We shouldn’t focus on changing user behavior—but on understanding it

The state of online identity is bleak—mostly because it relies on an outdated username and password model. Each year, 1 billion credentials are leaked or breached, and 73 percent of passwords are being reused across sites. These dynamics have led to an increase in account takeovers (ATOs), in which a hacker tries stolen credentials across a variety of websites and takes over entire accounts to steal financial or personal information or to abuse the reputation of an account.

Because the activity is associated with a user account and not, say, a suspicious email address, ATOs can be hard to catch with existing fraud tools. But they’re one of the fastest-growing threats to online businesses of every kind, up 31 percent in 2016, according to a Javelin Strategy & Research report from earlier this year. And losses due to such fraud topped $2.3 billion, a 61 percent increase over the prior year.

It’s a serious problem that we realized didn’t have a clear solution. The conventional thinking out there is that it’s the user’s responsibility to take extra steps to secure their accounts. Users need to implement two-factor authentication; users need to make their passwords unique and complicated enough. That means that companies are pushing the burden of security onto their customers, but the way we see it, that thinking is flawed. We shouldn’t focus on changing user behavior—but on understanding it.

That’s why we created Castle.

We wanted a new approach to security that would work for businesses without placing the burden on customers, because that’s the only thing that actually has a chance of working. Rather than focus on two-factor authentication or rate limiting login attempts, which have become table stakes for online businesses but can reduce conversions, Castle focuses on user behavioral analytics.

Castle learns from users’ behavior and identifies suspicious activity in real time, using signals such as access from an unusual place in the middle of the night, interaction that doesn’t match a user’s typical patterns, and hundreds of others. The second someone starts behaving suspiciously or tries logging in using a stolen password, Castle automatically takes measures: it locks down clearly malicious accounts, alerts end users to self-verify their suspicious activity, and flags situations for administrators. The user challenge model is especially important, because it lets us avoid false positives while preventing account takeovers, and it also lets us use that feedback to improve our risk engine automatically. This approach means we’re able to detect, and prevent, ATO in real time, without driving legitimate users away. The closed feedback loop also means Castle can be completely automated to prevent such attacks.

In an era where emails have become users’ identities online, we can benefit from shared knowledge, but we also need to apply that insight to provide security properly. We do this with our self-learning models and practical end-user challenge and notification flows, which help Castle get smarter. There are clear network effects to Castle, which is why we built it to be accessible to businesses of every size: we made it simple to integrate, test, and automate. And it doesn’t replace anything on existing applications; it’s just a layer that fits on top of password and security parameters.

We made Castle because we believe behavioral analytics are the future of user security and identity, and we’re ready to make the future a reality now. What it comes down to is that passwords are broken — but behavior is not. And creating a security moat based on behavior is exactly what we’re equipped to do.