Behavioral biometrics: The new kid on the block?

Melanie Maier | 13 December 2018

In this blog, Melanie Maier, pre-sales solutions lead for the DACH region at Entersekt, discusses how behavioral biometrics benefits the end-user’s experience, and how it links to strong customer authentication.

If you are at all familiar with the payments and security scene, you might have noticed an increase in the number of established companies and start-ups that are focusing on behavioral biometrics. Major vendors include BioCatch (Israel), IBM (USA), Nuance Communications (USA), SecureAuth (USA), Mastercard (USA), BehavioSec (Sweden), and SecuredTouch (USA), to name just a few. And, according to a research report published by MarketsandMarkets, the behavioral biometrics market is still expected to grow, from $871.2 million in 2018 to $2 552.7 million by 2023.

Despite all the recent hype, behavioral biometrics is not as new as you may think. Its earliest form – keystroke dynamics – goes back to the 1860s, when telegraphy was invented. As telegraph operators got more experienced in sending “dots” and “dashes”, they developed their own characteristic style when sending messages. These characteristics were so unique to each individual that their colleagues, who received the messages, could recognize which telegraph operator sent a particular message. In fact, Allied forces in World War II would verify the authenticity of messages they received by these characteristics.

Behavioral biometric technology has come a long way since 1860s keystroke dynamics, mainly because of the widespread use of modern mobile phones, which are, of course, equipped with dozens of smart sensors. Today, the International Biometrics and Identity Association defines behavioral biometrics as “the measurement and recording of human behavioral patterns and their use to verify and authenticate an individual computer-user.” Rather than focusing on an activity’s outcome, behavioral biometrics focuses on how a user conducts the activity. For example, it focuses not on whether the username and password have been entered correctly, but on how the user enters the login credentials.

Stronger than fingerprints and faceID

Most of us are already used to using static biometrics such as fingerprint or faceID. Whenever we want to unlock our smartphone or log into an app, we can use our fingerprint or built-in facial recognition software. It is simply more convenient than having to remember and type in a password or PIN.

However, even though we all have unique fingerprints and faces, static biometrics are not foolproof; these systems can still be hacked. A previous Entersekt blog discusses how a Vietnamese security firm managed to hack the iPhone X’s facial recognition security system. Another recent article from the Guardian discusses how researchers used a neural network to generate artificial fingerprints that work as a “master key” for biometric identification systems, proving that fake fingerprints can be created.

Behavioral biometrics can mitigate such risks. On a smartphone or computer, the technology collects data on how the user interacts with the device, analyzing the typing rhythm and velocity, key pressure, swipe speed, and finger positioning, for example. Just as the telegraph operators developed their own style, we have all subconsciously developed our own style in the way we type, the way we scroll, the way we hold our mobile device and the pressure we apply to the screen. Essentially, this personal style should be impossible (although never say never, and never ever underestimate the fraudsters) to copy or to steal. Even our walking patterns can be used to create gait-based profiles.

Behavioral biometrics and strong customer authentication

Despite the benefits of behavioral biometrics – its convenience and security – we should not solely rely on it for authentication. This is especially true for financial institutions that need to comply with regulations such as PSD2, which specifies the use of two-factor authentication (2FA) – a multifactor identity verification procedure. To fulfill the 2FA requirements, a user must provide at least two of the following authentication factors: possession (something you have, for example, a mobile device secured by a strong device identity), knowledge (something you know), and inherence (something you are). As part of the inherence factor, behavioral biometrics could become part of a 2FA strategy.

So, what are some of the use cases where this could work? With Entersekt’s push-based, phone-as-a-token authentication, behavioral biometrics could be used to assess whether to require step-up authentication.

Every time a user logs into an online portal on their smartphone where a behavioral biometrics solution is in place, the user’s behavior is analyzed and compared to their profile. This generates a risk score. A score below a certain confidence level generates a real-time alert, resulting in a user-directed authentication prompt. The request – which includes all the relevant details about the action – is pushed to the mobile phone or tablet in real time. Completing the process is a one-touch experience: the customer simply taps “Accept” or “Reject”.
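The scoring step described above, as an added example (not Entersekt's or any vendor's code): a keystroke-timing profile is built from enrolment samples, a login attempt is scored against it with a scaled Manhattan distance, and step-up is requested when the confidence falls below a threshold. The timing values, the 0.5 threshold and all function names are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed enrolment data: dwell/flight times in ms for one user typing
# the same credential five times (six timing features per attempt).
ENROLMENT = [
    [95, 140, 88, 160, 102, 130],
    [100, 150, 90, 155, 98, 135],
    [105, 145, 92, 165, 100, 125],
    [98, 155, 86, 150, 104, 140],
    [102, 135, 94, 170, 96, 120],
]
GENUINE = [101, 148, 89, 158, 101, 133]   # constructed: close to the profile
IMPOSTOR = [140, 90, 120, 220, 70, 200]   # constructed: different rhythm


def build_profile(samples):
    """Return per-feature (mean, std) pairs; std is floored at 1 ms so a
    very consistent feature cannot dominate the score."""
    return [(mean(col), max(stdev(col), 1.0)) for col in zip(*samples)]


def confidence(profile, sample):
    """Map the mean absolute z-score (scaled Manhattan distance) to (0, 1].
    1.0 means the attempt equals the profile mean on every feature."""
    if len(sample) != len(profile):
        return 0.0  # malformed capture: treat as no confidence at all
    distance = mean(abs(x - m) / s for x, (m, s) in zip(sample, profile))
    return 1.0 / (1.0 + distance)


def decide(profile, sample, threshold=0.5):
    """Behavioral score only decides whether to step up; it never grants
    access on its own. threshold is an assumed tuning value."""
    score = confidence(profile, sample)
    return {"confidence": round(score, 3), "step_up": score < threshold}


if __name__ == "__main__":
    profile = build_profile(ENROLMENT)
    print("genuine :", decide(profile, GENUINE))
    print("impostor:", decide(profile, IMPOSTOR))
```

A malformed or truncated capture scores zero confidence and therefore always triggers the push prompt, so missing sensor data fails toward stronger authentication.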

Enhanced user registration is another use case. Here, someone wants to register for a digital service remotely. To do so, they have to complete a one-time validation of their identity. If the service provider in question is already utilizing behavioral biometrics technologies, the behavioral profile and risk score generated in this and previous digital engagements will “recognize” the user and can be used to streamline their enrolment experience by avoiding step-up authentication when it does not appear necessary.

About the author

Melanie Maier


Pre-sales Solutions Lead DACH

Melanie Maier has extensive experience in the digital payments space, her strong business development and project management skills aligning perfectly with her role as Entersekt Pre-sales Solution Lead in the DACH countries. She is focused on driving business in the region and on providing solutions-based and consultative advice on the creative and innovative products that set Entersekt apart. Before joining Entersekt, Melanie spent more than five years at Wirecard, where she most recently served as Head of Presales: Value-Added Services. She holds an M.Sc in Service Management and a B.Sc in Business Administration and Management.


Entersekt is an international software development company headquartered near Cape Town, South Africa.

We are leaders in authentication, app security and payment technology. We offer customers a highly scalable portfolio of solutions that has proven itself worldwide.