Tell me how you walk and I’ll authenticate who you are: behavioral biometrics

A bank’s app receives an access request from a customer. The person in question has biometric access enabled (fingerprint, for example) and makes use of it with the fingerprint he registered at the time. But the system is suspicious and denies access, while activating all the alarms to warn of a possible case of fraud. And just as well, because the user trying to log in had the appropriate fingerprint (stolen) and the signature key (also obtained illegally) of the customer he was trying to impersonate, but he is not the customer. In a matter of seconds the cybercriminal would have emptied that checking account, but behavioral biometrics verification capabilities , sometimes known as behavioral biometrics, acted in time.

This advanced verification system has evolved the most commonly used to date to a new level. And the best way to understand it is to briefly review the most common authentication modes to date for cases such as, for example, performing a digital onboarding in a financial institution (to open a current account, for example), or accessing, as in the example, the private area through a seamless and secure user experience. The classic factors are:

• Something you have: that is, that the user can carry with him. Like a cell phone carrying an OTP or even the famous and still in use, by some entities, coordinate card.
• Something you are: pure biometrics. Fingerprint, facial recognition, retina scanner…
• Something you know: what the person carries in his or her memory (or written down, although this is not a good option). A password or PIN, for example.

Behavioral biometrics is in rapid and continuous development, and therefore is not always defined or grouped in the same way, but one way is: Something you do (how, where and when you do it). One thought that comes up quickly is “let’s see, that involves a lot of things.” And that’s the key, many that, in combination and sometimes by themselves, are virtually impossible to fake. A system that takes into account user behaviors (and access to analyze them, with the consequent consents) will create a database with details such as the person’s typing speed, pressure on the screen, the inclination with which he usually uses his mobile device, his signature dynamics (not only the signature itself, but how he makes it, how long it takes, how he starts and finishes it…), his dominant hand, the pace at which he walks when accessing on the move, and many more. The possibilities are not infinite, but very numerous. And to the above we can add others that are easier to imitate, but are always useful for a complete authentication, such as the location from which you access the app (some people do it only from home and work), the usual schedules, the IP from which you connect…

Data collection can last for the entire life cycle of the client. And therefore, the extension of the person’s behavioral pattern, too. The more complex, the more secure, because it will be easier for the system to detect anomalies in their behavior when accessing or while the session is in use (continuous verification). And these anomalies, when they become minimal suspicions, lead to the activation of the necessary security measures. Before concluding, we have just discussed the concept of the “behavioral pattern of the person”. Cybercriminals are also people. And sometimes behavioral patterns can be obtained from them. That is, this technology is two-way: if they have fraud case analysis and the thief tries to impersonate a different identity, then behavioral biometrics will verify that the person is who they are: a recognized criminal. And it will thwart their attempts forever.

A final thought, but as it is always said, it is no less important, even less so when we are talking about such potentially serious situations as those caused by phishing. Behavioral biometrics solutions are very useful for use or analysis in every user interaction. This conclusion is reached from several prisms. One is particular. This time of measures can guarantee to the extreme the security and the idea that the person-is-who-he-says-he-is at every moment and invisibly. Why not take advantage of these benefits and launch a behavioral analysis (or as we said, do it continuously) every time the user performs a relevant interaction? And even more so when these security checks are frictionless for customers as they navigate their private areas in banking, insurance or other sectors. A system based on behavioral biometrics can analyze and monitor silently, manifesting itself only when something catches its attention and thus arouses suspicion.

. Esta capacidad para actuar en segundo plano ofrece evidentes ventajas en seguridad, en las posibilidades de las compañías para ofrecer experiencias de usuario atractivas y también para vencer situaciones de exclusión digital o reducir la brecha de ciertos perfiles who are less comfortable with technology. Here the key is the key concept is to accompany invisibly without the need for the user to do anything special. Just feel safe.