Behavioral biometric technology is having a moment in the spotlight, thanks to new European banking rules, the rise of machine learning and artificial intelligence, and the never-ending drive to replace passwords.
Recent investment and at least one major acquisition signal even brighter times ahead for the authentication method, but there is still a long way to go. Privacy advocates are also expressing concerns about the spread of the technology, and those appeals could fall on receptive ears given recent pressure from consumers and lawmakers for companies to do more to protect data.
News earlier this week demonstrated the growing appeal of behavioral biometrics — that is, using consumer body movements instead of voice, fingerprint, iris or other static data to authenticate consumers — among major players in the payments world.
The Royal Bank of Scotland is among the increasing number of banks and merchants using behavioral biometrics to monitor visitors to their websites and apps. Two years ago, the U.K.-based bank started using the technology for its wealthy clients. Now, that authentication method is expanding to all of the financial institution’s business and retail accounts.
Here’s how the Royal Bank of Scotland uses behavioral biometrics: As soon as customers log in, software starts recording 2,000-plus movements on the keyboard, mobile app and/or website. On a smartphone, the software measures the angle at which a customer holds the device, which fingers are used to swipe and tap, and how hard or lightly the customer applies pressure. On a computer, the software collects data on the rhythm of the customer's keystrokes and how the customer uses the mouse, according to a report in The New York Times.
Software from Israel-based BioCatch serves as the foundation for the bank’s authentication tool. It builds profiles based on customers' gestures, using them as comparison tools whenever a consumer revisits the site. “Some people move the mouse side to side; some people move it up and down,” said Frances Zelazny, BioCatch’s chief strategy and marketing officer. “Some bang on the keyboard.”
BioCatch said it uses its founders’ expertise in big data, machine learning and AI “to address the next generation of cyber threats by focusing on the behavior of the fraudster as opposed to adding new endpoint security layers,” according to a statement. “The company monitors more than five billion transactions per month and generates real-time alerts when behavioral anomalies are detected, stopping fraud at the source and reducing the significant operational costs associated with managing the fraud.”
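The profile-and-compare idea described above can be sketched for keystroke rhythm alone. This is an added example, not BioCatch's or the bank's code: it uses scaled Manhattan distance, a common keystroke-dynamics baseline, and the timing samples, the `typed` helper and the threshold of 3.0 are all constructed assumptions.

```python
import statistics

def features(events):
    """events: (key, press_ms, release_ms) tuples in typing order.
    Returns dwell times (hold per key) followed by flight times (gap between keys)."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Build a profile: per-feature mean and mean absolute deviation."""
    profile = []
    for col in zip(*[features(s) for s in samples]):
        mean = statistics.fmean(col)
        mad = statistics.fmean([abs(x - mean) for x in col])
        profile.append((mean, max(mad, 1.0)))  # floor avoids division by zero
    return profile

def anomaly_score(profile, events):
    """Scaled Manhattan distance: average deviation in units of the user's own spread."""
    vec = features(events)
    if len(vec) != len(profile):
        raise ValueError("sample does not match the enrolled phrase length")
    return statistics.fmean([abs(x - m) / d for x, (m, d) in zip(vec, profile)])

def decide(profile, events, threshold=3.0):
    """Assumed policy: above the threshold, ask for another factor rather than block."""
    return "step-up" if anomaly_score(profile, events) > threshold else "allow"

def typed(dwells, flights):
    """Constructed helper: turn dwell/flight lists into timestamped key events."""
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((f"k{i}", t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

# Constructed sample data: three enrollment sessions typing the same 4-key phrase.
ENROLLMENT = [
    typed([90, 85, 100, 95], [120, 110, 130]),
    typed([95, 80, 105, 90], [125, 105, 135]),
    typed([85, 90, 95, 100], [115, 115, 125]),
]
GENUINE = typed([92, 84, 98, 97], [122, 108, 128])    # close to the enrolled rhythm
IMPOSTOR = typed([140, 150, 60, 130], [60, 200, 70])  # same keys, different rhythm
THRESHOLD = 3.0

if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for name, sample in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(anomaly_score(profile, sample), 2), decide(profile, sample))
```

Scaling each deviation by the user's own variability means a naturally erratic typist is not flagged for the same absolute drift that would be anomalous for a very consistent one.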
BioCatch reportedly is among a dozen or so significant sellers of behavioral biometrics technology, a group that includes IBM as well as relatively unknown startups.
So what’s fueling all this behavioral biometric activity?
One factor is the second Payment Services Directive — known as PSD2 — which has come into effect in Europe, with additional rules set to start in September 2019.
The general aim of the PSD2 is payments innovation. Security, though, is another goal.
PSD2 rules also include requirements for strong customer authentication (SCA), an identity verification procedure that leverages multifactor authentication. SCA pulls in factors such as ownership (i.e., the transaction is coming from a device that is recognized as belonging to the consumer) and inherent traits (such as biometric identifiers). In addition, there will be further requirements for contactless payments, including asking the user to enter their PIN (or use their fingerprint) to verify every fifth transaction made on the card.
Observers see a lucrative opening for biometrics within the new PSD2 regime.
“More customers would trust using a biometric than having to remember a password,” reads one such analysis. “In part, the amount of data breaches has been responsible for this trend as well as the explosion of smart devices.”
Payments players are trying to make the most of that opening. For instance, Mastercard has a plan for fingerprint-scanning cards in the U.K. The payments firm is reportedly already testing the card in South Africa. The product combines chip technology with a fingerprint scanner to verify the cardholder’s identity when making purchases in-store or online.
Mastercard also made a move specifically into behavioral biometrics via its 2017 acquisition of NuData Security, a global technology company that helps businesses prevent online and mobile fraud using session and biometric indicators. NuData's flagship product, NuDetect, helps organizations form digital trust by identifying users based on their online interactions — behavior that can’t be mimicked or replicated by a third party. The information collected enables merchants and issuers to make near real-time authorization decisions.
One of the largest B2B buyers in the world — the U.S. military — is reportedly also getting into behavioral biometrics in a “big way,” showing the potential appeal of the technology beyond payments.
An unnamed private company with funding from the U.S. Department of Defense is at work on a project that involves tying together military hardware with such authentication factors as “hand pressure, wrist tension and gait while walking,” according to the report. “These behavioral biometrics will then be linked to a risk assessment score, which will enable services, applications and even secure facilities to determine their own thresholds for access.”
Expect more such activity.
One recent estimate predicted that the global behavioral biometric market will exceed $2.5 billion by 2023, up from $871 million this year. “The key factors driving the behavioral biometrics market include growth in online transactions and online fraudulent activities, and higher compatibility with emerging AI technologies,” the report said.
Expect a backlash, too.
So far, few countries have any laws about how to collect and use data captured by behavioral biometric authentication technology, according to The New York Times. That has privacy advocates — already emboldened by Europe’s recent enactment of the GDPR, and similar efforts in California and elsewhere — concerned.
“This is the kind of data that usually has some kind of consumer protections around it, but here there’s none at all,” Pam Dixon, the executive director of the World Privacy Forum, told the newspaper. “Companies are using these systems with no notice of any kind.”
Growing tension about privacy appears likely as behavioral biometrics gains more attention and use in the coming months and years. There is little doubt that it will continue to attract investment as its use cases accumulate.