Most online identity security today is based on what you know (like a password, social security number, or mother’s maiden name) or something you have (like a code sent to your mobile device, fingerprint, or voice pattern).
But what if you could prove your identity without doing anything at all? That’s the idea behind BioCatch, a startup that’s observing people’s online behaviors and creating a unique signature for each account holder.
“Essentially, it’s a way to authenticate your mind by observing what you do and how you do it,” says Uri Rivner, BioCatch’s co-founder and vice president of cyber strategy.
BioCatch works with its customers, which are mostly a handful of large banks right now, to help them detect real fraud and identity theft and also to make it easier for genuine account holders to log in without triggering a fraud alert, even when traveling to unusual places or making strange purchases. But the system could prove useful in a wider range of sectors, especially as businesses and governments cope with increasingly sophisticated malware attacks that often enter through the logins of employees who have access to sensitive information.
To create its biometric “cognitive signature,” BioCatch analyzes as many as 450 physical parameters that describe a customer’s interaction with a computer, web browser, and mobile device.
For example, on a mobile device, it can use sensors like the accelerometer and gyroscope to measure whether someone has a hand tremor or, say, the level of pressure an individual typically applies when clicking a button. On a computer, it measures a person’s hand-eye coordination in using a mouse and precise ticks in how it’s dragged, as well as other browser habits like whether a person always opens new tabs or uses the keyboard to scroll or always corrects typos with a backspace.
No one of these factors by itself will identify any given individual, but by piling on hundreds of tests, within a few seconds of using the account, its algorithms can issue a score on the likelihood that the person logging on is the account holder (or one of several account users).
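The principle in that last paragraph, that many weak signals add up to a confident score, can be shown with a small added example. This is not BioCatch's algorithm, which the article does not describe; it is a naive-Bayes sketch that assumes independent, Gaussian, population-normalized features, and every name, constant, and data point in it is constructed for illustration.

```python
import math
import random

N_FEATURES = 450     # the article's figure for parameters analysed
USER_SPREAD = 0.6    # assumed: how far a person's habit sits from the population mean
USER_NOISE = 0.8     # assumed: session-to-session variation around that habit
# Features are z-scored against the population, so the population is N(0, 1)
# (0.6**2 + 0.8**2 == 1.0 keeps this toy model self-consistent).

def log_gauss(x, mean, std):
    return -math.log(std * math.sqrt(2 * math.pi)) - (x - mean) ** 2 / (2 * std ** 2)

def new_user(rng):
    """Constructed profile: one habitual value per feature."""
    return [rng.gauss(0.0, USER_SPREAD) for _ in range(N_FEATURES)]

def new_session(rng, habits):
    """Constructed session produced by the person with these habits."""
    return [rng.gauss(h, USER_NOISE) for h in habits]

def log_likelihood_ratio(profile, session, n):
    """Sum of per-feature evidence over the first n features.
    Positive favours 'account holder', negative favours 'someone else'."""
    return sum(
        log_gauss(x, h, USER_NOISE) - log_gauss(x, 0.0, 1.0)
        for h, x in zip(profile[:n], session[:n])
    )

def score(profile, session, n=N_FEATURES, prior=0.5):
    """Posterior probability that the session belongs to the account holder."""
    logit = math.log(prior / (1 - prior)) + log_likelihood_ratio(profile, session, n)
    logit = max(-700.0, min(700.0, logit))  # keep math.exp within float range
    return 1.0 / (1.0 + math.exp(-logit))

def demo(seed=7):
    rng = random.Random(seed)
    holder, stranger = new_user(rng), new_user(rng)
    sessions = {"holder": new_session(rng, holder), "stranger": new_session(rng, stranger)}
    return {
        (who, n): score(holder, s, n)
        for who, s in sessions.items() for n in (1, 10, 100, N_FEATURES)
    }

if __name__ == "__main__":
    for (who, n), p in demo().items():
        print(f"{who:8s} features={n:3d} score={p:.4f}")
```

With a single feature the score carries little evidence either way; as more features are summed, the account holder's session moves toward 1 and the stranger's toward 0.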
Rivner came to BioCatch, a company based in Israel and the U.S., after working as head of new technologies at RSA, a leading network security firm whose own security was infamously penetrated by hackers in 2011. After the incident, Rivner was tasked with finding new ways to detect when someone was accessing a computer remotely, as hackers do after they penetrate a computer system’s defenses. That’s when he came across BioCatch, then a fledgling startup founded that same year, and he was impressed enough with the idea that the company succeeded in recruiting him.
The BioCatch program isn’t designed to replace passwords. Like more traditional biometrics, it’s another tool that companies can use to add more security or simply make it easier for people to complete an online transaction without jumping through hoops such as annoying CAPTCHAs or the need to have their mobile device nearby.
“When Apple introduced its fingerprint scanner, people considered it a security play. It’s not a security play. It’s a convenience play. It’s more convenient to use the fingerprint than to type a four digit PIN,” says Rivner. “The race today is to reduce friction. That’s the number one thing: to make it more convenient.”