Ron Moritz

The problem with secrets

With behavioral authentication, you no longer have to remember the name of your first pet in case you forget your password
A Jerusalem hacker at work attacking web sites (Photo credit: Sliman Khader/FLASH90)

Secret questions are about to be relegated to the dust-bin of technology.

What’s the name of your first pet? Where did you attend high school?  What was your mother’s last name before she got married? Where did you get married?

You’re now scratching your head. These questions sound familiar. Then it hits you: You were required to provide answers to such questions when you registered for some web service. Just in case you forget your password, the web service will ask you to answer one or more such questions. Feels secure? Makes sense? Sure!

But wait. Didn’t you happen to post a picture of your first pet on Facebook? Didn’t you Tweet information about your wedding (though hopefully not while taking your vows!)? Don’t you belong to your high school group on And aren’t you friends with your mother who posts using her maiden name so that she can be found by her childhood friends?

You’re not alone. And everyone knows that.

By now you may be asking yourself, perhaps these challenge-response security systems are not so secure? If I’ve managed to disclose all this “private” information on the Internet, can’t the bad guys put together a profile that would allow them to defeat the security systems that depend on knowing the response to common challenges?

Yes they can. And yes they are. Secret questions are no longer effective to authenticate users to online services. And so the days of challenge-response systems are coming to a close – and many of us are ready to say hurrah!

If online account access authentication services that depend on secret questions are no longer viable, what alternatives are available? One emerging trend is behavioral authentication. What if the apps you use could learn your online behavior? If so, could they trigger alarms when the account is being accessed by someone whose behavior differs from yours?

These systems are fascinating in that they are continuous: They don’t limit their decisions to a single username/password combination entered at the start of an online session. By monitoring the interaction with the web site, and the activities and transactions performed, flags can be raised at any point in time.

By considering the device being used to access the service, the navigation through the service, the location from which the connection originates, the way the mouse is moved or its wheel rotated, the way the mobile phone or tablet is held, the amount of pressure applied to the touch screen, and so forth, profiles can be created and compared. When a future session associated with a specific account doesn’t match the historical (legitimate) profiles, alarms are triggered and action can be taken.
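A sketch of the profile-and-compare loop described above, added here as an illustration rather than code from the post or from any product: the signals, the historical sessions, the weights and the threshold are all constructed assumptions.

```python
import statistics
NUMERIC = ("mouse_speed", "key_hold", "pages_per_min")  # px/s, ms, pages per minute
# Constructed history of legitimate sessions for one account (assumed data).
HISTORY = [
    {"device": "dev-A", "country": "IL", "mouse_speed": 410.0, "key_hold": 95.0, "pages_per_min": 3.1},
    {"device": "dev-A", "country": "IL", "mouse_speed": 395.0, "key_hold": 100.0, "pages_per_min": 2.8},
    {"device": "dev-B", "country": "IL", "mouse_speed": 430.0, "key_hold": 92.0, "pages_per_min": 3.3},
    {"device": "dev-A", "country": "IL", "mouse_speed": 405.0, "key_hold": 98.0, "pages_per_min": 3.0},
    {"device": "dev-B", "country": "IL", "mouse_speed": 420.0, "key_hold": 97.0, "pages_per_min": 2.9},
]
def build_profile(sessions):
    """Summarise past sessions: known devices/locations plus mean and spread per signal."""
    profile = {"devices": {s["device"] for s in sessions},
               "countries": {s["country"] for s in sessions}}
    for f in NUMERIC:
        vals = [s[f] for s in sessions]
        profile[f] = (statistics.mean(vals), statistics.pstdev(vals) or 1.0)
    return profile
def score_event(profile, event):
    """Anomaly score of one in-session observation: 3 points per unknown device or
    country, plus the z-distance of each numeric signal from the profile mean."""
    score = 0.0
    if event.get("device") not in profile["devices"]:
        score += 3.0
    if event.get("country") not in profile["countries"]:
        score += 3.0
    for f in NUMERIC:
        if f in event:
            mean, sd = profile[f]
            score += abs(event[f] - mean) / sd
    return score
def monitor_session(profile, events, threshold=3.0):
    """Continuous check: smooth scores over time (EMA) so one noisy sample does not
    trip the alarm; return the index of the first event that does, else None."""
    running = 0.0
    for i, ev in enumerate(events):
        running = 0.5 * running + 0.5 * score_event(profile, ev)
        if running >= threshold:
            return i
    return None
# Constructed sessions: a legitimate one, and one where the account is taken over
# mid-session from an unfamiliar device and country (numeric signals match the profile).
LEGIT = [{"device": "dev-A", "country": "IL", "mouse_speed": 415.0, "key_hold": 96.0, "pages_per_min": 3.0}] * 3
HIJACK = [
    {"device": "dev-A", "country": "IL", "mouse_speed": 420.0, "key_hold": 97.0, "pages_per_min": 3.1},
    {"device": "dev-Z", "country": "US", "mouse_speed": 412.0, "key_hold": 96.4, "pages_per_min": 3.02},
]
```

`monitor_session(build_profile(HISTORY), HIJACK)` returns 1: the alarm fires on the second event, after the login itself looked legitimate.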

Behavioral authentication is all about constantly monitoring and building activity profiles and continuously verifying that a legitimate user is in the driver’s seat. It’s like going to the ATM with a personal bodyguard who is ready to push aside any attempt to grab the cash you are withdrawing.  This exciting stuff will be coming soon to a high-risk website near you courtesy of yet another Startup Nation innovation. Stay tuned!


About the Author
Ron Moritz is a well-regarded high tech executive and cybersecurity expert. He is the cybersecurity venture partner with equity crowdfunding platform, OurCrowd, and recently founded TrueBit Cyber Partners offering cybersecurity technology due diligence services.