Are Humans The “Weak Link?”
Security professionals often lament the “human element.” It is only due to human fallibility that our systems are not secure. We are not good at coming up with or keeping track of passwords. We don’t follow security guidelines. We are easily fooled by phishing or social engineering. We often act in ways that leave systems vulnerable.
It is time to flip this attitude around. Yes, humans are not machines. We are wonderfully flawed. And each of us is profoundly unique; a combination of nature and nurture, a product of our experience and circumstance, all woven together with the human spirit to form the tapestry of who we are. All of these little imperfections are not “bugs” to be fixed, but form the core of our humanity.
GaitAuth: One Small Step for Man, One Giant Leap for Authentication
Today, we are releasing a new API called GaitAuth™. It can authenticate a person based on the motion associated with their gait – the way they walk – completely passively and at a high level of accuracy. It is able to return an authentication result after only a few steps of carrying your phone. This allows you to authenticate a user using one of the most natural human actions: walking.
You may wonder how unique someone’s gait truly is. Your gait is a product of your unique physiology and years of muscle memory. And unlike static biometrics like fingerprint or facial recognition, it is dynamic and constantly changing, and it is hard for others to spoof and steal. We’ve tested our models using anonymized data from millions of mobile phones and found the accuracy of gait-based authentication can rival other biometrics like fingerprint, iris, or face. Gait also has the benefit that it continues to work even if the user is wearing a face mask or gloves.
GaitAuth is the culmination of almost four years of research and development from the UnifyID team to bring a solution that is highly accurate, efficient, robust, and secure. I’m proud of what they have been able to accomplish and the results are truly amazing.
GaitAuth Use Cases
Because GaitAuth can run passively in the background, it is useful in a wide variety of situations:
- GaitAuth is an ideal solution where passive or continuous authentication is desired. With GaitAuth, you can detect if a device changes possession within a handful of steps and deauthenticate the user. The user also does not need to be walking to authenticate. Because GaitAuth runs passively in the background, you can also use historical information about the last time they were walking and whether the phone has left their possession since that time.
- GaitAuth helps provide seamless access control for doors and smart locks. By using GaitAuth, a user can walk up to a door with their phone and have the door unlock automatically. If someone steals their phone, their gait signature will not match and they cannot unlock the door. In fact, GaitAuth is the only multifactor authentication technique that requires no user interaction or training – it combines something you have (your phone) with something you are (your unique gait) without requiring the user to do anything extra.
- GaitAuth is also useful for vehicles and travel. With GaitAuth integrated into your car’s mobile app, you won’t need to carry keys to your car anymore. You can walk up to your car with your phone and the door will unlock, and even if someone grabs your phone, they won’t be able to get into your car. It is also useful for seamless authentication for the entire travel journey, from the moment you leave your door, to airport security, to boarding, to rental cars, to hotels, to dining and activities, all of which have friction due to authentication. Using GaitAuth allows many of these interactions to become much more seamless.
- GaitAuth is a great fit for situations where workers have access to sensitive data, but are on the move and need to authenticate often, such as medical workers, airport personnel, or flight attendants. This is especially true if workers may be wearing masks or gloves, as face or fingerprint recognition may be impractical.
- GaitAuth is also useful for cross-device authentication like automatically unlocking your computer when you approach your desk or touchless access to ATMs, kiosks, or point terminals. You can leverage the passive GaitAuth biometric signal from the phone to authenticate to other devices, without having to take out your phone.
GaitAuth is now available for both iOS and Android as a modular SDK you can link into any mobile application. It is lightweight (<2 MB), low-power, and uses only minimal network as the motion data is processed directly on the phone.
GaitAuth is the first of our public APIs we are releasing with the goal of continuous, implicit authentication, with more to come. Rather than view humans as the weak link in security, we want to use what makes us unique as humans to strengthen security. Our GaitAuth API is our first “step” towards our goal of making our experiences with security and authentication more seamless, more usable, and ultimately, more human.