Once you enter your password to access your accounts, you might imagine the website is satisfied that verification is complete and that it now knows it was you who signed in, not a scammer.
But that’s not all – websites and the companies behind them often also monitor your behavior as a security measure.
“We’re studying behavioral biometrics,” Etay Maor, a security advisor at IBM Security, told Business Insider. “We’ve been doing this for years … most of the industries I speak in look into these things.”
Behavioral biometrics is similar to normal biometrics, like fingerprints. But instead of recognizing a fingerprint, it authenticates you by monitoring your actions and behavior within a website or app where you have an account with sensitive information.
You’ve probably seen a few examples of behavioral biometrics. For example, if you’ve ever seen a warning saying, “You are signing in from a device that you don’t normally use,” the website has recognized that you are signing in from a new device.
There are also location-based security alerts that are triggered when your account is accessed from a location you don’t normally visit. Someone recently tried to access one of my accounts from Kuala Lumpur, but I was in bed in Connecticut when the attempt was made. I received a warning and took appropriate steps to better protect this account.
However, there are other forms of behavioral biometrics that operate while you use an app or your online accounts, and you probably have no idea that this is happening.
The way you move your mouse after signing in, how fast you swipe in an app, what you normally do in an app or website, and even the angle at which you hold your phone are all monitored by behavioral biometrics.
Even when you’re not using your devices, behavioral biometrics are at play. In fact, not using your devices is in itself a biometric. For example, if your bank account has been hacked while you sleep and fraudulent transactions are being made, banks can detect that the devices you normally use are offline. Your phone may be lying still and flat (because it’s on your bedside table) and your laptop is in sleep mode. Based on this information, and given the ongoing activity on the account, a bank could suspect something is wrong and issue a warning of suspicious activity.
In fact, like a fingerprint, your behavior is unique to you. And it’s more secure than passwords, PINs, and even your actual fingerprint, according to Maor.
“Passwords are not secure today because hackers have so many ways to guess and generate passwords. We are in a strange phase where it is becoming more and more difficult for a human to remember passwords and yet extremely easy for a machine or an algorithm to guess,” Maor said.
Microsoft will make using passwords optional and encourage users to use PINs instead, which the company believes are more secure.
For this reason, Microsoft is dispensing with the common password and is encouraging users to log in to Windows 10 with PINs and Windows Hello facial recognition, where this data is stored on their devices. The company argues that storing security data on the device is more secure than passwords stored on a company’s servers.
But even PINs and standard biometrics are not the ultimate in security. “If a person knows or remembers something, an attacker can extract it,” said Maor, be it through hacking or social engineering a website.
Even normal biometric data like fingerprints and irises can be socially extracted from you. Ultimately, passwords, PINs, and standard biometrics will not stop a “determined attack”.
With behavioral biometrics, your typical behavior is not easy to replicate. “An attacker cannot deprive you of your mouse movements or your behavior. Perhaps to a certain extent, but that’s a whole different level of attack,” Maor said.
It seems creepy and raises privacy concerns. And Maor recognizes that. “It sounds a bit Orwellian because it sounds like you are being followed all the time. But yes, as soon as you visit the website we try to protect you by making sure that it is you, without you knowing that we are.”
Behavioral biometrics also has a practical use, as it is simply less annoying than traditional authentication methods, such as remembering passwords or multi-factor authentication. Behavioral metrics that take place under the radar provide a better experience while keeping you safe. Maor argues that if a company tries to authenticate you by making it too difficult or time consuming to enter your account, you’ll be switching to a different company or service.
Passwords, PINs, and fingerprints are still necessary first lines of defense, but they are only used to identify you. The real security used to authenticate you happens in the background, without you even realizing it.
This article originally appeared on Business Insider.