Can behavioral biometrics really replace passwords?

Although biometrics may still feel like science fiction to some, the use of biological or behavioral traits for uniquely identifying people is a time-tested method that continues to improve dramatically, driven by ongoing breakthroughs in AI and machine learning.


As the world becomes increasingly digitized, leveraging biometrics for authentication has become essential to enhancing and strengthening digital security. But do biometrics have the potential to replace passwords soon?

This article explores the current landscape of biometric authentication and assesses its potential as a viable replacement for traditional passwords.

Understanding behavioral biometrics

When visually identifying another person, your brain analyzes their physical appearance for discernable patterns that make them unique as a person. Technologies that employ behavioral biometrics work in a similar way, except that they analyze users’ behaviors and physical activities. Each user interacts with a computer or device in a unique manner, both cognitively and physically; behavioral biometrics analyzes these interaction patterns to create a detailed profile of the user’s online and digital behavior. Organizations can in turn use these behavioral biometric profiles to detect and prevent identity fraud, augment password-based authentication, and more.

Given the diverse ways modern users interact with computers and devices, behavioral biometrics come in a number of types:

Keystroke dynamics

Keystroke dynamics analyze typing behavior, including a person’s typing patterns, rhythm, and speed. This biometric modality was first proposed in 1980 by researcher R.S. Gaines, whose experiments on touch typists revealed that everyone has a unique typing signature that can serve as a distinct identifier. Since then, keystroke dynamics have become an instrumental fixture in user and entity behavior analytics (UEBA) security solutions.

Mouse movements

Like a person’s typing behavior on a keyboard, mouse movements are also unique per user. Mouse movement dynamics—the unique patterns and cadence of an individual’s interactions with a mouse or trackpad—are also used as a mechanism for user profiling.

Touchscreen gestures

In terms of behavioral biometrics, touchscreen gesture analysis is similar to the analysis of mouse movements; touchscreen users can make up-and-down finger motions, single- or double-tap the screen using various intensity levels, zoom in and out of an image, scroll/pan, and more.

Biometric traits can be extracted from all of these touch gestures for use in user profiling and identification.

Voice recognition

Voice recognition authenticates individuals through their unique vocal characteristics. Unlike speech recognition, which simply converts spoken words into text, voice biometrics analyzes distinctive traits in a person’s voice pattern (e.g., pitch, tone, and resonance) to verify their identity.

Advantages of behavioral biometrics

Behavioral biometrics enhance security and user experience by potentially replacing traditional passphrases with the automated analysis of unique behavioral patterns that are extremely difficult to replicate. This authentication method allows organizations to implement continuous, real-time monitoring while eliminating password management overhead.

User convenience

Behavioral biometrics creates a frictionless security experience by automatically authenticating users through their natural behaviors. This allows for more expansive security coverage, since more frequent analysis can be carried out on the backend for continuous user verification.

Enhanced security

Behavioral biometrics enhances security by analyzing unique patterns in user behavior that are nearly impossible to replicate or steal, unlike passwords. These distinct behavioral profiles enable real-time monitoring and swift detection of suspicious activities.

Reduced risk of phishing and credential stuffing

Behavioral biometrics provides effective protection against phishing and credential-stuffing attacks, as it cannot be compromised in the same way as traditional passwords. By using behavioral biometrics to continuously monitor user behavior and authenticate users in real time, organizations can minimize vulnerabilities and leave attackers with little to no exploitation opportunities.

Challenges and limitations

Despite their benefits, behavioral biometrics are not a panacea for authentication security issues. The following challenges and limitations make behavioral biometrics better suited to being part of a comprehensive authentication strategy than a standalone solution.

Accuracy and reliability

Behavioral biometrics can produce false positives and false negatives, since user behavior varies dramatically due to external factors like stress, injury, or illness. For example, a user with a broken finger will invariably change their typing pattern to accommodate the damaged appendage.
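The keystroke-dynamics idea described earlier and the false-rejection problem described above, shown together in an added example that is not part of the original article: it builds a typing template from dwell (key hold) and flight (gap between keys) times and scores each attempt with a scaled Manhattan distance. The feature choice, the distance measure, the 3.0 threshold and all timings are assumptions constructed for illustration.

```python
from statistics import mean

def make_events(text, dwells, flights):
    """Build constructed (key, press_ms, release_ms) events from timings."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events

def features(events):
    """Dwell (hold) time per key, then flight time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature mean and mean absolute deviation (floored at 1 ms)."""
    columns = list(zip(*(features(s) for s in samples)))
    means = [mean(col) for col in columns]
    devs = [max(mean(abs(v - m) for v in col), 1.0) for col, m in zip(columns, means)]
    return means, devs

def score(template, events):
    """Scaled Manhattan distance: average deviation in units of enrolled spread."""
    means, devs = template
    return mean(abs(v - m) / d for v, m, d in zip(features(events), means, devs))

def verify(template, events, threshold=3.0):  # threshold is an assumed value
    return score(template, events) <= threshold

# Constructed timings (ms) for one user typing the same four-key string.
TEXT = "pass"
TEMPLATE = enroll([
    make_events(TEXT, [90, 85, 100, 95], [60, 40, 70]),
    make_events(TEXT, [95, 80, 105, 90], [65, 45, 65]),
    make_events(TEXT, [85, 90, 95, 100], [55, 35, 75]),
])
GENUINE = make_events(TEXT, [92, 83, 98, 97], [62, 42, 68])
IMPOSTOR = make_events(TEXT, [140, 130, 150, 120], [120, 110, 150])
# Same user typing around an injury: slower holds and longer gaps.
INJURED = make_events(TEXT, [110, 100, 125, 115], [90, 70, 100])

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("impostor", IMPOSTOR), ("injured", INJURED)]:
        print(f"{name:9s} score={score(TEMPLATE, attempt):5.2f} accept={verify(TEMPLATE, attempt)}")
```

The injured attempt comes from the enrolled user yet is rejected, which is the false-negative case a fallback factor has to cover; raising the threshold to admit it also narrows the margin separating an impostor from acceptance.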

User acceptance

Users may also knowingly present roadblocks that limit the efficacy of behavioral biometrics. People may object to the profiling of their keyboard typing patterns or voices, or resist the adoption of new technologies that incorporate behavioral biometric data collection for authentication/validation purposes. The adoption of biometrics opens up a broader range of issues when it comes to data collection and privacy concerns.

Technical and implementation costs

Setting up behavioral biometrics is challenging for organizations without the proper technical expertise; even with competent technical staff on hand, integrations with existing systems/infrastructure and ongoing maintenance overhead can be costly and difficult to keep up.

Future trends and developments

Powered by cutting-edge machine learning algorithms, modern behavioral biometrics are becoming increasingly accurate and reliable, instilling greater confidence among organizations in their adoption. As a result, they are being widely integrated with other biometric and authentication methods to strengthen security. In response to the EU’s revised Payment Services Directive (PSD2), some banks are implementing behavioral biometrics as a potential step towards phasing out passwords.

However, growing concerns about privacy and data security have led to the implementation of current and emerging regulations governing the use of behavioral biometrics. For example, both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) impose specific requirements on the collection, use, and storage of biometric data, though they approach the issue somewhat differently. GDPR categorizes biometric data as “special category data” (Article 9), meaning it is subject to stricter protections.

Passwords are here to stay (for now) so make them secure

Despite their promise, behavioral biometrics are likely to remain a secondary form of validation rather than a primary authentication method. For most organizations, passwords will continue to be the main line of defense, as transitioning to a passwordless system can be complex and costly. Windows administrators should therefore prioritize strong password creation and ensure that mechanisms are in place to prevent the use of compromised passwords.

Specops Password Policy can help by continuously scanning your Active Directory for over 4 billion compromised passwords—try it out for free today.
