Recently, there’s been an uptick in the adoption of the NIST Cybersecurity Framework, a set of guidelines aimed at helping organizations improve their overall cybersecurity process. In December 2017, NIST released the second draft of its framework. Among the updates were two critical additions to the Identity Management, Authentication and Access Control guidance.
These updates address the disturbing reality that our digital identities are surprisingly insecure. More than 9 billion credentials have been stolen since 2013, giving cyber criminals an abundance of personally identifiable information to use to commit fraud, from account takeover attacks to fraudulent credit applications and more. By combining NIST Framework guidelines with behavioral biometric identity proofing and authentication solutions, organizations can fight back against these shocking statistics to detect and prevent fraud.
What is the NIST Framework?
The NIST Cybersecurity Framework is a set of guidelines collaboratively formulated to give companies a starting place for evaluating, preventing and responding to cyber risk. Thirty percent of U.S. organizations use the NIST framework, including JPMorgan Chase, Merck & Co, Kaiser Permanente and Chevron Corporation. The NIST Framework focuses on five areas for reducing cyber risk: identify, protect, detect, respond, recover.
Rather than being shocked by each new data breach, ransomware attack or instance of fraud, companies are increasingly working to improve their cybersecurity posture, and the effort is no longer confined to internal information security professionals. Business leaders and C-suite executives, from the insurance industry to financial institutions, are waking up to the importance of putting resources behind their organization’s cybersecurity. Companies are finding the NIST Framework’s guidance particularly helpful at a time when cyberattacks are costly and growing at an alarming rate. Every 39 seconds there is an attack on an internet-connected computer, and cyberattacks cost an estimated $400 billion globally per year.
Meeting NIST Framework Identity Management and Authentication Guidelines with behavioral biometrics
Behavioral biometrics are specifically designed to address the identity management and authentication guidance added under the “protect” section of the NIST Framework’s second draft. Using behavioral biometrics, organizations can employ advanced identity proofing and authentication technology to detect fraud and prevent unauthorized access.
Identity proofing with behavioral biometrics
The NIST Framework recommends that “identities are proofed and bound to credentials and asserted in interactions when appropriate.” Identity proofing is the process organizations use to collect and verify information about a person for the purpose of opening an account or issuing credentials to that person. Most often, identity proofing is used to meet regulatory requirements and prevent fraud.
Typically, companies rely on database searches to verify user information entered into online applications. These traditional identity proofing methods are no longer sufficient, however, as the information required to open new accounts is readily accessible to cyber criminals due to large-scale data breaches. In fact, one in nine of all online accounts created in 2017 was fraudulent.
Behavioral biometrics fulfill NIST Framework guidance for identity proofing by monitoring user behavior when filling out online applications, not just that the correct information is entered. Working in the background, behavioral biometrics verify that online applications are being filled out by genuine users, not fraudsters, by testing for application fluency, navigational fluency and low data familiarity.
For example, fraudsters often use keyboard shortcuts and enter unfamiliar data in a way not exhibited by legitimate users. Based on these parameters, organizations can effectively verify user identity in real time and experience less fraud.
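The three signal families named above (application fluency, navigational fluency and data familiarity) can be approximated with transparent heuristics over form telemetry. The following is an added illustration, not BioCatch's product logic or any code from the original article: the event shape, the list of "familiar" fields, the thresholds and the weights are all assumptions chosen to make the scoring readable, and the two sessions are constructed inputs.

```python
"""Behavioral identity-proofing signals over form telemetry (added example).

A genuine applicant typically knows their own name, date of birth and phone
number by heart but is unfamiliar with the form itself; the pattern the text
describes for fraud is the reverse: fluent with the form, hesitant with the
victim's data, heavy use of paste/shortcuts. Every threshold is illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FieldEvent:
    field: str         # form field name
    dwell_ms: int      # time from focus to blur, in milliseconds
    keystrokes: int    # characters typed by hand (0 when pasted)
    pasted: bool       # value arrived via clipboard shortcut
    corrections: int   # backspace / delete presses while in the field
    revisits: int      # times the applicant returned to this field


# Assumed set of fields whose values a genuine applicant knows by heart.
FAMILIAR_FIELDS = {"first_name", "last_name", "date_of_birth", "phone"}


def navigational_fluency(events: List[FieldEvent]) -> float:
    """Share of fields populated via paste/shortcut rather than typing (0-1)."""
    return sum(e.pasted for e in events) / len(events)


def application_fluency(events: List[FieldEvent]) -> float:
    """Speed and linearity through the form (0-1; 1 = fast, no revisits)."""
    mean_dwell = sum(e.dwell_ms for e in events) / len(events)
    revisit_rate = sum(e.revisits for e in events) / len(events)
    speed = max(0.0, 1.0 - mean_dwell / 15000)   # 15 s per field -> 0 (assumed)
    linearity = max(0.0, 1.0 - revisit_rate)     # 1 revisit per field -> 0
    return (speed + linearity) / 2


def data_familiarity(events: List[FieldEvent]) -> float:
    """Fraction of familiar PII fields entered fluently: typed by hand,
    at most two corrections, no more than 400 ms per keystroke (assumed)."""
    familiar = [e for e in events if e.field in FAMILIAR_FIELDS]
    if not familiar:
        return 1.0  # nothing to judge; treated as neutral

    def fluent(e: FieldEvent) -> bool:
        if e.pasted or e.keystrokes == 0:
            return False
        return e.corrections <= 2 and e.dwell_ms / e.keystrokes <= 400

    return sum(fluent(e) for e in familiar) / len(familiar)


def proofing_risk(events: List[FieldEvent]) -> Dict[str, float]:
    """Combine the three signals into a 0-1 risk score (illustrative weights;
    unfamiliarity with one's own data is weighted highest)."""
    if not events:
        raise ValueError("no form events to score")
    nav = navigational_fluency(events)
    app = application_fluency(events)
    fam = data_familiarity(events)
    risk = 0.5 * (1.0 - fam) + 0.3 * app + 0.2 * nav
    return {"navigational_fluency": nav, "application_fluency": app,
            "data_familiarity": fam, "risk": round(risk, 3)}


def proofing_decision(events: List[FieldEvent], review_threshold: float = 0.5) -> str:
    """PASS the application or route it to REVIEW (manual or step-up proofing)."""
    return "REVIEW" if proofing_risk(events)["risk"] >= review_threshold else "PASS"


# Constructed session: applicant types own details fluently, slows down on
# the unfamiliar financial fields and revisits them.
GENUINE_SESSION = [
    FieldEvent("first_name", 2400, 7, False, 0, 0),
    FieldEvent("last_name", 2200, 6, False, 1, 0),
    FieldEvent("date_of_birth", 3000, 10, False, 0, 0),
    FieldEvent("phone", 3200, 10, False, 1, 0),
    FieldEvent("address", 12000, 30, False, 3, 1),
    FieldEvent("annual_income", 18000, 6, False, 2, 2),
    FieldEvent("employer", 9000, 12, False, 1, 1),
]

# Constructed session: pasted or hesitant PII, very fast linear pass through
# the rest of the form.
SUSPECT_SESSION = [
    FieldEvent("first_name", 6000, 7, False, 3, 0),
    FieldEvent("last_name", 1500, 0, True, 0, 0),
    FieldEvent("date_of_birth", 7000, 10, False, 2, 1),
    FieldEvent("phone", 800, 0, True, 0, 0),
    FieldEvent("address", 900, 0, True, 0, 0),
    FieldEvent("annual_income", 1500, 6, False, 0, 0),
    FieldEvent("employer", 700, 0, True, 0, 0),
]

if __name__ == "__main__":
    for name, session in (("genuine", GENUINE_SESSION), ("suspect", SUSPECT_SESSION)):
        print(name, proofing_risk(session), proofing_decision(session))
```

The weights and thresholds would be tuned on labelled applications in practice; the point of the example is that the decision rests on how the data was entered rather than on whether the entered values match a database record.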
Risk-based, multi-factor authentication and behavioral biometrics
The second update to the NIST Framework that behavioral biometrics can address relates to risk-based, multi-factor authentication. Specifically, the NIST Framework recommends that “users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).”
Behavioral biometrics go a step further and meet these requirements by providing continuous authentication, not just single- or multi-factor authentication. Rather than requiring users to provide a static identifier, like a password or fingerprint, behavioral biometrics monitor user behavior from login to logout to detect suspicious activity throughout a user session, not just at login. This is important because 100 percent of fraud occurs in authenticated sessions, clear evidence that traditional authentication methods are still failing to catch cyber criminals.
Even multi-factor authentication has already proven vulnerable to attack. Working behind the scenes, behavioral biometrics collect data on user interactions with a device, establishing a unique identity profile that can’t be duplicated. How one user moves their mouse, for example, can’t be recreated by a cybercriminal or remote access trojan. This entire authentication process takes place without the user knowing — a win for customer experience.
When needed, behavioral biometrics can also introduce additional authentication measures if suspicious activity is detected. This could be a prompt to enter a password or use another biometric like a fingerprint or facial scan. This type of multi-factor authentication is significantly more secure than knowledge-based security.
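The risk-based, continuous model described in the preceding paragraphs can be sketched as a small policy engine: an enrolled behavioral profile, a per-action deviation score, and a tolerance that shrinks as the transaction's risk tier rises, with step-up (password or another biometric) as the middle outcome. This is an added example, not BioCatch's scoring or any code from the article; the feature names, the profile model (mean and standard deviation per feature with a root-mean-square z-score), the tier table and the thresholds are all assumptions, and the enrollment and session data are constructed.

```python
"""Continuous, risk-based session authentication with step-up (added example).

Each in-session action is compared with the user's enrolled profile; the
allowed deviation depends on the transaction's risk tier, so the same
behavior may be ALLOWed for a balance check and trigger STEP_UP for a
contact-detail change. All numbers are illustrative assumptions.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev
from typing import Dict, List, Tuple

FEATURES = ("mouse_speed_px_s", "mouse_curvature", "key_dwell_ms", "click_interval_ms")

# Assumed transaction risk tiers: higher tier, less deviation tolerated.
RISK_TIER = {"view_balance": 1, "pay_known_payee": 2, "change_contact": 3, "new_payee_transfer": 4}


@dataclass
class Action:
    kind: str                    # key into RISK_TIER
    features: Dict[str, float]   # behavioral measurements during the action


def sample(speed: float, curvature: float, dwell: float, click: float) -> Dict[str, float]:
    return dict(zip(FEATURES, (speed, curvature, dwell, click)))


class BehaviorProfile:
    """Per-feature mean and population std-dev learned from enrollment sessions."""

    def __init__(self, enrollment: List[Dict[str, float]]):
        self.mu = {f: mean([s[f] for s in enrollment]) for f in FEATURES}
        # Floor sigma so a constant feature cannot produce a division by zero.
        self.sigma = {f: max(pstdev([s[f] for s in enrollment]), 1e-6) for f in FEATURES}

    def deviation(self, features: Dict[str, float]) -> float:
        """Root-mean-square z-score across features; around 1 for the enrolled user."""
        z2 = sum(((features[f] - self.mu[f]) / self.sigma[f]) ** 2 for f in FEATURES)
        return sqrt(z2 / len(FEATURES))


def decide(deviation: float, tier: int) -> str:
    """Illustrative policy: tier 1 steps up at 4.0 sigma, tier 4 at 2.5 sigma;
    BLOCK sits 3 sigma above the step-up point for every tier."""
    step_up_at = 4.5 - 0.5 * tier
    block_at = step_up_at + 3.0
    if deviation >= block_at:
        return "BLOCK"
    if deviation >= step_up_at:
        return "STEP_UP"   # prompt for password or another biometric factor
    return "ALLOW"


def evaluate_session(profile: BehaviorProfile, actions: List[Action]) -> List[Tuple[str, float, str]]:
    """Score every action in order; returns (action kind, deviation, decision)."""
    results = []
    for a in actions:
        dev = profile.deviation(a.features)
        results.append((a.kind, round(dev, 2), decide(dev, RISK_TIER[a.kind])))
    return results


# Constructed enrollment: five earlier sessions of the genuine user.
ENROLLMENT = [
    sample(420, 0.31, 95, 850),
    sample(450, 0.28, 102, 900),
    sample(400, 0.35, 90, 800),
    sample(470, 0.30, 98, 880),
    sample(440, 0.33, 96, 870),
]
PROFILE = BehaviorProfile(ENROLLMENT)

# Constructed session: the user behaves normally, then drifts moderately
# (same drift scored at two tiers), then the session is driven by something
# that moves the mouse in straight lines with a uniform click cadence.
DRIFTED = sample(530, 0.24, 106, 970)
SESSION = [
    Action("view_balance", sample(430, 0.32, 97, 860)),
    Action("pay_known_payee", sample(460, 0.29, 100, 890)),
    Action("view_balance", DRIFTED),
    Action("change_contact", DRIFTED),
    Action("new_payee_transfer", sample(1200, 0.02, 60, 300)),
]

if __name__ == "__main__":
    for kind, dev, decision in evaluate_session(PROFILE, SESSION):
        print(f"{kind:20s} deviation={dev:6.2f} -> {decision}")
```

The third and fourth actions carry identical behavioral measurements and receive different outcomes, which is the "commensurate with the risk of the transaction" requirement in executable form. A production system would also re-baseline the profile over time and treat a successful step-up as fresh evidence for the rest of the session, neither of which this sketch attempts.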
Using behavioral biometrics, organizations can meet and exceed NIST Framework guidelines around authentication to better secure users, online transactions and the business as a whole.
The NIST Framework is an excellent place for organizations to begin improving and updating their cybersecurity process. In June 2017, NIST also released Special Publication (SP) 800-63, Digital Identity Guidelines. The document replaced outdated authentication and identity proofing recommendations with new ones meant to align with the types of cyber threats organizations are facing today. This includes providing adequate identity proofing and authentication solutions to prevent unauthorized access, activities and transactions.
Advanced technology solutions, like behavioral biometrics, are helping organizations put NIST Framework recommendations into practice. When it comes to preventing fraud, account takeover, malware or other cyberattacks, behavioral biometrics provide the best option for ensuring users are who they claim to be.
Frances Zelazny is vice president of BioCatch, a cybersecurity company that delivers behavioral biometrics to protect users and data. She provided testimony last year to the New York State Assembly's banking committee on cybersecurity threats facing the U.S. financial industry.