{"id":18030,"date":"2022-02-02T10:45:37","date_gmt":"2022-02-02T18:45:37","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11763\/"},"modified":"2022-02-02T10:45:37","modified_gmt":"2022-02-02T18:45:37","slug":"news-11763","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11763\/","title":{"rendered":"When biometrics can be outsmarted this way, we need to talk"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2020\/01\/cso_nw_digital_identity_security_authentication_access_by_metamorworks_gettyimages-1176067266-100826768-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman| Date: Mon, 03 Jan 2022 06:43:00 -0800<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s one of the sad facts of mobile authentication that the industry tends to initially support the least effective security options. Hence, phones initially supported authentication based on fingerprints (which can be impacted by prescriptions, cleaning products, hand injuries, and dozens of other factors) and then moved on to facial recognition.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In theory, facial recognition is supposed to be more accurate. Mathematically, that\u2019s fair, as it is examining far more data points than scanning a fingerprint. But the reality in the real world is much more problematic. It requires a precise distance from the phone and yet offers no pre-scan markers for the user to know when they hit it correctly. That\u2019s one reason I see facial recognition reject a scan roughly 40% of the time \u2014 even though it will approve a positive scan two seconds later.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In Apple\u2019s early rollout, family members could sometimes unlock each other\u2019s phones. 
This wasn\u2019t limited to identical twins.<\/span><a href=\"https:\/\/www.wired.com\/story\/10-year-old-face-id-unlocks-mothers-iphone-x\/\" rel=\"nofollow noopener\" target=\"_blank\"> <span style=\"font-weight: 400;\">Even mothers and sons can get through the \u201cauthentication\u201d of facial recognition<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But a recent case in China shows that Apple\u2019s facial recognition issues are still bad. In China, a man approached a sleeping woman (his ex-girlfriend), pulled open her eyelids, got a facial recognition green light,\u00a0<\/span><a href=\"https:\/\/www.vice.com\/en\/article\/epxzja\/facial-recognition-theft-alipay-china\" rel=\"nofollow\"><span style=\"font-weight: 400;\">and was able to withdraw money from her bank account<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">First, this is hardly one of the better ways of getting back with one\u2019s ex. But from a cybersecurity perspective, it reinforces the point that mobile devices need much more stringent authentication methods.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The best route would be to use weaker methods \u2014 such as passwords, PINs, and weaker biometrics \u2014 to conveniently access low-priority accounts, such as unlocking the phone to check a weather forecast. But for bank\/money access, social media logins, and any connection to enterprise systems, behavioral analytics should be required.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The very nature of behavioral analytics makes it difficult for a thief to impersonate the individual. Taking an unconscious person\u2019s finger or pulling back an eyelid can be done, assuming the thief has physical access to the user and the phone. 
PINs are unfortunately easy to steal via shoulder surfing, especially for someone with extended physical access.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But mimicking how many typos that user does every 100 words? Or their exact typing speed? Or the angle they tend to hold their phone? Those are personalized and difficult to fake. Yes, <\/span><i><span style=\"font-weight: 400;\">some<\/span><\/i><span style=\"font-weight: 400;\"> behavioral analytics factors are easy to fake, including a user\u2019s IP address, location, and a phone\u2019s fingerprint. That\u2019s why a behavioral analytics deployment needs to use as many factors as possible, mixing easy-to-fake factors with difficult-to-fake ones.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">One of the best things about behavioral analytics is that it operates silently in the background, which means that it\u2019s about as frictionless (for the user) as it is practical. It offers the best of both worlds: it\u2019s a far more stringent and reliable authentication method, but is easier for users than a password or biometrics.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For IT, that frictionless nature makes users more accepting. Also, that \u201cin the background\u201d nature makes it even more difficult for a thief\/intruder, because the attacker can&#8217;t be certain what the system is checking at any given moment.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is why CIOs and CISOs shouldn&#8217;t put a lot of faith in biometrics. Even the most violent and aggressive attack methods \u2014 such as putting a gun to a user\u2019s head and ordering them to access sensitive enterprise files \u2014 can be thwarted with behavioral analytics. If the fear and nervousness from such an attack increases typos and slows down typing speed, that might be enough for a supervisor to be contacted. 
If that supervisor then asks for a video session to make sure everything is OK, it might make the attacker leave. (This is especially true if the attacker suspects the supervisor has already sent police and is using the video session questions to just stall for time.)<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The reason this is such a critical issue for 2022 is that the steady rise of mobile access to your most sensitive databases on the enterprise (including enterprise cloud accounts) is likely to keep growing. We are now at the point where IT can no longer assume that desktop defenses are sufficient. Even if IT has issued a laptop to all employees with sufficient privileges, there isn&#8217;t a company out there that would discourage mobile access. As travel slowly returns this year for some segments, the road warrior issues will make a return engagement. Now, though, attackers \u2014 especially those with a specific interest in your systems \u2014 will be ever more focused on those mobile interactions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The most popular and amorphous cybersecurity buzzword these days is Zero Trust. Any meaningful Zero Trust rollout needs to start with a far more robust approach to authentication, along with a hard review of access management\/privilege control. With mobile devices, authentication has to be <em>the<\/em> overwhelming priority. The path of least resistance is to just piggyback on a mobile device&#8217;s on-board authentication. 
That can work <\/span><i><span style=\"font-weight: 400;\">as <\/span><\/i><span style=\"font-weight: 400;\">long<\/span><i><span style=\"font-weight: 400;\"> as <\/span><\/i><span style=\"font-weight: 400;\">biometrics is just one of a half-dozen factors examined.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"> If you\u2019re still skeptical, there&#8217;s a Chinese ex-boyfriend you need to meet.<\/span><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3646129\/when-biometrics-can-be-outsmarted-this-way-we-need-to-talk.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2020\/01\/cso_nw_digital_identity_security_authentication_access_by_metamorworks_gettyimages-1176067266-100826768-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman| Date: Mon, 03 Jan 2022 06:43:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">It\u2019s one of the sad facts of mobile authentication that the industry tends to initially support the least effective security options. Hence, phones initially supported authentication based on fingerprints (which can be impacted by prescriptions, cleaning products, hand injuries, and dozens of other factors) and then moved on to facial recognition.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In theory, facial recognition is supposed to be more accurate. Mathematically, that\u2019s fair, as it is examining far more data points than scanning a fingerprint. But the reality in the real world is much more problematic. It requires a precise distance from the phone and yet offers no pre-scan markers for the user to know when they hit it correctly. 
That\u2019s one reason I see facial recognition reject a scan roughly 40% of the time \u2014 even though it will approve a positive scan two seconds later.<\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3646129\/when-biometrics-can-be-outsmarted-this-way-we-need-to-talk.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10554,714,24580],"class_list":["post-18030","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-mobile","tag-security","tag-small-and-medium-business"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18030"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18030\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}