Behaviometrics: The holy grail of authentication?

Passwords to biometrics to behaviometrics

Can you ever be 100% sure that someone is who they say they are? A signature used to be enough. Then it was Chip & PIN. Until recently, the most universally-accepted authentication method in the online space was the password…

But four years ago, computer scientist Fernando Corbato said the password had ‘become kind of a nightmare.’ A bold statement perhaps, but worth taking seriously given that Corbato invented the password in the 1960s. For harder evidence that passwords have had their day, consider the estimated number of records exposed by data breaches in the year following Corbato’s statement: 707 million.

Then when you consider that many people simply don’t have the time to pick a strong password. Last year, 123456 was the most common. ‘Starwars’ was also a new entrant onto the list.

It’s been clear for some time that we need a personal authentication method that doesn’t depend on our memories, especially now that the average Briton has 118 online accounts registered to just one email address.

In recent years, smartphones have facilitated one alternative to the password for hundreds of millions of people: biometrics. Why battle the fatigue of generating and remembering a piece of information when you can instead prove who you are using the unique physical signatures you’re born with, such as your fingerprints, face, eyes, or even DNA? 

Multi-factor is the future

Fingerprint recognition is currently the most widely used biometric authentication method in the world because the technology is cheap, fast, reliable and unobtrusive. Other biometric methods are on the rise too though. The iPhone X uses a neural engine and infrared imaging to scan owners’ faces, confirm their identities and authorise purchases. And Samsung has used a special iris scanner to unlock their devices since the Galaxy Note 7.

A biometric form of ID such as a fingerprint is a step forward, but like a password it suffers from being a single-factor authentication method. Once you know the password, or can bypass the fingerprint scanner, you have full access to a person’s identity and finances. Two-factor authentication is far better and soon to be a legal requirement. An extra layer of security is added through an additional step taken by the user, like when a service texts a verification code to your phone, as well as asking for your usual password. This process can be extremely strong and is in use across the world, but it has its drawbacks as well. It can feel slow and convoluted, and the procedure differs depending on the app or service.

A more sophisticated approach is to combine various signals into a detailed picture of an individual. This could be done through multiple physical markers, like fingerprints, faces and irises, but it would also be convoluted – like a scene from Mission Impossible. Instead, the profile is built by examining a range of behavioural patterns in the background, with no conscious input required by the user. This is how biometrics is evolving – into behaviometrics. 

It’s not what you do, it’s the way that you do it

The idea of using someone’s behaviour to confirm who they are isn’t new. Towards the end of the 19th century, telegraph operators were being ID'd through their typing characteristics. The modern equivalent is using keystroke dynamics – the way we tap words on our phones and other devices – to build a model that is unique to each of us.

Your typing rhythm is measured by the millisecond, alongside the duration of presses and even quirky spelling mistakes. Analysing these factors manually would be impossible, but with AI and machine learning, a smartphone can soak up the information continuously behind-the-scenes, constantly adding to and strengthening your personal profile.

Google has been interested in incorporating keystroke dynamics into its services for some time, having registered a patent for the technology back in 2007. More recently, Google described how its Trust API would eventually kill off passwords on Android devices by using your typing speed, how you swipe your screen, voice patterns, and even how you walk, to create a cumulative ‘trust score’.  

Behavioural biometrics spreads to the real-world

A major advantage keystroke dynamics and similar input streams have over fingerprint scanners is that they’re based on software, not special hardware, which means they could be brought to devices in a consistent, cost-effective way.

Other tech companies aren’t holding back, though. Israel-based Bank Leumi has used behavioural metrics including a user’s finger size and their touch pressure to enable passive authentication with a view to replacing passwords for its online banking app. Other companies in the race include BioCatch, whose behavioural biometric authentication and threat detection tech is set to enable banks, including Barclays, to stop online fraud before it happens using 500 cognitive parameters.

The U.S./Israeli start-up considers the way you hold your phone, palm size, and even hand tremors alongside behavioural traits. The company has partnered with Samsung SDS to integrate their system into popular mobile apps.

Other real-world applications of behavioural biometrics include Barcelona-based ID Finance, which is using biometric patterns in its AI-driven fraud scoring engine to eliminate fraud, boost loan approvals, and reduce the number of non-performing loans. In tests, the system worked with 97.6% accuracy and has now been rolled out to all seven markets of operation. ID Finance has estimated the financial impact of the tool will be $2.8 million in 2018.

UnifyID has recently boasted an even higher level of accuracy with its online and physical dynamic probability and confidence scoring engine. Using 100 authentication factors running in the background, it can ID users with 99.999% accuracy. The platform has reached general availability and can be built into existing Android and iOS apps with little effect on battery and data usage. 

Will seamless behaviometrics replace traditional biometrics?

The biometrics market is still growing year on year, so why is behaviometrics touted as the next big thing in authentication? From a security point of view, the fact that it uses not one, two, or a few factors, but dozens or hundreds is appealing to financial institutions as well as their customers. But from a consumer perspective, the advantages are as much about experience as anything else.

The clunky process of swiping a payment card has been mostly replaced by contactless, and invisible payments – in which your card doesn’t even need to leave your wallet or purse to pay – are gaining momentum. In a similar way, behaviometrics has the potential to make authentication frictionless and invisible, while boosting security. While fintech investors are keenly aware of the global behavioural biometric market, which is predicted to grow at an annual rate of 17.9% until 2020, consumers are likely to notice less and less as the tech spreads and makes authentication more seamless.

Nick Kerigan, MD Future Payments at Barclaycard said:

‘We’re seeing that there is no single biometric or behaviometric win. The primary reason is that any biometric alone can be broken. For example, a latex mask could fool a face scanner. Fingerprints are useful, if it’s secure, but if a fingerprint database is hacked, you’ll have to start using another finger to identify yourself.

‘The solution is about multiple data sources. You might use a finger print, along with how you type on a keyboard. Then other data sets will come in, where are you making a payment? What time of day is it? Is this a normal transaction based on your behavioural profile? These are other types of behaviometrics already being used. Then it becomes about percentages rather than a ‘yes’ or ‘no’. You decide what is an acceptable degree of certainty that you have correctly identified an individual.

‘This is good for the consumer as it becomes incumbent on a vendor or bank to identify them, rather than asking the consumer to remember lots of passwords. In the future, you’ll just be identified by being you.’