Anyone familiar with the world of authentication knows there are three main methods for identifying a user.
What they know (a password).
What they are (fingerprint, voice or iris).
What they have (a mobile phone).
Each has its well-documented pros and cons. Criminals can steal a password. They may even be able to steal a fingerprint. And users don’t always log in from a device that can be uniquely identified like a phone.
This is why Swedish startup BehavioSec has come up with another means of authentication.
What you do.
The Swedish company has devised a behavioral biometrics technology that observes how the user interacts with a device or browser, analysing the rhythm of typing, the key pressure, swipe speed, finger positioning and typing velocity.
In other words: it’s not what you type, it’s the way that you type it. That’s what gets results.
Here’s how it works: BehavioSec’s behavioral biometrics software is embedded in a bank’s website or app so it can scan a user’s activity fingerprint. Thereafter, its machine-learning algorithm builds up a unique profile and a biometric score.
Every time a user logs in, it compares his or her activity with what’s in the database.
It takes around nine interactions for behavioral biometrics to identify someone, with touch pressure being the most instantly accurate of all the parameters.
Ironically, it’s familiar passwords and PINs that offer the quickest means of identification. When someone knows a word or phrase well, they are more consistent in the way they type it.
When they are given a randomly generated passcode, they deliberate over it.
Because the system is confident of a person’s identity, legitimate users can enter a secure service with the minimum of fuss.
Anyone the behavioral biometrics system flags up as questionable is diverted to more stringent security processes – they’re asked to answer questions or use a card reader for example.
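The enrol, score and step-up flow described above can be sketched as follows. This is an added illustration, not BehavioSec's algorithm or code: the z-score model, the threshold, the deviation floor and all timing values are assumptions made for the example.

```python
from statistics import mean, stdev

MIN_SAMPLES = 9   # the article cites "around nine interactions" before a user is identifiable
THRESHOLD = 2.0   # assumed cut-off on the mean absolute z-score; would be tuned on real data
STD_FLOOR = 5.0   # assumed floor (ms) so a very consistent typist does not yield huge z-scores

def build_profile(samples):
    """Build per-feature (mean, std) from enrolment samples.

    Each sample is a vector of inter-key intervals in ms for the same
    familiar secret. Returns None until enough samples exist.
    """
    if len(samples) < MIN_SAMPLES:
        return None
    columns = zip(*samples)
    return [(mean(col), max(stdev(col), STD_FLOOR)) for col in columns]

def distance(profile, attempt):
    """Mean absolute z-score of one login attempt against the profile."""
    if len(attempt) != len(profile):
        raise ValueError("attempt has a different number of timing features")
    return mean(abs(x - m) / s for x, (m, s) in zip(attempt, profile))

def decide(profile, attempt):
    """Return 'allow' for a confident match, otherwise 'step_up'.

    'step_up' stands for the stricter path the article mentions
    (security questions, card reader). An immature profile also steps up.
    """
    if profile is None:
        return "step_up"
    return "allow" if distance(profile, attempt) <= THRESHOLD else "step_up"

# Constructed sample data: nine enrolment runs of five inter-key intervals (ms).
BASE = [120, 95, 140, 110, 130]
OFFSETS = (-8, -6, -4, -2, 0, 2, 4, 6, 8)
ENROL = [[b + OFFSETS[(i + 2 * j) % 9] for j, b in enumerate(BASE)]
         for i in range(9)]
PROFILE = build_profile(ENROL)

GENUINE = [123, 92, 144, 108, 133]    # constructed: close to the enrolled rhythm
IMPOSTOR = [180, 60, 200, 70, 190]    # constructed: same keys, different rhythm

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(distance(PROFILE, attempt), 2), decide(PROFILE, attempt))
```

The deviation floor matters for the familiar-password case: the more consistently a user types, the smaller the measured spread, and without a floor ordinary jitter would push a legitimate user into the step-up path.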
BehavioSec says the success rate of the technique is extremely high. In a pilot trial with Danske Bank, the product distinguished between legitimate users and imposters in 99.7 per cent of cases.
The behavioral biometrics tech also scores with end users because it’s invisible. There’s no extra security that the user knows about. As far as they’re concerned, they’re just typing and swiping as normal.
Neil Costigan, CEO at BehavioSec, says it’s this combination of speed and unobtrusiveness that appeals to clients.
“The real plus is the user experience. If a consumer is taking 60 seconds to make a payment, you don’t want 30 seconds of that to be the log-in.”
Banks seem to like it. Costigan says most Nordic banks now use its system and that further launches are under way with financial firms across Northern Europe. Corporate customers pay on a per user per year basis.
The firm has tens of millions of end users. At present they are nearly all bank customers. However, Costigan can see many more sectors taking an interest in behavioral biometrics. These include government and education.
He says: “Banks tend to be easy adopters of security tech, but we are getting interest from more verticals now. There are plenty of industries where the person with the licence isn’t necessarily the person who logs in.
“In these scenarios the system has to ask: who is it? Our tech can do this.
“And there are other situations like in education where it may be that some people try to cheat and attempt to log in as someone else. That’s another area we can look at.”
The fact that BehavioSec has a proven behavioral biometrics tech and a scalable business model is not lost on investors.
In 2014 BehavioSec announced a $6.2 million round led by Northzone and Octopus Investments. Existing investors, Conor Venture Partners and Partner Invest Norr, also contributed.
That followed a 2011 round of $500k and a 2008 round of $1.2 million to bring BehavioSec’s total funding to almost $8 million.
The funding is helping BehavioSec scale its sales and marketing into new regions, and to build out its tech.
The firm is already talking to handset makers about embedding behavioral biometrics technology into smartphones so the entire device becomes contextually aware of who’s using it.