How is behavioral biometrics used for authentication?
Behavioral biometrics applied to authentication leverages the behavior patterns of an individual to confirm identity for access to digital services. It is commonly used in order to prove a person’s identity and assess the risk of fraudulent activity. In addition to offering a higher level of security compared to other authentication solutions that rely on static information, behavioral biometrics reduces friction when working in the background, with no interference to the user experience.
In recent years, the number of fraud and account theft incidents has been growing exponentially. In 2020, losses related to identity fraud reached a total of $56 billion, while P2P payment systems (which allow transactions between individuals) saw a 733% increase in fraud between 2016 and 2019. This increasing fraud illustrates the need to implement new, more effective cybersecurity solutions.
One of the answers to the need for fraud prevention methods with increased security is the adoption of authentication methods using biometric data, which can be divided into two main types: physical biometrics and behavioral biometrics. Physical biometrics refers to the user’s physical traits and includes technologies such as facial recognition, fingerprint reading and retina scanning. The problem with this type of authentication is that once biometric information is exposed through a theft or data breach, it can be permanently compromised as it is static data. Even if there is no leak, methods such as Facial Recognition have security and privacy issues.
The definition of behavioral biometrics, on the other hand, refers to the process of analyzing behavior patterns. This type of information is almost impossible to steal or replicate since it is constantly changing and updating. In addition, behavioral biometrics-based authentication works in the background, monitoring a series of parameters that configure a unique profile for each user, based on unique patterns in specific situations.
The data collected and analyzed in this authentication method can be categorized as follows:
Keystroke dynamics: captures and identifies the typing pattern and rhythm of a given user on their computer or mobile keyboard.
Gait recognition: captures and identifies the walking pattern of a user, such as the pace and pressure in which they step.
Voice ID: Unlike voice recognition technology, Voice ID does not analyze the voice itself, but rather the characteristics of this communication, such as rhythm, pauses, pitch variations and other elements unique to each user.
Mouse and touch use characteristics: this type of biometrics collects and analyzes data regarding the characteristic movements of the mouse, the touch on a screen, or the tap on a touchpad for a given user.
Signature analysis: Specialized software is used to compare sample signatures to see if they were made by the same person.
Cognitive biometrics: Less common, this type of authentication method seeks to obtain information about users by generating external stimuli, such as the display of images, to analyze the responses of the nervous system.
Location behavior: this method is based on the user's location pattern; that is, an analysis of the places the user frequently visits is used to create a unique identity, which changes according to the user’s changes in location behavior.
The fact that behavioral biometrics used for authentication takes place in the background is another advantage, as it adds an extra layer of protection without requiring any additional action on the part of users. That is why not only does it add extra security measures, but also significantly improves the customer experience. Using behavioral data, financial institutions can revamp their fraud prevention stack and trust legitimate customers will benefit from it. Even in cases where a customer has their personal information stolen and falls victim to identity theft, behavioral biometrics will be able to act as the first barrier to fraudsters, since it will identify a different behavior during login.
Use Cases for Behavioral Biometrics based Authentication
Behavioral biometrics-based authentication is commonly used in the financial industry and e-retail considering that both involve frequent financial transactions and are targets for fraudsters.
The use cases of behavioral biometrics include:
Prevention of Fake Account Opening
According to a study by the Federal Trade Commission (FTC), in 2020 there was an 88% increase in new active credit card accounts and a 33% increase in new accounts opened using stolen identities compared to the previous year. Behavioral biometrics can provide a solution to the problem of fake account opening by verifying the identity of new users based on their behavior.
Real users behave differently than fraudsters. They are less likely to get their own password wrong, they know the information they are typing in, and they are often physically present at the location where they claim they live. Scammers, on the other hand, copy and paste information into registration forms, in addition to using mobile emulators, or even apps that have not been downloaded from official app stores to register a new account. The difference between user behavior patterns is leveraged by behavioral biometrics to assess the risk of fraudulent activity when accounts are being opened.
The recognition of these patterns is further enhanced by machine learning technology, which accumulates data and knowledge about fraudulent patterns or patterns of legitimate users.
Account Takeover Protection
Behavioral biometrics is effective at preventing account takeover by continuously monitoring users’ activity patterns to detect anomalous activity that indicates a higher risk of fraud. Possible anomalies include transactions carried out from an unusual location, not fitting the user’s normal location behavior, or requests to send large amounts of money to an unknown account. This allows fraudulent actions to be flagged in real-time and prevented from taking place.
Behavioral biometrics is a powerful tool to prevent account takeover, even by social engineering, which is a technique widely used by criminals to steal and use personally identifiable information of legitimate users to access accounts. A common method of social engineering attack is to manipulate and trick the potential victim into clicking on links that give access to sensitive information that can be used for account theft. With behavioral biometrics, even if attackers manage to obtain sensitive information, such as a username and password or even a second-factor authentication code, it is possible to recognize the non-standard behavior of the user trying to access the account, and thus directly block access, or warn of the high-risk access attempt, or even trigger step-up authentication.
In addition to using dynamic information that is almost impossible to steal or replicate, behavioral biometrics-based authentication improves the user experience by reducing friction.
Considering the many benefits offered by behavioral biometrics technology over legacy authentication methods such as passwords, the expectation is that in the not too distant future most services can actually be passwordless and deliver a better user experience.