As we sit hunched over our keyboards, it is hard to believe that the way we peck at the keys and swish the cursor around is unique. But several companies believe this could be used to prove our identity, doing away with one of the most annoying aspects of digital life: passwords.
From e-commerce sites to social media profiles, passwords protect all kinds of sensitive information. But recent security breaches show just how vulnerable the system is. Earlier this year, the Heartbleed bug sent people scurrying to change passwords across a huge swathe of the internet. And in May, eBay announced that over 200 million accounts may have been compromised in a security breach.
This has boosted interest in behavioural biometrics, says Uri Rivner of Biocatch, a firm based in Tel Aviv, Israel. Behavioural biometrics is based on the idea that individuals subconsciously use their mouse and keyboard in predictable ways – and that these behaviours can reliably identify them. Examples of these actions include how quickly a user selects buttons that pop up on screen, how long they hover over menus, how fast they move the mouse and whether they scroll using the cursor keys, the scroll bar or the mouse wheel. Not all of these need to be used, though.
“We don’t need to find behaviours unique to each person on the planet,” says Neil Costigan, CEO of Behaviosec in Luleå, Sweden. “We just need enough of a spread of behaviours to verify that someone is who they say they are. We look at the behaviour to see if it matches that person’s previous behaviour.”
Plenty of companies are already beginning to implement this technology. Biocatch ran successful trials on the networks of two different banks, and announced on 17 June that these had helped it to raise $10 million in venture capital funding. In the US, IBM is starting to deploy the technique in online security software it sells to banks. And Behaviosec has been funded by the Pentagon’s research arm, DARPA, to adapt its desktop behavioural biometrics systems to tablets and smartphones.
IBM’s system monitors behaviour only after a person has logged in using their password. This can prevent a fraudster from making transactions while posing as an authenticated user who has, for example, gone to make coffee without logging out. When the software detects behaviours that are out of character, it asks the user to log in again and answer some extra security questions.
Biocatch aims to replace passwords entirely, although at the moment its software is also only used after logging in. The system is more active than IBM’s, presenting people with what it calls subconscious “challenges” that garner distinctive responses. For instance, the software makes the cursor disappear for a few seconds and the type of mouse motion people use to recover it – clockwise, anticlockwise, large arc, small arc – is recorded.
Rivner says that by building a model of how individuals respond to these challenges, and then monitoring actions while banking or shopping online, the software can tell within a few keystrokes if the user is the same person who originally logged in. He says this is well on the way to ridding us of the hassle of passwords, PINs, captchas and other login methods.
Similar advances are on the way with mobile technology. Touch behaviours like finger pressure, swipe speed, angles of swipe, gyroscope and accelerometer readings can all be harnessed to authenticate a user, says Costigan. “The smartphone has an amazing array of inputs for behaviour recognition.”
Syndicated content: Paul Marks, New Scientist