How Behavioral Biometrics Is Innovating IT Security

As the need grows for more robust IT security, behavioral biometrics is emerging as a solution. Here we examine the technology and its pros and cons.

Passwords, not people, are what fall down. Passwords alone are no longer enough to protect online accounts. With 70 percent of us losing faith in a password’s ability to protect our accounts, according to a June 2015 TeleSign report, companies are looking for new, simple and secure ways to verify their users. The strongest form of account security requires a layered approach. Behavioral biometrics can effectively strengthen these simple passwords by adding another transparent layer of security, resulting in real-time, two-factor authentication that doesn’t get in the user’s way.

Google publicly launched a project called Abacus in 2015 that looks into behavioral biometrics, among other things, as a means to secure Android access. Many large companies, from banking to payment services to consumer Internet name brands, have expressed interest in testing the technology. Analysts at Radiant Insights estimate the biometrics market as a whole will grow to $44 billion by 2021 from $7 billion in 2014.

Alerts from banks and credit card companies, such as travel alerts, are tied to a physical card rather than a specific user. Behavioral biometrics could track patterns of a specific user via a range of touch points across an account, no matter how they are accessing that account—be it on a mobile device or Web platform. From mouse dynamics to keystrokes and graphical user interface, these patterns are analyzed and rated so they can be used to authenticate a user continuously and challenged if they appear fraudulent. It is extremely difficult to precisely imitate another person’s behavior, and this equates to high levels of accuracy with the numerous biometric patterns.

The financial services community has been the most active adopter of products that use biometric security techniques. Recently, the Bank of Montreal announced it will allow users to complete online payments with a “selfie” or fingerprint check. Earlier this year, Citi launched a voice authentication project, which will allow its customers to use their voice to verify themselves when they call the bank.

Behavioral biometrics, which collects behavior over time, differs significantly from physical (such as iris or fingerprint) biometrics, which collects static information about people’s physical characteristics. When a database containing physical biometric data is breached, it means that static identifying data is compromised indefinitely. The difference with behavioral biometrics is that it collects information about how a user interacts with a device; it isn’t static, and it’s constantly updated.

It is clear from the increase in cyber-crime during the past several years that traditional password-based security is no longer enough. Verizon’s “2016 Data Breach Investigations Report” found that 63 percent of data breaches in 2015 were a result of weak, default or stolen passwords. These data breaches continue to leak more and more account credentials and personal information. As a response, businesses are looking for smarter, more secure and more efficient ways to authenticate users and protect their accounts. This is where behavioral biometrics comes in.

While behavioral biometrics is still an emerging category, the technology has been in use for the last several years in places where people have felt the most pain—namely, where money is changing hands. The financial services community has been the most active participant, with quite a few banks embracing products that use biometric security techniques. There are many industries that could benefit from adopting behavioral biometrics, but industry people foresee retail/e-commerce, Internet services and online gaming to be early adopters.