Everyone hates passwords – even the guy who invented them – but some bank app users in the Nordic region are experiencing a taste of a future where they might not be necessary.
Password theft – on a massive scale – has become a near-weekly happening, and biometrics have their own disadvantages – such as inaccurate scanners which wonât work when wet, as well as hacks with latex fingerprints and other such gizmos.
But customers at Danske bank have been trialling a new âbehavioralâ form of identification, according to Forbes magazine. Rather than simply ID a customer using a PIN, the app tracks the pressure and speed they use to type it in.
Banking security: Touch too much?
The theory is that even if a PIN is weak, or stolen, the thief cannot mimic the distinctive pattern of pressure the user types theirs in with.
âEventually mobile security may no longer hinge on whether a password is long enough, but on how well the device knows the user,â ComputerWorld comments.
âWeâre monitoring the small stuff,â says Neil Costigan, founder of Behaviosec,. âThe flight between the keys, which corners of the keys you tend to hit, where you pause. Do you circle in on a button or do you go straight to it and hit it?â
‘How well the device knows you’
As a security solution, itâs low-cost (it uses sensors already present in the phone) and demands nothing of the customer. The trial has been such a success that multiple banks in Sweden, Norway and Denmark will use similar apps shortly. The app scored 99.7% session acccuracy.
âMultilayered security can be achieved by combining the three pillars: something you have (i.e., the phone as a token), something you know (like your PIN), and something you are which is your physical or behavioral metrics,â says Behaviosec.
At present, Behaviosecâs technology can pick up a âfalseâ user within 20 to 60 seconds. The company said it could also have wider applications such as preventing children accessing inappropriate content on tablets.
The start-up is now investigating further behavioral tracking – such as monitoring the way in which a user picks up a smart device, using the gyroscope.
Our own daily routines could even be used as âpasswordsâ some researchers believe. Googleâs âpredictiveâ Google Now system already offers Android users reminders to go to work (by monitoring their movments by GPS), and to go home. Could such data be used as a âpasswordâ?
âMost people are creatures of habit – a person goes to work in the morning, perhaps with a stop at the coffee shop, but almost always using the sameroute. Once at work, she might remain in the general vicinity of her office building until lunch time. In the afternoon, perhaps she calls home and picks up her child from school,â says Markus Jakobsson of the Palo Alto Research Centre.
Jakobsson analyzed several techniques for identifying users via smartphone use, and found GPS to be the most reliable.
Jakobsson claims that by combining techniques, itâs possible to lock out up to 95% of adversaries, even, âan informed stranger, who is aware of the existence of implicit authentication and tries to game it.â
The post Banking security – new apps ‘know’ your touch appeared first on We Live Security.