Exploring Behavioral Biometrics in Authentication
Following the introduction to physiological biometrics, in this article we’ll be discussing the next category of biometric technology: behavioral biometrics. Let’s get into it.
What is behavioral biometrics?
Behavioral biometrics, or behaviometrics, are our habits and how we usually do things. How we walk, how we speak, how we articulate, and so on, are all examples of behavioral biometrics.
Our digital fingerprint belongs here as well. Let’s say you log in to your online bank account to initiate a transfer. Do you copy-paste the beneficiary’s bank account number, do you type in the numbers with the numpad, or do you use the numbers above the letters on your keyboard? That specific habit is a metric that can be observed and tied to your digital fingerprint.
In other words, we all have our own unique quirks. Behavioral biometrics is about analyzing and codifying those quirks for the purpose of identity recognition. It works by analyzing a user’s physical, digital, and cognitive behavior to distinguish between legitimate users and bad actors.
For one very critical reason, behavioral biometrics is fast becoming a popular tool in the fraud prevention arsenal. Unlike static forms of biometrics, like physiological biometrics, it doesn’t rely on what a user knows or has access to. As we discussed in Part I, stealing or faking physiological biometrics is no easy task. Still, it’s certainly possible for sufficiently motivated hackers. Getting access to your fingerprint might require some effort, but once they’ve got it, they’ve got it forever.
However, behavioral biometrics works differently, making faking or stealing your online identity even harder. Behavioral biometrics leverages machine learning to analyze patterns in your activity and determine whether you really are who you say you are. The data used for recognition in behavioral biometrics is more complex and information-dense, and therefore harder to imitate.
Behavioral biometrics also has another significant advantage: its potential for a frictionless user experience. For example, behaviometrics such as mouse activity, keystroke patterns, touchscreen swipes, and device movement can work passively in the background of a user session. This means a user can be authenticated without disrupting their digital experience. While we’re all used to login screens, that doesn’t mean we find them fun.
Examples of behavioral biometrics
Forensic experts can tell with high confidence whether a signature or a handwriting sample belongs to a specific individual. Although forensic experts only inspect and verify the authenticity of paper-based documents, contracting and other signature-demanding documentation are shifting towards digitization.
With the development of signature recording devices, other data that previously could not be examined became available, for example time, pressure, and velocity. Be careful with the device data, though (we discuss our findings about the challenges of raw device movement data in more detail here).
Thoughtfully implemented, dynamic handwriting and signature recording can lead to great products. We at Cursor Insight already have a product capable of biometric e-signature verification.
The first patent for the acquisition of dynamic signature information was awarded in 1977. Veripen, Inc. published a “Personal identification apparatus” that was able to acquire dynamic pressure information. This device allowed the digital capture of the dynamic characteristics of an individual’s signature.
Handwriting, however, has limited room for application: processes where a signature or a handwriting sample is required. Moreover, because of the entry barriers (hardware needed), the technology has experienced modest adoption.
Voice
A Swedish professor, Gunnar Fant, published a model describing the physiological components of acoustic speech production in 1960. His findings were based on the analysis of X-rays of individuals making specified phonic sounds. These findings were used to better understand the biological components of speech, a concept crucial to speech recognition.
The original model of acoustic speech production, developed in 1960, was expanded upon by Dr. Joseph Perkell, who used motion X-rays and included the tongue and jaw. The model provided a more detailed understanding of speech’s complex behavioral and biological components.
The problem with voice recognition is that it can be faked with modern technology. Two years ago, hackers used a “deep voice” technique during a heist. A bank manager failed to realize he had been duped as part of a well-coordinated attack when he received a fraudulent phone call asking him to authorize transfers of $35 million.
Gait Recognition
Gait recognition software analyzes the precise movements an individual makes as they walk, including the angle of their arms and stride length. Cursor Insight has created a prototype of gait recognition software.
Reportedly, the Pentagon is also testing a solution that enables a smartphone to determine who’s carrying it based on their gait. Applied correctly, this technology could be used to automatically deactivate stolen devices being carried by criminals.
Mouse and keystroke dynamics
Fine motor movements captured while moving the cursor, tapping a phone, or typing on a keyboard also provide a level of uniqueness that cannot be exactly repeated.
The first record of keystroke dynamics was J. Garcia’s identification apparatus patent in 1986.
In 2019, researchers proved that the fusion of instance-based and free-text keystroke dynamics methods doesn’t require as many keystrokes as the previously used pdf-matching technique to be accurate. The new method produced better results after 78 keystrokes than the old one after 134 keystrokes.
Unlike static identity verification systems in use today, a verifier based on dynamic keystroke characteristics allows continuous identity verification in real-time throughout the work session.
But according to a study that analyzed employees’ computer use across 95 organizations, the average weekly use of the mouse is 6.9 hours. On the other hand, the average weekly use of the keyboard is 23,800 keystrokes. Experts say that the standard is that a person types between 190 and 200 characters per minute. Quick math (with 195 keystrokes/minute): 23,800/195=122 minutes. So, the average weekly use of the keyboard is around 2 hours.
It means we use the mouse about three and a half times more than the keyboard. Speaking of which…
From Cursor Movement to User Identity
Behavioral biometric technology is primed to play a critical role in fraud prevention, especially in the era of remote work and rising corporate account takeover attacks. This is where Graboxy Sentinel comes in – a behaviometrics cybersecurity solution developed by Cursor Insight.
Graboxy Sentinel is a motion-based authentication solution, meaning it uses digital movement biometrics to authenticate users. A machine learning tool processes your cursor activity (the fine motor movements being as unique to you as your fingerprint) to create a comprehensive biometric profile. Another AI algorithm then uses this biometric profile to verify users.
The other main advantage of cursor movement analysis is that cursor movement has more measurable dimensions than keystrokes. Moreover, monitoring cursor movement doesn’t pose a risk of leaking sensitive data, unlike logging keystrokes while typing.
How does Graboxy Sentinel work?
Graboxy Sentinel uses machine learning algorithms to analyze unique human movements, categorizing the thousands of tiny behavioral quirks that make you, you.
Combining mouse movements with machine learning algorithms offers several advantages when it comes to cybersecurity and fraud prevention. For example, machine learning algorithms become more powerful over time as they are fed more data. This means that biometric profiles become increasingly intricate and almost impossible to counterfeit. Additionally, users can be continuously authenticated during their session.
If the real-time cursor movement analysis shows a divergence from the user’s biometric profile, Graboxy Sentinel flags the fraudulent user accessing the account. Flagged users can be locked out or re-verified using traditional multi-factor authentication methods.
The result is ultimate protection software against account takeovers.
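The enroll, compare, and step-up flow described above can be sketched in a few lines; this is an added example, not Graboxy Sentinel's code or algorithm. The three features, the z-score divergence, the 3.0 threshold, and the synthetic strokes are all assumptions constructed for illustration.

```python
import math
from statistics import mean, stdev

def features(samples):
    """samples: [(t_seconds, x_px, y_px), ...] -> (mean speed, speed stdev, mean |turn|)."""
    speeds, headings = [], []
    for (t0, x0, y0), (t1, x1, y1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:  # skip duplicate or out-of-order timestamps
            continue
        dx, dy = x1 - x0, y1 - y0
        speeds.append(math.hypot(dx, dy) / dt)
        headings.append(math.atan2(dy, dx))
    # Turning angle between consecutive segments, wrapped into [-pi, pi].
    turns = [abs(math.remainder(b - a, math.tau))
             for a, b in zip(headings, headings[1:])]
    return (mean(speeds), stdev(speeds), mean(turns))

def enroll(sessions):
    """Biometric profile: per-feature (mean, stdev) over the enrollment windows."""
    rows = [features(s) for s in sessions]
    return [(mean(col), stdev(col) or 1e-9) for col in zip(*rows)]

def divergence(profile, samples):
    """Mean absolute z-score of a live window against the enrolled profile."""
    return mean(abs(v - mu) / sd
                for v, (mu, sd) in zip(features(samples), profile))

def decide(profile, samples, threshold=3.0):
    """Keep the session going, or hand off to traditional MFA re-verification."""
    return "step_up_mfa" if divergence(profile, samples) > threshold else "allow"

def synth_stroke(speed, wobble, n=40, dt=0.01):
    """Constructed cursor stroke: steady x travel with a sinusoidal y wobble."""
    return [(i * dt, speed * dt * i, wobble * math.sin(0.5 * i)) for i in range(n)]

# Constructed data: five enrollment strokes, one window resembling the owner,
# and one much faster, jerkier window standing in for a different operator.
ENROLLMENT = [synth_stroke(s, w) for s, w in
              [(380, 2.0), (400, 2.5), (420, 3.0), (440, 2.5), (460, 2.0)]]
PROFILE = enroll(ENROLLMENT)
OWNER_WINDOW = synth_stroke(410, 2.4)
OTHER_WINDOW = synth_stroke(1200, 12.0)

if __name__ == "__main__":
    for name, window in [("owner", OWNER_WINDOW), ("other", OTHER_WINDOW)]:
        print(name, round(divergence(PROFILE, window), 2), decide(PROFILE, window))
```

In practice the threshold trades false rejections of the legitimate user against missed takeovers, so it is tuned on recorded sessions rather than fixed in advance.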
Final thoughts on behavioral biometrics
While physiological biometrics undoubtedly offer increased security over passwords and PINs, they are limited by their static nature. Essentially, even when combined with passwords, static biometrics are still less secure than dynamic solutions like behavioral biometrics.
As we advance further into the 2020s and beyond, we expect to see increased adoption of behaviometrics by security-conscious governments and enterprises across the globe. Motion-based authentication, in particular, will likely experience a steep rise in popularity due to its efficacy and ease of implementation.