Behavioural biometrics – the future of security

How does typing recognition work?

"The technology profiles how a person interacts with a website on their mobile device by analysing their typing rhythm, how they hit and release the keys," says Dr. Neil Costigan, CEO at Swedish IT and security company BehavioSec, which has a patented technology called BehavioAion that can be integrated into an app or a smartphone OS. "In addition it measures the pressure someone puts on the screen as they type, the angle they're holding the phone, and how quick they move across the screen."

Mixed with data from a smartphone's built-in accelerometer and gyroscope, it's possible to come up with a profile of each person. "We can monitor typing in real-time to verify a person is who they say they are just by watching their typing behaviour," says Costigan. "Computationally what we do is quite light, so it's not as if we need faster and better phones."

Typing recognition analyses how you type, not what you type

Typing recognition analyses how you type, not what you type (Image: BehavioSec)

The patented BehavioSec technology has its roots in academia – it was a spin-off from research at Lulea University in the far north of tech hotbed Sweden that began in 2006.

"It's not what you type, but how you type – this isn't an eavesdropping technology and when there's an exception, it's flagged," adds Costigan. "The tech works on all models and makes of smartphone, it doesn't require extra hardware."

Frictionless security

This could be the kind of non-invasive verification banks have been looking for. The explosion in the use of mobile devices makes a smartphone-specific security system essential, of course, but putting security hurdles in front of users is never a good idea.

"It's frictionless – you're not adding extra security screens, steps or pop-ups," says Costigan, adding that the banking industry is wary of the fact that security steps lead to drastically reduced completion rates. Online banking fraud is on the rise and must be stopped, but complicated passwords, one-time SMS verification codes and endless security questions only drive people away.

As well as being invisible, typing recognition is continuous, so the tech is working to check your identity as you inspect your balance, transfer funds or request withdrawals. It's like having your finger on the fingerprint sensor on your phone throughout the whole process.

Who is using it?

This kind of continuous process of verification has already convinced most major banks across Denmark, Sweden and Norway to use BehavioSec's typing recognition tech to authenticate online and mobile banking customers, as well as in Germany and the Benelux countries. There's also currently a live pilot trial with 1.8 million users at a major UK high street bank.

"Interest in the technology has exploded in the last year," says Costigan, referring to BehavioSec's work with DARPA and its showcasing as possible future-phone tech at Google's I/O 2015 two-day annual conference on next-gen tech. "It has the potential to be in every phone, not just in banking apps," says Costigan. "When we do typing recognition at the OS level, everything you do – from sending messages, looking at maps or whatever – all that rich information helps build up a security profile that can protect your phone." We could be looking at a future part of the Android OS.

Apple Watch's Force Touch feature could have behavioural biometric uses

Apple Watch's Force Touch feature could have behavioural biometric uses (Image: British Airways)

Could it be used elsewhere?

It could soon work on a smartwatch, too. "We're prototyping a system using the sensors on smartwatches, such as the Force Touch on an Apple Watch, which can tell the difference between a tap and a push on the screen," says Costigan. "Smartwatches have more sensors, and we're investigating what we can do with them." Force Touch is probably an in-bound tech for iPhones, which can only improve behavioural biometrics applications.

There's also a chance that typing recognition could be used more widely in areas where passwords tend to be shared, such as with software licences in large offices, website paywalls, any kind of online accounts, or any system holding sensitive, confidential information, such as patient data in a hospital.

However, typing recognition and behavioural biometrics aren't just about security; this is part of making a smartphone become aware of its own context. And when that happens, the personalisation revolution can begin.

TOPICS
Jamie Carter

Jamie is a freelance tech, travel and space journalist based in the UK. He’s been writing regularly for Techradar since it was launched in 2008 and also writes regularly for Forbes, The Telegraph, the South China Morning Post, Sky & Telescope and the Sky At Night magazine as well as other Future titles T3, Digital Camera World, All About Space and Space.com. He also edits two of his own websites, TravGear.com and WhenIsTheNextEclipse.com that reflect his obsession with travel gear and solar eclipse travel. He is the author of A Stargazing Program For Beginners (Springer, 2015),