Banks are becoming interested in behavioral biometrics, or turning a consumer's unique physical handling of a mobile device into a security profile, but the more appealing use case could be for payment acceptance.
Biometric authentication is already making headway in payments through systems such as Apple's Touch ID and the upcoming Android Pay.
Behavioral biometrics are commonly used to authorize a mobile banking session, but online payment providers are "even bigger fish than the banks," said Johan Dalnert, chief marketing officer at BehavioSec, a Stockholm-based provider of behavioral biometrics.
Behavioral biometrics take into account things like the rhythm of a person's handling of their mobile device, how their fingers move over the keyboard or screen, and how long and hard each button press is.
Shopping cart abandonment is a huge problem for online merchants, especially when customers are shopping on mobile devices. Part of the problem is that providing authentication and payment details is a cumbersome process with an on-screen keyboard, and simpler alternatives like scanning a card's information with a smartphone's camera interrupt the experience.
Behavioral biometrics are less disruptive, so conversions will likely increase, said Dalnert.
BehavioSec is able to identify a person's unique mannerisms by observing between three and ten sessions, depending on the length of each interaction. And because people's behavior changes over time, BehavioSec's machine-learning algorithm was designed to evolve with them, keeping data from only the user's last 15 sessions. This also allows the algorithm to sift through stored data faster to get a risk score to the bank, enabling quicker authentication decisions.
While BehavioSec has spoken to payment providers and card networks, the banking sector "is the vertical that's the most risk-averse" and thus the most receptive to its technology, Dalnert said.
BehavioSec works with about 20 banks in northern Europe and is working on pilots with several high-street banks in New York and London.
After securing 5.5 million euros in funding last year, the company expanded its footprint, opening an office in the U.K. and Germany. BehavioSec also plans to open an office on the east coast of the U.S. and expand its small branch in Palo Alto, Calif.
While the U.S. lags behind northern Europe in terms of behavioral biometrics, "in the last six months, the level of knowledge our [potential] customers come in with is much more profound," Dalnert said. "They're more aware of the need for usability and that authentication needs to be frictionless from the user standpoint."
Non-financial software companies have also come to BehavioSec in an effort to eliminate the sharing of licensed software products among several people or even a whole sales force.
BehavioSec reported a 99.8% accuracy rate during a pilot with a financial institution. But ValidSoft, a London-based security company that focuses on voice biometrics, cautions that rates from pilots come from very controlled experiments.
The solution to this concern is to use layered authentication, said Dave Birch, director at Consult Hyperion.
"If you're combining multiple biometrics they don't have to be that accurate, individually," Birch said. "If a keyboard logger has a 90% accuracy rating, 90% accuracy is useless to a mass market bank. But if the bank has three different biometric features that all have 90% accuracy and they put them together in the right combination for 99.9% accuracy, that's good enough for the mass market."
Otherwise, tens of thousands of good customers could get rejected, Birch said.
BehavioSec agreed multi-factor authentication is needed for both security and accessibility. Behavioral biometrics are "an additional layer, not the primary source of authentication," Dalnert said.