Q&A: How your typing and screen swiping nuances can verify your identity

By Byron V. Acohido

The recent data breaches at Timehop and Macy’s are the latest harbingers of what’s in store for companies that fail to vigorously guard access to all of their mission-critical systems.

Related podcast: Why identities are the new firewall

A common thread to just about every deep network breach these days is the failure of the victimized entity to effectively deploy multi-factor authentication (MFA) to at least make it harder for threat actors to access their sensitive systems.

Compromised accounts came into play in data breaches of Uber, Tesla, Gemalto, Aviva, Equifax and many others. Threat actors are authenticating themselves at numerous junctures in order to gain deep access and deliver malicious payloads without being detected.

And with “digital transformation” accelerating, there are so many more weakly-secured login accounts just waiting to be maliciously manipulated.

Generally speaking, companies have yet to fully address authentication weaknesses, with respect to their legacy on-premises systems. And yet they doubling down on public cloud services, as well as increasing their dependence on an entire new solar system of  software “microservices” and  “containers” that come and go.

The vast majority of these new, interconnected components and layers that make up digital transformation require login accounts, which translates into a fresh galaxy of attack vectors.

The good news is that this is a solvable problem. The Identity Access Management (IAM) space is one of the more mature subsectors of the cybersecurity industry. And IAM vendors are innovating like crazy. They are bringing data-analytics, machine-learning and behavioral biometrics to bear, to help companies more effectively manage account authentication, without slowing down digital transformation.

For instance, IAM supplier Optimal IdM recently  announced that it is partnering with TypingDNA to add “typing behavior analysis” as an added feature to its core MFA services. I asked Chris Curcio, vice-president of channel sales at Optimal IdM to set the wider context. Here are excerpts of the interview, edited for clarity and length.

LW: What should we take away from the TimeHop and Macy’s breach, and others like them?


Curcio: First and foremost, all privileged accounts should leverage MFA. Also, keep in mind MFA can’t prevent all data breaches, since many breaches come from people with proper access. To combat this issue, adaptive authorization policies need to be implemented and enforced; access can be conditional, taking into account risk. Conditions can refer to things such as geo-location and time of day. And identities need to be governed; legacy users should not have permissions they no longer need.

LW: For that matter, should companies be hanging on to as much sensitive data as they now do?

Curcio: Companies should only collect and store data that is essential to their business, therefore, if a breach happens the damage can be limited. It should go without saying that all collected data should be encrypted while it is in transit, and sensitive data should be encrypted while it is at rest in a database.

LW: What are a few best authentication practices companies should embrace?

Curcio: The biggest fundamental challenge for any organization is to get out of the password business altogether. The more passwords an organization has to manage across all of their users, the higher the likelihood of a critical one being breached.

For employees, it is about consolidating logins. A typical employee could have upwards of 20 or more application ID and password combinations. It is very important to reduce this number of credentials to the bare minimum, and then leverage technologies, such as single sign-on (SSO) and MFA, to ensure ease of use and a high level of security.

In the B2B world, a company should never provision a password to a third-party. Vendors and partners should only gain access to the exposed applications through a Federated SSO standard such as FIDO, OAuth2, OpenID Connect or SAML2. And they should be required to use MFA to access any application with sensitive data.

LW: What exactly is ‘typing behavior analysis?’

Curcio: Typing is a common form of behavioral biometrics. Your password could easily be hacked, but your typing speed and style are unique, just like your fingerprints. No one else is going to be able to easily guess, or emulate, the way you behave when you’re encountering online forms or logins.

Other types of behavioral biometrics are used on wearable technology and mobile devices. These now come equipped with sensors that can read everything from how quickly you swipe the screen to how you hold your smartphone.

Behavioral biometrics aren’t going to replace your password. But they can add an extra layer of security that, along with a traditional MFA solution, will make it easier for your sensitive data to stay private.

LW: Where are we heading with behavioral biometrics?

Curcio: Many commercial, civilian and government entities are already utilizing behavioral biometrics to secure sensitive data. Companies are also beginning to use typing biometrics, along with traditional MFA, to increase security and prevent lost revenue from password sharing.

Behavioral biometrics will continue to evolve in new and exciting ways.  The future possibilities seem endless.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: Last Watchdog has supplied consulting services to Optimal IdM)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone