
SCA and Behavioural Biometrics (2023 Update)

Published: 02.03.2023

Updated: 02.03.2023

Author: Erik Vasaasen

In 2019, the European Banking Authority (EBA) opened the door to using behavioural biometrics for strong customer authentication (SCA): its opinion on the elements of SCA under PSD2 lists behavioural characteristics such as keystroke dynamics as possible inherence ("something the user is") elements. A couple of years have passed since then, so I wanted to take a closer look at what behavioural biometrics is and what adoption looks like for SCA, particularly on mobile devices.

The Case for Behavioural Biometry

Fundamentally, behavioural biometrics can be used for strong customer authentication by analysing patterns of behaviour unique to an individual, such as typing rhythm or mouse movement. These patterns can then be used to verify the identity of a user during the authentication process. 

This has been a helpful mechanism on Windows and Mac computers, as on these platforms it is possible to implement software that continuously monitors and records a user's interactions with their device, such as keystrokes and mouse movements. The recorded data creates a unique "behavioural fingerprint": a template of the user's typical timings and movements. When the user later attempts to log in, their current behaviour is compared to the stored fingerprint, and the match score decides whether they are who they claim to be. The main difference from ordinary biometrics is the source of the signal: behavioural biometrics identifies a person by how they interact with technology, while physical biometrics uses physical characteristics such as a fingerprint or a face.

Some authentication methods span both, such as when the user has to draw a path on the screen. Exactly which points you touch, and in what order, is a knowledge element (similar to a password), while exactly how you do it (speed, timing, the shape of the strokes) is a behavioural element.

The key benefit of pure behavioural biometrics is that the user can be authenticated without having to do anything: they are authenticated simply by being who they are and doing what they normally do, without even touching an ordinary biometric sensor such as a fingerprint reader.
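To make the "behavioural fingerprint" concrete, here is an added example (not code from the original post or from Okay) of the simplest form of it: keystroke dynamics. Enrolment records a few typings of a fixed passphrase, the template stores the mean and spread of each hold and flight time, and a later attempt is scored by its scaled distance from that template. The passphrase, the timing values, the std-dev floor and the accept threshold are all constructed assumptions.

```python
"""Keystroke-dynamics verifier: enrol a typing-rhythm template, then score new attempts.

Added example; this is not code from the original post or from Okay. All
timing data below is constructed. A sample is the list of (key, down_ms, up_ms)
events recorded while the user typed one fixed passphrase.
"""
from __future__ import annotations

import statistics
from typing import List, Sequence, Tuple

KeyEvent = Tuple[str, float, float]         # (key, key-down time in ms, key-up time in ms)
Template = Tuple[List[float], List[float]]  # (per-feature mean, per-feature std-dev)

STD_FLOOR_MS = 5.0      # assumed: never trust a std-dev tighter than 5 ms
ACCEPT_THRESHOLD = 1.5  # assumed: mean scaled distance at which we still accept


def features(sample: Sequence[KeyEvent]) -> List[float]:
    """Reduce one typing of the passphrase to a rhythm-only feature vector.

    Features are the hold (dwell) time of every key followed by the flight time
    between consecutive key-downs. Absolute timestamps drop out, so only rhythm
    is compared.
    """
    holds = [up - down for _, down, up in sample]
    flights = [sample[i + 1][1] - sample[i][1] for i in range(len(sample) - 1)]
    return holds + flights


def enrol(samples: Sequence[Sequence[KeyEvent]]) -> Template:
    """Build the behavioural fingerprint: mean and std-dev of every feature."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all enrolment samples must be of the same passphrase")
    means = [statistics.fmean(col) for col in zip(*vectors)]
    # Floor the spread so a feature that happened to be constant during
    # enrolment does not turn every later attempt into an outlier.
    stds = [max(statistics.pstdev(col), STD_FLOOR_MS) for col in zip(*vectors)]
    return means, stds


def score(template: Template, sample: Sequence[KeyEvent]) -> float:
    """Scaled Manhattan distance: mean of |x - mean| / std over all features (lower is closer)."""
    means, stds = template
    vec = features(sample)
    if len(vec) != len(means):
        raise ValueError("attempt does not match the enrolled passphrase length")
    return statistics.fmean(abs(x - m) / s for x, m, s in zip(vec, means, stds))


def verify(template: Template, sample: Sequence[KeyEvent]) -> bool:
    """True if the attempt is close enough to the fingerprint to accept."""
    return score(template, sample) <= ACCEPT_THRESHOLD


def make_sample(keys: str, holds: Sequence[float], flights: Sequence[float]) -> List[KeyEvent]:
    """Constructed test data: build key events from hold and flight times in ms."""
    if len(holds) != len(keys) or len(flights) != len(keys) - 1:
        raise ValueError("need one hold per key and one flight per key pair")
    events, t = [], 0.0
    for i, k in enumerate(keys):
        events.append((k, t, t + holds[i]))
        if i < len(flights):
            t += flights[i]
    return events


PASSPHRASE = "secret"
# Five constructed enrolment typings: the same person, small natural variation.
ENROLMENT = [
    make_sample(PASSPHRASE, [90, 80, 100, 85, 95, 110], [150, 140, 200, 130, 160]),
    make_sample(PASSPHRASE, [95, 82, 104, 88, 92, 115], [155, 145, 210, 128, 165]),
    make_sample(PASSPHRASE, [88, 78, 98, 83, 97, 108], [148, 138, 195, 133, 158]),
    make_sample(PASSPHRASE, [92, 84, 102, 86, 94, 112], [152, 142, 205, 131, 162]),
    make_sample(PASSPHRASE, [90, 81, 99, 84, 96, 110], [150, 140, 198, 130, 160]),
]
TEMPLATE = enrol(ENROLMENT)
# The same user on a later day, and an impostor who knows the passphrase but
# types it with a flat, slow rhythm.
GENUINE = make_sample(PASSPHRASE, [91, 80, 101, 86, 95, 111], [151, 141, 203, 130, 161])
IMPOSTOR = make_sample(PASSPHRASE, [60] * 6, [300] * 5)

if __name__ == "__main__":
    print(f"genuine  score={score(TEMPLATE, GENUINE):.2f} accept={verify(TEMPLATE, GENUINE)}")
    print(f"impostor score={score(TEMPLATE, IMPOSTOR):.2f} accept={verify(TEMPLATE, IMPOSTOR)}")
```

Two things worth noticing in the scoring: a verbatim replay of a recorded enrolment sample scores a suspiciously perfect 0.0, which is why deployed systems treat an exact match with stored data as a red flag rather than a strong accept, and the threshold has to be tuned per population, since a value that rejects this impostor may also reject a genuine user who is tired, injured or on a different keyboard.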

Behavioural Biometry on Mobile Devices

On a mobile device, behavioural biometrics can (in theory!) work much like it does on a desktop or laptop computer. In addition, phones have more sensors, such as the touchscreen and accelerometer, which can capture patterns unique to the user: where and how quickly they tap, how they hold and move the device. It is also possible (in theory!) to use the camera, GPS or microphone to track the user's movements or speech patterns. But this raises significant privacy concerns, not to mention the impact of regulations such as the GDPR (General Data Protection Regulation).

In terms of GDPR compliance, behavioural data that is processed to uniquely identify a person counts as biometric data, which is a special category of personal data under Article 9. Companies that collect and use it must therefore have a lawful basis (in practice, explicit consent from the individuals concerned) and process the data in accordance with the GDPR's other requirements: being transparent about what is collected and how it is used, collecting no more than the stated purpose needs, and having appropriate technical and organisational measures to protect the data from unauthorised access or use. My impression is that having your bank or fintech do detailed tracking of your behaviour is unlikely to be accepted by many people, even if you explain how it can help secure your account.

But there are also practical matters that make behavioural biometrics harder on mobile devices. The main operating systems, Android and iOS, are much stricter about access to the interfaces needed to observe keyboard and touch activity outside your own app, so an app can realistically only observe behaviour while it is in the foreground. Recording and analysing behaviour continuously in the background would also drain the battery. The flip side of limiting collection to the time the app is running is that there are far fewer data points to analyse, which makes it harder to reach a confident decision and easier for an attacker to mimic the little behaviour that is collected.

In general, behavioural biometrics is vulnerable to such spoofing attacks, where an attacker imitates (or replays a recording of) the behaviour of a legitimate user to gain access to their account. Behavioural biometrics may also not work well for users with certain physical or cognitive impairments or those using assistive technologies (such as screen readers), whose interaction patterns differ from what the models expect and who therefore risk being rejected more often.


How is the Adoption Going?

Looking at the market over the last year, there has been some adoption of behavioural biometrics, but not for strong customer authentication. Adoption has mostly been about lowering fraud rates by analysing sessions after the customer has been authenticated, to identify potentially malicious behaviour by an attacker. An example is how the Polish bank ING allows customers to opt in to behavioural analysis, but only while banking through the app or online front-end. In that case, the collected behaviour might help identify someone trying to exploit the banking app through remote device control. It is still unclear, though, whether this form of tracking is enough on its own to approve or deny a transaction.

Many banking operations involve only a small number of touches. An example is confirming a "request to pay". In my case, it is clicking on the notification, using a fingerprint, and then pressing "approve". That doesn't leave much for analysing my behaviour. SCA solutions like ours have been doing similar analyses for years, as analysing the device's movement during a transaction approval can be an excellent way to identify whether a device is being remotely controlled.
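As an added illustration of the movement check described above (this is an example heuristic, not Okay's product logic and not code from the original post): a finger tapping a hand-held phone leaves a small accelerometer spike at the moment of the touch, whereas touches injected by remote-control tooling arrive with no matching movement. The example also handles the "only a few touches" case from the paragraph above by refusing to conclude anything when there is too little data. The sampling rate, window sizes, spike threshold, minimum touch count and the two traces are all constructed assumptions.

```python
"""Tap-versus-motion check for a short transaction-approval flow.

Added example; not Okay's product logic and not code from the original post.
The heuristic: a finger tapping a hand-held phone leaves a small accelerometer
spike at the moment of the touch, while touches injected by remote-control
tooling arrive with no matching movement. Sampling rate, thresholds and the
traces below are all constructed assumptions.
"""
from __future__ import annotations

import random
import statistics
from typing import List, Sequence, Tuple

AccelSample = Tuple[float, float]   # (time in ms, |acceleration| in m/s^2)

SAMPLE_PERIOD_MS = 20.0    # assumed 50 Hz accelerometer
WINDOW_BEFORE_MS = 40.0    # look slightly before the reported touch time...
WINDOW_AFTER_MS = 120.0    # ...and for a short while after it
SPIKE_THRESHOLD = 0.15     # assumed: deviation from resting |g| that counts as a real tap
MIN_TOUCHES = 3            # assumed: with fewer touches, refuse to conclude anything


def touch_has_motion(trace: Sequence[AccelSample], touch_ms: float, baseline: float) -> bool:
    """Did the accelerometer move noticeably around this touch?"""
    window = [m for t, m in trace
              if touch_ms - WINDOW_BEFORE_MS <= t <= touch_ms + WINDOW_AFTER_MS]
    if not window:
        return False          # no sensor data for this touch: treat as unmatched
    return max(abs(m - baseline) for m in window) >= SPIKE_THRESHOLD


def assess(trace: Sequence[AccelSample], touches: Sequence[float]) -> str:
    """Classify an approval flow from its touch times and the accelerometer trace.

    Returns "insufficient" when there are too few touches to judge, "ok" when
    most touches coincide with movement, and "remote-control suspected" otherwise.
    """
    if len(touches) < MIN_TOUCHES:
        return "insufficient"
    baseline = statistics.median(m for _, m in trace)   # resting |g| for this device
    matched = sum(touch_has_motion(trace, t, baseline) for t in touches)
    return "ok" if matched / len(touches) >= 0.5 else "remote-control suspected"


def make_trace(duration_ms: float, touches: Sequence[float], tap_spike: float,
               seed: int = 0) -> List[AccelSample]:
    """Constructed trace: resting |g| plus sensor noise, plus a 60 ms bump per touch."""
    rng = random.Random(seed)
    trace, t = [], 0.0
    while t < duration_ms:
        m = 9.81 + rng.gauss(0.0, 0.01)
        if any(0.0 <= t - touch < 60.0 for touch in touches):
            m += tap_spike
        trace.append((t, m))
        t += SAMPLE_PERIOD_MS
    return trace


TOUCHES = [500.0, 900.0, 1400.0]    # three touches in a short approval flow
GENUINE_TRACE = make_trace(2000.0, TOUCHES, tap_spike=0.4)   # phone in hand, real taps
REMOTE_TRACE = make_trace(2000.0, TOUCHES, tap_spike=0.0)    # device static, taps injected

if __name__ == "__main__":
    print("genuine:", assess(GENUINE_TRACE, TOUCHES))
    print("remote :", assess(REMOTE_TRACE, TOUCHES))
    print("2 taps :", assess(GENUINE_TRACE, TOUCHES[:2]))
```

The spike threshold has to be calibrated per device model, and a phone lying flat on a table produces much weaker bumps than one held in the hand, so a result like this is one signal to feed into a risk decision rather than a verdict on its own.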

In conclusion, both the adoption of behavioural biometrics and the technology itself have progressed over the last few years. However, some fundamental challenges remain before it can be used for genuinely frictionless authentication. Needless to say, this is a topic we at Okay are quite interested in, so follow us on LinkedIn and sign up for our newsletter if this interests you as well.