From the Wall Street Journal, July 12:
Aetna Adds Behavior-Based Security to Customer Application
App will monitor user behavior in real time; passwords optional
Insurance giant Aetna Inc. is rolling out a new security measure to its mobile and web applications that will monitor user behavior in real time.
Rather than relying solely on a password or fingerprint entered at a single point in time, Aetna apps will continuously monitor security based on user behavior and a number of contextual clues, such as location.
Customers will be able to add biometric authentication factors, such as a fingerprint or other options available on their mobile device, that use the FIDO security standard. Aetna also is introducing a feature that allows users to swipe their finger across the screen to verify their identity.
The move toward behavior-based authentication, a field that seeks to identify unique patterns in the way people perform various activities, comes as cybercriminals grow sophisticated both in tactics and the tools they use, says Jim Routh, Aetna’s chief security officer.
“The reality is the industry is getting more and more account takeover attempts,” he said. About 3.3 billion user credentials across industries were reported spilled in 2016 alone, according to Shape Security.
Security chiefs increasingly are looking for more sophisticated ways to monitor security beyond a one-time authentication measure, said Andras Cser, vice president and principal analyst for Forrester Research Inc. While a fingerprint or password can provide a snapshot, real-time behavior monitoring can allow security teams to monitor apps while users interact with the device.
In Aetna’s case, attributes such as how a person holds their phone, the device configuration or the apps used most frequently will be fed into a risk engine. That engine uses machine learning to create an individual risk score for each user. When a user’s actions deviate significantly from their baseline normal behavior, the risk level increases, and the app may restrict access to certain functions or request another form of authentication before allowing a customer to proceed.
“Ultimately, we want to protect consumers’ health information better than their credit card information,” says Aetna CSO Jim Routh.
If a customer gave their phone to a friend, for example, the app may recognize them as a different person and ask for another form of authentication. “We start to reduce your access to your functionality in the app until you convince us this is actually you,” Mr. Routh said....
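To make the mechanism concrete, here is a toy continuous-authentication risk engine added as an illustration (it is not Aetna's engine, any vendor's product, or code from the article): a per-user baseline is learned from past sessions, each new session gets a risk score from how far it deviates from that baseline plus a penalty for an unfamiliar device, and app functions are allowed, gated behind step-up authentication, or restricted by risk tier. The signal names, policy thresholds and sample sessions are all constructed for the example.

```python
from statistics import mean, pstdev

# Behavioural signals the app might sample during a session (hypothetical).
FEATURES = ("hold_angle_deg", "swipe_px_per_s", "km_from_home")

# Hypothetical policy: the highest risk score at which each app function is
# still allowed without asking for another authentication factor.
FUNCTION_RISK_LIMIT = {"view_id_card": 0.60, "view_claims": 0.35, "change_address": 0.20}
RESTRICT_ABOVE = 0.70  # above this, lock the function until the user re-proves identity

def build_baseline(history, device_id):
    """Per-user baseline: mean and spread of each signal over past sessions,
    plus the device the user normally signs in from."""
    stats = {}
    for f in FEATURES:
        vals = [obs[f] for obs in history]
        stats[f] = (mean(vals), max(pstdev(vals), 1e-6))  # avoid divide-by-zero
    return {"stats": stats, "device_id": device_id}

def risk_score(baseline, obs):
    """0..1 score: how far this session sits from the baseline (mean |z|,
    capped), plus a fixed penalty when the device configuration changed."""
    zs = [abs(obs[f] - m) / sd for f, (m, sd) in baseline["stats"].items()]
    behavioural = min(1.0, mean(zs) / 6.0)
    device_penalty = 0.0 if obs["device_id"] == baseline["device_id"] else 0.3
    return min(1.0, behavioural + device_penalty)

def decide(baseline, obs, function):
    """Tiered response: allow, ask for step-up auth, or restrict the function."""
    r = risk_score(baseline, obs)
    if r <= FUNCTION_RISK_LIMIT[function]:
        return "allow"
    return "step_up" if r <= RESTRICT_ABOVE else "restrict"

# Constructed sample sessions for one user on their own phone ("dev-A").
HISTORY = [
    {"hold_angle_deg": 30, "swipe_px_per_s": 800, "km_from_home": 0.0},
    {"hold_angle_deg": 34, "swipe_px_per_s": 760, "km_from_home": 2.0},
    {"hold_angle_deg": 28, "swipe_px_per_s": 840, "km_from_home": 0.5},
    {"hold_angle_deg": 32, "swipe_px_per_s": 790, "km_from_home": 1.5},
]
BASELINE = build_baseline(HISTORY, "dev-A")
OWNER = {"hold_angle_deg": 31, "swipe_px_per_s": 800, "km_from_home": 1.0, "device_id": "dev-A"}
FRIEND = {"hold_angle_deg": 40, "swipe_px_per_s": 700, "km_from_home": 1.0, "device_id": "dev-A"}  # same phone, different hands
NEW_DEVICE = dict(OWNER, device_id="dev-B")  # usual behaviour, unfamiliar device

if __name__ == "__main__":
    for name, obs in (("owner", OWNER), ("friend", FRIEND), ("new device", NEW_DEVICE)):
        print(name, round(risk_score(BASELINE, obs), 3),
              {fn: decide(BASELINE, obs, fn) for fn in FUNCTION_RISK_LIMIT})
```

Running it shows the tiering the article describes: the owner is allowed everything, the friend on the same phone keeps low-sensitivity functions but is challenged for claims and address changes, and the friend on an unknown device is restricted outright.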