6 November 2019
Behavioral biometric authentication: the most user-friendly authentication solution in the near future
The field of online authentication has been subject to the long-standing battle between ease of use and strong security. After all, developers face a dilemma because strong security can lead to friction, causing users to quit before they even completed the authentication process. According to Wael Elloumi, researcher at CTO/R&D/Trusted Services at Worldline, the search for the right identification method has led to a proliferation of authentication possibilities. This confuses consumers, because they have to identify themselves differently for each online service, which makes it difficult to distinguish between real and fake. In this blog he explains why.
Reducing criminal opportunities
Criminals make use of this lack of knowledge. They are stealing data from customers, for example via phishing: with personally written e-mails that are similar to e-mails from well-known and trustworthy companies, criminals try to retrieve log-in data. To reduce fraud opportunities for criminals and to ensure that banks, merchants and customers can pay safely, the European Union introduced Strong Customer Authentication (SCA) as part of PSD2 (Payment Service Directive 2 - 2015/2366), which is effective since January 2018.
So how does SCA work? In order to approve a payment, customers will have to verify themselves using at least two safety factors. There are three types of factors that can be used. The first factor is the knowledge factor (something you know), like a password or PIN code. The second factor is the possession factor (something you have), such as a smart card or mobile phone. The last factor is the inherence or biometric factor (something you are), such as a fingerprint.
Each factor has its advantages and disadvantages. The knowledge factor is currently the most commonly used form of authentication, but it is also vulnerable because it can be stolen, shared or even obtained through direct observation, such as looking over the shoulder. The possession factor must be carried by the user at all times and entails the risk of loss and theft.
This leaves us with (physiological) biometric authentication; in which the user actually has to be physically present to comply. Think about face recognition or fingerprints, for example. Physiological biometric authentication has a lot of potential as it is user-friendly and relatively secure, but this method also faces serious challenges in terms of safety. Spoofing is one of these challenges. It is a way for criminals to copy biometric data in order to gain unauthorized access. This is possible via voice recording or silicone reproduction of a fingertip. But the developments around biometric authentication are moving in the right direction, mainly because of artificial intelligence (AI) and machine learning.
New developments make it possible to identify consumers via their unique behavior when communicating with a device. How? By the creation of a behavioral profile that consists of several parameters: from movement within an app to the user's interaction with a device, including finger pressure and swipe patterns. Due to the complexity of these behavioral profiles, they are impossible to spoof. Besides that, this method is almost frictionless.
Developers increasingly embrace behavioral biometric authentication. Solutions are already on the market and at Worldline we are also working on behavioral biometric authentication solutions. This has led to two pilot projects with measurable evidence (proof of concept) that the ideas have enough potential to be fully integrated.
BioTyping and continuous behavioral biometric authentication
We managed to improve the security of PIN-based authentication on mobile devices by adding a transparent and non-intrusive additional layer of security control based on BioTyping behavior. Our solution collects and analyzes patterns based on collected data that consists of keystroke-timing, touchscreen pressure, touchscreen surface and touchscreen motion. In total, 540 patterns were collected when the user is typing his PIN code and then used to build his behavioral profile. Obtained results showed the average accuracy of our method is 99.52 percent.
In the context of 3D Secure 2.0 - the new authentication protocol for online card payments based on risk decisions - we are now testing continuous behavioral biometric authentication. This allows us to make more accurate risk decisions by collecting contextual factors such as location, device and network pattern and different characteristics of the user's behavior, such as swipe, scroll or touch pressure. In order to identify the user, contextual and behavioral characteristics are continuously compared with the existing profile of the user. Depending on the risk score, the user may be asked to identify him- or herself with a second authentication factor. Our solution is frictionless because it works passively, in the background, without disrupting the user experience.
These future-proof solutions also comply with new important European regulations, such as the PSD2 requirements for SCA and the General Data Protection Regulation (GDPR) for privacy, as the biometric data never leave the user's device for both storage and matching. This makes behavioral biometric authentication the most user-friendly authentication solution for the near future.