked using this method. All of a sudden you are outside and a thug walks by making obvious threats and you start running inside to get away or get your gun and the door now locks your ass out.

    You are using email services and you start looking for a job and with the sudden increase in email traffic and/or login presence causes your service to block your account temporarily because of behavioral changes. (this actually happened to me for a short time)

    I was in the middle of waiting for an actual offer letter when this occurred... very frustrating!

  • by stretch0611 ( 603238 ) on Friday March 01, 2013 @04:39PM (#43048837) Journal

    What happens if I am sick? My mental acuity is not the same when my head is pounding with a headache... My reactions are slowed. Even if you can account for the difference in attentiveness between the start of the work day and the end, will you be able to recognize me when someone wakes me at 3am to troubleshoot?

    Even without sickness and sleepiness, anything that can affect my mood can bring some minor changes to my typing habits. Even if they use cameras to measure eye movement, mood will be a factor. Think of how well you type (or how you would expect to) during major life changing events such as marriage/divorce/birth of children/death of parents. Can they even account for differences between days that you get promoted (or at least praised) compared to the day when your boss chews you out?

    Then there are physical changes... Anything from a paper cut to carpal tunnel syndrome, or breaking a bone and getting a cast will seriously impact your typing.

    Finally, what happens when your keyboard (or mouse) breaks and you need to get a new one. Even if it is the same model, a new one will generally have stiffer keys and buttons. You would be screwed if it had a different layout of keys or if it was a model of a different size. As for smart phones and tablets, what happens when you buy a new phone?

    I'm sorry, I do not believe that this can be reliable enough. Even though I am somewhat impressed with Analytic software's ability to determine people's behaviour, that works on the masses with a margin of error; there will always be a few fringe cases that do not fit the mold; for authentication you need to be right, all the time, and I do not see that possibility.

  • by mmelson ( 441923 ) on Friday March 01, 2013 @04:43PM (#43048891)

    This is not so much an authentication method as a heuristic used to decide whether or not to ask for additional credentials. It's exactly analogous to the way security questions work for online banking. If it recognizes you, there's a good chance you are who you say you are and your password is considered sufficient. But, if it doesn't recognize you, that isn't necessarily indicative of an impostor, just that it needs to ask for more information (in the form of a token, smartcard, security question, etc) before it can be confident you are who you say you are.

    A "yes" from this is acceptance, but a "no" is not a complete rejection. It just makes you jump through an extra hoop or two.
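An added illustration, written for this page rather than taken from BehavioSec's software, of the mechanism Neil describes in the interview and of mmelson's point that a low score only triggers a step-up: it builds a rhythm profile from key dwell and flight times, scores a fresh typing against it, applies the "too uniform" and "too fast" checks for automated input, and enforces the one-shot ticket so a pattern captured off the wire cannot simply be sent again. All timings, thresholds and the 1/(1+z) scoring are constructed assumptions, not the vendor's algorithm.

```python
import statistics

def features(events):
    # events: [(key, press_ms, release_ms), ...] for one typing of a string.
    # Dwell = hold time per key; flight = release of key i to press of key i+1.
    # Only the rhythm is used, never which keys were typed.
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def build_profile(samples, floor=5.0):
    # Per-feature mean and spread over enrolment typings; the spread is floored
    # so a feature that never varied during enrolment cannot dominate the score.
    cols = list(zip(*samples))
    return ([statistics.mean(c) for c in cols],
            [max(statistics.pstdev(c), floor) for c in cols])

def score(profile, feats):
    # Likelihood in (0, 1]: mean z-distance to the profile, squashed by 1/(1+z).
    means, spreads = profile
    z = [abs(f - m) / s for f, m, s in zip(feats, means, spreads)]
    return 1.0 / (1.0 + statistics.mean(z))

def looks_automated(events, profile, min_spread=2.0, too_fast=0.3):
    # Secondary checks from the interview: intervals too uniform (a script
    # pressing keys at a fixed rate) or far faster than the user ever typed.
    n, feats = len(events), features(events)
    flat = all(statistics.pstdev(part) < min_spread for part in (feats[:n], feats[n:]))
    return flat or sum(feats) < too_fast * sum(profile[0])

def decide(live_tickets, ticket, profile, events, threshold=0.5):
    # live_tickets: one-shot challenge ids the server issued and not yet spent.
    # A captured pattern sent again carries a spent ticket and is refused outright;
    # otherwise the answer is 'accept' or 'step-up' (ask for password/token/card).
    if ticket not in live_tickets:
        return "replay"
    live_tickets.discard(ticket)
    if looks_automated(events, profile):
        return "step-up"
    return "accept" if score(profile, features(events)) >= threshold else "step-up"

# Constructed enrolment data: three typings of a four-key string, (key, press, release) in ms.
ENROLMENT = [features(e) for e in (
    [("n", 0, 80), ("e", 150, 230), ("i", 300, 370), ("l", 450, 540)],
    [("n", 0, 90), ("e", 160, 240), ("i", 320, 390), ("l", 470, 560)],
    [("n", 0, 70), ("e", 140, 220), ("i", 290, 360), ("l", 440, 530)])]
PROFILE = build_profile(ENROLMENT)
```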
