Behavioural biometrics – the users private friend

OWI is an independent advisory firm focused on trust and the data economy. The company aims to help businesses, investors, and governments stay ahead of market trends so they can build sustainable, forward-looking identity-enabled products and strategies. OWI accomplishes this by building community and facilitating dialogue through the KNOW Conferences, as well as services the community with their educational content, news, media, and client services.

When talking about behavioural biometrics, we are looking at a wide range of solutions and technologies. What exactly is the potential of this tech in regards to its advantages and developments?

It may be instructive to first establish a working definition for behavioural biometrics, as contrasted with behavioural analytics. Behavioural analytics focuses on observing patterns in the actions taken by a given user when interacting with a website or application, for example how many clicks a user typically takes to move from browsing an item to placing it in their online shopping cart. Behavioural biometrics, on the other hand, is focused on identifying users based on the patterns and behaviours that underlie their actions, for example how a user’s fingers interact with their touchscreen, the angle at which a user holds their smartphone, or the frequency of typing errors when entering information into forms.

There is great potential for the application of behavioural biometrics technology by cybersecurity and Trust & Safety teams due to the seamless nature of its implementation. With user experience a major battleground in the fight for consumer dollars, strengthening authentication without additional friction is a major competitive advantage. Further, this obfuscation helps to keep malicious actors guessing, as the exact criteria being used to evaluate the authenticity of a login attempt remain obscured.

Considering GDPR, behavioural biometrics offers anonymity and privacy as it does not rely on personally identifiable information (PII). However, how do consumers respond to this technology? Are they concerned or willing to embrace it?

Although the principles underlying behavioural biometrics solutions date back to the telegraph era, widespread implementation of behavioural biometrics in consumer-facing applications did not rise to prominence until 2017. Additionally, few of the enterprises that have currently implemented behavioural biometrics into their consumer authentication flows, openly discuss the use of this technology outside of industry publications and conferences. Based on these factors, consumer awareness of their touchpoints with behavioural biometrics technology and the data it requires remain low.

Based on existing research into consumer attitudes about data sharing, and authentication methods, we expect consumers to embrace the increased cybersecurity, and reduction in friction, offered by behavioural biometrics solutions. The key for enterprises deciding to go public with their use of this technology is clear communication regarding which data is being collected, and the specific ways in which it is being used to protect consumer accounts.

What exactly are the limitations and challenges of this solution for both clients and companies? What can be done to fight or improve on the limitations?

Effectively implementing behavioural biometrics solutions on resource-constrained devices, such as smartphones remains a challenge, as the collection of sensor data may negatively impact battery life and stress device thermal management. It is also important to note that there is no such thing as a silver bullet when it comes to cybersecurity.

While behavioural biometrics platforms can offer valuable signals to identify account takeover attempts and stop fraudsters, layering with additional authentication technologies is necessary to ensure adequate protection from malicious actors. When behavioural biometrics signals indicate that an account may have been compromised, higher-friction fallback authentication methods must be available to provide additional confirmation as to the identity of the user.

How does behavioural biometrics pay a role in preventing the existing types of identity fraud?

The steady drip of consumer data breaches has given fraudsters access to billions of valid username/password combinations for use in automated credential stuffing attacks. While consumers can help to protect themselves with proper password hygiene, behavioural biometrics can play a key role in detecting account takeover with valid login credentials, before any value can be extracted from the compromised account.

You are scheduled to attend the 2019 KNOW Identity conference (24-27 March in Las Vegas). Aside from behavioral biometrics and its applications to the payments industry, what other topics and panels are you looking forward to?

What excites me most about the KNOW Identity Conference is how it brings together experts from across a truly diverse set of industries to confront shared challenges in identity. Breaking down the silos preventing collaboration across sectors was a foundational goal for KNOW, and we have been thrilled with the results. At this year’s show, we have added additional focus on data privacy, security, and regulation, as the impact of GDPR is still being felt across the globe. For your readers concerned with the upcoming impact of the California Consumer Privacy Act (CCPA), key CCPA contributor Ashkan Soltani’s keynote is a must-attend.

About Cameron DAmbrosi

Cameron is a Director of Client Services at OWI, a market intelligence and strategy firm focused on identity, trust, and the data economy. Cameron applies a methodical approach to deriving identity industry market insights and intelligence. Prior to OWI, he was an engagement Manager at Deloitte, focused on assisting financial institutions and licensed money transmitters improve user onboarding journeys while reducing cost and conforming to state and federal regulations. Cameron holds a B.A. from Fordham University in history.