Behavioral Biometrics 101

According to The National Council on Identity Theft Protection, someone becomes a victim of identity theft every 22 seconds.¹ Javelin Strategy & Research found that 42 million US consumers were the victims of identity fraud in 2021, amounting to losses of $52 billion.²

When bad actors can easily find details like email addresses, phone numbers, and birthdates online, steal other personally identifiable information, or buy information someone else has stolen, it’s more important than ever to protect customer data and accounts with stronger security methods – methods that go far beyond passwords and authentication questions.

Biometrics takes security further. By using something intrinsic to the customer that cannot be easily hacked or stolen to unlock their information, biometrics creates a barrier that is exceedingly difficult to break through. There are two types of biometrics: behavioral, which is based on the way a user does something, and physical, which is based on a user’s unique, unchanging physical characteristics.

 

What is Behavioral Biometrics?
Whenever a person performs an activity, even something as simple as typing on a keyboard or walking, there is a unique pattern to the way they do that action.³ Behavioral biometrics uses AI and machine learning to analyze these patterns, establish the norms in an individual, and record measurable characteristics that can all be used to verify a person’s identity.

Behavioral biometrics operates in the background of a web or mobile session, minimizing customer friction as it monitors the parameters that enable it to detect if someone is who they claim to be. It can even determine if the activity is being done by a human or an automated entity.

 

The Difference Between Behavioral and Physical Biometrics
Behavioral biometrics is based on the way a person does something. For example, how they move a mouse around their desk, the pressure they apply to keys or a touchscreen, and the way they move between screens on a computer all have characteristic patterns that, in combination, are unique to that individual.

Physical biometrics is based on something the person is; it includes characteristics that are both unique and unchanging. A common example of using physical biometric authentication is unlocking a phone using a fingerprint or a facial scan. Other physical biometric modalities that can be leveraged for identity verification include iris, retina, and palm scanning; ear shape, hand, and finger geometry; and vein patterns.

Both types of biometrics encrypt data when presented for identification and are used for digital identity verification and authentication. Only the data points necessary to identify the customer are retained in a database. When the customer returns to access their data or account, the biometric input is matched against the data provided at onboarding.

In terms of customer experience, when looking at physical biometrics vs. behavioral biometrics, both offer faster, easier, and more secure onboarding processes than non-biometric approaches. Because it occurs in the background as customers go about their business, behavioral biometrics may offer a higher level of user ease.

 

Types of Behavioral Biometrics
Many believe that the origins of behavioral biometrics lie in the telegraph, when operators could be identified by the way they keyed their Morse code messages. While this is similar to the keystrokes that are used for identification today, these device-based characteristics are only one of three types of behavioral biometrics in common use. The other frequently used behavioral biometrics modalities are body movements and voice recognition.

Device-based
The two most common device-based biometrics used on laptops and PCs are keystrokes and cursor movement. Every person has a different typing pattern when they use a keyboard, including speed of typing and duration, any changes in these for certain key sequences, and even how an individual corrects mistakes in text. Likewise, every person has an individual pattern to how they move the cursor with a mouse or trackpad – from their tracking speed, to how they change direction, to how they click.

On mobile devices, the chip inside a smartphone, for example, is able to capture sophisticated behavioral patterns stemming from human cognition and executive motor control. The touch sensors from the device’s chip can capture data like intensity, dwell time, location, and flight time – to name just a few. The first refers to the strength of a user’s touch, measured by the pressure applied to the touchscreen. Dwell time measures how long a user’s touch lasts on a mobile device’s screen; location concerns the distance from a particular touch and the average location of the touch event. Flight time measures the total amount of time required to enter a password or some kind of sequence into the device.

Body movements
There are three types of body movement that are used to securely identify a person: gait, posture, and handling.

Gait is a person’s walking style, which is made up of many small, synchronized movements that distinguish one person from another, including the speed that they move and the length of their stride.

Posture is how a person holds themselves. For behavioral biometrics, the unique characteristics of how a person positions their body and distributes their weight as they do certain activities is considered. As an example, how a person sits in a chair in relation to their desk and to the computer they are using can distinguish them as a unique individual.

Handling tracks how a person holds and orients their smartphone or tablet by registering the pressure they use on the touchscreen and measuring how they swipe to move between screens.

Voice recognition
Just as we can identify someone by the sound of their voice, biometrics can identify someone from the unmistakable speech patterns they use. Everyone’s speech has distinct and recurring sound variations that can be captured and analyzed.

There are two types of voice recognition methods used for biometric identification: text-dependent and text-independent.

In a text-dependent voice recognition system, a person is asked to repeat a particular phrase or sentence when they onboard, creating a sample of their voice. They are later asked to repeat the same phrase or sentence each time they return to access their account or data.

In a text-independent voice recognition system, a person can be identified from any words they say, both when providing the initial sample and for future authentication. This allows authentication to happen in the background, like when a customer first speaks to a call center agent.

 

Industries That Leverage Behavioral Biometrics
While any business that wants to improve its security can benefit from using behavioral biometrics, its use is growing in fraud-prone industries – often industries that handle highly sensitive and confidential information, and ones that may be subject to regulations.

Banking and Finance
Digital banking has grown in popularity and is an important channel for financial institutions trying to attract new customers and increase revenue. As digital banking has increased, so has fraud in banking: PYMNTS reports that between 2021 and 2022 alone, banking fraud increased 41%.⁴

Banks hold customers’ money and some of their most sensitive personal data, making banking one of the most highly regulated industries. Banks can avoid losses and increase customer trust through biometric authentication solutions to ensure that the person opening the account is both an actual person and who they say they are and to strengthen security for returning users.

Because behavioral biometrics provides continuous authentication throughout an online session (and not just at login), it helps prevent account takeover and fraudulent transfers.

Ecommerce
Online retailers are under constant pressure to provide a fast and easy buying experience for customers. If customers experience too much friction, they may abandon the retailer and seek out another ecommerce site with better UX. This is contributing to the rise in online payment fraud, which was estimated at $41 billion in 2022 and is expected to rise to $48 billion by 2022.⁵

The challenge ecommerce companies face is implementing security that can protect the business from fraud losses, protect customers from account takeovers and other forms of fraud, and do so without making the buying process difficult.

Contact Center
The contact center is a favorite perceived weak spot for bad actors, and it’s where over 60% of all fraud losses occur. Traditionally, a customer is asked to answer a question, like the last four numbers of their social security number, when calling in or initiating a chat with an agent. This level of security, with so much of this information readily available to bad actors online, is insufficient.

With behavioral biometrics, authentication happens in the background; any customer with an issue (who may already be upset by the situation) can launch right into the problem, which helps them feel like they’re on the way to a quick resolution. And the business can be sure that they really are talking to an actual customer.

So, what’s the bottom line for all these industries? Behavioral biometrics lets any organization implement the strong security they need without making identity verification and authentication feel burdensome for the customer.

 

Why Do We Need Behavioral Biometrics?
Security is about balance. If a business makes it too difficult for customers to access their accounts in the name of extra security, that business may lose customers as a result.  At the same time, customers expect that the companies they do business with are actively protecting their accounts and information by using the most advanced security technology available.

Behavioral biometrics offers balance in three important ways:  increased security, improved customer experience, and easy implementation for businesses.

Because behavioral biometric modalities can’t be lost, stolen, or shared, and are practically impossible for criminals to duplicate, they are inherently more secure than non-biometric factors. Behavioral biometrics also offers the benefit of continuous authentication throughout a session, reducing the possibility of account takeover.

In terms of customer experience, behavioral biometrics streamlines both onboarding and account access. It frees customers from remembering passwords and allows authentication to occur in the background as they keep typing or talking

Because behavioral biometrics captures information from existing devices, it can be implemented quickly and cost-effectively.  A growing number of use cases for avoiding fraud support the use of behavioral biometrics by many businesses.

 

Use Cases for Behavioral Biometrics
While there are many use cases for behavioral biometrics, four of the most common include account opening, defending against account takeovers, defending against fraudulent payments, and mitigating insider threats.

Account opening
The number of attempts to open fake accounts skyrocketed during the pandemic. Behavioral biometrics helps businesses avoid falling victim to scammers by detecting the differences between “bad actor” behavior and real customer activity. As an example, because they often don’t have all the details they need to impersonate a real customer, bad actors copy and paste the information (like a birthdate or address) onto a screen; a real user would have typed it in themselves.

By using machine learning, behavioral biometrics understands both the patterns that identify a particular customer and the set of characteristics that set legitimate customers apart from bots and bad actors.

Defending against account takeovers
In its article, “How to Protect Consumers from Account Takeover Fraud,” Payments Journal said: “According to Javelin Research’s latest annual identity fraud study, ATO in 2021 increased 90% from 2020 to an estimated $11.4 billion.”⁶ Account takeovers occur when a bad actor gains access to a legitimate account. The imposter may have stolen the customer’s login credentials or taken over the customer’s computer and, beyond affecting that individual customer, account takeovers give the bad actor entry into a business’s CIAM – with the potential to steal other information and commit additional fraud.

Behavioral biometrics can protect against account takeovers in two ways. First, it can keep bad actors from logging in when they are unable to match the legitimate customer’s behavior. Second, since behavioral biometrics continuously monitors behavior throughout a session, it can also stop bad actors who take over a session after a customer has already logged in.

Defending against fraudulent purchases
LexisNexis reports that every $1 lost in fraud actually costs US merchants an average of $3.75.⁷ At a time when 35% of US ecommerce merchants say they’re seeing a significantly higher number of malicious transactions,⁸ this statistic is doubly troubling. This trend is being driven in part by the growing rate of mobile commerce transactions via smartphones.

By identifying individual customers – whether they’re using a computer, a tablet, or a smartphone –and by being able to differentiate between bots, bad actors, and legitimate customers, behavioral biometrics helps online retailers reduce fraudulent purchases losses.

Mitigating insider threats
For the same reasons passwords don’t provide adequate security for customer account access, they, too, can be a threat to the security of sensitive internal information. Behavioral biometrics ensures credentials can’t be stolen or shared, and that the person with access to the information is the person who should have access.

 

Should You Use Behavioral Biometrics?
Quite simply, every business has something to lose by continuing to use non-biometric factors to secure customer data and accounts. Behavioral biometrics makes improved security available to the widest range of companies who do business online.

Improve your security
Behavioral biometrics is unique in its ability to provide credentials that can’t be shared or stolen and that are very hard to duplicate. Behavioral biometrics excels at unobtrusively identifying legitimate customers, distinguishing bots and bad actors, and being easily implemented using equipment the customer already has.

Improve your accuracy
Behavioral biometrics relies on machine learning; the more behavior it monitors, the more accurate it becomes. This means you can more quickly identify returning customers and more accurately reject bad actors and bots, all without mistakenly keeping out new customers.

Create the right balance between security and experience for your organization
All security methods have thresholds, or the amount of acceptable variation in the credentials that will still result in access being granted. Generally, the tighter the threshold, the more burdensome the user login process, and the higher the number of false rejections that you’ll have to deal with.  Behavioral biometrics understands normal changes in user behavior and takes them into account as part of its machine learning processes. This allows you to maintain the security level you need without increasing false rejections or customer frustration.

To see what your business has to gain, explore the benefits of AI-powered behavioral biometrics from Daon®.

 

---

External Sources:
[1] National Council on Identity Theft Protection, “2022 Identity Facts and Statistics.”
[2] Javelin Strategy and Research, “2022 Identity Study Report: The Virtual Battleground,” March 29, 2022.
[3] BiometricUpdate.com, “Explainer: Gait Recognition,” November 15, 2013.
[4] PYMNTS, “Today in Data: Battling Bank Fraud,” July 11, 2022.
[5] Statista, “Value of e-commerce losses to online payment fraud worldwide from 2020 to 2023,” November 22, 2022.
[6] Payments Journal, “How to Protect Consumers from Account Takeover Fraud,” August 8, 2022.
[7] LexisNexis, “The LexisNexis Risk Solutions True Cost of Fraud Study Finds a 19.8% Increase in Retail Fraud Since 2019,” August 2, 2022.
[8] LexisNexis, “The LexisNexis Risk Solutions True Cost of Fraud Study Finds a 19.8% Increase in Retail Fraud Since 2019,” August 2, 2022.