The principles of MFA are actually quite simple. In order to gain access to a network, an application, or a VPN, you must authenticate with two of the following: something you know, something you have, and something you are.
“Something you are” can really only mean one thing: biometrics, the measurement and statistical analysis of an individual’s unique physical and behavioral characteristics. Behavioral biometrics is a form of passive biometrics that considers how a person behaves. This could be the way they walk, the rhythm in which they use a keyboard, the way they move a mouse, or the gestures they use when scrolling on their smartphone. These “passive” or behavioral biometrics are produced instinctively, and because of the intrinsic nature of these behaviors, they have become a fundamental variable in identity security.
PCI DSS Approved Biometrics
While PCI guidance recommends biometric authentication, it does not specifically define what is considered a biometric factor. For that, PCI DSS relies on NIST for guidance:
“PCI DSS relies on industry standards—such as NIST, ISO, and ANSI—that cover all industries, not just the payments industry.”
NIST states: “Biometrics: Automated recognition of individuals based on their biological and behavioral characteristics.”*
Here, NIST clearly labels behavior as a biometric, aligning with its current Zero Trust approach. NIST advocates for behavior as a factor across the board, with NIST Special Publication 800-207 Zero Trust Architecture as a prime example. This also aligns with international regulation, where the UK ICO has approved behavioral characteristics as a strong authenticator under the EU payments regulation PSD2.
Simply put: according to PCI SSC and NIST, behavioral biometrics do meet PCI DSS and PSD2 requirements for multi-factor authentication.
Leveraging Machine Learning
The Twosense Windows agent continually collects keystroke timing and mouse coordinates from each user. This data contains no keystroke content (which keys were pressed) and no information about what the user clicked. By itself, this data is worthless; only when machine learning is applied can patterns be identified.
Twosense’s cloud-based machine learning platform analyzes the passive biometric data to learn who your users are, creating a unique profile for each user. Whenever a user passes an MFA challenge, each model continues to learn and adapt to changing behaviors. The more behavior is observed, the more confident Twosense can be that the user is who they claim to be. When the model is mature, Twosense can validate the user's identity and create a baseline of trust.
With Continuous MFA, the user’s recent behavior is continually compared to their behavioral biometric model. This means that multifactor checks are being performed consistently throughout the day instead of waiting for the user to authenticate to an application.
Users are assigned a trust score based on how much their behaviors match. If the trust score is high enough, the user will not be inconvenienced by a manual MFA challenge when accessing an application. Some organizations will even use high trust scores in passwordless policies and let the user bypass password requirements entirely.
If the trust score is low, which could indicate that the wrong user is behind the keyboard, multiple options are available for Twosense administrators:
- Unauthorized use will be detected in under 60 seconds, and if this happens, admins are notified immediately.
- Threats can be automatically remediated, with options that can be configured by the Admin, such as fallback MFA or manager approval.
- A manager approval workflow can lock the user’s session or endpoint until a supervisor investigates.
- An alert can be sent that will later be investigated without interrupting the user’s session.
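To make the trust-score loop described above concrete, here is an added, hypothetical illustration in Python; it is not Twosense's code or model. The features, the z-score similarity measure, the thresholds, the maturity rule and the sample windows are all assumptions constructed for this example, and the three actions mirror the policy options listed above.

```python
import math
import statistics

# Hypothetical timing-only features, in the spirit of the post: no key identities or click
# targets are kept, only how the user types and moves the mouse.
FEATURES = ("dwell_ms", "flight_ms", "mouse_speed_px_s")
MIN_SAMPLES = 5          # baseline must mature before it can grant trust alone
HIGH, LOW = 0.7, 0.35    # illustrative thresholds, not the vendor's

def build_profile(windows):
    """Baseline = per-feature mean and std; std is floored so a flat feature cannot divide by zero."""
    return {
        "mean": {f: statistics.fmean(w[f] for w in windows) for f in FEATURES},
        "std": {f: max(statistics.pstdev([w[f] for w in windows]), 1.0) for f in FEATURES},
        "samples": len(windows),
    }

def trust_score(profile, window):
    """Mean absolute z-score of a recent window, squashed to 0..1 (1 = exact match)."""
    z = [abs(window[f] - profile["mean"][f]) / profile["std"][f] for f in FEATURES]
    return math.exp(-statistics.fmean(z))

def evaluate(profile, window):
    """Return (score, action): skip the challenge, fall back to MFA, or lock and alert."""
    score = trust_score(profile, window)
    if profile["samples"] < MIN_SAMPLES:
        return score, "step_up_mfa"       # immature model: never grant trust on its own
    if score >= HIGH:
        return score, "allow"
    if score >= LOW:
        return score, "step_up_mfa"
    return score, "lock_and_notify"

def learn(profile, window, alpha=0.1):
    """After a passed MFA challenge, let the baseline drift toward the new window (EMA)."""
    for f in FEATURES:
        profile["mean"][f] = (1 - alpha) * profile["mean"][f] + alpha * window[f]
    profile["samples"] += 1
    return profile

# Constructed sample data: five enrolment windows, then three recent windows to score.
BASELINE = [dict(zip(FEATURES, t)) for t in
            ((98, 175, 610), (102, 185, 590), (100, 180, 600), (96, 178, 620), (104, 182, 580))]
GENUINE, DRIFTED, IMPOSTER = (dict(zip(FEATURES, t)) for t in ((100, 181, 605), (102, 183, 612), (150, 260, 300)))

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for name, recent in (("genuine", GENUINE), ("drifted", DRIFTED), ("imposter", IMPOSTER)):
        print(name, evaluate(profile, recent))
```

The "drifted" window shows the middle band: the behavior is close enough to warrant a fallback MFA challenge rather than a lock, and a passed challenge feeds `learn()` so the baseline adapts.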
Continuous MFA is the Future
Traditional multifactor authentication is falling further behind as its flaws become apparent.
MFA that requires a phone is prone to issues with broken and lost phones or the inconvenience of registering a new device whenever an employee buys a new phone or forgets it at home. It is also prone to user error, phishing attacks, and sophisticated prompt-bombing attacks that have led to large-scale breaches.
Hard tokens can similarly be broken or lost and frequently must be replaced whenever an employee quits or is fired. The time and effort required to assign tokens to users can also be overwhelming for IT departments. Phone-based and hard token-based MFA waste valuable time and interrupt users when trying to do their jobs.
Behavioral biometric MFA is the only solution that can check user identity hundreds of times each day without requiring any participation from the user, making it completely phishing-proof. Finally, the best user experience is also the most secure solution.
*NIST Digital Identity Guidelines Special Publication 800-63