Behavioral biometrics – the next level of web security
Biometrics – safety without the need for complex passwords
Biometrics is a solution used every day by almost everyone. Every time you unlock your smartphone using your fingerprint, iris or facial recognition, your physical features are analysed and compared to the template you provided. These properties of our bodies are not the only features that can be used for authentication. Others include the retina, the pattern of blood vessels in the hand, hand shape, the temperature of different sections of the face, ear shape and the shape and position of teeth. Such solutions are designed to eliminate or significantly limit the number of long and complex passwords we need to use in our everyday life.
Behavioral biometrics – a higher level of security
Behavioral biometrics analyses and profiles our behavior. This usually involves studying the ways we use our computers or smartphones, but it’s also possible to analyse the way we walk, the pace at which we type, our voices or how we operate our devices. You see this type of biometrics every day, e.g. in ‘captcha’ tests (in which you tick a box to verify you are not a bot) that analyse the speed with which you click on the box, the trajectory of your cursor and your precision rate.
The advantages of behavioral biometrics
One may ask: ‘Why introduce a new solution if regular biometrics works so well?’ It turns out that the technology used today does have its flaws. Fingerprint recognition is fast and intuitive to use but does not work if your hands are wet. Moreover, it is relatively easy to forge a template or force someone to use their print. Facial recognition works regardless of whether your face is wet or not, but the lighting, either too bright or too dim, may interfere with the scanner’s ability to identify you, and the template may be copied, as in the case of the iris scan.
Another asset of behavioral biometrics is that it works continuously. Imagine you log in to your bank account and step away from the keyboard for a moment without logging off. Anyone who sits down at your computer at that moment will have full access to your account. If a behavioral biometrics system is used, it will detect a different user, e.g. by analysing the movement of the cursor, and block their access.
Behavioral biometrics is less invasive and essentially undetectable to the user. The prospect of logging in to your bank account without the bothersome two-step verification and the need to retype codes received by applications or text messages, relying solely on our personal templates, certainly seems attractive.
Some may ask what would happen if, for instance, they broke an arm one day and had to log in to their account typing their password with one hand only. Experts assure us that the system would be able to adjust even to such unexpected situations.
How does behavioral biometrics work?
Behavioral biometrics is based on the principle of gathering data on the actions of a specific individual, analysing them to construct a template and comparing future behavior to the existing model. The stages of the process are as follows:
- Data collection consists of measuring (acquiring) various types of data, from the way the user holds their phone or operates the screen, to analysing what gestures and shortcuts they use when typing on the keyboard. Even the process of logging in to an account provides ample information: how fast we type in the password, whether we type one or two symbols at a time, or the entirety of the password in one go, and whether we switch between the boxes by clicking with the mouse or using the Tab key.
- Data analysis begins when the sensors have collected the necessary information; a mathematical model is then created to be used as the basis for comparison.
- The comparison involves checking the current data input against the existing model. If the result matches (is highly similar to the template), the user is granted access to their account, whereas if the similarity is lower than expected, the user will be able to view the account page but not able to make any transfers, or will be logged out automatically.
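The three stages above, applied to one signal the article mentions (typing pace), as an added example that is not part of the original article or of any bank's system. The feature set (key dwell and flight times), the scaled Manhattan distance, the thresholds and all sample timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def features(events):
    """Data collection: events are (key, press_ms, release_ms) in typing order.
    Returns dwell time per key, then flight time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def build_template(samples):
    """Data analysis: per-feature mean and spread over the enrollment samples."""
    columns = zip(*(features(s) for s in samples))
    # Floor the spread at 2 ms (assumed) so a very steady feature cannot dominate.
    return [(mean(c), max(pstdev(c), 2.0)) for c in columns]

def score(template, events):
    """Comparison: average deviation from the template, in units of the
    user's own spread (a scaled Manhattan distance). Lower is more similar."""
    vec = features(events)
    if len(vec) != len(template):
        return float("inf")  # wrong number of keystrokes: cannot match
    return sum(abs(x - m) / s for x, (m, s) in zip(vec, template)) / len(vec)

def decide(value, full=1.5, limited=3.0):
    """Map similarity to the tiers the article describes (thresholds assumed)."""
    if value <= full:
        return "full_access"
    if value <= limited:
        return "view_only"   # account visible, transfers blocked
    return "logout"

def typing(dwells, flights):
    """Build constructed press/release timestamps from dwell and flight times."""
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((f"k{i}", t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

# Constructed enrollment data: the same four-key password typed four times.
ENROLL = [typing([90, 110, 95, 120], [60, 80, 70]),
          typing([95, 105, 100, 115], [65, 75, 72]),
          typing([88, 112, 92, 125], [58, 85, 68]),
          typing([92, 108, 98, 118], [62, 78, 74])]
TEMPLATE = build_template(ENROLL)

if __name__ == "__main__":
    drifting = typing([96, 114, 101, 124], [66, 84, 76])  # constructed sample
    print(decide(score(TEMPLATE, drifting)))  # view_only
```

A real deployment would collect many more samples and signals, and tune the thresholds against measured false-accept and false-reject rates rather than fixing them by hand.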
The future of behavioral biometrics
Selected banks are already working towards enabling authorisation through the analysis of the users’ interactions with their computers. Since December 2018, 50 000 users have participated in testing this feature for mBank.
The technology is expected to become widespread, as it does not necessitate any changes, only requiring skillful management of the already available data. Its expansion may additionally be facilitated by the progress in machine learning and artificial intelligence.