by Roger Grimes
Data-Driven Defense Evangelist at KnowBe4
I’m a big fan of cutting-edge behavioral analytics, such as keystroke dynamics, to assist with authentication. I wrote about keystroke dynamics and one such company focusing on it, Intensity Analytics (intensityanalytics.com/), last May (linkedin.com/pulse/using-keystroke-dynamics-authentication-roger-grimes/).
They recently released Tickstream for Windows (tickstream.com/product/purchase/tickstreamforwindows), which is also listed in the Azure Marketplace. Tickstream for Windows is a plug-in that anyone can add to a Microsoft Windows password logon: it is a Windows credential provider and plugs into the Windows Hello logon flow. The Windows logon proceeds as it normally does; Tickstream for Windows then looks at how the password was typed (overall speed, how long each key was held, the time between keystrokes, and dozens of other variables) to determine whether the password was typed the way the legitimate user normally types it. The software can also tell when someone recorded a logon session and replayed it.
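To make the mechanism concrete, here is an added example of the kind of check described above. It is my own toy code, not Tickstream's or Intensity Analytics' implementation, and all timings, the four-key "password", the feature set (dwell time, down-to-down interval, total time), the 5 ms standard-deviation floor and the 2.0 threshold are constructed assumptions. It builds a profile from five enrollment logons, scores a fresh logon by the same user, rejects an attacker typing the stolen password at a different rhythm, and flags an exact replay of an earlier session as a replay rather than a match.

```python
"""Toy keystroke-dynamics check for a password logon (added example; not
Tickstream's or Intensity Analytics' code). All timings below are constructed."""
from statistics import mean, pstdev

# A sample is the list of (key, key_down_ms, key_up_ms) events recorded while
# the password was typed, in the order the keys went down.
PASSWORD_KEYS = ["s", "e", "c", "r"]   # constructed 4-key "password"
BASE_DOWN = [0, 160, 300, 420]         # ms: the legitimate user's rhythm (assumed)
BASE_DWELL = [90, 70, 80, 60]          # ms each key is held (assumed)
SD_FLOOR_MS = 5.0                      # stops a very tight profile from rejecting its owner
THRESHOLD = 2.0                        # mean |z| above this counts as a mismatch (assumed)


def make_sample(down_offsets, dwell_offsets, base_down=BASE_DOWN, base_dwell=BASE_DWELL):
    """Build a sample from base timings plus per-key jitter (ms)."""
    events = []
    for key, d, dw, od, odw in zip(PASSWORD_KEYS, base_down, base_dwell,
                                   down_offsets, dwell_offsets):
        down = d + od
        events.append((key, down, down + dw + odw))
    return events


def features(sample):
    """Dwell time per key, down-to-down interval between keys, and total typing time."""
    dwell = [up - down for _, down, up in sample]
    dd = [sample[i + 1][1] - sample[i][1] for i in range(len(sample) - 1)]
    total = sample[-1][2] - sample[0][1]
    return dwell + dd + [total]


def build_profile(enrollment):
    """Per-feature mean and (floored) standard deviation over the enrollment logons."""
    vecs = [features(s) for s in enrollment]
    cols = list(zip(*vecs))
    return {
        "means": [mean(c) for c in cols],
        "sds": [max(pstdev(c), SD_FLOOR_MS) for c in cols],
        "seen": {tuple(v) for v in vecs},   # exact vectors already observed
    }


def score(profile, sample):
    """Mean absolute z-score of the sample against the profile (lower is closer)."""
    f = features(sample)
    return mean(abs(x - m) / s for x, m, s in zip(f, profile["means"], profile["sds"]))


def is_replay(profile, sample):
    """A human never reproduces identical timings; an exact repeat is a replayed recording."""
    return tuple(features(sample)) in profile["seen"]


def decide(profile, sample):
    if is_replay(profile, sample):
        return "block: replay"
    if score(profile, sample) > THRESHOLD:
        return "block: typing pattern mismatch"
    return "allow"


# Constructed enrollment: five logons by the real user, each jittered by at most 3 ms.
ENROLLMENT = [
    make_sample([0, 2, -1, 3], [-2, 1, 0, 2]),
    make_sample([0, -3, 2, -1], [3, -1, -2, 0]),
    make_sample([0, 1, 3, 2], [0, 2, 1, -3]),
    make_sample([0, -2, -3, 0], [-1, -3, 2, 1]),
    make_sample([0, 0, 1, -2], [2, 0, -1, -1]),
]
PROFILE = build_profile(ENROLLMENT)

LEGIT_LOGON = make_sample([0, 2, -2, 1], [-1, 2, -3, 0])   # the owner, a fresh attempt
REPLAYED_LOGON = list(ENROLLMENT[2])                        # a recorded session played back
STOLEN_PW_LOGON = make_sample([0, 0, 0, 0], [0, 0, 0, 0],   # attacker hunt-and-pecking the stolen password
                              base_down=[0, 320, 600, 840], base_dwell=[140, 120, 130, 110])

if __name__ == "__main__":
    for name, s in [("owner", LEGIT_LOGON), ("replay", REPLAYED_LOGON), ("stolen", STOLEN_PW_LOGON)]:
        print(f"{name:7s} score={score(PROFILE, s):5.2f} -> {decide(PROFILE, s)}")
```

Two design points worth noting. The standard-deviation floor matters in practice: with only a handful of enrollment samples the measured variance is tiny, and without a floor the real user would be rejected for ordinary day-to-day variation, so a production system collects many more samples and tunes the threshold against measured false-reject rates. And the replay check here is the simplest possible one (an exact match to a previously seen vector); a real product would compare against every prior accepted logon and would also treat a "too perfect" match as suspicious, since a human never types the same password with identical timings twice.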
I’m a huge proponent of behavioral analytics as part of an authentication layer. It’s invisible to the end-user, so it adds little or no user friction. It’s difficult for malware or the bad guys to know when it is or isn’t being used. It can help defeat malicious logons that use stolen credentials. Today, most of the time when a user’s logon credentials have been phished or stolen, it’s game over, unless the user realizes it ahead of time and is able to change their password before the hacker or malware re-uses it. But with behavioral analytics and keystroke dynamic analysis, when the hacker or malware enters the stolen credentials they are blocked from logging on…and they won’t know why. It devalues stolen logon credentials and confuses bad actors. Imagine the frustration of a malicious person who paid real money to purchase your stolen password on the dark web, only to find that they can’t use it to access your account!
People often ask me, especially at my webinars on hacking MFA (my Hacking Multifactor Authentication book (amazon.com/Hacking-Multifactor-Authentication-Roger-Grimes/dp/1119650798) comes out Oct. 27th), what I see as the future of digital authentication. Surprisingly to some, I don’t think some great future MFA solution is the answer. I think the future of authentication is frictionless behavioral analytics, like keystroke dynamics, but even more so. In the present, where passwords are a reality, adding keystroke dynamics makes them far more difficult for bad actors to exploit. Your safest password is one that only you can use.
I tell people to think about how they use their credit and debit cards. Most of the time, when you enter or swipe those numbers, they simply work. Occasionally though, once every year or three, the card vendor places a temporary block on a specific transaction, because their backend analysis engines see something anomalous and high-risk compared with your usual purchasing patterns.
I think the same type of logic is the future of authentication. As long as you are coming in from your normal devices and locations and performing your normal actions, the systems will let you do what you need to do. But if the system spots a strange logon, differing from the way you usually log in, followed by unusual, high-risk actions, then you’ll be blocked from performing those actions until some additional, more friction-oriented, more traditional confirmation can be performed.
Keystroke dynamics for authentication is the natural extension of this thinking, applied to “normal behavior” measured in milliseconds and analyzed in real time, so that even you don’t know what is “normal” for you, but the software reliably does. I think the future of authentication is fewer hassles and more access, and I think keystroke dynamics is likely to be a big part of that future.
I also don't do a lot of vendor promotion unless I really see something interesting or new. I think Intensity Analytics and their products fall in this category.
Read the original post on LinkedIn at: