Behavioral Biometrics Guide
Introduction
SecureAuth's Behavioral Biometrics is a new form of Multi-Factor Authentication that analyzes a user's keystroke and mouse movement behavior during login / page interaction to create a profile that is then compared to subsequent login attempts. Once a profile is trained, the user enters the required information into the fields, and SecureAuth IdP can determine whether this behavior is consistent with that of the mature profile.
To utilize Behavioral Biometrics, the Authentication API must be employed and the relevant endpoints called to by the application. The Authentication API enables customers to utilize SecureAuth IdP authentication and IdM Tools while maintaining the custom application's interface and preferred workflow.
Authentication API Behavioral Biometrics Workflow
The Authentication API has two (2) endpoints and three (3) requests for Behavioral Biometrics. The first endpoint is a simple GET request to acquire the Javascript source file required to create the behavior profile. The second endpoint can be called via a POST request to post the user's behavior profile to enable the comparison, or a PUT request to reset the user's behavior profile or a field in the profile to retrain keystrokes and mouse movements.
Once the Javascript source file is obtained, it must be added to the webpage(s) in order to collect the relevant data. As users interface with the page(s) and form(s), SecureAuth IdP generates a profile containing particular keystroke and mouse movement behavior, actual values, and other components.
The profile created by the Javascript is then posted to the second endpoint for either training or authentication purposes. If the profile is still being trained, then the data is used solely to mature the profile, rather than to validate the user's identity. Profile training takes ten (10) sessions, which can be completed in days, weeks, or months, depending on the frequency of user access to the form. Once a profile has matured, it is ready for comparison to securely authenticate the user. After the profile is posted to the API endpoint, SecureAuth IdP responds with an Accuracy Score and a Confidence Score.
The Accuracy Score is how close the current behavior resembles that of the trained profile, and the Confidence Score is how confident SecureAuth IdP is in the provided score. To increase accuracy and confidence, it is recommended to utilize numerous, static fields with six (6) or more characters per field. Having a profile that is rich in behavior produces the best results and raises the confidence level of the identity verification.
When a profile is trained, that behavior is what SecureAuth IdP expects; so if a field value changes (such as password, address, phone number, etc.), then reseting the profile is necessary to ensure that the correct values are being assessed. The PUT endpoint enables users to reset their entire, trained profile, or specific fields in their trained profile. Once a profile is reset, then the user undergoes the same training procedure as before until the new values are matured and the profile can once more be used in authentication.
Behavioral Biometrics Best Practices
To achieve the best Behavioral Biometrics results, SecureAuth recommends the following:
Use at least six (6) characters for text fields
After reseting a password, the profile (or profile field) should be reset to ensure accurate data collection
The more data that is captured in the application results in more accuracy and confidence in the scores
Profile training takes ten (10) sessions, so applications that are accessed more frequently yield faster training
Prerequisites
1. Follow the steps in the Authentication API guide and Behavioral Biometrics Authentication API Guide
2. Create a New Realm or accessing an existing realm in the SecureAuth IdP Web Admin in which the Authentication API is enabled
3. Integrate a corporate LDAP directory with SecureAuth IdP on the Data ta.
Note
LDAP directory integration is the only supported data store for the Behavioral Biometrics API.
SecureAuth IdP Configuration Steps
These are the required steps to enable Behavioral Biometrics, but additional steps are required to enable the Authentication API as outlined in the the Authentication API guide and Behavioral Biometrics Authentication API Guide
Data
1. In the Profile Fields section, map the Behavior Biometrics Profile Property to a directory attribute field, e.g. comment
2. Check Writable
Warning
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
API
3. In the API Key section, check Enable API for this realm
Refer to the Authentication API guide for additional configuration steps in this section
API Permissions
4. Check Enable Authentication API in the Authentication section
Warning
Click Save once the configurations have been completed and before leaving the API page to avoid losing changes