Who knows you better than your smart phone? Your family? Maybe. Your colleagues? Perhaps. Your dog? Almost certainly—but that could change very soon.
For many of us, our phones and other devices—smart watches, tablets, laptops—are privy to our deepest secrets.
Our devices may know, via the alarm we set, when we get up in the morning, and, if we have a sleep-tracking app, when we go to bed at night. They may also store information on nearly everything we do, think, and even feel, from the emails we send and receive to the purchases we make, to the contours of our fingerprints. It’s all faithfully recorded for our eyes only—until our device is lost or stolen.
When that happens, we may panic—rightfully so. After all, we’ve given so much of ourselves to our technologies; it’s as if they have become extensions of us.
Adding to our anxieties is the fact that, for now, at least, cybersecurity is imperfect. Passwords and passcodes are fallible; even the strongest can be cracked. (“New Technology Cracks ‘Strong’ Passwords — What You Need To Know,” Forbes, April 21, 2015) As recent events in the news have shown, encryption has its weaknesses, as well. How do we ensure that what happens on our devices stays on our devices?
Up close and personal
Ironically, one answer may be to open ourselves up even further, to give our devices access not only to our information but also to the aspects of ourselves that make us special: our quirks and peccadilloes, our foibles and preferences and habits—not just who we are and what we do, but how we are.
Think about it: a lot of people might set their alarm for the same time in the morning. What differentiates us may be how we start the day. If I hit the “snooze” button four times, then read my emails, social media, daily horoscope, and the news—always in that order—before finally getting up, that individuates me. If I turn on my coffeemaker using an app on my phone and play hip-hop on a radio app while making the bed, I’ve differentiated myself a little bit more.
And if our devices could process and memorize these details, they might know us as well as we know ourselves, or even better—and could perhaps block an imposter from gaining access to our inner digital sanctum, cracked code or not.
This is the thinking behind behavioral authentication, which treats our devices not just as accessories but as parts of us—able to accept or reject a user based on compatibility, like blood type, and whether that user fits the mold that our device interactions have shaped over time.
Creatures of habit
Behavioral authentication shows such potential because it taps not only into the details that make each of us unique, but also into a feature that, psychologists say, we all share in common: habit.
A study of signals from 100,000 cell phones revealed that we tend to take the same route every time we go to school and work, for instance. (“Phone study confirms people are creatures of habit,” Reuters, June 5, 2008)
Consider all the tasks you perform every day without thinking about them. Habit enables us to drive to work without having to decide which way to go. Instead, we may arrive at the office without quite realizing how we got there, our bodies having performed the task of navigating while our minds pondered the day ahead.
Habit enables us to move through life more smoothly, to perform perfunctory tasks on auto-pilot and save our brain power and time for more complex tasks such as innovation, writes Charles Duhigg in his book, “The Power of Habit: Why We do What We do in Life and Business.”
This finding, that humans follow “simple, reproducible patterns,” could enhance a number of human services including epidemic prevention, emergency response, urban planning and agent-based modeling. Now, behavioral authentication may add cybersecurity to the list.
When our devices know our daily habits, they may detect deviations—and lock out those whose behaviors don’t fit. Having hacked our phone, the cyber criminal won’t get far if she or he or sleeps until noon and then tries to log into a social media account we don’t have, or makes calls to people not among our contacts, or tunes into the country-western station instead of playing hip-hop, or walks faster or more slowly than we do or with a limp, or fails to meet any other of a seemingly infinite number of criteria that, taken together, make up our identity.
Not just ‘who,’ but ‘how’
Schedules change, of course, and so do habits. What if you switched shifts at work, or left your job, or had a child, or moved to a new home? A device focused solely on what you do and when you do it might lock you out until it learned your new routine. But how we conduct our lives is as much a part of who we are as what we do.
Researchers are working on behavioral authentication that also checks aspects of us that are more likely to stay the same over time. Do we hold our phones or tablets vertically or horizontally? Are our hands warm or cool? What’s our pulse rate? Do we use our thumbs to type on our phones or, hunt-and-peck fashion, a single index finger?
The more our devices learn about us, the more they can help us, even becoming virtual personal assistants. In the movieHer, the protagonist has a unique operating system assigned to him. Like an assistant, the OS reads his emails to him and answers them, makes appointments for him, and even helps him with personal problems. (“Something About ‘Her’: Will Our Computers Ever Be Real Friends?” ReadWrite, Feb. 12, 2014)
Already, our devices alert us when we have an upcoming appointment, provide a map and directions, tell us when it’s time to leave, and guide us to our destination until we have arrived. Our email accounts tell us when a message from someone important has come in; our fitness trackers help us stay in shape, even reminding us to get up and move around.
A friend, indeed
And as more and more of the objects in our lives become “connected” to one another and to us, the picture they form of us could become increasingly complete.
Although many worry that all the data being collected makes us more vulnerable to thieves, I submit that the opposite may also be true: the better our devices know us, the better they may be able to ward off intrusions and attacks.
Like the trustiest of canines, our devices may serve someday not only as our confidants and companions but also our guards, protecting us and our data from harm. And, who knows? With behavioral authentication, we may come to view our smart phone, wearable, or other, as-yet-to-be invented device as “man’s (or woman’s) best friend.”
(Originally published in SecurityCurrent http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/behavioral-authentication-your-new-best-friend)