As you interact with your mobile phone and browser, you generate a large number of signals, which are now being captured to help identify you. Combined as multifactor biometrics, these may ultimately eliminate passwords and physical challenges, but first they need to be proven reliable. This article in Biometric Update claims behavioral biometrics are a game changer but fails to discuss the need for validation:
“Behavioral biometrics is a breakthrough cybersecurity technology that identifies people by how they do what they do, rather than by their physical characteristics, what they know, or by the authentication technology they possess.
Behavioral biometrics is defined as the measurement and analysis of human activity patterns. Historically, these have included keystroke patterns, gait, and handwritten signatures. However, today’s advanced behavioral biometric techniques now capture a wider array of human interactions between a device and an application, such as hand-eye coordination, pressure, hand tremors, navigation, scrolling and other finger movements.
BioCatch’s behavioral biometrics-based authentication technology analyzes the way people interact with online applications or devices. BioCatch has positioned itself as a market leader, with a solution designed to reduce transaction friction, decrease fraud and associated cyber threats, and provide quantifiable business value. The firm’s enterprise-grade solution is used by major banks and e-commerce sites worldwide, and currently monitors over four billion transactions per month, in order to provide measurable returns on investment.
“It is not enough to rely on static identification verification when opening an account or conducting a credit check,” said Frances Zalazny, Vice President of Marketing at BioCatch, in an exclusive interview with BiometricUpdate.com. “Relying on static data makes organizations susceptible to social engineering attacks.””
As described in Mercator’s report “Biometrics: A New Wrinkle Changes the Authentication Landscape,” behavioral biometrics should indeed be deployed as quickly as possible to detect bots and prevent attempted account takeovers. However, the report identifies the larger opportunity: using multiple independent factors to passively, or semi-passively, identify people without a challenge:
“Zalazny notes that with BioCatch running in the background, retailers and banks can analyze, in detail, the methods in which people interact with online applications or devices. The approach is passive, and analyzes physical, behavioral and cognitive attributes in real-time, while injecting invisible challenges to ensure the veracity of the user.
BioCatch’s platform can thus undertake real-time risk assessments to determine whether a user is navigating an online form at an unnatural rate of rapid speed or taking too long to enter intuitive information. Analysis of such behavior allows the firm to develop a “risk score” which informs its banking and retail customers as to the legitimacy of a user and transaction.”
An invisible challenge can be a slight jump in the pointing device or a slight shift in a field's position, used to determine whether the user reacts in a similar fashion to past challenges. The biggest problem today is the lack of science on false positive and false negative rates. These will vary as new factors are added to the calculation, but one would think a company such as BioCatch that claims to monitor 4 billion transactions a month could provide detailed statistics regarding its accuracy.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group