Desktop computers, mobile devices and tablet computers have no built-in security mechanisms for user authentication with web services and applications, other than the traditional Personal Identification Number (PIN) or the use of additional devices such as smart cards or One-Time Password (OTP) tokens. However, web services and applications for banking access rely on strong user authentication to protect customer data and funds against unauthorized access. For user authentication to be unobtrusive and non-disruptive, behavioral authentication, which is transparent to the user, is seen as a preferred method.
Because behavioral methods are built to discriminate users based on their behavior, they have difficulty coping with shared accounts used by two users with different behaviors, for example a shared banking account (a spouse account). Such accounts are widespread, typically as family accounts and in small companies, so the problem arises in many settings.
There are several patent applications and issued patents in the field of user authentication which use biometric methods to identify users on mobile devices and other computing devices. In U.S. Patent Publication No. 2010/0225443, a system is described for user authentication using touch sensitive elements and/or using a signature of the user. In U.S. Patent Publication No. 2011/0126024, a method and system are described for combining a PIN and a biometric sample. In U.S. Pat. No. 8,443,443, a behavioral system is described for authenticating users, based on keyboard, mouse and Graphical User Interface (GUI) actions.
In behavioral systems there is typically an enrollment phase and an authentication phase. In the enrollment phase, behavioral data of the user is gathered on the client computing device and transferred to a behavioral authentication system, whose server generates a behavioral profile for the user and stores the profile in a database.
In the authentication phase, behavioral data of the user is gathered on the client computing device and sent to the behavioral authentication system, which compares the received behavioral data with the behavioral profile associated with the user. If the behavioral data of the user is similar to the behavioral data stored in the associated behavioral profile, the user is granted access to the protected application or resource. The problem with this solution is that there is no possibility of adding multiple users to the same profile, as different users show different behaviors.
Many software applications, such as banking applications, provide for a joint account, often termed a “spouse account”, where two or more individuals share an account and are all authorized to access it. In real environments, such as banking applications or access control systems for sensitive information, multiple users often access the protected information or application using the same username or user access data, such as a customer number and a user-specific PIN. In banking applications, these might be the owner of the account and his spouse, or multiple employees in a company where several people are allowed to manage a banking account using the same customer number. As such, the users cannot be distinguished by their customer number. Because typically a single profile is built for each customer number, the behavioral profile associated with the customer number would have to consist of stored behavioral data of several people, which is not possible using the solutions described above. Thus, there is a need in the art for more effective systems and methods for authenticating several users of a single account based on behavioral information.
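The enrollment and authentication phases described above, and the shared-account problem, as an added illustration that is not part of the patent text: a minimal keystroke-dynamics profile (per-feature mean and standard deviation, with a z-distance score) built from constructed samples for two account holders. It goes one step beyond the text by also showing an assumed per-holder alternative (`authenticate_any`), which is this example's own construction and not the method the patent claims.

```python
import statistics

# Constructed keystroke-dynamics samples, one tuple per login attempt:
# (mean inter-key latency in ms, mean key dwell time in ms).
USER_A = [(118, 78), (122, 82), (120, 80), (119, 81), (121, 79)]
USER_B = [(218, 128), (222, 132), (220, 130), (219, 131), (221, 129)]
IMPOSTOR = (170, 105)  # constructed: behaviour halfway between A and B


def enroll(samples):
    """Enrollment phase: per-feature (mean, std) profile from a user's samples.
    The std is floored at 1 ms so a very consistent user does not get zero width."""
    return [(statistics.mean(col), max(statistics.pstdev(col), 1.0))
            for col in zip(*samples)]


def score(profile, sample):
    """Authentication phase: mean absolute z-distance of a new sample from the profile."""
    return sum(abs(x - m) / s for (m, s), x in zip(profile, sample)) / len(profile)


def authenticate(profile, sample, threshold=3.0):
    """Grant access when the sample lies within `threshold` std deviations on average."""
    return score(profile, sample) <= threshold


def authenticate_any(profiles, sample, threshold=3.0):
    """Assumed alternative for a shared account (not the page's method): keep one
    profile per account holder and accept if the sample matches any of them."""
    return any(authenticate(p, sample, threshold) for p in profiles)


if __name__ == "__main__":
    profile_a = enroll(USER_A)
    merged = enroll(USER_A + USER_B)         # one profile built from both holders
    separate = [profile_a, enroll(USER_B)]   # one profile per holder
    # The merged profile's std balloons to ~50 ms, so it accepts both holders
    # but also the impostor whose behaviour sits between them.
    for name, sample in [("A", USER_A[2]), ("B", USER_B[2]), ("impostor", IMPOSTOR)]:
        print(f"{name:8s} single-A={authenticate(profile_a, sample)!s:5s} "
              f"merged={authenticate(merged, sample)!s:5s} "
              f"per-holder={authenticate_any(separate, sample)}")
```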