Authentication and Machine Learning: Taking Behavior Recognition to a New Level

Long a staple technology for fraud detection in the financial services industry, machine learning is increasingly being used in conjunction with behavior recognition to deliver identity assurance.

Behavior recognition is a powerful tool, helping to establish that people who request access to business applications or services are in fact who they say they are. When someone attempts to sign in from a familiar device in a familiar location, for example, behavior recognition picks up on those cues. And now it’s proving even more effective when paired with machine learning, which makes it possible to adapt in response to how users behave throughout their access history. The result is higher confidence in a user’s identity and, at the same time, less need to inconvenience the user with requests for additional authentication.

A New Way to Apply the Machine Learning Model

In traditional fraud detection scenarios, machine learning tools look at broad user populations and report back on fraudulent transaction attempts, using the information collected to continually improve the data model. Machine learning in this context relies on people reporting discrepancies in their bank accounts or credit card activity. That makes it less useful for user authentication, because people aren’t likely to be aware of, and therefore can’t report on, unauthorized attempts to access the business services and applications they use. 

In applying machine learning to user authentication, the focus of the model shifts from fraud detection to identity assurance. In other words, how confident can you be that a given user is who he or she claims to be, based on past successful authentications? This confidence is gained by learning from data in users’ past authentication attempts, such as:

  • Location/network
  • Time of day
  • Device fingerprint
  • Pattern of access
  • Keystroke dynamics

Much of this data is the same as what’s used to establish static business context rules for access requests. The difference lies in how the data is applied. Instead of declaring a network address “trusted,” for example, the idea is to analyze user activity to determine if the user has repeatedly provided a high level of authentication from a particular IP address. That provides one data point to consider when determining confidence in the user’s identity. Combine it with other data points, creating confidence across multiple attributes, and you can make an informed determination about whether more authentication is needed.
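The approach described above can be sketched in code. This is an added illustration, not code from the article or from any vendor product: a simple frequency count stands in for a trained model, and the attribute names, weights, saturation count, threshold and sample history are all assumptions constructed for the example.

```python
from collections import Counter

# Constructed history of one user's past successful authentications:
# (network, hour_of_day, device_fingerprint, strong_auth_used)
HISTORY = [
    ("203.0.113.0/24", 9, "dev-a", True),
    ("203.0.113.0/24", 10, "dev-a", True),
    ("203.0.113.0/24", 9, "dev-a", False),   # password only: ignored below
    ("203.0.113.0/24", 14, "dev-a", True),
    ("198.51.100.0/24", 20, "dev-b", True),  # seen once, not "repeatedly"
]

# Assumed tuning values, chosen for illustration only.
WEIGHTS = {"network": 0.4, "hour_band": 0.2, "device": 0.4}
SATURATION = 3           # strong logins needed for full confidence in a value
STEP_UP_THRESHOLD = 0.6  # below this, ask for additional authentication


def observe(network, hour, device):
    """Map a login to the attribute values the profile is keyed on."""
    return {"network": network, "hour_band": hour // 6, "device": device}


def build_profile(history):
    """Count, per attribute value, how often strong authentication succeeded."""
    profile = {attr: Counter() for attr in WEIGHTS}
    for network, hour, device, strong in history:
        if strong:  # only high-assurance logins build confidence
            for attr, value in observe(network, hour, device).items():
                profile[attr][value] += 1
    return profile


def identity_confidence(profile, network, hour, device):
    """Weighted sum of per-attribute confidence, each capped at 1.0."""
    seen = observe(network, hour, device)
    return sum(
        weight * min(profile[attr][seen[attr]], SATURATION) / SATURATION
        for attr, weight in WEIGHTS.items()
    )


def decide(profile, network, hour, device):
    """Return ('allow' | 'step_up', score) for a new access attempt."""
    score = round(identity_confidence(profile, network, hour, device), 2)
    return ("allow" if score >= STEP_UP_THRESHOLD else "step_up"), score
```

A familiar network alone scores 0.4 here and still triggers step-up; confidence has to accumulate across several attributes before the additional prompt is skipped.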

Don’t Be Left Behind

Machine learning for user authentication in this context is rapidly evolving. As the possibilities for understanding and responding to a variety of behaviors develop, there’s tremendous potential for authentication that’s even more secure, with less friction for users. As you consider how to take advantage of machine learning, keep in mind that no matter how sophisticated the static rules you use for business context, they can never match the capabilities of an approach that includes machine learning.

Don’t be left behind; make sure machine learning has a place in your identity assurance strategy. As you seek out identity and access management partners, look for those that also have a strategy to keep up in this rapidly changing space. Meanwhile, learn more about leveraging identity assurance in the authentication process in this on-demand webinar.

Copyright © 2017 IDG Communications, Inc.