Frictionless user experiences in the face of growing cyberthreats: Could behavioral biometrics be the answer?

July 2024 by Anthony Eaton, Chief Technology Officer, IDEX Biometrics

A recent McKinsey article confirmed that the global cost of cyberattacks could reach $10.5 trillion by 2025. Meanwhile, the identity access management market is now around $14 billion, with the potential to rise to $49 billion in the next 10 years. Bridging the two is the rapid development of behavioral biometrics.

Behavioral biometrics represents the next phase in the evolution of biometric technologies, leveraging users’ actions and behaviors to determine their access credentials, their devices’ security, and even their personal preferences. It is a solution that offers more seamless and secure user experiences and authentication protocols, as well as improved customer understanding.

It was initially deployed to trigger an automated and immediate response to suspicious physical behaviors and actions. However, it has the potential to be explored from a perspective of customer service and personalization, allowing companies to gather consumer data, identify footfall and consumption trends, and build a more relevant offering.

As such, this next phase of biometric technologies can help companies challenge both competitors and cyberthreats, provided it is deployed responsibly.

Adaptive authentication: determining if business is usual

Typically, behavioral biometrics has been adopted within business contexts to build a profile of users and employees, learning their behaviors and actions to an extent where a deviation from the norm can be automatically flagged as suspicious or risky. In this context, it is on the passive side of the adaptive authentication spectrum. Active authentication, conversely, encourages the input of passwords or PINs, the swiping of cards, or the recurring request for biometric input (fingerprints, retina scans, etc.).

Passive authentication through the lens of behavioral biometrics sees a more constant background analysis of users based on their already established and recognized ways of behaving. Anything ‘abnormal’ suggests an unauthorized user that may warrant a double check of that person’s credentials.

How fast do they type? How often do they pause when typing? Are they right- or left-handed? Is this their usual finger pressure or keystroke pattern on the touchscreen? What is their usual gait when walking?

Whether it’s on a digital device, or through video monitoring, the idea is to make a non-invasive risk-based decision about a person’s credentials, theoretically pre-empting any possibility for an unauthorized person to access the wrong file, space, room, or account.

Analyzed using the power of AI processing, this continuous and automatic risk assessment not only safeguards against threats but does so without introducing any friction to the user – a primary benefit when more stringent and thorough security measures aren’t needed. Having to continuously log in or out, to present your access card, or to remember PINs and passwords might not seem strenuous, but removing some of those instances on a daily basis soon becomes noticeable.

In essence, for businesses, it is the exact level of risk-based monitoring required for seemingly routine operations and actions. Nothing more, and - given the current, volatile cybersecurity landscape - certainly nothing less.

Suitable for all industries, not all processes

Behavioral biometrics might be an evolving form of biometric technology, but its foundations are already quite well established. For retail and ecommerce, for example, the lines blur slightly between the terms ‘behavioral biometrics’ and ‘risk-based authentication’. Behavior in this sense isn’t just how people interact with their device, but the location they’re ordering from and to, or the time zone and time of day they’re looking to make a purchase. The extent of risk rises and falls relative to what is deemed ‘typical behavior’ in the broader sense and for that individual transaction.

‘Risk’ refers to the degree of confidence in authentication accuracy and will be key to the rise of behavioral biometrics in other industries too, including healthcare and banking where it is already being deployed to varying extents. It is more about the use case and whether the risk posed is suitable for passive authentication in these cases. In healthcare, for example, passive authentication wouldn’t be sufficient to access patient databases, but once logged in, it could help confirm that the same user is still active or online.

In these data-sensitive industries, using behavioral biometrics as a default security tool won’t always be sufficient, but it does have value for more routine user protection or admin.

Another example, from the banking sector, sees many providers asking customers to reconfirm their email addresses in order to log their keystroke pattern while typing their details. It is very difficult to replicate the cadence or pattern of a detail that’s so familiar and seamless to each individual. The typing of the address itself immediately becomes a layer of risk-based authentication, one that carries far less friction than alternate security layers such as 3D Secure in ecommerce, which historically required manual password input for payments.
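The keystroke-cadence check described above, together with the passive profiling described under adaptive authentication, as an added example (not code from the article or from IDEX Biometrics): it enrolls a timing profile from repeated typings of one address, scores a new typing with a scaled Manhattan distance, and either continues silently or asks for an active factor. The threshold, the spread floor, all function names and the sample timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

MIN_SPREAD_MS = 5.0  # assumed floor on per-feature spread (avoids divide-by-zero and overconfidence)
STEP_UP_SCORE = 2.0  # assumed threshold; tune on real data (false accepts vs false rejects)

def features(events):
    """events: [(key, press_ms, release_ms), ...] for one typing of the string.
    Returns dwell times (hold per key) followed by flight times (release -> next press)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Build a per-feature (mean, spread) profile from several typings of the same string."""
    vectors = [features(s) for s in samples]
    if len(vectors) < 3 or len({len(v) for v in vectors}) != 1:
        raise ValueError("need >= 3 samples of identical length")
    return [(mean(col), max(pstdev(col), MIN_SPREAD_MS)) for col in zip(*vectors)]

def score(profile, events):
    """Scaled Manhattan distance: mean absolute deviation in units of the enrolled spread."""
    vec = features(events)
    if len(vec) != len(profile):
        return float("inf")  # different key count (typo, paste, autofill): not comparable
    return mean(abs(x - m) / s for x, (m, s) in zip(vec, profile))

def decide(profile, events):
    """Passive check: continue silently, or ask for an active factor (password, fingerprint)."""
    return "allow" if score(profile, events) <= STEP_UP_SCORE else "step_up"

def typing(text, dwell_ms, gap_ms, jitter=()):
    """Constructed sample generator: fixed rhythm plus optional per-key dwell jitter in ms."""
    t, out = 0, []
    for i, ch in enumerate(text):
        d = dwell_ms + (jitter[i % len(jitter)] if jitter else 0)
        out.append((ch, t, t + d))
        t += d + gap_ms
    return out

ADDRESS = "ann@example.com"  # constructed value
ENROLMENT = [typing(ADDRESS, 90, 60, j) for j in ((0, 4, -3), (2, -5, 1), (-4, 3, 6), (5, 0, -2))]
PROFILE = enroll(ENROLMENT)

if __name__ == "__main__":
    print(decide(PROFILE, typing(ADDRESS, 92, 58, (1, -2, 3))))  # rhythm close to enrolment
    print(decide(PROFILE, typing(ADDRESS, 150, 140)))            # slower, hesitant typing
    print(decide(PROFILE, typing(ADDRESS[:-1], 90, 60)))         # wrong length
```

A mismatch only triggers a step-up to an active factor rather than a denial, which keeps false rejects cheap for the legitimate user.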

Aside from the security element, behavioral biometrics can also enable improved personalization and marketing strategies. If the actions of users or customers can help determine their digital identity, it can also give insight into their preferences. The idea of a smart store has already triggered a stronger relationship between retailers and the supply chain as they use video technology and sensors to better understand where customers look, their footfall and routes around a store, or what products they’re veering towards. Behaviors and interactions on company websites, on social media, or in response to marketing outreach also point to the use of AI-driven behavior analytics as a means to elevate ultimate service.

A line worth walking

Across markets in public and private sectors, the ability to reduce user friction, gain a better understanding of consumer preferences, and prevent unauthorized access in real time ticks three timely boxes. The issue of privacy intrusion still lurks, however. A recent UK survey confirmed that 70% of consumers take steps to limit cookies over a weekly period. Statista confirmed that fewer than one-third (32%) of US consumers always accept them, compared to 43% that always decline them.

The idea of having their very movements digitized and analyzed might not be appealing to all. Consumers and users are clearly running their own risk assessments when it comes to technology. While improved security as a benefit will undoubtedly appeal, losing our personal privacy to achieve it is a tightrope to be walked by those looking to leverage behavioral biometrics.

On balance, a more frictionless experience designed to safeguard people’s credentials and assets is likely to outweigh any fears of personal intrusion, especially given behavioral biometrics’ status as a passive strand of adaptive authentication. In many cases, it’s not a password to remember or type in. It’s not a card to swipe. It’s not even a fingerprint to place or a retina to scan. It’s simply you. Your behaviors confirming your legitimacy, your security, and your preferences. Combined with secure authentication, behavioral biometrics can provide frictionless user experiences in a world of increasing cyberthreats.