As noted in our last blog, Why multi-factor authentication is doomed to fail, the reality is that every type of authentication based on what a person has, knows or is (known information or a physical characteristic) can be copied with the technology available today. So any authentication technique built on those factors will fail. That's where behavioral biometrics come into play. Everything else can be copied or stolen, but behavioral biometrics are not that easy to copy.
That's because they are based on the unique behaviors of an individual, which are extremely difficult to copy, especially when aggregated and developed over time and across varying situations. It's something you are, instead of something you know. Most people don't behave exactly the same from 6:00 AM till midnight, but the same person will show similar characteristics in their behavior. There will always be deviances, it's human nature, but the behavior is consistent. This means only that person can deviate from their patterns and still maintain consistency in their behaviors. Anyone else pretending to be that individual may be able to fake it up to a certain point, but eventually it will fail, because no one can mimic the complexity of deviances within the consistent behavior of a specific person.
How can organizations move away from password-based authentication?
The more data that's captured at the individual level, the more complete the profile, with no gaps in data and no gaps in behavior. It's an end-to-end view of the user. If the person is a bit tired today because they had a long night, that doesn't mean it's not them. Their behavior shows they're still the same person, just behaving a bit differently at this moment.
In addition to authentication, this is key when it comes to scam detection and prevention. Identity resolution based on behavioral biometrics tells you it’s still that individual, but it also tells you the person is behaving differently today. Now the technology behind the system can decide whether they’re behaving differently because they had a long night last night, or because they’re being influenced by a fraudster on the phone. Is it a natural deviance or an unnatural one?
Even behavioral biometrics, the superior approach to authentication, can't stand alone in detecting and preventing fraud. The only solution is a layered approach. Yes, you need authentication techniques, but ultimately you need a system that detects the behavior, captures everything else prior to the send or pay action, and immediately signals whether it's the legitimate user or not.
The goal is to make it as difficult as possible for fraudsters without interrupting the user experience. Unlike all those other things customers must go through (save it, write it down, wait for the OTP), behavioral biometrics is done seamlessly in the background. And it’s automatically stitched to the comprehensive identity profile of that user.
Think of a user who gets locked out of accounts often because they forget their password or forget which answer they gave to a security question. With typical MFA, when they input the wrong answer they get locked out of their account.
With a comprehensive fraud defense solution, a genuine customer who inputs the information wrongly can still be identified, because you know it's them based on their identity profile. The behavioral biometrics are confirmed, and within that identity you also know that this customer gets it wrong often. It's part of their pattern. You know how they type, how they scroll, and how they swipe. This eliminates a lot of the typical fraud situations: you know it's not account takeover or identity theft, because as soon as that individual landed on your site or your app their identity was matched. You know it's the customer trying to put the right password in and they're just not remembering which best friend they named when they set up 2FA. That's the only problem, so you can eliminate friction for the customer in real time.
Picture identifiers are another great layer of defense, for example a picture the customer chooses ahead of time that only they can see. It's easier to remember an image they chose two months ago as their identifier than it is to remember a password. They click on that and they're in. Since pictures are part of CAPTCHA, fraudsters avoid it because there's no way for them to know which picture was chosen. It's more difficult to intercept (for now) than passwords and trivia.
Of course, in the previous example, with the incorrect 2FA response, the bank should still analyze the session in its entirety. What's the customer doing? Are they transferring money? Have they been on the phone to someone? Are they adding a new payee? Are they transferring a large sum of money for something? How much? Are they trying to send money overseas? How often do they do that? Are they trying to transfer money to a known mule account? This is why it's essential to have a comprehensive fraud detection solution that activates all possible alert mechanisms. All these little signals come in behind the interaction and identity data to inform whether everything is OK, or whether you need to either send an alert to the customer or log them off and call them.
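The decision flow described above, as an added worked example that is not code from the original post or from any vendor product: a per-customer behavioral baseline (typing cadence, key dwell, scroll speed) is compared with the live session to produce an identity match score and a "natural versus unnatural" deviation label, and the session signals from the paragraph above (new payee, overseas, large amount, call in progress, known mule account) are weighted into a risk total. A wrong 2FA answer only adds risk when the behavioral identity is not confirmed or the customer does not habitually fail 2FA. All feature names, profile values, weights and thresholds are constructed assumptions for illustration, not tuned parameters.

```python
"""Layered fraud decision: behavioral-biometric match plus session risk signals.

Added example, not code from the original post or any vendor product. Feature
names, profile values, signal weights and thresholds are constructed
assumptions chosen to illustrate the decision flow, not tuned parameters.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class BehavioralProfile:
    """Per-customer baseline built from past sessions. features maps a
    behavioral feature to (mean, stdev); the three used here stand in for
    how the customer types, scrolls and swipes."""
    customer_id: str
    features: Dict[str, Tuple[float, float]]
    failed_2fa_rate: float    # share of past logins with a wrong 2FA answer
    typical_transfer: float   # usual transfer amount
    overseas_rate: float      # share of past transfers sent overseas
    home_country: str


# Assumed signal weights (constructed): heavier when the signal suggests
# coaching by a fraudster or money-mule activity.
SIGNAL_WEIGHTS = {"new_payee": 2, "overseas": 2, "large_amount": 2,
                  "call_in_progress": 3, "known_mule_account": 5}
# Placeholder for destination accounts already linked to mule activity.
KNOWN_MULE_ACCOUNTS = {"MULE-ACCT-PLACEHOLDER"}


def feature_z_scores(profile: BehavioralProfile, sample: Dict[str, float]) -> Dict[str, float]:
    """Absolute z-score of each observed feature against the baseline."""
    return {name: (abs(sample[name] - mu) / sigma if sigma > 0 else 0.0)
            for name, (mu, sigma) in profile.features.items() if name in sample}


def behavioral_match(profile: BehavioralProfile, sample: Dict[str, float]) -> float:
    """Score 0..1: each feature contributes 1 - z/3 (clamped), so a feature
    three standard deviations off the baseline contributes nothing."""
    zs = feature_z_scores(profile, sample)
    if not zs:
        return 0.0
    return sum(max(0.0, 1.0 - z / 3.0) for z in zs.values()) / len(zs)


def deviation_kind(profile: BehavioralProfile, sample: Dict[str, float]) -> str:
    """Assumed thresholds: 'consistent' (all features within 1 sigma),
    'natural' (all within 3 sigma, e.g. a tired customer), 'unnatural'
    (any feature beyond 3 sigma, or nothing observed at all)."""
    worst = max(feature_z_scores(profile, sample).values(), default=float("inf"))
    if worst <= 1.0:
        return "consistent"
    return "natural" if worst <= 3.0 else "unnatural"


def session_signals(profile: BehavioralProfile, session: dict) -> Dict[str, int]:
    """Derive the 'what is the customer doing?' signals from a session record."""
    found = {}
    if session.get("new_payee"):
        found["new_payee"] = SIGNAL_WEIGHTS["new_payee"]
    if session.get("destination_country", profile.home_country) != profile.home_country:
        # Routine overseas senders make this signal less surprising.
        found["overseas"] = 1 if profile.overseas_rate >= 0.2 else SIGNAL_WEIGHTS["overseas"]
    if session.get("amount", 0.0) > 3 * profile.typical_transfer:
        found["large_amount"] = SIGNAL_WEIGHTS["large_amount"]
    if session.get("call_in_progress"):
        found["call_in_progress"] = SIGNAL_WEIGHTS["call_in_progress"]
    if session.get("destination_account") in KNOWN_MULE_ACCOUNTS:
        found["known_mule_account"] = SIGNAL_WEIGHTS["known_mule_account"]
    return found


def decide(profile: BehavioralProfile, sample: Dict[str, float], session: dict,
           wrong_2fa: bool = False) -> dict:
    """Combine identity confidence and session risk into one of three actions."""
    match = behavioral_match(profile, sample)
    kind = deviation_kind(profile, sample)
    signals = session_signals(profile, session)
    risk = sum(signals.values()) + {"consistent": 0, "natural": 1, "unnatural": 4}[kind]
    # A wrong 2FA answer only adds risk when identity is not behaviorally
    # confirmed or this customer does not habitually get 2FA wrong.
    if wrong_2fa and (match < 0.6 or profile.failed_2fa_rate < 0.05):
        risk += 3
    if match < 0.3 or risk >= 7:
        action = "logoff_and_call"
    elif risk >= 3:
        action = "alert_customer"
    else:
        action = "allow"
    return {"match": round(match, 2), "deviation": kind, "signals": signals,
            "risk": risk, "action": action}


# Constructed baseline and sessions for one customer (not real data).
PROFILE = BehavioralProfile(
    customer_id="cust-001",
    features={"key_interval_ms": (180.0, 30.0), "key_dwell_ms": (95.0, 15.0),
              "scroll_px_per_s": (1200.0, 250.0)},
    failed_2fa_rate=0.3, typical_transfer=400.0, overseas_rate=0.0, home_country="GB")
TIRED = {"key_interval_ms": 215.0, "key_dwell_ms": 110.0, "scroll_px_per_s": 950.0}
USUAL = {"key_interval_ms": 185.0, "key_dwell_ms": 92.0, "scroll_px_per_s": 1150.0}
SCRIPTED = {"key_interval_ms": 60.0, "key_dwell_ms": 40.0, "scroll_px_per_s": 3000.0}
SCENARIOS = {
    # Tired customer fails 2FA while paying a known payee: identity still confirmed.
    "tired_wrong_2fa": (TIRED, {"amount": 120.0}, True),
    # Same customer, large transfer to a new overseas payee during a phone call.
    "coached_on_phone": (TIRED, {"amount": 5000.0, "new_payee": True,
                                 "destination_country": "ES", "call_in_progress": True}, False),
    # Normal behavior, new domestic payee, larger than usual amount.
    "new_payee_large": (USUAL, {"amount": 2000.0, "new_payee": True}, False),
    # Correct password and 2FA, but scripted input that matches nothing in the baseline.
    "credential_theft": (SCRIPTED, {"amount": 50.0}, False),
}


def run_scenarios() -> Dict[str, str]:
    """Map each constructed scenario to the action the layered decision takes."""
    return {name: decide(PROFILE, sample, session, wrong)["action"]
            for name, (sample, session, wrong) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (sample, session, wrong) in SCENARIOS.items():
        print(name, decide(PROFILE, sample, session, wrong))
```

Running the block prints the four decisions: the tired customer who gets 2FA wrong is allowed through, the same customer sending a large overseas payment to a new payee during a call is logged off for a callback, a new domestic payee with a larger-than-usual amount triggers a customer alert, and scripted input with correct credentials is treated as a stranger regardless of what the session contains. Note the ordering: identity confidence is checked before the session risk total, so a confirmed customer with a single oddity is not locked out, while an unconfirmed one is not let through on a quiet session.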
At the end of the day, it doesn't matter which authentication techniques you have: without behavioral biometrics they won't be sustainable, and scammers will find a way around them.
Adding more factors won’t work – not only does it add friction to the customer experience, but it’s also ineffective unless you know how to work with behavioral biometric techniques to make them smarter. You need to introduce another dimension to the layered approach to authenticate legitimate users and build a better picture to identify them based on their past behaviors. Without behavioral biometrics you’ll always be playing cat and mouse.