The principles of MFA are actually quite simple. In order to gain access to a network, an application, or a VPN, you are required to authenticate with two of the following: something you know, something you have, and something you are.
Powered By Behavioral Biometrics
“Something you are” can really only mean one thing: Biometrics, the measurement and statistical analysis of an individual’s unique physical and behavioral characteristics. Behavioral biometrics are a form of passive biometrics that take into consideration the way a person behaves. This could be the way they walk, the rhythm in which they use a keyboard, the way they move a mouse, or the gestures they use when scrolling on their smartphone. These “passive” or behavioral biometrics are done instinctually, and because of the intrinsic nature of these behaviors, they have become a fundamental variable in identity security.
PCI DSS Approved Biometrics
While PCI guidance recommends biometric authentication, it does not specifically define what is considered a biometric factor. For that, PCI DSS relies on NIST for guidance:
“PCI DSS relies on industry standards—such as NIST, ISO, and ANSI—that cover all industries, not just the payments industry. ”
The MFA Guidance document links specifically to NIST Special Publication 800-63 for that. SP 800-63 defines the term biometrics in the following way:
“Biometrics: Automated recognition of individuals based on their biological and behavioral characteristics,”
Here, NIST clearly labels behavior as a biometric, which is in line with their current approach to Zero Trust. NIST advocates for behavior as a factor across the board, with NIST Special Publication 800-207 Zero Trust Architecture as a prime example. This is also in line with international regulation, where behavioral characteristics have been approved by the UK ICO as a strong authenticator for EU payments PSD2.
Simply put: according to PCI SSC and NIST, behavioral biometrics do meet PCI DSS and PSD2 requirements for multi-factor authentication.
Leveraging Machine Learning
The Twosense Windows agent continually collects keystroke timing and mouse coordinates from each user. This data does not contain any actual keystrokes or information about what the user clicked. By itself, this data is worthless; it is only when machine learning is applied that patterns can be identified.
Twosense’s cloud-based machine learning platform analyzes the passive biometric data to learn who your users are, creating a unique profile for each user. Whenever a user passes an MFA challenge, each model continues to learn and adapt to changing behaviors. The more behavior is observed, the more confident Twosense can be that the user is who they claim to be. When the model is mature, Twosense can validate the user's identity and create a baseline of trust.
With Continuous MFA, the user’s recent behavior is continually compared to their behavioral biometric model. This means that multifactor checks are being performed on the user consistently throughout the day, instead of waiting for the moment the user is authenticating to an application.
Users are assigned a trust score based on how much their behaviors match. If the trust score is high enough, the user will not be inconvenienced with a manual MFA challenge when accessing an application. Some organizations will even use high trust scores in passwordless policies, and let the user bypass password requirements entirely.
If the trust score is low, which could indicate that the wrong user is behind the keyboard, multiple options are available for Twosense administrators:
- Fallback MFA can be required.
- A manager approval workflow can lock the user’s session until a supervisor investigates.
- An alert can be sent that will later be investigated without interrupting the user’s session.
Continuous MFA is the Future
Traditional multifactor authentication is falling further behind as its flaws become apparent.
MFA that requires a phone is prone to issues with broken and lost phones, or the inconvenience of registering a new device whenever an employee buys a new phone. It is also prone to user error, phishing attacks, and sophisticated prompt-bombing attacks that have led to large-scale breaches.
Hard tokens can similarly be broken or lost, and frequently need to be replaced whenever an employee quits or is fired. The time and effort required to assign tokens to users can also be overwhelming for IT departments. Both phone-based and hard token-based MFA waste valuable time, and interrupt users when they’re trying to do their jobs.
Behavioral biometric MFA is the only solution that can check user identity hundreds of times each day without requiring any participation from the user, making it completely phishing proof. Finally, the best user experience is also the most secure solution.