It’s about what you do, not who you are

November 3, 2021

Behavioural biometrics offers organisations a unique method of securing transactions with customers, based on how they carry, handle and utilise their personal device. By Richard Craig, Practice Lead: Digital Experience at Altron Security.

In an increasingly digital world, organisations are seeking new ways of handling their customers’ data, as well as verifying who they are. Security has only become more critical as our increasingly connected world finds itself targeted by a host of scammers, hackers and cyber criminals.

While the password has been the traditional form of defence for centuries, this is no longer enough within the digital space. Between social engineering to steal password-related information and people’s own challenges with remembering passwords, the difficulties inherent in maintaining a strong security profile while using an archaic security method are manifold.

It is for this reason that we are witnessing a move away from knowledge-based entries like passwords and security questions, towards one where biometrics – facial and fingerprint scanning – holds sway. Of course, even these can potentially be stolen by dedicated criminals, which is why a further shift in the direction of behavioural biometrics is now taking place.

What behavioural biometrics focuses on is much harder to replicate than personal biometrics: everything from how tightly we grasp our phone to how evenly we walk while holding it. In an age of multi-factor authentication (MFA), this technology offers organisations a way to passively authenticate users with minimal effort on the part of the customer.

For an enterprise, behavioural biometrics adds significant value to its security posture, particularly in terms of fraud prevention. Moreover, it makes sense, since a growing number of people now interface with their device for everything from banking to shopping.

It works because every end-user interfaces with their personal device differently. Individuals differ in the speed, power, pressure and angle of their touch – whether in how they click between items, how they swipe or the pressure they place on the screen when touching it.

Essentially, a behavioural biometrics profile is created of the individual user, which helps them secure their device against cyber criminals. This means that even if the device is stolen and the thief accesses the user’s banking app, merely the unique way they use the device will be enough for the system to understand it is not the owner, and thus block the transaction.

Thus, behavioural biometrics is another key line of defence in an organisation’s security plan. It adds to the mantra of ‘defend in depth’, since by the time this particular security measure kicks in, it is almost a given that the user’s other defences, such as their password and fingerprint scan, have already been compromised.

Ultimately, of course, this is about a lot more than just protecting an individual user’s device – at an organisational level it helps to prevent things like voucher fraud via the use of bots. Then, in an e-commerce scenario, it can stop ‘inventory hoarding’, where people might hoard hard-to-acquire items in a cart, to prevent others from buying them. A good example here is during the Black Friday sales, when there are limited amounts of high value items available online.

The real beauty of this technology is that the user doesn’t even need to know about it – it is a solution that simply runs in the background and uses a ‘trust score’ to determine if the users are who they say they are. Furthermore, there is a continuous re-evaluation of trust, unlike a password or fingerprint, where, once access is granted, that is it. This technology not only looks at what you do when logging in, but continues to check as the device is used whether the user remains trustworthy or not.
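The continuous trust score described above can be sketched in a few lines. This is an added illustration, not code from Altron Security or any product: the three touch features, the smoothing weight, the thresholds, the intermediate "step_up" (re-authenticate) decision and all sample values are assumptions made for the example.

```python
import statistics

FEATURES = ("speed", "pressure", "angle")   # touch traits named in the article
ALPHA = 0.4        # assumed weight of the newest event in the running trust score
Z_MAX = 4.0        # assumed deviation (in std devs) at which similarity hits 0
STEP_UP, BLOCK = 0.6, 0.4   # assumed decision thresholds

def enrol(samples):
    """Build a profile of (mean, stdev) per feature from the owner's touches."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in samples]
        # Floor the spread so a perfectly constant feature cannot divide by zero.
        profile[f] = (statistics.mean(values), max(statistics.stdev(values), 1e-6))
    return profile

def similarity(profile, event):
    """1.0 at the profile mean, falling linearly to 0.0 at Z_MAX std devs."""
    z = statistics.mean(abs(event[f] - m) / sd for f, (m, sd) in profile.items())
    return max(0.0, 1.0 - z / Z_MAX)

def monitor(profile, events, trust=1.0):
    """Re-evaluate trust after every event; trust starts at 1.0 after login."""
    results = []
    for event in events:
        trust = (1 - ALPHA) * trust + ALPHA * similarity(profile, event)
        decision = "allow" if trust >= STEP_UP else "step_up" if trust >= BLOCK else "block"
        results.append((round(trust, 3), decision))
    return results

def touch(speed, pressure, angle):
    return {"speed": speed, "pressure": pressure, "angle": angle}

# Constructed sample data: owner enrolment, then a session that changes hands.
ENROLMENT = [touch(1.0, 0.50, 30), touch(1.2, 0.55, 32), touch(0.9, 0.45, 28),
             touch(1.1, 0.52, 31), touch(1.0, 0.48, 29)]
SESSION = [touch(1.0, 0.50, 30), touch(1.1, 0.52, 31), touch(0.95, 0.48, 29),
           touch(2.0, 0.80, 45), touch(2.0, 0.80, 45), touch(2.0, 0.80, 45)]

if __name__ == "__main__":
    for trust, decision in monitor(enrol(ENROLMENT), SESSION):
        print(f"trust={trust:.3f} -> {decision}")
```

Because the score is a running average, a single odd touch only lowers trust, while sustained unfamiliar behaviour drives it below the blocking threshold within a few events.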

This type of solution is ideal for e-commerce retailers, whose goal is to create a frictionless shopping experience. Perhaps they don’t want biometric authentication at the start of the process, which would make it more difficult – but this solution sits behind everything and ensures a continuous security process is running, without making life tougher for shoppers.

An acceleration in adoption of these new security methods is anticipated, simply because traditional usernames and passwords no longer offer adequate protection. Just as castles were great defensive structures until the invention of the cannon, these security measures have been made outdated by the evolution of cyber crime.

Behavioural biometrics will add to the eventual peace of mind of the user, as they understand that while biometrics is about who you are, it is not just your physical attributes, but also how you do things – and this makes it that much more difficult for the criminals to fake.

After all, people are increasingly aware of their data as an asset and are protective of this – whether it’s their personal or geographic information. Behavioural biometrics suits this more protective attitude as it offers a whole new level of security that is more capable of protecting both the company implementing it and the end-user.