www.blogs.wsj.com | July 12, 2017
App will monitor user behavior in real time; passwords optional
Insurance giant Aetna Inc. is rolling out a new security measure to its mobile and web applications that will monitor user behavior in real time.
Rather than relying solely on a password or fingerprint entered at a single point in time, Aetna apps will continuously monitor security based on user behavior and a number of contextual clues, such as location.
Customers will be able to add biometric authentication factors, such as a fingerprint or other options available on their mobile device, that use the FIDO security standard. Aetna also is introducing a feature that allows users to swipe their finger across the screen to verify their identity.
The move toward behavior-based authentication, a field that seeks to identify unique patterns in the way people perform various activities, comes as cybercriminals grow sophisticated both in tactics and the tools they use, said Jim Routh, Aetna’s chief security officer.
“The reality is the industry is getting more and more account takeover attempts,” he said. About 3.3 billion user credentials across industries were reported spilled in 2016 alone, according to Shape Security.
Security chiefs increasingly are looking for more sophisticated ways to monitor security beyond a one-time authentication measure, said Andras Cser, vice president and principal analyst for Forrester Research Inc. While a fingerprint or password can provide a snapshot, real-time behavior monitoring can allow security teams to monitor apps while users interact with the device.
In Aetna’s case, attributes such as how a person holds their phone, the device configuration or the apps used most frequently will be fed into a risk engine. That engine uses machine learning to create an individual risk score for each user. When a user’s actions deviate significantly from their baseline normal behavior, the risk level increases, and the app may restrict access to certain functions or request another form of authentication before allowing a customer to proceed.
If a customer gave their phone to a friend, for example, the app may recognize them as a different person and ask for another form of authentication. “We start to reduce your access to your functionality in the app until you convince us this is actually you,” Mr. Routh said.
It takes between one and two weeks to determine someone’s baseline normal behavior, depending on how often the app is used. The behavioral data will not be stored, but rather fed into the risk engine and then discarded. The risk engine itself is protected with six layers of security controls, Aetna said.
Aetna has no plans or capability to monetize the data, a spokesman said.
Behavior-based, contextual security measures are relatively new. Few companies are using this technology in production, but corporate interest is high, according to Forrester’s Mr. Cser.
“Ultimately, we want to protect consumers’ health information better than their credit card information,” Mr. Routh said. The need to protect the apps is crucial, since many have access to potentially sensitive health and financial data.
During registration, customers will be offered the chance to set up a PIN and a biometric authentication option available on their device, Mr. Routh said. Over time, as the behavioral model improves, the traditional authentication measures are relaxed: instead of typing in the password or PIN, users will automatically be authenticated when they open the app.
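As an added illustration of the flow described in the risk-engine passage above and in the registration paragraph here (not Aetna's code, which the article does not disclose): a per-user baseline built from running statistics over a hypothetical 14-session learning window, a risk score derived from deviation, and a decision that falls back to a PIN while learning, authenticates silently at low risk, restricts functions at medium risk and steps up authentication at high risk. The feature names, thresholds and sample sessions are constructed for the example.

```python
from dataclasses import dataclass, field
from math import sqrt

LEARNING_SESSIONS = 14  # hypothetical stand-in for the "one to two weeks" learning period
@dataclass
class Baseline:
    # Per-user baseline: only running count/mean/M2 are kept, raw samples are discarded.
    n: int = 0
    mean: dict = field(default_factory=dict)
    m2: dict = field(default_factory=dict)

    def update(self, features):
        # Welford's online update; assumes every session reports the same feature set.
        self.n += 1
        for k, x in features.items():
            mu = self.mean.get(k, 0.0)
            delta = x - mu
            mu += delta / self.n
            self.mean[k] = mu
            self.m2[k] = self.m2.get(k, 0.0) + delta * (x - mu)

    def risk_score(self, features):
        # Mean absolute z-score over known features, scaled so 4 sigma maps to 1.0.
        zs = []
        for k, x in features.items():
            if k in self.mean:
                sd = max(sqrt(self.m2[k] / max(self.n - 1, 1)), 1e-3)  # floor for constants
                zs.append(abs(x - self.mean[k]) / sd)
        return min(sum(zs) / len(zs) / 4.0, 1.0) if zs else 1.0

def decide(baseline, features):
    # Map risk to an app action: PIN while learning, then allow / restrict / step up.
    if baseline.n < LEARNING_SESSIONS:
        return "require_pin"          # model not yet trusted: fall back to PIN
    r = baseline.risk_score(features)
    if r < 0.25:
        return "allow"                # low risk: authenticate silently on open
    if r < 0.60:
        return "restrict_sensitive"   # reduce functionality until the user proves identity
    return "step_up_auth"             # large deviation: request another factor

# Constructed sample sessions (hold angle in degrees, swipe speed in screen widths/s).
SESSIONS = [{"hold_angle": 40 + 2 * (i % 2), "swipe_speed": 1.0 + 0.2 * (i % 2)}
            for i in range(LEARNING_SESSIONS)]

def build_baseline(sessions=SESSIONS):
    b = Baseline()
    for s in sessions:
        b.update(s)
    return b
```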
To build the behavior-based functionality, Aetna collaborated with a handful of early-stage startups, most of which didn’t have a product when they began working with the insurer. Aetna took the best capabilities from each startup, such as the risk engine or finger-swipe functionality, and combined them into a single framework, Mr. Routh said.
Companies walk a thin line as they work to improve security without disrupting user experience. Some customers may perceive that their data is less secure if they give up their password, Forrester’s Mr. Cser said. On the other hand, user experience may be disrupted if the behavior-based security methods act on a false positive, such as limiting access to a user whose behavior changes due to a broken finger.
Aetna acknowledges that not all users will want to switch to the new authentication measures right away. Some will want to use a traditional password, and Aetna plans to offer them that choice. Health plan sponsors, such as employers, will be able to choose how quickly they roll new features out to individuals, Mr. Routh said.
The behavior-based model is now available through the insurer’s Aetna Mobile app. The insurer plans to roll out the feature for users of its HSA accounts, which use an app called PayFlex, later this fall. That deployment will reach about two to three million users, which Mr. Routh said is small enough to allow Aetna to refine the rollout strategy before deploying it more widely.