Stolen account credentials can be abused by hackers in a variety of ways. They can be used to access your account without your knowledge and scan your entire inbox for more profitable data. They can be used to create a fraudulent account using your identity. They can be sold to the highest bidder on the dark web. And so on. All because someone, somewhere knows your username and password.
But what if there was a way to make stealing your account credentials useless? A way to make sure that you are the only person able to access your accounts? That your login, even with a password as stupid and careless as “password123,” was not one of billions like it, but truly and uniquely yours? All without the hassle of having to use traditional multi-factor authentication?
Well, looks like we’re in luck, because the technology to do just that is actually out there.
Enter behavioral biometrics, the authentication method that will make logging in more secure and efficient than ever.
How behavioral biometrics works
With behavioral biometrics, your password is no longer a what. It’s a how.
It’s the number of milliseconds between your keystrokes. The amount of pressure your fingers apply on the keyboard as you type. The geometry of micromovements you make as you drag your mouse. The exact angle at which you hold your phone. The dozens of other identifying and quantifiable little patterns that you’ve developed throughout your life.
All calculated against your unique behavior profile established over a period of time. All done by an app in the background, without you having to do anything extra, like enter a set of numbers or pose for a face ID. Sounds like the future? You bet it does.
And so far, behavioral biometrics looks impossible to replicate. Which is what makes so many businesses and government institutions eager to adopt this new technology, especially in the banking and retail sectors.
Is behavioral biometrics secure?
So far, the short and simple answer is “yes.”
And when it comes to the why, the magic buzzword is “dynamic.” As opposed to static authentication methods like passwords, retinas, or fingerprints, the many data points that make up your behavioral patterns are regularly updated to match your constantly evolving user profile. This means that whatever data attackers manage to steal from you will be instantly rendered obsolete because you never enter your password in a carbon-copy identical manner twice.
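To make the "how, not what" idea and the "dynamic" profile concrete, here is a small keystroke-timing verifier. It is an added example, not code from any vendor or product mentioned here. The timestamps are constructed, and the scoring method (scaled Manhattan distance), the threshold and the update weight are assumptions chosen for illustration.

```python
import statistics

# Constructed sample data: key-down timestamps (ms) for a 5-key password.
ENROLLMENT = [[0, 120, 310, 400, 590], [0, 130, 330, 415, 615], [0, 110, 290, 385, 565]]
GENUINE = [0, 125, 320, 408, 600]    # same user, slightly different rhythm
IMPOSTOR = [0, 200, 300, 520, 640]   # correct password, different typing rhythm

def latencies(timestamps_ms):
    """Intervals in ms between consecutive keystrokes."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]

class KeystrokeProfile:
    MIN_DEV = 5.0  # floor (assumed) so a very consistent typist never divides by ~0

    def __init__(self, samples, threshold=1.5, alpha=0.1):
        cols = list(zip(*(latencies(s) for s in samples)))
        self.mean = [statistics.fmean(c) for c in cols]
        self.dev = [max(statistics.pstdev(c), self.MIN_DEV) for c in cols]
        self.threshold = threshold  # assumed cut-off; real systems tune this on data
        self.alpha = alpha          # weight given to the newest accepted login

    def score(self, timestamps_ms):
        """Average distance from the profile, in units of the user's own spread."""
        lat = latencies(timestamps_ms)
        if len(lat) != len(self.mean):   # wrong number of keys: cannot match
            return float("inf")
        return sum(abs(x - m) / d for x, m, d in zip(lat, self.mean, self.dev)) / len(lat)

    def verify(self, timestamps_ms):
        """Return (accepted, score); fold an accepted login into the profile."""
        s = self.score(timestamps_ms)
        if s > self.threshold:
            return False, s              # rejected attempts never alter the profile
        a = self.alpha
        for i, x in enumerate(latencies(timestamps_ms)):
            self.dev[i] = max((1 - a) * self.dev[i] + a * abs(x - self.mean[i]), self.MIN_DEV)
            self.mean[i] = (1 - a) * self.mean[i] + a * x
        return True, s

if __name__ == "__main__":
    profile = KeystrokeProfile(ENROLLMENT)
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, profile.verify(attempt))
```

Only accepted logins update the profile, so a rejected attempt cannot drag the stored rhythm toward the person who made it.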
Needless to say, all of your biometric data is also encrypted during both collection and verification, adding another layer of security to an already seemingly watertight authentication technique.
Is behavioral biometrics 100% impenetrable? Probably not. After all, two-factor authentication (2FA) and traditional biometrics were also hailed as bulletproof for years. And look how that turned out. With that said, behavioral biometrics has one undeniable advantage over other forms of multi-factor authentication: convenience. Everything’s done passively in the background, so there’s no need to break your routine in order to secure your authentication. And as we all know, convenience is usually the difference between actually embracing positive change and repeatedly putting it on your New Year’s resolutions list.
Security, but at what cost?
Securing your authentication is great and all, but how is your behavioral data collected and stored? Well, the answer might surprise you.
Banks and retailers already collect your behavioral data (via their apps on your phone or during your visits to their websites) and store it on their servers. While this may make your account more secure, do you remember these companies explicitly asking for your consent to do it?
With fingerprint scanning, at least you’re fully aware of the fact that your fingerprint data will be collected for authentication purposes. With behavioral biometrics, on the other hand, it’s almost impossible to tell when and what is being gathered, or where it’s being stored (hint: they don’t tell you).
Fortunately for users in the EU and California, their biometric data is protected by the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), respectively. For everyone else, it may as well be security at the cost of privacy.
That being said, countries around the world are slowly starting to put more focus on user data and privacy protection, which might signal more GDPR-like legislation in the near future.