Biometrics enables hassle-free, invisible, yet highly accurate user authentication, says Uri Rivner, head of cyber strategy at behavioural profiling security firm BioCatch.
“A lot of security mechanisms are being piled on users that cause hassle and frustration, but do not really stop the bad guys,” he told Computer Weekly.
Rivner left security firm RSA to join the Israeli startup because he believes the company’s behavioural biometrics technology has the potential to be a game-changer in the fight against cyber threats.
The technology works by injecting subtle deviations as users interact with applications such as online banking.
The deviations are too small to notice but require correction. The way users make those corrections is unique to them, providing a set of measures that can be used to authenticate that user.
For example, if an application requires users to click on a button, the BioCatch technology will shift the button by a few degrees and measure the unconscious adjustments a user makes.
In mobile devices, such as tablet computers, these parameters include the way users hold the device.
“Below a certain threshold, the brain makes the adjustment without the user being aware,” said Rivner.
The technology is designed to measure more than 350 different parameters, with 20 on average being distinct and consistent for a specific user over time.
Any hacker’s response pattern to the invisible challenge will be different, raising an alert to the bank in the context of online transactions.
The technology enables “invisible biometrics” with no hardware or software, allowing continuous authentication throughout the session, for mobile and web, said Rivner.
BioCatch’s first products focus on online and mobile fraud mitigation, and although the technology is at the beta stage, it is already in use by banks in Canada and the US.
According to Rivner, research has demonstrated accuracy of greater than 90%. Only if the interaction pattern does not match that of a genuine user will the bank interrupt with a challenge.
“The technology is proving to be extremely useful in detecting advanced threats, including man-in-the-browser (MITB) attacks, remote access attacks, and automated account manipulation,” he said.
Applying the technology means a user can be authenticated with a high degree of accuracy, regardless of device or location.
“Even if attackers are able to make the device, location, browser and operating system appear legitimate to the application, BioCatch can detect remote access by looking at the user interactions,” said Rivner.
The technology can even identify if interactions are human or automated, eliminating the need for anti-botnet challenge-response technologies such as Captcha, he said.
BioCatch is hoping to meet the growing demand for ways of authenticating users that are not based on what users know, such as their mother’s maiden name, and what they have, such as a security token.