Forget Passwords: This Startup Wants To Authenticate Your Mind

Biocatch detects fraud and identity theft based on your online behaviors.


Most online identity security today is based on what you know (like a password, social security number, or mother’s maiden name) or something you have (like a code sent to your mobile device, fingerprint, or voice pattern).


But what if you could prove your identity without doing anything at all? That’s the idea behind Biocatch, a startup that’s observing people’s online behaviors and creating a unique signature for each account holder.

“Essentially, it’s a way to authenticate your mind by observing what you do and how you do it,” says Uri Rivner, Biocatch’s co-founder and vice president of cyber strategy.

Biocatch works with its customers, which are mostly a handful of large banks right now, to help them detect real fraud and identity theft and also to make it easier for genuine account holders to log in without triggering a fraud alert, even when traveling to unusual places or making strange purchases. But the system could prove useful in a wider range of sectors, especially as businesses and governments cope with increasingly sophisticated malware attacks that often enter through the logins of employees who have access to sensitive information.

Biocatch looks for the unique patterns of how people use a touch screen.

To create its biometric “cognitive signature,” BioCatch analyzes as many as 450 physical parameters that describe a customer’s interaction with a computer, web browser, and mobile device.

For example, on a mobile device, it can use sensors like the accelerometer and gyroscope to measure whether someone has a hand tremor or, say, the level of pressure an individual typically applies when clicking a button. On a computer, it measures a person’s hand-eye coordination in using a mouse and precise ticks in how it’s dragged, as well as other browser habits like whether a person always opens new tabs or uses the keyboard to scroll or always corrects typos with a backspace.

No one of these factors by itself will identify any given individual, but by piling on hundreds of tests, within a few seconds of using the account, its algorithms can issue a score on the likelihood that the person logging on is the account holder (or one of several account users).
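A sketch of how many weak signals can add up to a confident score, added here as an illustration and not Biocatch's algorithm: it assumes each feature is Gaussian and independent (naive Bayes), and the feature names, profiles and sessions are constructed.

```python
import math

def gaussian_logpdf(x, mean, sd):
    """Log density of N(mean, sd^2) at x; sd is floored to avoid division by zero."""
    sd = max(sd, 1e-6)
    z = (x - mean) / sd
    return -0.5 * z * z - math.log(sd) - 0.5 * math.log(2 * math.pi)

def score_session(session, owner, population, prior_owner=0.5):
    """Fuse per-feature evidence into (log-likelihood ratio, P(owner | session)).

    session:    {feature: observed value}
    owner:      {feature: (mean, sd)} learned from the account holder's past sessions
    population: {feature: (mean, sd)} across all users
    Features are assumed independent, so their log ratios simply add.
    """
    llr = 0.0
    for name, x in session.items():
        if name not in owner or name not in population:
            continue  # e.g. no accelerometer reading on a desktop session
        llr += gaussian_logpdf(x, *owner[name]) - gaussian_logpdf(x, *population[name])
    logit = llr + math.log(prior_owner / (1.0 - prior_owner))
    # Numerically stable logistic function
    if logit >= 0:
        posterior = 1.0 / (1.0 + math.exp(-logit))
    else:
        posterior = math.exp(logit) / (1.0 + math.exp(logit))
    return llr, posterior

def constructed_profiles(n):
    """Constructed data: n standardized features, each only weakly distinctive."""
    population = {f"f{i}": (0.0, 1.0) for i in range(n)}
    owner = {f"f{i}": (0.5 if i % 2 == 0 else -0.5, 1.0) for i in range(n)}
    return owner, population

def constructed_session(owner, centre_on_owner):
    """Constructed session: a fixed +/-0.3 wobble around the owner's or the population's mean."""
    session = {}
    for i, (name, (mean, _sd)) in enumerate(owner.items()):
        wobble = 0.3 if (i // 2) % 2 == 0 else -0.3
        session[name] = (mean if centre_on_owner else 0.0) + wobble
    return session

if __name__ == "__main__":
    for n in (1, 20, 200):
        owner, population = constructed_profiles(n)
        genuine = score_session(constructed_session(owner, True), owner, population)[1]
        impostor = score_session(constructed_session(owner, False), owner, population)[1]
        print(f"{n:3d} features  P(owner|genuine)={genuine:.4f}  P(owner|impostor)={impostor:.4f}")
```

With one feature the genuine and impostor sessions score almost the same; the separation only appears once the per-feature log ratios are summed over many features.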

Biocatch subtly messes with people’s mouse to measure how they respond.

Other companies are starting to develop similar behavioral metrics, but what makes Biocatch unique, according to Rivner, is that, in addition to its passive analysis of user behavior, it also issues a person subtle “challenges” every time they log in. For example, the company’s JavaScript code may make a person’s mouse skip a bit or put up a slight resistance to movement, and then measure how the person responds. “If you are not a human, you won’t respond,” says Rivner. “It’s almost like an invisible CAPTCHA.” He also says the company can detect when someone is logging on from a remote system, even when they make attempts to disguise that.

Rivner came to Biocatch, a company based in Israel and the U.S., after working as head of new technologies at RSA, a leading network security firm whose own security was infamously penetrated by hackers in 2011. After the incident, Rivner was tasked with finding new ways to detect when someone was accessing a computer remotely, as hackers do after they penetrate a computer system’s defenses. That’s when he came across Biocatch, then a fledgling startup founded that same year, and he was impressed enough with the idea that they succeeded in recruiting him.

The Biocatch program isn’t designed to replace passwords. Like more traditional biometrics, it’s another tool that companies can use to add more security or simply make it easier for people to complete an online transaction without jumping through hoops such as annoying CAPTCHAs or the need to have their mobile device nearby.

“When Apple introduced its fingerprint scanner, people considered it a security play. It’s not a security play. It’s a convenience play. It’s more convenient to use the fingerprint than to type a four-digit PIN,” says Rivner. “The race today is to reduce friction. That’s the number one thing: to make it more convenient.”

About the author

Jessica Leber is a staff editor and writer for Fast Company's Co.Exist. Previously, she was a business reporter for MIT’s Technology Review and an environmental reporter at ClimateWire.