SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Behavioural biometrics seen as key layer, not replacement for passwords

Yesterday

Specops Software has released an analysis assessing the effectiveness of behavioural biometric authentication compared with traditional passwords for securing organisations and individuals.

Behavioural biometric authentication involves identifying individuals through unique patterns in their interactions with devices, such as keystroke dynamics, mouse movements, touchscreen swipes, gait, and voice recognition. Unlike physical biometrics that rely on static traits like fingerprints or facial features, behavioural biometrics analyse continuous real-time activity, making them more adaptable to ongoing use.

Marcus White, Cybersecurity Specialist at Specops Software, explained, "Behavioural biometrics adds an innovative twist to traditional authentication methods by examining unique patterns in human activity. Unlike physical biometrics, which rely on static traits like fingerprints or facial structures, behavioural biometrics continuously verifies identity by analysing how you interact with devices in real time. Its continuous and unobtrusive nature makes it a perfect complement to existing security measures, filling in the gaps where traditional methods might fall short."

Advanced solutions in this field now integrate artificial intelligence and machine learning, enabling systems to adapt to changes in user behaviour over time. By aggregating data on behaviours such as typing rhythm and mouse paths, these solutions create dynamic security profiles. AI-driven analytics can also combine behavioural data with contextual information like geolocation and device fingerprinting, offering real-time risk assessment.

The advantages of behavioural biometrics over traditional methods include continuous authentication, reduced risk of session hijacking, and the ability to detect fraud in real time. White stated, "Behavioural biometrics offer several advantages over traditional biometric methods by providing continuous, dynamic authentication with minimal disruption to the user. Instead of requiring a singular scan or snapshot of a physical trait, behavioural systems continuously monitor patterns such as keystrokes, mouse movements, or touchscreen interactions. This not only adds an extra layer of security by making it more difficult for attackers to spoof the system, but it also helps identify subtle anomalies or changes in behaviour that might signal a security breach."

The passive nature of behavioural biometrics enhances user experience by reducing the need for frequent authentication prompts. These systems are capable of adapting to natural changes in behaviour, which may lower the chance of false rejections and streamline security processes for end users.
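As an added illustration of the keystroke-dynamics profile, continuous scoring and adaptation described above (example code written for this page, not Specops' product or the analysis it describes), assuming synthesised keystroke timings, a simple z-score distance as the behavioural score and a fixed accept threshold:

```python
import statistics
# Constructed sample data: an event is (key, press_ms, release_ms), synthesised here.
def make_session(text, dwell, flight, jitter=0):
    """Synthesise a typing session with alternating +/- jitter on dwell time."""
    events, t = [], 0
    for i, ch in enumerate(text):
        d = dwell + (jitter if i % 2 else -jitter)
        events.append((ch, t, t + d))
        t += d + flight
    return events

def features(events):
    """Dwell time per key and flight time per key pair (digraph)."""
    feats = {}
    for i, (key, down, up) in enumerate(events):
        feats.setdefault(f"dwell:{key}", []).append(up - down)
        if i + 1 < len(events):
            nxt_key, nxt_down, _ = events[i + 1]
            feats.setdefault(f"flight:{key}{nxt_key}", []).append(nxt_down - up)
    return feats

def enroll(sessions, min_sd=5.0):
    """(mean, stdev) per feature over enrollment; min_sd floors zero-variance features."""
    pooled = {}
    for s in sessions:
        for name, vals in features(s).items():
            pooled.setdefault(name, []).extend(vals)
    return {n: (statistics.mean(v), max(statistics.pstdev(v), min_sd))
            for n, v in pooled.items() if len(v) >= 2}

def score(profile, session):
    """Mean absolute z-score of a session against the profile; lower is closer."""
    zs = [abs(v - profile[n][0]) / profile[n][1]
          for n, vals in features(session).items() if n in profile for v in vals]
    return statistics.mean(zs) if zs else float("inf")

def verify_window(profile, window, threshold=1.0, alpha=0.2):
    """Continuous check of one keystroke window: accept if close to the profile and
    only then drift the means toward it, so gradual change is tracked but an
    anomalous window cannot pull the profile toward itself."""
    ok = score(profile, window) < threshold
    if ok:
        for name, vals in features(window).items():
            if name in profile:
                mu, sd = profile[name]
                profile[name] = (mu + alpha * (statistics.mean(vals) - mu), sd)
    return ok
ENROLL = [make_session("pass", 100, 150, j) for j in (0, 10, 20)]
GENUINE = make_session("pass", 100, 150, 5)      # same user, slightly different day
IMPOSTOR = make_session("pass", 60, 300)         # same password, different rhythm
```

The `min_sd` floor and the accept-only adaptation are the two settings that trade false rejections from natural variability against the profile drifting toward anomalous input.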

Specific benefits for organisations include lower dependency on passwords, streamlined integration with identity management tools, and support for compliance with regulations such as GDPR, HIPAA, and PCI-DSS. Operationally, these systems can also ease help desk burdens associated with password resets and account lockouts.

For end users, the technology provides a frictionless authentication experience, minimises password management issues, and enables a more personalised security approach. It can also work across multiple platforms without requiring specialised hardware.

There are, however, limitations. Variability in human behaviour due to fatigue, stress or environmental changes can lead to false rejections or false alerts. The systems depend on well-trained machine learning models, and regular updates are necessary to maintain accuracy. Privacy and data protection concerns are also present, as they require extensive data collection and processing.

Addressing potential risks, White commented, "While behavioural biometrics are generally more difficult to spoof than traditional credentials, they are not immune to exploitation. Skilled attackers could, in theory, find ways to mimic a user's behaviour or manipulate the data used in behavioural analysis." He outlined possible vulnerabilities, including behavioural replay attacks, manipulation of machine learning models, data interception, and future risks posed by AI-generated synthetic behaviours. Despite these risks, continuous authentication can provide additional protection by identifying unauthorised behaviour over time.

On the question of whether biometrics are more secure than passwords, White explained, "Biometrics are often considered more secure than traditional passwords, but the truth is a bit more nuanced. Unlike passwords, which can be guessed, stolen, or forgotten, biometric data is unique to each individual and difficult to replicate. This makes it harder for attackers to gain unauthorised access, especially in casual or opportunistic attacks." He noted, however, that biometrics are not foolproof and can be compromised using advanced methods. Multi-factor authentication, combining both biometrics and passwords, remains the most secure approach.

White also compared the two methods, listing the higher implementation cost and privacy concerns associated with biometrics, but also highlighting their uniqueness and convenience. Passwords, while easier and cheaper to use, are vulnerable to being guessed or stolen and are often reused, increasing the risk of breaches.

The analysis suggests that behavioural biometrics will complement rather than replace passwords in organisational settings. White said, "Behavioural biometrics offer a promising and innovative layer of security by continuously analysing user behaviour, but they are more likely to complement rather than completely replace passwords in an average organisation. While these systems can provide a frictionless and continuous authentication experience, they also face challenges such as variability in individual behaviour, false positives, and potential privacy concerns." As a result, most companies are likely to incorporate behavioural biometrics as part of a multi-factor authentication framework.

White also pointed to the continued importance of strong password protection, stating, "Protecting passwords remains crucial even in a multi-factor authentication environment because they continue to serve as a foundational layer in many security systems. They are often the first line of defence and are still used for initial logins, account recovery, and fallback authentication when other methods—like behavioural biometrics—may not be available. If passwords are compromised, attackers can potentially gain access to systems, bypassing additional security layers and exposing sensitive data."

Organisations such as banks are cited as employing behavioural biometrics alongside their standard procedures, demonstrating its use as a background security layer rather than a replacement for traditional authentication methods.
