By Craig Guthrie, deputy editor

After years of indecision, 2014 seemed the year when major US and European banks began considering biometrics in earnest as the best solution to prevent fraud, secure smartphone apps and authorise transactions.

From finger vein readers to voiceprints, and fingerprint scanning cards to cardio-rhythm wristbands, a range of options have been touted as the best solution to balance privacy, convenience and security.

One modality that's hit fewer headlines is behavioural biometrics – quietly recording a user's mannerisms and device “events” to generate distinct patterns for identity authentication.

Swedish firm BehavioSec has been a forerunner in integrating the tech with financial service providers. Following extensive trials with Nordic banks, the firm's solution has been deployed across the region for mobile and internet banking, and is now being adopted by other financial institutions globally.

Its trials have shown strong potential – and without raising the potential logistics headaches that could accompany major hardware changes.

In Scandinavian trials, BehavioSec's solution detected a false user in between 20 and 60 seconds of them picking up a smartphone, when the technology is installed at OS-level. When BehavioSec's technology was used at application-level, a major e-commerce trial demonstrated accuracy levels of 99.8%.

There is also scope for deeper integration into our daily lives.
Since 2012, the firm has been working with the US's Defense Advanced Research Projects Agency (DARPA) on advanced active authentication.

If realised, the research would see behavioural biometrics embedded in devices before we even buy them – meaning that every aspect of our mobile behaviour – from thumb swipes to page scrolling – would be silently logged and analysed.

Planet Biometrics discussed the trend of biometrics in banking and the potential of behaviour-tracking technology with Neil Costigan, CEO of BehavioSec.

Has BehavioSec found that implementing behavioural biometric solutions is harder on mobile apps than on web applications?

Not at all. Our SDK just merges in with existing software because it is quite small. All it is really doing is capture – recording the events on the phone.

What we mostly can gain from web implementations is quite basic, mostly keystrokes and mouse movements. And these keystroke dynamics are just up-down events.

In contrast, the phone generates a large amount of data because of all the sensors – there's pressure readers, gyroscopes and accelerometers. This means we get a far richer biometric on the phone if compared to web.

If you are in a phone, you are getting the X-Y position inside the button, plus the pressure, plus the angle the phone is at. This means we have many more dimensions and the algorithms are also getting much better.

Here we are just capturing the phone's events and all the security decisions are managed in the back-end, usually by a bank or payment provider's app.

This is relatively light and easy. In fact, to us, implementing on mobiles or for desktop applications is about the same. It's all about product integration.

Now parallel to this we have advanced research work underway – this is supported, largely to date by DARPA, who are funding moon-shot ideas.
These are grand ambitious projects that are perhaps going to see the light of day commercially in a two-, three- or five-year horizon.

In that case we have been working with DARPA and a handset manufacturer on embedding the behavioural biometrics into the operating system. So it goes in the phone even before you get it.

This makes integration really easy because our solution is in the phone when it ships. This way we would be getting way much more input – when you're playing Angry Birds, checking your Facebook, or doing your corporate stuff. All of this will be fed into the algorithm so it can give a really rich biometric score.

However, as a route to market for a company it may prove difficult because it involves dealing with a handset manufacturer rather than a bank or payment provider.

How have your end customers, for example banks, reacted to BehavioSec's technology since it has been implemented?

Well, it involves new concepts, so everybody is a bit intrigued. The general go-to-market approach tends to be: Bank takes the software, tries it internally, says 'yes this is pretty cool' and then does a pilot, trying it out on their website or app to investigate it and see how it works.

This cycle can take quite a long time, but when we get to the deployment we generally hear feedback like: 'this is a good tool', 'its integration is seamless', or 'the results are much more impressive than we expected'.

To date, we have had nobody buy the solution and then not continue to use it. Everybody in the subscription model has decided to keep the licence or even expand it so it has been going great.

However, a few customers have gone through the process and then said: “yes it is great but we're not sure what to do with it”.

Lots of the current authentication technologies are just a nightmare.
For example, PIN numbers and out-of-band SMSs cause so many support headaches.

Because our software is always in the background, lots of customers don't see it – it doesn't need a 24-hour support line or cause massive issues. So it can be a lot more painless for users.

In this sense, could behavioural biometrics be less intrusive for authenticating banking transactions than examples like the credit cards we see with fingerprint sensors?

I suspect solutions like that will be great for high security customers and for people who are interested in new technology, but not necessarily suitable for the mass market. I don't think, for example, that my mother would be rushing out to enrol for services like that.

It is a very cool solution and can be done, but I think it may not be adopted by the wider public.

Behavioural biometrics come in as a lightweight, friction-less option that offers a layer of security which can keep banks ahead of the curve with regard to fraud. It is also low impact in that it doesn't need end user education or user support.

It allows banks to continue to use low level security. There are banks that went from one-time tokens and smartcards to as the preferred entry for the consumer, and now switching to six-digit PINs on their mobile app because it is using the security layer created by us inside.

How does BehavioSec's approach vary in performance from other passive anti-fraud tech like voiceprint recognition?

I think these are different solutions – if I was picking biometrics – I think that behavioral and voice are a lot more acceptable as consumer-friendly tech. Although ours is more about rhythms than personal identification. I think people are a bit spooked by enrolment of physical biometrics whereas voice is normal and natural. We're also seeing the demand for continuous authentication which is impossible for all practical purposes with any other form of biometric.

How do you respond to talk about 'the death of the password'?

I think it is a bit premature.
People are not as uncomfortable with passwords as the security experts would like to predict. If I could safely use the same password for every login – I would love it and I don't think I'm alone.

And I think that is what behavioral can offer