By: Paul Miller, CEO of mSIGNIA
The phone has come a long way, from its inception with Alexander Graham Bell to the brick phone in the 80’s all the way to today’s miniature computer. It’s hard to imagine going about our day-to-day activities without today’s mobile devices, especially now that they contain our entire lives: contacts, photos, music, video, health records and personal history, not to mention access to a world of information via the Internet. They are as powerful as a roomful of computers was a generation ago, and as personal as a toothbrush.
As with storing any personal data, there is a certain amount of risk involved if the phone were to be lost or stolen, but if collected and analyzed that precious data can give these devices such a distinct, one-of-a-kind fingerprint that it can actually increase the security of every electronic transaction. When discussing all the different forms of user authentication, the terms “contextual security” or “behavioral security” come into play, but what do they actually mean? Here’s how they relate to one another.
Contextual Security evaluates data from the end user to improve risk decisions. This includes attributes such as geo-location, device IDs, device fingerprints, time stamps and IP addresses. When a user signs in for a service, this information is compared to previous interactions to evaluate whether this is the legitimate owner or a fraudster.
Behavioral Security has two aspects: user behavior and app behavior. It tracks a user’s typical navigational patterns when visiting a site or using a mobile app, including buying patterns, clicking behavior, swipe patterns etc. These actions are recorded and learned over time and are mapped to returning users to determine normal behavior.
App behavior, on the other hand, observes whether or not the app is behaving normally. If it is suddenly sending text messages to premium rate phone numbers, for instance, a warning flag could go up to alert users of potential fraudulent activity.
Is one method better than the other?
Contextual security is more broadly deployed today, as device ID, fingerprinting and GPS locating are common. Behavioral security is a newer approach that is gaining traction. For optimal protection, both are needed. They complement each other and provide a better overall view of the risk decision. Sophisticated hybrids of contextual and behavioral security are emerging. “What you have” and “what you do” combine to form a richer set of identifying data to ensure the authenticity of the user by recognizing the device in their hand or pocket.
Everything a user adds to their device, such as contacts, calendar events and music, is constantly changing, and when combined with geo-location sets and usage patterns creates a data behavioral model that is truly as unique as a fingerprint.
Creating a new standard for authentication:
The password used to be the de-facto standard, with some “invisible” secondary factor such as geo-location or device ID recognition added at the back end for good measure. But now, organizations should look to provide as frictionless an experience as possible to the user by authenticating them via these invisible methods, while assuring that they are indeed using a secure service. A rich combination of contextual and behavioral data can recognize users so accurately that no further authentication methods are needed to keep that user and their transactions secure.
Obviously, the more data collected about a user, the better organizations are able to recognize them. The distinction that needs to be made at this point is between recognizing the data and the unique patterns it contains, and intruding upon the privacy of the user. For example, an authentication program might know how many contacts or photos one has on a device, but it would not have access to those contacts or photos.
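The following is an added illustration, not mSIGNIA's code or method: a minimal contextual-security scorer of the kind described above. It compares a sign-in's attributes (device ID, network, country, time of day) against what was learned from the user's previous sessions, and it uses only privacy-preserving aggregates: identifiers are stored as salted hashes and personal data appears only as counts, never as contents. Because contacts and photos change constantly, the scorer tolerates gradual drift and reacts only to sharp jumps. The attribute names, weights, thresholds and the sample sessions are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SessionContext:
    """Attributes collected at sign-in (constructed example schema).

    contact_count and photo_count are aggregates only: the scorer never
    sees the contacts or photos themselves."""
    device_id: str
    ip_address: str
    country: str
    hour_of_day: int
    contact_count: int
    photo_count: int


def pseudonymize(value: str, salt: str = "example-salt") -> str:
    """Store a salted SHA-256 of an identifier instead of the raw value."""
    return hashlib.sha256(f"{salt}:{value}".encode()).hexdigest()


def ip_prefix(ip: str) -> str:
    """Coarsen an IPv4 address to its /24 so ordinary DHCP churn is tolerated."""
    return ".".join(ip.split(".")[:3])


def relative_drift(old: int, new: int) -> float:
    """Fractional change between two counts; a jump from 0 counts as total drift."""
    if old == 0:
        return 0.0 if new == 0 else 1.0
    return abs(new - old) / old


@dataclass
class UserProfile:
    """What the back end has learned from previous legitimate sessions."""
    devices: Set[str] = field(default_factory=set)      # pseudonymized device IDs
    ip_prefixes: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    contact_count: int = 0
    photo_count: int = 0

    def learn(self, ctx: SessionContext) -> None:
        self.devices.add(pseudonymize(ctx.device_id))
        self.ip_prefixes.add(ip_prefix(ctx.ip_address))
        self.countries.add(ctx.country)
        self.hours.add(ctx.hour_of_day)
        self.contact_count = ctx.contact_count
        self.photo_count = ctx.photo_count


def score_session(profile: UserProfile, ctx: SessionContext) -> Tuple[int, List[str]]:
    """Return a risk score (0-100) and the reasons that contributed to it."""
    score, reasons = 0, []
    if pseudonymize(ctx.device_id) not in profile.devices:
        score += 40; reasons.append("unknown device")
    if ctx.country not in profile.countries:
        score += 25; reasons.append("new country")
    if ip_prefix(ctx.ip_address) not in profile.ip_prefixes:
        score += 10; reasons.append("new network")
    if ctx.hour_of_day not in profile.hours:
        score += 10; reasons.append("unusual hour")
    # Personal data changes all the time; only a sharp jump is suspicious.
    if relative_drift(profile.contact_count, ctx.contact_count) > 0.5:
        score += 15; reasons.append("contact count changed sharply")
    if relative_drift(profile.photo_count, ctx.photo_count) > 0.5:
        score += 15; reasons.append("photo count changed sharply")
    return min(score, 100), reasons


def decide(profile: UserProfile, ctx: SessionContext) -> Tuple[str, int, List[str]]:
    """Map the score to allow / step-up / deny; only allowed sessions refine the model,
    so a rejected attempt cannot teach the profile its own attributes."""
    score, reasons = score_session(profile, ctx)
    if score < 30:
        decision = "allow"
    elif score < 60:
        decision = "step-up"
    else:
        decision = "deny"
    if decision == "allow":
        profile.learn(ctx)
    return decision, score, reasons


def example_profile() -> UserProfile:
    """Profile learned from two constructed legitimate sessions."""
    profile = UserProfile()
    profile.learn(SessionContext("phone-A", "203.0.113.10", "US", 9, 200, 1500))
    profile.learn(SessionContext("phone-A", "203.0.113.12", "US", 20, 205, 1530))
    return profile


if __name__ == "__main__":
    p = example_profile()
    print(decide(p, SessionContext("phone-A", "203.0.113.44", "US", 9, 210, 1560)))
    print(decide(p, SessionContext("tablet-B", "203.0.113.50", "US", 9, 205, 1530)))
    print(decide(p, SessionContext("phone-Z", "198.51.100.7", "RO", 3, 0, 0)))
```

The three sample sign-ins show the intended behaviour: the familiar device on a slightly different address with a few more contacts and photos passes silently; a new device on the home network earns a step-up challenge rather than a denial; and a never-seen device from a new country at an odd hour with none of the user's data is denied. Note that the profile is refined only on allowed sessions, which is what keeps the model from learning an attacker's context.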
So what do customers need to know to keep their information safe?
1. Safe Environment.
Ensure that endpoints on a system, whether they are a mobile device, tablet or browser, are free of malware, that apps haven't been tampered with, and that the operating system is legitimate.
2. Layers of Encryption
Make sure any data that's being stored, whether on the client, on the back end or in transit, is encrypted so that nothing is stored or transmitted in the clear.
3. Frictionless Authentication
Make sure the device ID is in place, and include contextual and behavioral authentication components, as needed depending on the use case. Frictionless authentication is becoming more and more critical. The user does not wish to be bothered, so the more that can be accomplished behind the scenes the better.
The day is at hand when the smart phone in a user’s pocket will become the gatekeeper to every digital transaction they make, recognizing their unique contextual and behavioral data to validate their identity. In turn these methods will encourage brand loyalty and ensure that end users get the quality mobile experience they demand when conducting transactions online.
Paul Miller is a Co-Founder and Chief Executive Officer of mSIGNIA, Inc., a company that uses patent-pending data analytics to validate device, software and user personalization data to protect against fraud, malware and identity theft. Mr. Miller has specialized in mobile and token-based security for the last 17 years. Prior to this, he served in leadership roles for both global companies and start-ups. At $6B Symantec, makers of Norton Internet Security, he served as Managing Director for Mobile Security with global responsibilities for their mobile strategy and business.