
In this blog, Melanie Maier, pre-sales solutions lead for the DACH region at Entersekt, discusses how behavioral biometrics benefits the end-user’s experience, and how it links to strong customer authentication.

If you are at all familiar with the payments and security scene, you might have noticed an increase in the number of established companies and start-ups that are focusing on behavioral biometrics. Major vendors include BioCatch (Israel), IBM (USA), Nuance Communications (USA), SecureAuth (USA), Mastercard (USA), BehavioSec (Sweden), and SecuredTouch (USA), to name just a few. And, according to a research report published by MarketsandMarkets, the behavioral biometrics market is still expected to grow, from $871.2 million in 2018 to $2 552.7 million by 2023.

Despite all the recent hype, behavioral biometrics is not as new as you may think. Its birth – keystroke dynamics – goes back to the 1860s when telegraphy was invented. As telegraph operators got more experienced in sending “dots” and “dashes”, they developed their own characteristic style when sending messages. These characteristics were so unique to each individual that their colleagues, who received the messages, could recognize which telegraph operator sent a particular message. In fact, Allied forces in World War II would verify the authenticity of messages they received by these characteristics.

Behavioral biometric technology has come a long way since 1860s keystroke dynamics, mainly because of the widespread use of modern mobile phones, which are, of course, equipped with dozens of smart sensors. Today, the International Biometrics and Identity Association defines behavioral biometrics as “the measurement and recording of human behavioral patterns and their use to verify and authenticate an individual computer-user.” Rather than focusing on an activity’s outcome, behavioral biometrics focuses on how a user conducts the activity. For example, it focuses not on whether the username and password have been entered correctly, but on how the user enters the login credentials.

Stronger than fingerprints and faceID

Most of us are already used to using static biometrics such as fingerprint or faceID. Whenever we want to unlock our smartphone or log into an app, we can use our fingerprint or built-in facial recognition software. It is simply more convenient than having to remember and type in a password or PIN.

However, even though we all have unique fingerprints and faces, static biometrics are not foolproof; these systems can still be hacked. A previous Entersekt blog discusses how a Vietnamese security firm managed to hack the iPhone X’s facial recognition security system. Another recent article from the Guardian discusses how researchers used a neural network to generate artificial fingerprints that work as a “master key” for biometric identification systems, proving that fake fingerprints can be created.

Behavioral biometrics can mitigate such risks. On a smartphone or computer, the technology collects data on how the user interacts with the device, analyzing, for example, the typing rhythm and velocity, key pressure, swipe speed, and finger positioning. Just as the telegraph operators developed their own style, we have all also subconsciously developed our own style in the way we type, the way we scroll, the way we hold our mobile device and the pressure we apply to the screen. Essentially, this personal style should be impossible (although never say never, and never ever underestimate the fraudsters) to copy or to steal. Even our walking patterns can be used to create gait-based profiles.

Behavioral biometrics and strong customer authentication

Despite the benefits of behavioral biometrics – its convenience and security – we should not solely rely on it for authentication. This is especially true for financial institutions that need to comply with regulations such as PSD2, which specifies the use of two-factor authentication (2FA) – a multifactor identity verification procedure. To fulfill the 2FA requirements, a user must provide at least two of the following authentication factors: possession (something you have, for example, a mobile device secured by a strong device identity), knowledge (something you know), and inherence (something you are). As part of the inherence factor, behavioral biometrics could become part of a 2FA strategy.

For more on authentication best practices, read 7 Steps to stronger authentication.

So, what are some of the use cases where this could work? With Entersekt’s push-based, phone-as-a-token authentication, behavioral biometrics could be used to assess whether to require step-up authentication.

Every time a user logs into an online portal on their smartphone where a behavioral biometrics solution is in place, the user’s behavior is analyzed and compared to their profile. This generates a risk score. A score below a certain confidence level generates a real-time alert, resulting in a user-directed authentication prompt. The request – which includes all the relevant details about the action – is pushed to the mobile phone or tablet in real time. Completing the process is a one-touch experience: the customer simply taps “Accept” or “Reject”.
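
To make the risk-score step concrete, here is an added example (not code from Entersekt or any vendor named in this post) that compares one login attempt's keystroke timings to an enrolled profile and decides whether to trigger the push prompt. The scaled Manhattan distance, the timing-feature layout, the 0.35 threshold and all names are assumptions chosen for illustration, and the timing data is constructed.

```python
from statistics import mean

# Constructed enrollment data: each row is one typing of the same 4-key
# credential, as 4 key dwell times followed by 3 key-to-key flight times (ms).
ENROLLMENT = [
    [95, 110, 88, 102, 140, 155, 132],
    [98, 105, 91, 99, 146, 150, 128],
    [92, 112, 85, 105, 138, 160, 135],
    [97, 108, 90, 100, 143, 152, 130],
]

def build_profile(samples):
    """Return per-feature (means, mean absolute deviations) for one user."""
    columns = list(zip(*samples))
    means = [mean(col) for col in columns]
    # Floor each deviation at 1 ms so a very steady feature cannot blow up
    # the scaled distance through division by a near-zero value.
    devs = [max(mean(abs(x - m) for x in col), 1.0)
            for col, m in zip(columns, means)]
    return means, devs

def confidence(profile, attempt):
    """Map the scaled Manhattan distance to a confidence in (0, 1]."""
    means, devs = profile
    if len(attempt) != len(means):
        raise ValueError("attempt has the wrong number of timing features")
    distance = mean(abs(x - m) / d for x, m, d in zip(attempt, means, devs))
    return 1.0 / (1.0 + distance)

def decide(profile, attempt, threshold=0.35):
    """'allow' when confidence meets the threshold, otherwise 'step_up',
    meaning: push an Accept/Reject prompt to the enrolled device."""
    return "allow" if confidence(profile, attempt) >= threshold else "step_up"

PROFILE = build_profile(ENROLLMENT)
GENUINE = [96, 109, 89, 101, 142, 153, 131]    # constructed: same rhythm
IMPOSTOR = [70, 150, 120, 80, 200, 90, 180]    # constructed: right keys, wrong rhythm

if __name__ == "__main__":
    for label, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, round(confidence(PROFILE, attempt), 3), decide(PROFILE, attempt))
```

Note that the impostor attempt models correct credentials typed with a different rhythm, which is exactly the case a password check alone cannot distinguish.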

Enhanced user registration is another use case. Here, someone wants to register for a digital service remotely. To do so, they have to complete a one-time validation of their identity. If the service provider in question is already utilizing behavioral biometrics technologies, the behavioral profile and risk score generated in this and previous digital engagements will “recognize” the user and can be used to streamline their enrolment experience by avoiding step-up authentication when it does not appear necessary.

Entersekt has recently announced its partnership with NuData Security, a Mastercard company, which will enable it to integrate NuData's behavioral analytics solution NuDetect with the Entersekt Secure Platform.


Melanie Maier


Melanie is focused on helping financial institutions and enterprises achieve compliance through strong authentication and state-of-the-art app security while simultaneously enabling exciting new digital experiences. She is also country ambassador (Germany) for the European Women Payments Network, where she helps to grow the network in order to bring more female voices and diversity to the payment industry.
