With all the fraud today coming from authenticated sessions, behavioral biometrics are gaining prominence, particularly in banking, because they can provide a form of continuous authentication without compromising the user experience.

Invisible Challenges

Improving the accuracy of behavioral biometrics, however, requires an approach that leverages a deep understanding of how fraudsters behave online. It is not enough to emulate a robotic attack or to know the difference between robotic and human behavior.

Invisible Challenges are a patented technique, discovered by BioCatch co-founders, that introduces subtle tests into an online session. Users respond to these tests subconsciously, without sensing any change in their experience. The response contains behavioral data that can be used to distinguish a real user from an imposter, whether human or non-human (robotic activity, malware, aggregator, etc.).

For example, a common user interaction element in mobile apps is the spinning selection wheel for dates, time, numbers, etc. This is often used when entering information such as a new destination account for money transactions. In this challenge, passive measures related to spinning the wheel are collected (speed, stopping strategy, corrections towards the end), and subtle fluctuations are introduced to the spinner that can elicit different subconscious reactions.

In the example below, the challenge makes the wheel spin slowly (not kinetically). The first user compensates with a few long and continuous "pushes" to spin the wheel, and adds two powerful strokes in the other direction for fine-tuning and final targeting. The second user, on the other hand, compensates by making many small and short "pushes" to spin the wheel. Afterwards, the user adds several short, concentrated and powerful strokes in the same direction for final targeting. 


Invincible Challenges

Invisible Challenges help deliver the promise of behavioral biometrics for continuous authentication and overcome many of the challenges that traditional behavioral and fraud prevention approaches do not address:

RAT and device spoofing detection: Invisible Challenges can detect an unnatural response or delay indicating a remote connection or virtual machine attack.

Robotic detection: Given that bots are automated tools, by nature they ignore the Invisible Challenges.

Malware and sophisticated bot detection: Malware will not know how and when to respond to an Invisible Challenge, and it is therefore not necessary to maintain malware libraries which are inevitably obsolete the moment they are updated.

Replay attacks: Invisible Challenges are random in timing, intensity and flavor, so no past activity can be used to produce a legitimate response to the challenge.
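The robotic-detection and replay points above can be illustrated with a small server-side check. This is an added example, not BioCatch's implementation: the "gain" model of the slowed wheel, the function names, the thresholds and the sample strokes are all assumptions constructed for illustration.

```python
import secrets

# Assumed model (not BioCatch's): the challenge scales how far the wheel moves
# per unit of swipe input ("gain"). Someone watching the wheel keeps swiping
# until it reaches the target; input produced without watching it does not.
GAIN_RANGE = (0.35, 0.75)   # hypothetical; always clearly slower than normal (1.0)

def issue_challenge():
    """Pick a fresh random gain per session so old responses do not fit."""
    gain = secrets.SystemRandom().uniform(*GAIN_RANGE)
    return {"nonce": secrets.token_hex(8), "gain": round(gain, 2)}

def classify_response(challenge, target, strokes, tolerance=0.08):
    """Classify swipe input (signed distances) against this session's gain."""
    if not strokes:
        return "no-interaction"       # value set without touching the wheel
    total_input = sum(strokes)
    landed = total_input * challenge["gain"]   # where the wheel ended up
    slack = tolerance * abs(target)
    if abs(landed - target) <= slack:
        return "compensated"          # input adapted to this session's gain
    if abs(total_input - target) <= slack:
        return "ignored-challenge"    # input assumes an unperturbed wheel
    return "mismatch"                 # e.g. input recorded under another gain

if __name__ == "__main__":
    session = {"nonce": "constructed", "gain": 0.5}   # constructed sample data
    samples = {
        "few long pushes, two back-strokes": [100, 90, 70, -12, -8],
        "many short pushes": [30] * 7 + [10] * 3,
        "scripted input": [120],
        "replay recorded at gain 0.4": [300],
        "direct value set": [],
    }
    for name, strokes in samples.items():
        print(f"{name:36} -> {classify_response(session, 120, strokes)}")
```

In this simplified model a recorded response only stops fitting when the new gain differs from the old one by more than the tolerance, which is why the challenge has to vary in more than one dimension (timing, intensity and flavor, as listed above).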

Results

Identifying real fraud while maintaining low false alarm rates and low user friction is the catch-22 for behavioral biometrics, which are passive in nature and do not require an active enrollment.

Invisible Challenges optimize this balance. Using advanced data science and machine learning methods, the challenges are typically introduced as a form of risk-based authentication prior to crucial online tasks such as changing payees, transferring large sums of money, updating personal details, card activation and deactivation.
