Is behavioral biometrics the next cybersecurity weapon?
You don’t need to be a tech insider like me to know that cybercriminals and their methods are continually growing in sophistication. To keep up, security and authentication methods constantly need to evolve too.
The main issue I hear time and time again from clients is that these extra authentication methods can be cumbersome for the user, putting them off using them entirely. In fact, a recent survey from Prove found that 33% of consumers don’t enable multi-factor authentication (MFA) because they find it too annoying. Chances are, you’re one of them. (No need for shame — even your friendly neighborhood Undercover Geek balks at extra security steps every once in a while.)
So, what’s the solution? A rising number of industry experts think it could be behavioral biometrics authentication. And the money doesn’t lie. According to market research group IMARC, the global behavioral biometrics market was worth $3.6 billion in 2022. They expect this to increase to US $7.9 billion by 2028, a growth rate of 13.5% during 2023-2028.
But what exactly does this mean for you? Find out with my inside scoop on why behavioral biometrics might soon be a big deal in cybersecurity.
What is behavioral biometrics?
When you hear the word biometrics, you probably immediately think of things like face recognition and fingerprint scans. But that’s just one category of biometrics. There are actually several more that account for different parts of human physiology that can be used for identity verification. The three main categories of biometrics are:
- Morphological biometrics: This type focuses on unique physical traits of your body. Security scanners can be trained to recognize anything from the previously mentioned face and fingerprints to retinas, ears, and even veins.
- Biological biometrics: This type is essentially DNA recognition and requires collecting elements of human physiology like blood samples or other bodily fluids.
- Behavioral biometrics: This type focuses on recognizing behavior patterns unique to every person. Many people are unaware of how unique their walk, voice, or handwriting is, but security systems can be trained to pinpoint your identity utilizing these markers.
As you’ve probably noticed, morphological is currently the most commonly used type of biometric authentication, while biological biometrics is somewhat invasive, so it generally isn’t used outside of high-stakes environments. Let’s be real — if you’re currently unwilling to download an extra app to your phone for authentication purposes, would you really be willing to provide a vial of blood for each new site you sign up for and every time you sign in after that? Yeah… didn’t think so.
That brings us to behavioral biometrics. It isn’t so widespread yet, but that’s set to change soon.
How can behavioral biometrics be used for authentication?
I’ve given you a fair idea of behavioral biometrics, but what does it look like in action? Practically, it can pinpoint individual traits, habits, and patterns to identify users. When users interact with a server that runs a behavioral authentication system, the system tracks multiple aspects of their behavior and learns who they are from their unique behaviors, patterns, and how they interact with the technology. This makes it an effective way to block unauthorized access to accounts. Because the system becomes so familiar with the user’s unique behavioral patterns, it is much harder to impersonate them.
The kinds of behavioral patterns a biometric authentication system might look out for include:
- Typing patterns: This tracks not just your typing speed but also cadence, which is basically the rhythm of how you type. For example, it measures how much time you spend pressing down on keys before the next keystroke.
- Touchscreen pressure: This measures how much force you use when tapping or swiping on your device’s screen during use.
- Device tilt: What direction you tend to tilt your device when using it, as well as the hand you hold it in.
- Mouse movements: Much information can be gleaned from mouse movements, from tiny hand movements to click speed.
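To make the typing-pattern item concrete, here is an added example (not part of the original post and not any vendor's code) that turns key press and release times into dwell and flight features, enrolls a template, and scores new samples with a scaled Manhattan distance chosen here for illustration. The function names, the 3.0 threshold, and all timings are assumptions constructed for the demo; the last sample shows the same user typing slower and being rejected.

```python
from statistics import mean, stdev

def make_sample(dwell, flight, text="geek"):
    """Constructed test data: build (key, press_ms, release_ms) events."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwell[i]))
        if i < len(flight):
            t += dwell[i] + flight[i]
    return events

def features(events):
    """Dwell (hold time per key) followed by flight (release to next press)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature (mean, spread) template; spread floored at 1 ms."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), 1.0)) for c in columns]

def score(template, events):
    """Scaled Manhattan distance: mean deviation in units of spread."""
    vec = features(events)
    if len(vec) != len(template):
        raise ValueError("sample does not match the enrolled phrase length")
    return sum(abs(x - m) / s for x, (m, s) in zip(vec, template)) / len(vec)

def verify(template, events, threshold=3.0):  # threshold is an assumed value
    return score(template, events) <= threshold

# Constructed enrollment data: one user typing the same word four times.
TEMPLATE = enroll([
    make_sample([95, 80, 85, 110], [60, 40, 70]),
    make_sample([100, 85, 80, 105], [65, 45, 75]),
    make_sample([90, 75, 90, 115], [55, 35, 65]),
    make_sample([105, 80, 85, 110], [60, 40, 70]),
])
GENUINE = make_sample([98, 82, 84, 108], [62, 38, 72])      # same user, normal day
IMPOSTOR = make_sample([140, 130, 60, 70], [150, 120, 20])  # right word, wrong rhythm
SLOWED = make_sample([137, 115, 118, 151], [87, 53, 101])   # same user, about 40% slower

if __name__ == "__main__":
    for name, s in [("genuine", GENUINE), ("impostor", IMPOSTOR), ("slowed", SLOWED)]:
        print(f"{name:9s} score={score(TEMPLATE, s):5.2f} accepted={verify(TEMPLATE, s)}")
```

A production system would use far more enrollment data and fall back to another factor on rejection rather than locking the user out.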
Benefits and use cases of behavioral biometrics
As an authentication method, behavioral biometrics is the opposite of cumbersome. Its main appeal, according to my insiders who’ve adopted it, is that it’s passive. The user doesn’t have to take any extra steps to set it up — all they need to do is use a website, app, or platform how they usually would. No downloading additional apps, taking pictures of their face, or giving fingerprint verification data. Everything happens in the background. This ease of use and strengthened safety appeals to both business owners and customers (and me, if I’m being honest).
Another essential appeal is the ability to continuously authenticate and confirm the right user is present, again without any extra input from the user. Continuous authentication assesses user behavior on an ongoing basis to determine who they are rather than asking them to log in again or confirm a location change.
Behavioral authentication will likely appeal across all industries, but sectors where it would be especially effective include:
- Healthcare and the remote services industries, where accurate identity verification is of the utmost importance.
- Banking and e-commerce industries, which are always looking for the most effective methods to stop fraud in its tracks.
- IoT and smart devices, where authentication and privacy have proved a challenge thus far.
Ethics and concerns
Every exciting new technology has pros and cons, and behavioral biometrics is no exception. While many of my contacts are excited about behavioral biometrics, others can’t help but find it a little creepy. They’re already uncomfortable with how they’re currently monitored online via cookies and other less delicious-sounding trackers. Monitoring potentially more intimate aspects of behavior understandably raises the discomfort level for some. Key concerns relate to privacy and the potential misuse of data.
In an online landscape where a large percentage of people are concerned about privacy, not everyone will feel comfortable with a company tracking every element of their behavior to build a profile or template of who they are. A study from the EU’s Policy Department for Citizens’ Rights and Constitutional Affairs highlights how any kind of biometrics data collection has the potential to interfere with human autonomy:
“Once this template is created and stored, anyone who comes into possession of it in the future has the power to trace and recognize that individual anywhere in the world and potentially for any purpose.”
The data collected is also at risk of being abused, from discriminating based on certain kinds of profiles to surveilling all aspects of employee behavior under the guise of improving productivity. (Interestingly, such surveillance tends to backfire on employers while making workers anxious and unhappy. People don’t like being spied on all day and having limited toilet breaks. Who knew?) There is also the potential of “function creep,” which is when user data is used for another purpose than what they initially agreed to.
Then there’s the issue of accuracy. Like all developing technologies, behavioral biometrics isn’t always foolproof, and the risk of false negatives and positives exists. For instance, if someone’s behavior changes because of an injury or illness, the system may identify them as a malicious actor.
Because of these potential downsides, I advise companies to weigh the potential risks and challenges of behavioral biometrics before they adopt it.
Key players in the behavioral biometrics market
If you’re interested in potentially adopting behavioral biometrics, let’s take a quick look at a few of the major players and what they offer:
- BioCatch: BioCatch offers advanced fraud protection through a combination of behavioral insights, device fingerprinting, and network analyses.
- LexisNexis: The LexisNexis BehavioSec solution promises to reduce fraud, complexity, and consistency while improving trust, customer experience, and business.
- SecureAuth: Their MFA tool analyzes keystrokes, mouse movements, and other behaviors to create profiles for users.
Biometrics with boundaries
Behavioral biometrics is undoubtedly an exciting solution with countless possibilities for improving authentication and strengthening cybersecurity across the Internet. An authentication method rarely provides an advanced level of security while being user-friendly. But like any other technology, it’s not foolproof, and there is some abuse potential. So companies should consider whether behavioral biometrics would make sense with their particular business models and security practices before taking the plunge.