Emerging Defense

Is this the end of the password?

We’ve all heard of two-factor, three-factor, or the often overpromised “multi-factor” authentication mechanisms. Traditionally, there are only three possible factors:

  1. Something you know (password)

  2. Something you have (a secret token)

  3. Something you are (fingerprint)

Each of these factors is based on some observable feature of the user/device interaction. Each one has its strengths and limitations. Passwords are easy to manage but can be guessed or brute forced; tokens add a physical dimension but are too complex for repetitive authentication; and history has shown us that biometrics, while provocative, are easy to simulate and, once compromised, cannot be changed.

Some consider device or environmental information, such as an IP address or hardware fingerprint, to be additional factors that enable true multi-factor authentication. These are really just “something you have”, which makes true multi-factor a myth that is only used to ‘lubricate’ software sales. Today, we are left to contend with three exploitable factors. That is, until a better one emerges.

The Fourth Factor

BioEncrypt SDK has developed a fourth authentication factor that most haven’t considered because of technology and privacy challenges. The fourth factor encompasses the most critical and unique feature of the user: their behavior. The popularity of mobile devices has driven the consumerization of a previously expensive array of sensors. These sensors reside in the pockets of people worldwide, and from them we can measure what makes you, you.


This sensory data can be used to authenticate users not on what they know, have or are, but on how they are. Think about that for a minute. The angle at which you hold your phone, the gait of your stride, time of access, your last workout activity, and your location in the world at any given moment are all unique to you. No two people have the same behavior, and no two people use their devices in the same way. By harnessing the availability of GPS, gyroscopes, accelerometers, and time, BioEncrypt can build behavioral baselines of how and when a user interacts with their world.

Wi-Fi, cellular, and Bluetooth interfaces enable one to learn not just how you interact with the world, but literally what your world consists of. Do you connect to a specific set of Wi-Fi access points every day? Did you know every Bluetooth device you own is unique to you? Just as no two people use their devices in the same way, you can be sure no two people live in the same environment.

What if we could take these measurements in a way that respects user privacy while building a mathematical model of the individual behind the device? The BioEncrypt approach is designed for privacy: it’s your data, so it never leaves your device. Who needs raw data? BioEncrypt operates exclusively on baseline analysis and tokenization.

Our research has shown not only that this is possible, but that it can be widely successful. New technology requires new security measures that scale appropriately with risk. BioEncrypt’s user TrustScore does just that. As we move into the next evolutionary phase of mobile computing, we must rid ourselves of the shackles of traditional security controls and leverage the strengths of device capabilities in the name of usability and security.
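To make the three ideas above concrete (a behavioral baseline built from sensor readings, environment identifiers kept only as tokens so raw SSIDs and Bluetooth addresses never leave the device, and a score that degrades as an observation drifts from the baseline), here is an added illustration. It is not BioEncrypt’s code, whose model and scoring the post does not describe; the feature names, the per-device secret, the weights and the 2-sigma threshold are all assumptions, and the sessions are constructed sample data.

```python
import hashlib
import hmac
import statistics

# Constructed device secret and sample sessions (not real data); feature names are assumptions.
DEVICE_SECRET = b"per-device-secret-kept-in-the-keystore"
SESSIONS = [
    {"features": {"hold_angle_deg": 35, "step_period_s": 1.05, "hour": 8}, "env": ["HomeWiFi", "aa:bb:cc:01"]},
    {"features": {"hold_angle_deg": 37, "step_period_s": 1.00, "hour": 9}, "env": ["HomeWiFi", "aa:bb:cc:01"]},
    {"features": {"hold_angle_deg": 33, "step_period_s": 1.10, "hour": 8}, "env": ["OfficeWiFi", "aa:bb:cc:01"]},
    {"features": {"hold_angle_deg": 36, "step_period_s": 1.02, "hour": 9}, "env": ["OfficeWiFi"]},
]

def tokenize(identifier: str, secret: bytes) -> str:
    """Keyed hash of an SSID or Bluetooth address: the baseline stores the token, never the raw value."""
    return hmac.new(secret, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def build_baseline(sessions, secret):
    """Per-feature mean and population std-dev, plus counts of environment tokens seen across sessions."""
    values, env = {}, {}
    for s in sessions:
        for name, v in s["features"].items():
            values.setdefault(name, []).append(v)
        for ident in s["env"]:
            tok = tokenize(ident, secret)
            env[tok] = env.get(tok, 0) + 1
    # A zero std-dev (constant feature) is floored so the z-score below stays finite.
    features = {n: (statistics.fmean(v), statistics.pstdev(v) or 1e-6) for n, v in values.items()}
    return {"features": features, "env": env}

def trust_score(baseline, observation, secret, z_max=2.0):
    """0.0..1.0: share of features within z_max sigma (weight 0.6) plus share of known env tokens (0.4)."""
    feats = baseline["features"]
    within = sum(1 for n, (mean, sd) in feats.items()
                 if abs(observation["features"].get(n, mean) - mean) / sd <= z_max)
    feat_score = within / len(feats) if feats else 0.0
    toks = [tokenize(i, secret) for i in observation["env"]]
    env_score = sum(t in baseline["env"] for t in toks) / len(toks) if toks else 0.0
    return round(0.6 * feat_score + 0.4 * env_score, 3)

BASELINE = build_baseline(SESSIONS, DEVICE_SECRET)
# Constructed observations: a typical morning session, and an off-hours session from an unknown place.
NORMAL_OBS = {"features": {"hold_angle_deg": 36, "step_period_s": 1.04, "hour": 8}, "env": ["HomeWiFi", "aa:bb:cc:01"]}
ODD_OBS = {"features": {"hold_angle_deg": 70, "step_period_s": 1.60, "hour": 3}, "env": ["CafeFreeWifi"]}

if __name__ == "__main__":
    print("normal:", trust_score(BASELINE, NORMAL_OBS, DEVICE_SECRET))  # 1.0
    print("odd:", trust_score(BASELINE, ODD_OBS, DEVICE_SECRET))        # 0.0
```

A real deployment would replace the hand-picked weights with a model trained per user and would feed the score into a risk-scaled policy (step-up authentication below a threshold) rather than a hard accept/reject.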

Jason Miller