Behavioral biometrics enables the measurement and analysis of patterns in human activities. It’s a breakthrough cybersecurity technology that identifies people by how they do what they do, rather than by static physical characteristics, what they know, or what they have access to. It is the advanced solution for fighting cybercrime in an age when criminals have more access to our personally identifiable information (PII) and more sophisticated hacking methods than ever before.
The Rise of Biometric Authentication through Physical Characteristics
In the last two decades, the use of biometric security applications has catapulted alongside digital innovation. This is due in large part to digital transformation in traditional industries, identity-based functions shifting to mobile applications, and a rise in fraud and identity theft in new digital channels.
According to forecasts by Acuity Market Intelligence, the demand for mobile/wearable devices that include biometric security applications will reach 2.5 billion users and ~4.8 billion devices by 2020. Moreover, Juniper Research has recently claimed that more than 770 million biometric authentication applications will be downloaded each year by 2019.
If you do your banking through a mobile device or transfer funds through any type of payment application, you’ve almost certainly experienced authentication through your physical characteristics. These are static, highly resistant to alteration, non-transferable and cannot be misplaced or forgotten.
Fingerprints, face recognition, hand geometry, voice recognition, palm vein recognition, retina scans, iris recognition, and signature verification are the most common types of characteristics used for biometric authentication.
- Fingerprints: Through optical/ultrasound/thermal sensors, fingerprints can be digitally collected and stored. Fingerprints are considered the most popular biometric identification method and have been in extensive use for more than a century. The most widely-used technique, minutiae-based matching, compares the location and direction of minutiae points. Each fingerprint contains 30 to 40 minutiae points and no two people have more than eight points in common.
- Facial Recognition: Using statistical patterns, facial recognition measures different points on an individual’s face to extract data and match them to pre-existing templates associated with the individual to verify his/her identity.
- Iris Recognition: These systems use special sensors to identify the iris and map segments into vectors, which include spatial and orientation data. This data is converted to a unique code and compared to other stored codes.
The underlying assumption in the biometric security approach is that biometric factors are unique, measurable and consistent. Thus, in a wide array of technological systems, physical biometrics are used as the primary method for identification/authentication and access control.
In a nutshell, biometric systems are based on three pillars:
- Sensors: subcomponents that detect and measure biometric data and digitize it.
- Templates: signal processing algorithms and techniques create biometric templates of the user. Later, these templates are compared to stored data and matched with existing profiles.
- Decision Rules: a decision process that uses matching event results.
Static Biometrics vs. Continuous Behavioral Authentication
While the use of biometrics has increased over the years, a growing number of companies and organizations have raised serious concerns about the use of physical factors.
- First, using only one physical biometric data point to authenticate a user at the time of login is fundamentally the same as adding a static second password, albeit one that can never be changed if compromised.
- Second, physical biometrics can be captured and in many cases sold, used again or synthesized with fake IDs.
- Finally, physical biometrics are based on a static approach.
The problem with physical biometric security based on static factors, like points captured in fixed images, is that even if the initial authentication is valid and done by the legitimate user, the integrity of the session gradually erodes over time. The only way to restore it is to require additional authentication factors.
However, continuing to ask users for traditional factors like fingerprints, facial recognition and passwords is disruptive and causes friction, leading to a poor user experience. In today’s mobile-first world, users not only expect, they demand to be able to access their bank accounts and payment applications as seamlessly as chat applications.
So, how do companies stay competitive while still keeping customers secure? The optimal solution is using a safeguard that increases trust and reduces friction during the session, that can run passively and continuously in the background and provide escalation triggers based on risk.
With cyber attackers becoming much more sophisticated, security measures must get smarter too. The key is to implement security measures that continuously monitor and test the authenticity of users in ways that are difficult, if not impossible, to replicate. Many experts and market leaders agree: behavioral biometric profiling is the only effective way to achieve this level of security.
Behavioral Biometrics: Then and Now
While behavioral biometrics is a breakthrough technology that’s gained traction over the last decade, the measurement of patterns relating to human activity is nothing new.
In the 1860s, as telegraph operators got better at using the new machine they became recognizable by the way they sent dash and dot signals. In fact, allied forces in World War II would verify the authenticity of messages they received by how they were sent.
In the 1960s, with the advent of computers, the first model of human acoustic speech production was created, followed by the development of the first signature recognition system. By 1970, the behavioral components of speech were modeled, and by 1976, the first prototype for speech recognition was created. In 1977, a patent was awarded to Veripen for the capture of dynamic pressure related to an individual’s signature characteristics.
Today’s behavioral biometrics go beyond signature, voice and speech to look at multiple data and endpoint interactions like hand-eye coordination, pressure, hand tremors, navigation and other finger movements. They can assess how well people know the information they’re entering and how familiar they are with the application they’re using by how they interact with it.
Continuous Authentication with Behavioral Biometrics
Behavioral biometric technology runs silently in the background, providing a passive and continuous authentication layer that maintains the integrity of sessions without any friction or disruption to the end-user.
BioCatch’s behavioral biometric solution selects 20 unique features from its 2000+ behavioral profiling metrics to authenticate a user — without any disruption in the user’s experience. The features are selected according to highly-advanced machine learning algorithms, which are employed to maximize the profiling process. After a few minutes of user activity, a robust user profile is built.
In each case, a user’s biometric profile is based on 3 elements:
- Physical-behavioral attributes: Scrolling patterns, hand tremors, pressure, swipe patterns
- Cognitive-behavioral attributes: Preferences on toggling, in-screen functions, habits on data entry
- Response patterns: These are elements unique to BioCatch, based on patented techniques of injecting subtle tests into an online session that elicit a user response and help to distinguish legitimate users from fraudsters, malware, robotic activity and replay attacks
Once established, the system can detect anomalies and suspicious behavior with an extremely high level of accuracy and a low rate of false positives. In the event of anomalous behavior, real-time alerts and analyses are provided to support the customer’s authentication policy. This capability provides ongoing security throughout the session and guides the customer to escalate only in cases in which the anomaly rate is very high.
Touch data collected from a mobile session.
By mapping and monitoring these behavioral patterns throughout the users’ time within the application, continuous authentication can indicate fraudulent behavior that occurs after the login, that is, after the two-factor authentication has been validated. This method also reduces the risk of false alarms, as opposed to traditional device ID or IP address validation, and identifies threats immediately. This means stopping fraud in real time and protecting consumers against the range of cyber threats.
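The template, matching and decision-rule steps of continuous authentication described above can be sketched as follows. This is an added example, not BioCatch's algorithm or code: the three feature names, the z-score matching, the thresholds and all sample values are assumptions constructed for illustration.

```python
from collections import deque
from statistics import mean, stdev

# Hypothetical feature names; every value below is constructed for illustration.
FEATURES = ("swipe_speed", "touch_pressure", "key_dwell_ms")

def sample(speed, pressure, dwell):
    return dict(zip(FEATURES, (speed, pressure, dwell)))

def enroll(samples):
    """Template: per-feature (mean, standard deviation) from enrollment events."""
    return {f: (mean(s[f] for s in samples), stdev(s[f] for s in samples))
            for f in FEATURES}

def is_anomalous(profile, event, z_limit=3.0):
    """Matching: flag an event if any feature lies more than z_limit
    standard deviations from the enrolled mean."""
    for f in FEATURES:
        mu, sd = profile[f]
        if abs(event[f] - mu) / max(sd, 1e-9) > z_limit:
            return True
    return False

def monitor(profile, events, window=5, escalate_rate=0.6):
    """Decision rule: escalate only while the anomaly rate over the last
    `window` events is at or above escalate_rate; otherwise stay silent."""
    recent = deque(maxlen=window)
    decisions = []
    for event in events:
        recent.append(is_anomalous(profile, event))
        rate = sum(recent) / window  # a partly filled window counts as normal
        decisions.append("escalate" if rate >= escalate_rate else "allow")
    return decisions

# Constructed enrollment data for one user.
ENROLLMENT = [sample(*v) for v in [(1.20, 0.50, 95), (1.25, 0.52, 100),
                                   (1.15, 0.48, 105), (1.30, 0.51, 98),
                                   (1.22, 0.49, 102), (1.18, 0.53, 97)]]
# Constructed session: normal use, one stray fast swipe, then a different operator.
SESSION = [sample(*v) for v in [(1.21, 0.50, 99), (1.24, 0.51, 101),
                                (1.19, 0.49, 96), (1.60, 0.50, 100),
                                (1.22, 0.52, 100)] + [(2.10, 0.80, 40)] * 4]

if __name__ == "__main__":
    for i, action in enumerate(monitor(enroll(ENROLLMENT), SESSION)):
        print(i, action)
```

The single stray swipe at event 3 does not trigger escalation on its own; the step-up fires only once three of the last five events deviate from the profile.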
The Future of Behavioral Biometrics: What’s Next?
Sophisticated cybercrime will not slow down, and neither will the race to provide users with advanced digital experiences. With this trend, innovative behavioral biometric capabilities will be in high demand and will continue to rapidly advance. These are the trends we can expect to see in the not-so-distant future:
- New Use Cases: Unlike traditional biometrics, behavioral biometrics was born in the banking consumer arena, mostly focusing on fraud prevention. In recent years, behavioral biometrics has slowly moved to new use cases such as Identity Proofing and Enterprise Security.
- New Markets: The use of behavioral biometrics is expanding to new markets like e-commerce, credit card issuers, credit bureaus, insurance, payroll systems, gaming, device authentication and enterprise.
- Redefining Digital Identity: The factor known as “something you are” becomes the most important authentication factor for mobile and web sessions.
- Behavioral Profiling in Multimodal Biometrics: Multimodal biometrics refers to the combination of two or more biometric modalities in an authentication system. For instance, a system that combines fingerprint scanners and voice recognition. In the coming years, we can expect to see behavioral profiling combined with other biometric modalities to create more robust security systems.