Mitigate cybersecurity threats with MFA
Massive data breaches affect the security of billions of people worldwide, and access control has become a global issue that demands continuous progress and collaboration across defense practices. Combining typing biometrics with almost any other authentication factor allows for frictionless and affordable online privacy protection.
Strong Customer Authentication (SCA) requires MFA
Strong customer authentication has been enforced by compliance regulations (EBA/PSD2, NIST, PCI DSS) to protect users online. It implies that during login, in addition to the password, users should undergo a second authentication measure (2FA). A multi-factor authentication (MFA) framework combines two or more different types of authenticators which, even though they are all used with security in mind, differ significantly.
Evaluating available MFA solutions (knowledge, possession, inherence)
We should evaluate these factors based on the level of security they provide, the cost to the business, and how they affect the user experience (UX). There are three main categories of identity evidence based on one of the following elements:
- knowledge (something we know, such as passwords or answers to secret questions)
- possession (something we have, such as email or SMS codes, or OTP)
- inherence (something we are, that is, biometrics)
Knowledge-Based Authentication (KBA) is quickly becoming irrelevant, with more than 81% of confirmed data breaches being attributed to weak, default or stolen passwords. PINs and passwords are not enough: if they are complex, people might forget them, and if they are too basic, they are easily guessable. Using “something we know”, like answers to secret questions, is less reliable because answers can be found online or stolen through social engineering such as spear phishing, baiting, and pretexting.
Similarly, possession-based authenticators such as one-time passwords or SMS verification are vulnerable security measures. In a SIM swap, hackers use personal information found online to convince telecommunications companies to move users’ phone numbers to the hackers’ own phones. Moreover, the National Institute of Standards and Technology no longer recommends SMS for 2FA, as it can be easily intercepted.
Biometrics, also known as “what we are” metrics, such as fingerprint, voice or face recognition, seem secure on the surface. Yet more in-depth scrutiny shows that they can be hacked relatively easily. Not only can our voices be recorded, but we leave fingerprints everywhere we go and our eyes are revealed whenever we look around. Besides being easy to spoof, biometrics requires additional hardware, implying higher costs for businesses.
What is typing biometrics?
Typing biometrics works by capturing and recording people’s unique typing signals and transforming them into patterns, leveraging machine learning to build a user’s profile and to match it against previous samples. During login, when end-users type their credentials, a matching score verifying their identity is produced.
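As an added example (not part of the original article and not any vendor's algorithm), the code below shows how the capture, profile and matching-score steps described above can fit together: it derives dwell and flight times from key events and scores a login sample with a scaled Manhattan distance, a basic statistical stand-in for the machine-learning model the text mentions. The function names, the constructed timings and the 0.5 threshold are assumptions made for the illustration.

```python
from statistics import mean

# A keystroke event is (key, press_ms, release_ms). All timings here are constructed.

def make_events(text, dwells, flights):
    """Constructed-sample helper: lay out press/release timestamps in ms."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell (release - press) per key, then flight (next press - previous release)."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Profile = per-feature mean and mean absolute deviation over enrollment samples."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples must contain the same number of keystrokes")
    cols = list(zip(*vectors))
    means = [mean(c) for c in cols]
    # Floor the deviation at 1 ms so a perfectly steady feature cannot divide by zero.
    devs = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, means)]
    return means, devs

def match_score(profile, events):
    """Scaled Manhattan distance mapped into (0, 1]; 1.0 equals the profile mean."""
    means, devs = profile
    vec = features(events)
    if len(vec) != len(means):
        return 0.0  # different number of keystrokes: not comparable
    dist = mean(abs(x - m) / d for x, m, d in zip(vec, means, devs))
    return 1.0 / (1.0 + dist)

def verify(profile, events, threshold=0.5):
    """The threshold is the sensitivity setting: higher rejects more, including genuine users."""
    return match_score(profile, events) >= threshold

PROFILE = enroll([
    make_events("pass", [90, 100, 110, 95], [120, 80, 60]),
    make_events("pass", [95, 105, 105, 100], [130, 85, 65]),
    make_events("pass", [85, 95, 115, 90], [125, 75, 70]),
])
GENUINE = make_events("pass", [92, 98, 108, 97], [122, 82, 63])
IMPOSTOR = make_events("pass", [60, 70, 150, 130], [200, 40, 150])
```

With these constructed samples the genuine attempt passes at the default threshold and the impostor does not; raising the threshold to 0.7 rejects the genuine attempt as well, which is the false-reject cost of a stricter sensitivity setting.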
Typing biometrics complements MFA in a user-friendly and secure way.
Typing biometrics diminishes end-user disruption as it is a passive verification process that runs in the background. As a frictionless additional security layer, it maximizes security by using the unique user typing pattern, which is almost impossible to replicate. Spoofing can’t perfectly emulate the way someone types, so typing biometrics minimizes the risk of data breaches. Typing biometrics also drastically reduces costs: it requires only an existing keyboard and has no maintenance costs, as typing patterns can’t usually be forgotten or lost. Thus, complementing MFA with typing biometrics prevents unauthorized account access from the start in a frictionless, secure manner.
Here’s a summary of why typing biometrics is a reliable and noteworthy option for a solid MFA.
- Delivers high security
- Prevents unauthorized access to a user’s account
- Is very difficult to spoof as typing patterns are unique
- Customizes the sensitivity rate of the matching algorithms to meet security requirements
- Complies with regulations – EBA/PSD2, NIST, PCI DSS
- Quickly integrates with other systems, using only an existing keyboard
- No SMS/email costs
- No maintenance costs
- No supervision required as typing patterns can’t be lost/forgotten
- No hardware costs – no scanners, gadgets or tokens
- Able to be easily scaled
- Reduces friction
- Used as 2FA with email/OTP
- No extra effort for the user – using the same device for MFA
- Provides seamless user enrollment – works in the background
- Works with low bandwidth internet
- Works on both mobile and desktop