User Behaviour Based Biometrics: The New Frontier

biometric scanning

Ryan Wilk from NuData Security tells us why a new approach to biometrics could provide better and more effective security than ever

Gone are the days when online security could be trusted to a simple username and password combination or simple identity checks. As fraudsters got better at bending and breaking the system, e-commerce and digital banking initiatives had to keep pace, creating tough rule-based systems to check for fraud and adding new technology like IP detection and Device ID. But even these measures are no longer enough. The next great leap in digital security isn’t based on a device or a password, but on the user themselves.

User Behavioral Biometrics combines a biometric and behaviour-based analysis of the user. Until recently, security technology looked solely at what data was entered and what device was connected. But you can only understand so much about the user with only two pieces of information.  And what if the user changes or upgrades their device? You would lose half the visibility. User Behaviour Analytics (UBA) adds multiple layers of nuanced information of passively observed behaviour that goes beyond what data they input and what device they use and really understand how the user interacts with the mobile or web portal.


Iris-ScanBut how exactly do we define behaviour in this context? It’s how the user interacts with the website in passive, yet very specific ways that are unique to every person – akin to a fingerprint. Information like typing speed and patterns, how they habitually navigate the website, patterns of online usage, or even how they hold their mobile device. These behaviours and hundreds of others, coupled with traditional passwords and connectivity details, offer multiple layers of information, and a more complete picture of the user.

When you start passively observing multiple layers of user behaviour and biometrics, from the moment they land on your site, create an account and across every interaction on the website, you build a profile for that user that doesn’t rely on the device they use or password they enter. Every time they return to the environment, you can measure that behaviour against their unique historical data. You can finally answer, “Is this the real user?” with confidence. You can compare that behaviour with other good users to broaden your understanding of how your good users behave and you can even answer with the same certainty, “is this user behaving like a human being?” and “is this user acting safely” and take action accordingly in real-time.

User Behavioral Biometrics helps e-commerce businesses fight fraud by bringing a wider context to every transaction decision. Most e-commerce merchants simply look at the transactions and use knowledge-based fraud prevention techniques that rely on PII and PCI even though that data is too freely available to be secure. Moving beyond easily compromised PII and instead relying on a user’s unique behaviour protects both your site and your users.

Fraudsters know that traditionally e-commerce merchants and financial institutions have relied on KBAs for their fraud prevention strategy, which means they authenticate by the user having the right answer to pass the test. So long as the fraudster has the cheat sheet, they don’t have to worry about getting the answers right.

Ryan_Wilk 2That’s why UBAs are so important. Even if the fraudster has the correct password, their behaviour on the site before the transaction is a dead give away that something’s wrong. They behave completely different from a good user, so different that it gives security teams a sneak peak at fraudsters plans because it becomes strikingly evident when they are testing stolen accounts in bulk before an upcoming brute force attack. And since all of these transactions are monitored in real time, it’s easy to determine which accounts at are risk right now and what future interactions are highly likely to be fraudulent.

By observing behaviour from the point of login, to registration to point of purchase, companies are able to better understand when a purchase may not be legitimate, even when a “user” is successfully logged in using stored payment information. And while fraudsters are just starting to realise their tactics of yesterday don’t work anymore, user behavioral biometrics will continue to hold them back because user behaviour can’t be copied, stolen, or spoofed.

User Behaviour Analytics layered with Behavioral Biometrics combined with traditional security measures gives the industry the ability to understand their users like never before. Knowing who the user is based on how they behave protects business and users alike in a passive, unobtrusive, invisible way with a success rate second to none.

Ryan Wilk is director at NuData Security

How much do you know about biometric technology? Take out quiz to find out!