We all know that there are three basic ways to authenticate somebody: something you know, something you have, and something you are. I’ve wondered recently though where habits and behavior fit in. For example, I’m writing this post from India. I don’t usually go to India and I’ve just used my credit card here a few times. Sure enough my card got red flagged and not long after blocked. The card company got “concerned” when they saw charges from somewhere new; somewhere outside of my typical charging radius. This happened to me a couple of times in Europe but a quick call, a mother’s maiden name, a birthdate, a social security number, and a DNA sample later and the card was back in action. This “behavioral” monitoring wasn’t an authentication mechanism so much as a “de-authentication” trigger. That out-of-the-ordinary behavior sparked suspicion despite all standard authentication mechanisms being in place (meaning that the clerks in India processed my card in the standard way). This profiling/“look for weird stuff” philosophy has been used in Intrusion Detection Systems (IDS) forever but is now moving to watching employees on their desktops in hopes of preempting insider attacks. It’s even being used as a method for authentication as one company (https://www.biopassword.com) has a tool to observe the cadence with which a password is typed to guard against the inevitable employee with a bad memory and an inviting yellow sticky-note pad. Measuring behavior “post authentication” brings a whole new dimension to trust but verify. It basically makes the statement “We trust that this person is who they say they are because they just *proved* it…but we’ll keep checking to see what they do just in case.” It can automatically tune security controls.
Right now, if you’re making a bigger-than-normal transfer on many banking sites they may ask you for some additional information like your mother’s maiden name. What if this was taken a step further? If my browsing behavior on a site was “different” in some meaningful way maybe a series of safeguards kick in even if the transaction that I made was “normal.” Initially it seems shocking and intolerable from a privacy perspective that sites would keep track of enough historical information to realize what “abnormal” is but most web sites do this already; except the data is used for marketing. Amazon.com always tweaks their landing page based on personal browsing history (either that or books on Reverse Engineering are truly more popular than the works of Dr. Phil) and we accept that this data is aggregated. If that behavioral data is lying around anyway – be it in user profiles, logs, server access records, whatever – it seems like a natural (and, if done right, user transparent) fit to throttle security controls up when risk is afoot. Like anything else though there can be false positives and hiccups – like having to switch to cash in India till I could get to Skype to call my credit card company. Still, I’m glad I’m not funding somebody else’s shopping spree.
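
The “typical charging radius” check and the bigger-than-normal amount check described above, combined into one step-up decision, as an added example that is not part of the original post. The 50 km floor, the 3x radius slack, the z-score limit and the sample charges are constructed assumptions, not any card issuer's real rules.

```python
import math
from statistics import mean, pstdev

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def build_profile(history):
    """Summarise past accepted charges, each a (lat, lon, amount) tuple."""
    # Assumption: a plain mean of coordinates is a good enough centre for
    # charges clustered in one region (it is not near the antimeridian).
    centre = (mean(h[0] for h in history), mean(h[1] for h in history))
    amounts = [h[2] for h in history]
    return {
        "centre": centre,
        "radius_km": max(haversine_km(centre, h[:2]) for h in history),
        "amt_mean": mean(amounts),
        "amt_std": pstdev(amounts) or 1.0,  # avoid dividing by zero
    }

def decide(profile, charge, slack=3.0, floor_km=50.0, z_limit=3.0):
    """Return 'allow', 'step_up' or 'block' for a new (lat, lon, amount) charge."""
    lat, lon, amount = charge
    limit_km = slack * max(profile["radius_km"], floor_km)
    far = haversine_km(profile["centre"], (lat, lon)) > limit_km
    big = (amount - profile["amt_mean"]) / profile["amt_std"] > z_limit
    if far and big:
        return "block"      # both signals off: stop and call the cardholder
    if far or big:
        return "step_up"    # one signal off: ask for extra proof
    return "allow"          # normal behaviour: no extra friction

# Constructed sample history: small charges around one home city.
HISTORY = [(47.61, -122.33, 42.0), (47.67, -122.12, 18.5),
           (47.25, -122.44, 63.0), (47.61, -122.20, 30.0)]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    for charge in [(47.60, -122.30, 25.0), (47.60, -122.30, 500.0),
                   (12.97, 77.59, 25.0), (12.97, 77.59, 900.0)]:
        print(charge, "->", decide(PROFILE, charge))
```

A small, ordinary charge made far from home lands on `step_up` rather than `block`, which is the false-positive cost the post describes: the legitimate traveller is challenged, not silently cut off.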