Is It Really You? Developing New Ways to Authenticate Users

By Shawn Dougherty April 7, 2014

What was the name of your first pet? What city were you born in? What is your mother’s maiden name?

If you’ve ever forgotten your password, you’ve probably had to answer those or other personal questions designed to prevent hackers from accessing your account. Those types of questions are referred to as knowledge-based authentication, or KBA. As you can imagine, KBA has become far less effective as social media and phishing have become more advanced. Today, a quick search on Google or Facebook can often provide the answers a hacker needs to authenticate your account. At the same time, cyber attackers have targeted employees of popular websites, getting them to click on links or download attachments that, without their knowing it, provide access to users’ KBA. It’s called “spear phishing” and, when successful, can give hackers access to a company’s entire network.

The good news is that efforts are under way to develop a better form of authentication using biometric identifiers unique to each individual. One type of biometric identifier is categorized as “physiological” characteristics: items we’re generally familiar with, such as fingerprint, facial recognition, and retina recognition, to name a few. A less familiar type of biometric identifier is “behavioral” characteristics, including a user’s voice patterns, typing rhythm, or computer mouse handling. Behavioral characteristics are sometimes referred to as behaviometrics. Some of the latest research focuses on these behavioral characteristics, the idea being that a computer and related programs and software can be used to detect a stranger. The Defense Advanced Research Projects Agency (DARPA) has developed an Active Authentication research program to examine how effective these behaviors are at identifying individual users. In the meantime, many websites are using multifactor authentication, combining passwords, KBA, and text messages to defend against unauthorized users.

As with passwords, to be effective, the solutions will have to balance users’ time and frustration with their desire for better authentication and ease of access. I, for one, am looking forward to seeing what the future holds in cybersecurity.

Speaking of the future, I’m pleased to announce the newest member of the ISO cyber team, Jason Bucher. Jason joins ISO as our Cyber and Technology E&O project manager. You’ll be hearing more from Jason about his unique thoughts and perspectives on these and other cyber-related topics in future posts.

Please feel free to e-mail me at sdougherty@iso.com with any questions you may have regarding cyber risk and cyber-liability insurance. You can also follow me on Twitter @doughertyshawn.

Stay tuned for the next blog post in our Cyber Monday Series.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.