Over the years, Ubisecure has helped several organisations that run services where it is of utmost importance to be sure that a person logging in is really who they claim to be. The basic solution typically recommended by security consultants is a traditional username-password setup, with some selected form of multi-factor control added when that is not enough.
However, there are situations when even this is not sufficient. The reasons vary, e.g. a need to further reduce the risk of stolen or otherwise compromised credentials. We must then introduce a solution that responds to this requirement and removes more of the remaining risk. In such cases, risk-based authentication is what one would typically go for, i.e. taking into account location or other basic behavioural data.
But unfortunately “not all risk-based authentication methods are created equal”, if you follow what I mean. This is because such “solutions” are often too lightweight and, in practice, might just add a false sense of security with limited real impact.
Risk-Based Authentication
Ubisecure has decided to dig a bit deeper into the subject and, in cooperation with researchers and technology partners, has gone to the next level of so-called behavioural biometrics.
Those principles take into account not only the basic operational elements and metrics, such as IP address or location, but also real individual human behaviour and the differences and “personalities” that each one of us demonstrates. In this sense each human being is different and distinct, which can then be used to add one additional level of security, taking into account how we individually use and interact with our keyboards, screens and input devices when using services. It is truly fascinating what can be achieved.
The beauty is that we can now enable services and operations teams to make an informed decision about when to require additional authentication measures and how much to interfere. All of that can be based on the value of the transaction, the confidentiality of the content, etc.
Ubisecure may then, based on the policy, enforce denial of access to the service, reduced access to content, re-authentication or step-up authentication with a higher LoA (level of assurance) mechanism.
For Ubisecure, because of the suitable endpoints we already have in our Identity Server platform, this has meant that we can now easily add the use of behavioural biometrics into the security and access policies, and then allow reactions in an optimal business-driven and risk-managed way.
In all, we are now equipped with the best tools there are for risk-based authentication and behavioural biometrics, for the benefit of our partners and customers.
About The Author: Charles Sederholm