Aetna replacing security passwords with machine learning tools
Aetna has launched a new security system for its consumer mobile and web apps that, in something of a twist, makes passwords optional.
Instead of a password or fingerprint being the only barrier to entry, Aetna’s new behavior-based security system monitors user devices and how and where a consumer uses that machine. Consumers can add biometric protection available on their devices.
“Passwords are a mainstay of conventional online authentication and are considered to be a binary control - if a consumer has the user ID and password, they are enabled to use the application,” said Jim Routh, chief security officer at Aetna. “Binary authentication controls work well when the assumption is that only the consumer has the password and remembers it. That assumption, however, is no longer valid.”
In 2016, more than three billion passwords were harvested from breaches by criminals in the U.S., according to Shape Security.
“Criminals exchange passwords on the Dark Web and use a technique called credential stuffing to apply passwords to targeted web domains and automatically attempt authentication for tens of thousands of compromised passwords,” Routh explained. “Criminals are able to achieve a two percent hit ratio of account takeover using credential stuffing, helped by the fact that consumers reuse passwords across sites.”
Consequently, passwords are becoming obsolete as a primary means of authentication. Enterprises need to change their thinking on the use of binary controls in an authentication event at the initiation of an online interaction with a consumer and consider using many different attributes to confirm authentication, Routh said.
Aetna enables consumers to choose which biometric factors they prefer on their device and then apply that selection as one of the authentication attributes considered by a risk engine.
That risk engine takes in data from many attributes of the device (software configuration, operating system version, etc.), in addition to benign attributes of consumer behavior (for example, how a mobile device is held when texting and location of the device), and matches these attributes against a device signature and a model based on previous behavior.
The risk engine binds a consumer to one or more of the devices they typically use. If they use a new device, the authentication request may include a PIN or biometric to confirm the consumer wishes to bind their identity to a new device. The risk engine compares the benign behavioral attributes to the existing behavioral model and determines a risk score based on the match.
“The behavioral attributes are used to compare with the baseline model and are not stored or used for other purposes,” Routh said. “The risk engine produces a risk score to the application and if it is within the risk threshold for the application then the consumer has full functionality. If the risk score changes during interaction and is outside of the established threshold then the consumer may receive a request to enter a PIN or verify with a biometric control.”
Put more simply, the risk engine is comparing attributes to an established pattern. The attributes have a weighting so if an attribute is not available then the other attributes are used by the risk engine to consistently produce a risk score. Some attributes have a higher weighting than others, and comparing attributes to a model to determine a risk score is something that is done consistently well with the risk engine, Routh said.
So how does the behavior-based security system get to know users so well?
“The risk engine is using unsupervised machine learning to match attributes to the existing model, so the more data provided into a model the better it performs over time,” Routh explained. “Therefore, the more often the consumer uses the application, the more effectively the risk engine performs. Aetna provides consumers with choices on how they wish to interact and which types of biometric controls they prefer on their devices. Giving consumers choices gives them more convenience while also providing them with better security to protect their information.”