Behavioral Biometrics

What is behavioral biometrics?

Behavioral biometrics analyze the way a person interacts with their mobile device, such as how they hold their phone or how fast they type. As a result, behavioral biometrics create a pattern of behavior that is unique to a person. In contrast to active methods of authentication, such as a face scan or a PIN, behavioral biometrics are considered passive because they do not require any additional action from the customer, which improves their digital banking experience. It is important to distinguish between behavioral biometrics and physical biometrics even though the reasons for using them are similar. Biometrics measure a person’s unique physical characteristics to verify their identity and could include a fingerprint, face recognition, palmprint or palm veins, iris or retina recognition or hand geometry.

How behavioral biometrics work

Unlike biometrics based on static, or unchanging, biological traits like a fingerprint, behavioral biometrics analyze a customer’s actions for continuous authentication behind the scenes. This is why behavioral biometrics are often described as passive. Behavioral biometrics look at a person’s unique movement patterns to allow for constant comparison to past behavior and constant authentication throughout the banking session, strengthening fraud protection. This kind of analysis results in a score evaluating the probability that the person performing the actions is the legitimate customer. The greater the similarity score, the less the financial institution has to worry about the person’s identity and intent, enhancing the user experience. Conversely, a lack of similarity between a customer’s behavior compared to their historical profile justifies additional layers of authentication, such as a fingerprint scan. Behavioral biometrics combined with machine learning, which can analyze vast amounts of data to spot anomalies in real time, and risk assessment techniques can help reduce fraud. Behavioral biometric data are challenging to duplicate because each person has a specific profile of their habits and movements, which are constantly compared to activity they are performing during a banking session. There are few privacy concerns because a customer’s behavioral data is converted to a mathematical representation within their profile, which would be meaningless to a fraudster who had access to it. Behavioral biometrics algorithms can ensure that the person actually in the banking session is the person presumed to be doing it.

Types of behavioral biometrics

Behavioral biometrics are changing customer authentication, adding another seamless layer of security without the customer needing to actively participate. By analyzing the way an individual interacts with their mobile device, behavioral biometrics is used to identify a customer’s unique pattern of behavior during a banking session.

• How you hold your phone: Behavioral biometrics analyzes the angle at which you hold your phone and the dominant hand you use when on your phone.
   
• Swipe or scroll patterns look at whether you swipe right or left on the touchscreen of your device and how you scroll up or down on your device.
   
• Keystroke rhythm analyzes the manner and speed of your typing to determine distinctive patterns. The amount of finger pressure used when you are typing can be put into a recognizable pattern, which can help prevent identity theft and minimize the risk of online fraud.
   
• Your gait, or how you walk, is also a behavioral trait that can be studied for a pattern.
   
• Finger pression on keypad and typing rhythm analyze how hard you press on the keys, how fast you type and pauses in typing to establish a cadence.

How behavioral biometrics help prevent fraud in financial services

Behavioral biometrics address security requirements, allowing financial institutions to verify a customer’s identity on a continuous basis, regardless of their device, location, or entered data. In short, it’s a discreet way to verify user actions, while shifting the burden of security away from the customer to passive fraud detection by a financial institution. Behavioral analysis can detect deviations from the user’s typical behavior by comparing against historical data related to time of the login, transaction amounts, new payees, and address changes, among others. Behavioral biometrics have emerged as an important cybersecurity technology that identifies people by how their habits, or what they do, identifying behavioral patterns of legitimate end users against would-be fraudsters. Financial institutions increasingly need state-of-the-art measures such as behavioral biometrics that provide continuous, adaptive authentication while reducing costly administrative headaches and end-user friction

Behavioral biometrics can be used to detect different types of fraud

• Application fraud is usually the result of data breaches, which have spiked in 2020 largely due to the COVID-19 pandemic. The growing number of data breaches give cybercriminals a trove of personally identifiable information (PII) to impersonate existing individuals and also to build synthetic identities, which use a combination of real and stolen personal information. In this case, behavioral biometrics perform several continuous checks during the application process. One of the checks will define how fluently a user navigates through the application process. Does the customer use keyboard shortcuts such as copy and paste, or a script to automate the process to fill out the application quickly or are they taking a longer amount of time to fill in personal information? If the representative peer group didn’t do that, it may indicate that the fraudster is already familiar with the process. This kind of check also can be tailored to a specific region and use case. For example, if a region’s population doesn’t generally use the copy-past feature to enter their ID number or other information, but the applicant does, behavioral biometrics can flag this activity as potential fraud.
   
• New account fraud happens when a fraudster has successfully passed a bank’s onboarding process and the fraudulent account appears to be legitimate. Best practice is to compare the new user’s behavior against a representative pool of customers. During that analysis, a bank’s anti-fraud system can analyze indicators such as spending behavior compared to the average; sequence of actions; and navigation data related to machine-like or bot behavior, to help detect fraudulent accounts.
   
• Account takeover fraud occurs when a cybercriminal gains access to the victim’s login credentials to steal funds or information through phishing, malware or other attacks. Behavioral biometrics can help financial institutions protect legitimate customers from becoming victims of account takeover (ATO) fraud because it performs user-specific anomaly detection by comparing current behavior with past activity.

How behavioral biometrics is part of risk-based authentication

A financial institution can positively verify a customer’s identity at the beginning of a banking session, but 10 minutes later they could be trying to do a large monetary transaction that might not fit past behavior. While multi-factor authentication or MFA (something you know, something you have, something you are) is an essential part of a modern authentication approach, asking customers to take additional steps can be annoying and frustrating for them. The use of behavioral biometrics as part of risk-based authentication (RBA) works as passive fraud prevention to capture multiple data points and analyze them without affecting user convenience to determine whether the customer is the legitimate user performing a transaction.

Behavioral biometrics analyzes the customer’s interactions with their mobile device in comparison to a previously developed user profile. The greater the similarity score, the less the bank has to worry about the customer’s identity and intent. A lack of similarity between a customer’s behavior in comparison to their profile justifies the application of additional layers of authentication.

According to Aite Group analyst Shirley Inscoe, behavioral biometrics give financial institutions an effective tool to improve customer authentication and fight account takeover attempts. “Behavioral biometrics scores activity and enables financial institutions to take action when scores indicate suspicious activity,” she says. “For example, if a customer is moving funds out of the institution, a higher score can be required than if an account balance is being checked.”

How Behavioral Analysis Complements Behavioral Biometrics in Fraud Prevention

While behavioral biometrics generate a score to asses how data matches a customer’s historical behavior with their current behavior or with a representative peer group, behavioral analytics considers a broader context. A person’s usual behavior across banking channels and transaction habits can also be part of a behavioral pattern. Therefore, behavioral analysis takes into account the way the user interacts with the account – what time they usually log in, whether they add new payees at unusual times, what they have done in the past, whether their cross-channel behavior is consistent, etc. All of this data is evaluated to generate a consistent behavioral profile, which is used to assess the risk of fraud. This way, behavioral analysis can even detect unknown fraud scenarios since it relies on the user’s typical behavior.

What analysts say about behavioral biometrics?

Lower costs and improved customer experience are driving the increasing interest in biometric authentication. “Security and risk management leaders responsible for identity and access management (IAM) and fraud prevention continue to seek approaches for identity corroboration that balance trust and accountability against total cost of ownership and UX/CX,” said Ant Allan, research vice president at Gartner. “Implementing this via smartphone apps provides more consistency in UX/CX and is technically simpler than supporting it directly on a variety of different endpoint devices.”

Infosecurity magazine says behavioral biometric authentication methods have risen in popularity because they provide a mechanism to passively authenticate people without their knowledge. “Another factor which works in favor of this type of authentication is that the collection of data points required for authentication is dynamic. Other authentication types like passwords, PINs or fingerprints have static data or static templates stored at the point of enrolment. This data can be used by people who manage to steal them. With dynamic data points, behavioral profiles are adjusted continuously rendering any stolen data useless.”

According to Aite Group analyst Shirley Inscoe, “Methods such as behavioral biometrics enable FIs to authenticate their customers in a transparent manner with no negative impact to the consumer. This also improves the customer experience, which is a goal of many FIs in addition to preventing fraud.”

Finally, Gartner predicts that by 2022, 70 percent of organizations using biometric authentication for workforce access will implement it via smartphone apps, regardless of the endpoint device being used. In 2018, this figure was fewer than 5 percent.

How behavioral biometrics improve customer experience

Behavioral biometrics work in the background without asking the customer to perform any additional authentication steps. As a result, behavioral biometrics are a seamless and positive experience for customers, but are challenging for fraudsters because each individual has a specific profile of their habits and movements, which are constantly compared to activity they are performing during a session and are difficult to duplicate.