User Behavior Analytics: User Behavior as Security Component

Dynamic aspects of the digital identity

User behavior analytics is something we know from online shopping. The users' navigation in e-shops is tracked and the results are used for up-selling, cross-selling or personalized advertising. Today, new insights from user behavior also increase the security and usability of online applications.


It has become difficult to define the virtual external borders of a company: the Internet of Things, exchange with customers, partners and suppliers, and cloud services expand and blur the boundaries. Potential attackers lurk everywhere. However, for risk assessment the location of the attacker is no longer key. He may be inside the IT infrastructure or outside of firewalls and other protective devices.


Digital identity: Who am I and, if so, how many?

Who is the user and how does he behave? Is it a human being, a robot, a server or a smart device? The identity of a user and its verification – i.e. authentication – is more important than ever for IT security. While interaction used to take place at the bank counter, it now takes place electronically. This is why we need the digital identity (s. figure). As the backbone of digital life, it has a specific function – but also transfers valuable data and permissions to more or less trustworthy players. No wonder, digital identities – of which many of us have a high number – are often stolen and traded. Therefore, digital identities deserve attention within the larger IT security picture.


Usability versus security

As identity theft cannot be prevented, abuse must be limited. This is done with strong authentication: mTAN, one-time password tokens or new identity cards are useful. Adaptive security methods such as continuous authentication, misuse detection and alarming the legitimate identity owner are also working. These methods respond to changing environments, thus offering security benefits. At the same time, they reduce usability, which is why their acceptance is poor. The emerging biometric authentication is user-friendly and therefore seems to be the ideal solution. However, fingerprint sensors, iris scanners and face recognition software can also be cracked – and they make highly sensitive biometric data electronically accessible. As a result, the data can be copied, which is particularly unpleasant for users. Behavior analytics comes in as an alternative as, compared  to biometric data, it captures more dynamic aspects of our identity.


Show me how you type, and I know who you are

Place (geolocation), device and time are already common elements of «Behavioral Analytics»: Does the user log in on a familiar device at the normal time of day or week? If someone logs in in New York and in Zurich at the same time, it can hardly be the same person. How people enter information and use a particular device can be recorded and analyzed too: How does the user type on the keyboard or the screen? By using one or all his fingers? How big are his fingertips, how strong is his touch? Does he move the smartphone? Do the mouse clicks take place in the usual combination, speed and order (click stream)? The navigation behavior within an application provides additional information: Which contents and actions does the user choose when? Does he always look at the price trend of his investments first in e-banking? Does he navigate straight to the payment application to execute transactions?


Behavioral aspects as part of the digital identity

Tailored to risk tolerance and habits

Based on anomalies, behavior analytics software continuously calculates a risk score, which measures and defines the risk of a false identity. To get to know the user and calculate risk values, the software needs a training phase. For this, the behavioral aspects can be configured individually. With geolocation, it is possible to assign risk-specific tags to individual countries. Behavioral aspects can be weighted differently and measured at different tolerance values (thresholds). They take into account the risk tolerance of the application provider and the user as well as the user's requirements or habits. For a business traveller and frequent flyer, a lower weighting or higher tolerance with regard to geolocation makes sense.


Avoiding extra work and trouble

An increased risk score may raise the required security level as needed and trigger additional measures. For example, if the user wants to transfer a higher amount of money to an unfamiliar recipient, additional authentication steps are automatically generated, with measures ranging from a session stop to the notification of the legitimate user. This, in turn, generates costs. Avoiding «false positives», i.e. false suspicions, thus becomes an important task of the behavior analytics system and its configuration options.


Practical applications: fast and secure access

User behavior analytics is widely used in e-banking and mobile banking. Aspects such as geolocation, device, time and typing behavior are analyzed. The user is continuously monitored even after logging in. Customer portals today already allow password-free login based on bahavior analytics. Only more important transactions trigger additional authentication factors. In both cases, security shall be increased without compromising usability. Finally, user behavior analytics is used to identify the legitimate mobile device owners. The high number of sensors and parameters of these devices support these applications.

User behavior analytics is used in many ways, and the potential is huge. Its use for digital identities deserves special attention, as it is particularly valuable and sensitive due to its function as the backbone of digital life. This is true not only for the user, but also for providers of websites, platforms and applications – as they want to win, retain and protect the user as a customer.