The pandemic has introduced completely new challenges, as entire workforces began working remotely with little or no time to prepare. In 2021, organizations must now ensure security of systems, software, and data outside of well-controlled corporate networks, while still meeting data privacy and security requirements for employees, consultants, and customers. Yet despite the fact that over 140 jurisdictions have passed some form of privacy law, a recent Cisco study found that 87% of consumers expressed concerns about the privacy protection on tools they needed to work, interact, and connect remotely.
Luckily, a proven solution exists. Behavioral biometrics is an amazing multifaceted technology that is quickly emerging as a must-have tool when defending against both old and emerging threats. What people might not know is that behavioral biometrics also brings great data privacy and regulatory compliance benefits.
To showcase these benefits and the regulatory status of behavioral biometrics, at BehavioSec we worked with the renowned UK-based analyst firm Goode Intelligence to produce a comprehensive report, the 2021 Global Data Privacy Regulation of Physical & Behavioral Biometrics.
It presents a thorough review of the legal landscape on the use of these biometrics technologies, with specific references to the laws and even enforcement in different regions. But if you are looking for quick overview on the outcome, here are 4 reasons behavioral biometrics is a better solution to meet security, compliance, and privacy needs:
1. Behavioral biometrics is a dynamic solution that’s hard to compromise
Behavioral biometrics is a collection of an individual’s behavior in a specific application or website. In essence, a behavioral profile is a statistical sample of how a person behaves at a specific time, in a specific user journey.
It may be sad to think that the process of aging is actually what contributes to a dynamic profile, but from a security and privacy perspective, it is a win! Whereas static personal information or knowledge-based security can remain valuable to an attacker for years – possibly even throughout the victim’s whole life – behavioral biometrics has a limited shelf life. In the same way that our speed and agility slow down with age, our swipe speed, screen pressure, hand agility, and typing rhythm all change with time.
In addition, our behavioral biometrics profiles will only remain current at the sites users interact with. This means that even if criminals somehow manage to breach a vulnerable organization, the only thing they will gain is an imprint of how a user swiped and typed on that particular user interface, at that user journey, and at that point in their life.
2. Behavioral biometrics offers an excellent way to meet multifactor requirements
Step-ups, challenges, and other security interruptions are often considered a necessary evil – the friction price we have to pay to remain somewhat safe. In fact, President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity called out mandatory multifactor authentication (MFA) as one of the ways the federal government will encourage strong cybersecurity by leading by example.
While strict MFA regulation can bring great security and privacy benefits to both consumers and businesses, it can also have a negative impact on user experience when implemented poorly. For example, the European Commission’s Payment Service Directive 2 (PSD2) contains a strict requirement to enforce MFA on most financial transactions. The regulation stipulates that the consumer must identify themselves with at least two of the following three factors:
These multifactor elements are making it much harder for fraudsters to bypass security defenses, but the use of cumbersome and friction-based elements to meet PSD2 requirements are also projected to cause more than 100 billion euro in churned transactions in 2021 alone.
Luckily, using transparent behavioral biometrics, PSD2 does not have to be a mandate for customer churn or poor user experience. Instead, behavioral biometrics can be silently collected throughout the user journey, enabling a transparent and continuous multifactor authentication from entry to exit.
With behavioral biometrics, any organization can adhere to MFA regulations and reap the security rewards without the traditional step-ups or friction-based challenges of yesteryear.
3. Behavioral biometrics does not rely on passwords and sensitive, static information vulnerable to theft
A huge advantage of behavioral biometrics is that the data collection can be done without capturing actual passwords, PIN codes, personal identifiable information (PII), or other sensitive data – only the behavior of how they are being entered. Behavioral biometrics is all about dynamic observations, like how a person types on a keyboard, moves a mouse, holds a phone or swipes on a touch screen. These observations are then compared with the person’s previous behavior, as well as screened for traits common to bots, automation, malware, and human fraudsters.
Unlike static PII or knowledge-based authentication (KBA), where credentials, social security numbers or personal questions might remain relevant long past a breach, behavioral biometrics profiles are useless for an attacker. The criminal would find themselves with a collection of seemingly random timing data, and any attempt to use this in an attack would just trigger a replay attack, as no genuine person acts exactly the same way twice.
This anonymous collection gives behavioral biometrics an edge against static information and KBA and makes it especially helpful for meeting strict privacy regulations like the US California CCPA and the EU GDPR.
4. Behavioral biometrics is a more neutral and unbiased technology that is hard to use for inappropriate actions
Physical biometrics technology is now capable of everything from matching billions of fingerprints a second to recording unique patterns of blood vessels to live facial recognition across CCTV systems. These examples of highly personal information easily processed at massive scale highlights the importance of protecting increasingly sensitive databases, as even seemingly harmless social media accounts can be weaponized against us – and that the question of ethics in biometrics is here to stay.
While static biometrics can be convenient as it is far easier to lose a password than say, your own face, they do bring risks. Static biometrics are just that, static – and in the wrong people’s hands they can be used for a lot of wrongdoing. We have already seen facial recognition lead to controversies, misuse and fines, from California to Sweden.
With behavioral biometrics, this is not an issue. Whereas static and physical biometrics may inherit ethical and cultural biases from poor intentions or flawed or limited data sets, behavioral biometrics profiles are based on each unique individual – removing wider data set bias from the equation. At BehavioSec, our technology does not assume or identify sensitive or personal information about an individual, like their race, ethnicity, or gender identity.
In addition, unlike some other biometrics companies, we do not buy or sell behavioral data, we do not scrape or source the internet for behavioral data, and we do not pay people to create or generate behavioral data. Additionally, the data we collect is used for one-to-one verification purposes, simply confirming that the person interacting within an application is the expected person. This is very different from identification, where CCTV or biometrics scanners try to match an unknown person against a vast database – and it therefore removes the incentives for governments, businesses, and criminals to steal or misuse behavioral biometrics data.
In summary …
The attacks against Colonial Pipeline and Washington, D.C. police are proof that we remain unprepared for the cyber threats that threaten our infrastructure, public records, financial information, and even our very identities.
Never assume it will not or cannot happen to you or your business. Complacency is the easiest way to increase your vulnerability to attacks. Remember, security and privacy are really about trust and once a customer loses faith in a company or its products, no amount of reassurance will restore that trust or relationship.
Behavioral biometrics can help you build trusting, lasting relationships without threats to privacy, violations of rights and personal freedoms, potential data theft and other crimes.
For a deeper look into the current state of privacy laws and how behavioral biometrics is different, read the full report.