Introduction, static and behavioural biometrics
The jury is out on whether the humble alphanumeric password is dead, but the popularity of '123456', 'password' and 'qwerty' doesn't exactly breed confidence. Cue biometrics, in the form of a fingerprint sensor on an iPhone to power Apple Pay. But such 'static' biometrics is last year's tech…
What is static biometrics?
It's all fingers, faces, eyes and even ears, with the theory going that while a credit card number, a password or a PIN number can be stolen, something unique to your body cannot.
Nobody is going to steal your face (although it does change over time, reducing accuracy), but like all static biometrics, there are serious shortcomings. For starters, fingerprint sensors and face recognition tech tend to be found only on high-end smartphones, such as the latest iPhone and Samsung Galaxy S devices. Such phones are popular in certain markets, but they're certainly not ubiquitous, and the biometric systems themselves use proprietary technology that limits their use.
As well as requiring significant hardware, static – also known as physical – biometrics don't offer ongoing security. Your face or finger might get you into your phone to do a spot of internet banking, but is it still you using the handset five minutes later? The banks need constant reassurance of your identification, which is why they're turning to a new technology that monitors the way you use your phone, whatever the model. This is behavioural biometrics, and it's devastatingly simple.
What is behavioural biometrics?
The search is on to find a uniquely identifying characteristic not of what you are, but of what you do. An example is gait – analyse someone's walking style and you can easily determine their identity. However, that's not going to work on a smartphone. The next example is rather ironic; a person's signature – once the only security layer in banking – can be analysed since exact handwriting style is unique to everyone. It's possible that devices could soon analyse the speed, style and exact position on the screen of how you sign your name, probably using a stylus.
However, it's the recognition and analysis of something all of us do all the time on our smart devices that is quickly gaining traction as a new way of establishing identity. Some banks are turning to typing recognition on smartphones as an extra layer of security against fraud, and Google is showing an interest, too.
Typing recognition and frictionless security
How does typing recognition work?
"The technology profiles how a person interacts with a website on their mobile device by analysing their typing rhythm, how they hit and release the keys," says Dr. Neil Costigan, CEO at Swedish IT and security company BehavioSec, which has a patented technology called BehavioAion that can be integrated into an app or a smartphone OS. "In addition it measures the pressure someone puts on the screen as they type, the angle they're holding the phone, and how quick they move across the screen."
Mixed with data from a smartphone's built-in accelerometer and gyroscope, it's possible to come up with a profile of each person. "We can monitor typing in real-time to verify a person is who they say they are just by watching their typing behaviour," says Costigan. "Computationally what we do is quite light, so it's not as if we need faster and better phones."
The patented BehavioSec technology has its roots in academia – it was a spin-off from research at Lulea University in the far north of tech hotbed Sweden that began in 2006.
"It's not what you type, but how you type – this isn't an eavesdropping technology and when there's an exception, it's flagged," adds Costigan. "The tech works on all models and makes of smartphone, it doesn't require extra hardware."
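The timing part of this (how keys are hit and released, and flagging an exception) can be sketched as below. This is an added example, not BehavioSec's code or algorithm: it scores an attempt against an enrolled profile with a scaled Manhattan distance over dwell and flight times, and ignores pressure, angle and motion sensors. The function names, the 5 ms floor, the threshold of 3.0 and all timings are assumptions constructed for illustration.

```python
from statistics import mean

def features(events):
    """events: [(down_ms, up_ms), ...] per keystroke, in typing order.
    Returns dwell times (key held) followed by flight times
    (release of one key to press of the next). Key identity is never used."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enrol(samples, floor_ms=5.0):
    """Build a profile of (mean, mean absolute deviation) per feature."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrolment samples must have the same number of keystrokes")
    profile = []
    for column in zip(*vectors):
        m = mean(column)
        mad = mean(abs(x - m) for x in column)
        # Floor the spread so very consistent enrolment does not divide by ~0.
        profile.append((m, max(mad, floor_ms)))
    return profile

def score(profile, events):
    """Scaled Manhattan distance: average deviation in units of the user's own spread."""
    v = features(events)
    if len(v) != len(profile):
        raise ValueError("attempt length does not match profile")
    return mean(abs(x - m) / mad for x, (m, mad) in zip(v, profile))

def is_exception(profile, events, threshold=3.0):
    """True when the typing rhythm is far enough from the profile to be flagged."""
    return score(profile, events) > threshold

# Constructed sample timings (milliseconds) for the same four-key entry.
ENROL = [
    [(0, 90), (210, 295), (400, 480), (640, 735)],
    [(0, 95), (220, 300), (410, 495), (650, 740)],
    [(0, 85), (205, 290), (395, 470), (630, 720)],
]
OWNER_ATTEMPT = [(0, 92), (212, 296), (405, 483), (642, 734)]
OTHER_ATTEMPT = [(0, 140), (180, 330), (360, 500), (520, 670)]  # same keys, other rhythm

if __name__ == "__main__":
    p = enrol(ENROL)
    for name, attempt in (("owner", OWNER_ATTEMPT), ("other", OTHER_ATTEMPT)):
        print(name, round(score(p, attempt), 2), "flagged" if is_exception(p, attempt) else "ok")
```

A continuous check of the kind the article describes would run this scoring over a sliding window of recent keystrokes rather than once at login.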
Frictionless security
This could be the kind of non-invasive verification banks have been looking for. The explosion in the use of mobile devices makes a smartphone-specific security system essential, of course, but putting security hurdles in front of users is never a good idea.
"It's frictionless – you're not adding extra security screens, steps or pop-ups," says Costigan, adding that the banking industry is wary of the fact that security steps lead to drastically reduced completion rates. Online banking fraud is on the rise and must be stopped, but complicated passwords, one-time SMS verification codes and endless security questions only drive people away.
As well as being invisible, typing recognition is continuous, so the tech is working to check your identity as you inspect your balance, transfer funds or request withdrawals. It's like having your finger on the fingerprint sensor on your phone throughout the whole process.
Who is using it?
This kind of continuous process of verification has already convinced most major banks across Denmark, Sweden and Norway to use BehavioSec's typing recognition tech to authenticate online and mobile banking customers, as well as in Germany and the Benelux countries. There's also currently a live pilot trial with 1.8 million users at a major UK high street bank.
"Interest in the technology has exploded in the last year," says Costigan, referring to BehavioSec's work with DARPA and its showcasing as possible future-phone tech at Google's I/O 2015 two-day annual conference on next-gen tech. "It has the potential to be in every phone, not just in banking apps," says Costigan. "When we do typing recognition at the OS level, everything you do – from sending messages, looking at maps or whatever – all that rich information helps build up a security profile that can protect your phone." We could be looking at a future part of the Android OS.
Could it be used elsewhere?
It could soon work on a smartwatch, too. "We're prototyping a system using the sensors on smartwatches, such as the Force Touch on an Apple Watch, which can tell the difference between a tap and a push on the screen," says Costigan. "Smartwatches have more sensors, and we're investigating what we can do with them." Force Touch is probably an in-bound tech for iPhones, which can only improve behavioural biometrics applications.
There's also a chance that typing recognition could be used more widely in areas where passwords tend to be shared, such as with software licences in large offices, website paywalls, any kind of online accounts, or any system holding sensitive, confidential information, such as patient data in a hospital.
However, typing recognition and behavioural biometrics aren't just about security; this is part of making a smartphone become aware of its own context. And when that happens, the personalisation revolution can begin.
source TechRadar: All latest Mobile phones news feeds http://ift.tt/1Q0AJOf