Skip to main content

Static vs behavioural: what’s the future of biometric authentication?

(Image credit: Image source: Shutterstock/Anton Watman)

With data continuing to play an increasingly prominent role in our daily lives, the way we are authenticating ourselves – from our desktops and smartphones to our mobile apps and online accounts – is being revolutionised.

Widespread calls for the death of the traditional password have now become commonplace, primarily because we simply have too many devices and accounts to remember separate passwords for each one. Recent research suggests that the average number of passwords registered to a single e-mail address is 130, presenting obvious issues for most users.

As a result, the majority of consumers (59 per cent) use the same password – or slight variations of the same password – across multiple accounts. What’s more, 62 per cent of people reuse the same password for work and personal accounts, while 53 per cent admit to not changing their passwords despite being aware of a data breach involving password compromise.

These behaviours all play into the hands of hackers and cyber-criminals, who have become more and more adept at exploiting Personally Identifiable Information (PII) to carry out fraudulent transactions.

To combat the password problem, biometric authentication is being hailed as a far more secure and convenient option for securing accounts and personal data. For example, by 2020, Gartner predicts that those enterprises that invest in new authentication methods such as biometrics will experience 50 per cent fewer identity-related security breaches than those that don’t.

As the technology has continued to develop, two types of biometrics have emerged: static and behavioural. So, what are the key differences, are there any potential weaknesses and, most importantly, what is the future of biometric authentication?

Which biometrics are best?

Although similar, there is a crucial distinction between static and behavioural biometrics. Static biometrics is the more established and most well-known type of biometric authentication, generally considered to be very consumer friendly and offer a positive user experience. It uses physical features such as fingerprints or facial recognition and is increasingly being used in all types of situations, whether that be to unlock smart devices, log into mobile banking accounts, or to actually complete transactions.

This year alone, there have also been a number of developments in regulation, standards and technologies to pave the way for biometrics as standard, including Microsoft and Chrome’s password-less authentication as part of WebAuthn.

However, despite the ease of use, static biometrics does have security flaws. The most obvious issue is that, if stolen, the data can’t be reset – presenting opportunities for fraudsters if they are able to deceive the technology. For example, in 2013 a group of German hackers successfully spoofed the German defence minister’s login using high-definition photos, while researchers at Tokyo’s National Institute of Informatics recently managed to reconstruct a fingerprint from a photograph.

Even more worrying is that fraudsters don’t always need access to sophisticated technology to overcome static biometrics. Just last year, Vietnamese security firm Bkav claimed to have hacked the FaceID technology on the latest iPhone X by constructing a $150 mask of 3D-printed plastic, silicone and makeup.

These vulnerabilities have led to many people questioning the effectiveness and security of static methods alone, helping to pave the way for the increased adoption of behavioural biometrics. This technology introduces a new, dynamic approach to authentication by analysing complex patterns in behaviour such as a user’s swipe speed.

In essence, behavioural biometrics analyses internal characteristics rather than simply external features. It weaves in patterns of use and examines how a user normally behaves when using his or her device, building a unique behavioural profile consisting of a huge number of variables - from movement within a site or app to the user’s interaction with a device including finger pressure and swipe patterns.

The complexity and level of detail involved means the profile created is virtually impossible to mimic, even for the most sophisticated of fraudsters. It also offers convenience for users in that it functions discreetly in the background and they are continually authenticated simply through how they use their device.

Of course it isn’t perfect. User behaviour frequently changes depending on where they are – such as at an office desk or lying in bed – and people also tend to act differently when they’re tired or in a hurry. But, with software becoming ever-more proficient at analysing complex data in real time, some extremely compelling use cases are emerging.

Putting behavioural security to use

With concerns being raised as to whether static biometrics is as invincible to attack as once assumed, behavioural authentication is quickly emerging as a more secure alternative and certain industries have started to take notice.

For example, the banking sector is embracing behavioural biometrics as a way to combat the massive financial crimes market, where fraud and money laundering are estimated to cost the global economy approximately $2.1 trillion per year.

In its simplest form, financial institutions can use behavioural analysis to quickly detect potentially suspicious login attempts by looking at the time and location where users log in to their mobile banking apps. That way, unusual transactions – such as someone trying to transfer a large sum of money in the middle of the night from the other side of the world – can be immediately flagged and blocked until additional verification has taken place.

And the power of this type of authentication can extend far beyond just time and place. The Royal Bank of Scotland, for example, is using behavioural biometrics to monitor visitors to its websites and apps. When customers log in to the mobile app, advanced software starts recording more than 2,000 gestures and movements, including the amount of pressure applied, which fingers are used to swipe and tap, and even the angle at which users hold their device.

On a laptop of desktop computer, the same software collects data on factors such as how users move the mouse and the rhythm of the keystrokes.

But behavioural biometrics isn’t just applicable to banking. Although these types of high-risk environments have the most obvious need, it can be used to authenticate users of any online services that contain some form of sensitive personal information, improving the customer experience and reducing privacy concerns.

Looking forward, it’s becoming increasingly evident that behavioural biometrics will be key to helping businesses keep up with rising fraud levels and increasingly sophisticated cyber-criminals. It’s the cutting edge of making biometrics frictionless, collecting data points from users in the background and scoring them. But it’s also key to note that the right level of security requires additional technologies to keep up with the emerging threat vectors. The best security is a combination of multiple, layered authentication technologies. For example, facial recognition can be combined with other biometrics (such as behavioural biometrics and fingerprint scanning), or other security techniques like pins/passwords, use of trusted devices, or by analysing context based on location, transaction data and device characteristics.

David Vergara, head of security product marketing, OneSpan (opens in new tab)
Image source: Shutterstock/Anton Watman

David is the Head of Global Product Marketing at VASCO and has over 10 years of experience in the software security space.