A lot of my clients want to talk to me about behavioral biometrics. “What is it?”, “Does it really work?”, “Is it worth the investment?”
Whilst I’m not keeping a strict count, there has definitely been an uptick in the number of client inquiry calls on this topic over the last year or so. I see more and more organizations evaluating it as a way to bolster their defenses against fraudulent account opening and account takeover.
So what is it?
In short, behavioral biometrics (called behavioral analytics by some or for some use cases) analyzes a user’s interactions with a given user interface (UI) to build up a profile for that user. Aspects being assessed include how a user navigates around a page, their typing cadence when entering their username or password, how they swipe a screen or move a pointer, how long they dwell anywhere on the UI, etc. After a few interactions a reliable profile can be created. This can then be used to passively authenticate the user when they return. “Hey, this person logging into Akif’s bank account doesn’t look like Akif because he isn’t typing the password in the same way that Akif does!”
The example above was a 1:1 use case – assessing behavior associated with an existing account, and using that profile to passively authenticate a user accessing that account. Another example is a 1:N use case, where the behavior of a user at account opening is compared to the behavior of all users at account opening. Most genuine new users will behave broadly similarly. A fraudster may behave anomalously – for example by displaying a level of navigational fluency that suggests they’ve filled out your application form many times already, or copying and pasting data into fields that most users would type in from memory.
So behavioral biometrics can help reduce risk at account opening (1:N) and account access (1:1).
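To make the two use cases concrete, here is a toy scorer as an added example; it is not code from the original post or from any vendor product. It assumes three typing-cadence features for the 1:1 case (mean key hold time, mean and maximum gap between key presses), three form-level features for the 1:N case (seconds to complete the form, paste events, backspaces), a mean-absolute-z-score distance and a step-up threshold of 2.0; all of those are illustrative choices, and every session below is constructed by hand rather than captured from a real user.

```python
"""Behavioral-biometrics scoring, 1:1 and 1:N, as a runnable toy.

Added example, not code from the original post or from any vendor. Feature
names, the z-score distance and the 2.0 threshold are illustrative assumptions;
every session below is constructed by hand.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Features = Dict[str, float]
Profile = Dict[str, Tuple[float, float]]   # feature -> (mean, std)
KeyEvent = Tuple[str, str, int]            # (key, "down"|"up", time_ms)


def typed(keys: str, dwells: List[int], flights: List[int]) -> List[KeyEvent]:
    """Build a constructed key-event stream: dwell = hold time of each key,
    flight = gap between successive key-downs (len(flights) == len(keys) - 1)."""
    events, t = [], 0
    for i, k in enumerate(keys):
        events += [(k, "down", t), (k, "up", t + dwells[i])]
        if i < len(flights):
            t += flights[i]
    return events


def keystroke_features(events: List[KeyEvent]) -> Features:
    """Typing-cadence features for the 1:1 case (e.g. password entry)."""
    pending: Dict[str, int] = {}
    dwells, downs = [], []
    for key, kind, t in sorted(events, key=lambda e: e[2]):
        if kind == "down":
            pending[key] = t
            downs.append(t)
        elif kind == "up" and key in pending:
            dwells.append(t - pending.pop(key))
    flights = [b - a for a, b in zip(downs, downs[1:])]
    return {
        "dwell_mean": mean(dwells) if dwells else 0.0,
        "flight_mean": mean(flights) if flights else 0.0,
        "flight_max": max(flights) if flights else 0.0,
    }


def build_profile(samples: List[Features]) -> Profile:
    """Per-feature mean/std over enrolment samples. The std is floored at 5% of
    the mean (and at 1 unit) so a handful of very consistent sessions does not
    produce a brittle profile that rejects the genuine user on an off day."""
    if len(samples) < 2:
        raise ValueError("need at least two sessions to build a profile")
    profile: Profile = {}
    for name in samples[0]:
        vals = [s[name] for s in samples]
        mu = mean(vals)
        profile[name] = (mu, max(pstdev(vals), 0.05 * abs(mu), 1.0))
    return profile


def anomaly_score(profile: Profile, sample: Features) -> float:
    """Mean absolute z-score; 0 means the sample sits exactly on the profile."""
    return mean([abs(sample[n] - mu) / sd for n, (mu, sd) in profile.items()])


def is_anomalous(score: float, threshold: float = 2.0) -> bool:
    """Above the threshold the session should be stepped up (1:1) or referred (1:N)."""
    return score >= threshold


def demo() -> Dict[str, float]:
    # 1:1 -- three constructed enrolment sessions of the same user typing "akif"
    enrol = [typed("akif", [95, 105, 100, 98], [190, 210, 200]),
             typed("akif", [100, 110, 95, 102], [205, 195, 215]),
             typed("akif", [98, 100, 104, 96], [198, 212, 190])]
    user = build_profile([keystroke_features(s) for s in enrol])
    genuine = keystroke_features(typed("akif", [102, 97, 101, 99], [200, 205, 195]))
    # someone with the correct password but a hunt-and-peck cadence
    attacker = keystroke_features(typed("akif", [55, 60, 58, 62], [420, 380, 450]))

    # 1:N -- constructed population of genuine account-opening sessions
    population = build_profile([
        {"form_seconds": 240, "paste_count": 0, "backspace_count": 6},
        {"form_seconds": 300, "paste_count": 1, "backspace_count": 9},
        {"form_seconds": 210, "paste_count": 0, "backspace_count": 4},
        {"form_seconds": 275, "paste_count": 1, "backspace_count": 7},
        {"form_seconds": 330, "paste_count": 0, "backspace_count": 11},
    ])
    new_user = {"form_seconds": 260, "paste_count": 1, "backspace_count": 8}
    # fluent, paste-heavy, no corrections: has filled this form many times before
    repeat_applicant = {"form_seconds": 45, "paste_count": 7, "backspace_count": 0}

    return {
        "genuine_1to1": anomaly_score(user, genuine),
        "attacker_1to1": anomaly_score(user, attacker),
        "genuine_1toN": anomaly_score(population, new_user),
        "fraud_1toN": anomaly_score(population, repeat_applicant),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        verdict = "step-up / review" if is_anomalous(score) else "pass"
        print(f"{name:14s} score={score:6.2f} -> {verdict}")
```

Two things worth noticing: the 1:1 attacker session has the correct password, so only the cadence gives it away, which is exactly the passive signal the post describes; and the same `build_profile` / `anomaly_score` pair serves both cases, the only difference being whether the profile is built from one user's past sessions or from the population of genuine applicants. A real product uses far more features (pointer paths, swipe pressure, navigation order) and combines them with device signals, so treat the threshold here as a placeholder to be tuned against your own false-positive budget.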
So what’s driving the demand?
A few things, I think:
First, as I described in a previous blog post, device fingerprinting is becoming more difficult as time goes by. Many organizations are looking for additional capabilities to add to their passive authentication layer to augment device fingerprinting.
Secondly, UX is king. Many security teams are under pressure to reduce the number of users having to go through active MFA (OTP via SMS etc.). Behavioral biometrics fits neatly alongside device fingerprinting as a way for you to passively authenticate a user. The pragmatic reality is that many organizations still rely on a password plus an additional factor (typically possession of a phone or access to an email account). If the password is correct, it’s the same device the user always logs on with, and their behavior matches their profile, then maybe you’re comfortable enough not to invoke the MFA.
Thirdly, pesky attack vectors like RATs (remote access trojans) and scams (aka authorized push payment fraud in banking) are challenging to detect and prevent, because in both cases the session is driven by, or coached by, someone other than the genuine user. Behavioral biometrics has shown some efficacy as a detection tool in this respect.
Finally, with the ever-present challenge of (synthetic) identity fraud, it’s harder than ever to ensure the integrity of the account opening process without going down the full identity proofing route.
Does it work?
Apparently so (I won’t share actual metrics given to me by vendors in confidence). Many of my clients get a lot of value from using the capability. It’s worth noting that no client I’ve spoken to has deployed behavioral biometrics purely in isolation. It’s often combined with device fingerprinting, and that’s where 1+1=3: based on the vendor data that has been shared with me, it’s the combination of behavioral and device data together that seems to give the most reliable insight.
What’s the catch?
Well, it’s another service you need to pay for, integrate and orchestrate (security vs cost…). Many vendors now offer both device fingerprinting and behavioral biometrics together, so that overhead can be mitigated somewhat. Also, it’s not appropriate for all use cases. If your users typically only log in once or twice a year, it’s going to take a long time to build a behavioral profile, and its reliability would be questionable. Behavioral profiles are also fairly specific to a given device form factor. My behavior when logging onto a website on my laptop is not going to be the same as my behavior when logging on via the mobile browser on my phone, so in practice a user needs a profile per form factor, which stretches the enrolment period further.
I expect the interest in behavioral biometrics to continue and to grow. It’s an increasingly important part of the ATO prevention stack – I have a research note coming out later in May about what the ATO prevention stack should look like, so more to come on that.
Source: Gartner Hybrid Cloud