Enhancing mobile app security with behaviour-based biometrics

Understanding behaviour-based biometrics

Behaviour-based biometrics is a method of authentication that identifies individuals based on their unique patterns of interactions, instead of permanent physical aspects. Thus, this approach focuses on how users behave when using their devices.

These interactions create a unique “behavioural fingerprint” for each user, which can be compared against real-time behaviour to detect anomalies and potential security threats. 

What type of behaviours can be tracked and analysed? 

Most laypeople think of behaviour-based biometrics as an amorphous blob that’s to be observed as a single entity. Instead, it’s more of a puzzle that allows apps to determine the identity of the users, using a multi-step verification process, consisting of: 

• Typing rhythm: The system analyses the unique way a user types, including the speed between keystrokes, the duration of key presses, the pressure applied to the touchscreen, and even the frequency of typing errors. 
• Device handling: This examines how a user physically interacts with their device, including the angle at which they typically hold the phone, whether they use one hand or two, and even subtle movements like hand tremors. In particular, accelerometers and gyroscopes in the device capture this data. 
• Walking patterns: By utilising the device’s motion sensors, the system can analyse a user’s gait. This includes the rhythm and pace of steps, the bounce in their walk, and how the device moves in their pocket or hand while walking. 
• Usage patterns: This focuses on how a user navigates their device. It includes the sequence in which apps are typically opened, how long they’re used, and at what times of day. It also considers how a user navigates within apps and tries to establish correlations.
• Scrolling behaviour: The device analyses the speed and style of scrolling, whether a user tends to scroll smoothly or in quick flicks, how often they pause, and where on the screen they typically touch to initiate scrolling. 

Each of these patterns, while not necessarily unique on their own, combine to create a complex behavioural profile that’s highly individual and extremely difficult to replicate. 

Advantages of behavioural biometrics over traditional biometric methods

To the untrained eye, irises and fingerprints seem like the pinnacle of biometric authentication, but there are plenty of issues surrounding them, especially pertaining to storage, lack of continuity, or even sensor quality. On the other hand, a behaviour approach provides: 

Continuous authentication vs. point-in-time verification

Traditional biometric methods like fingerprint scans or facial recognition typically provide point-in-time verification, usually when a user logs into an app or device. Once this initial authentication is complete, the system assumes the authorised user is still in control. 

In contrast, behaviour-based biometrics constantly monitors user behaviour throughout the entire session, providing real-time security. This approach can detect unauthorised access immediately, even if it occurs after the initial login, significantly reducing the window of opportunity for potential attackers.

Difficulty of replication or theft

Physical biometrics, while unique, can potentially be replicated or stolen. Fingerprints can be lifted from surfaces using simple adhesive tape, and facial-recognition systems can sometimes be fooled by high-quality photos or masks. 

Behavioural biometrics, however, are exceedingly difficult to replicate or steal. Mimicking a person’s typing rhythm or how they handle their device is much more complex and requires detailed, ongoing observation – and even then, it’s impossible to mimic someone’s subconscious mind.

Adaptability to changing user behaviours

One of the most powerful features of behaviour-based biometrics is its ability to adapt to gradual changes in user behaviour, thus preventing security incidents due to false positives. People’s interactions with their devices can evolve over time due to factors like age, injury, or simply changing habits. 

While traditional biometrics might require manual updates (like rescanning a fingerprint), behavioural systems use machine learning algorithms to continuously learn and adjust to these changes. This adaptability keeps the system accurate and effective over the long term, reducing false rejections while maintaining high security standards.

Direct impact of behaviour-based biometrics on mobile app security 

Initially, behavioural biometric systems were used only in large manufacturing facilities and government premises, but have since become a viable way of monitoring how, why and when someone uses a particular app, thereby allowing for: 

Fraud prevention

The ability of behaviour-based biometrics systems to continuously analyse user behaviour patterns and quickly detect anomalies makes them very effective at identifying potentially fraudulent activity. 

For instance, if a banking app detects unusual typing patterns or unfamiliar device handling during a transaction, it can flag the activity for additional verification or temporarily block the transaction. This real-time fraud detection capability can significantly reduce financial losses and protect users from unauthorised transactions.

Unauthorised access detection

Unlike traditional security measures that only verify identity at login, behavioural biometrics continuously monitor user interactions throughout the entire session. This ongoing authentication process can quickly identify if an unauthorised user gains access to an app after the initial login.

For example, if a device is left unlocked, the system can detect changes in typing patterns, scrolling behaviour, or app navigation habits that don’t match the authorised user’s profile. Upon detecting potential unauthorised access, the app can take immediate action, such as logging out the user, requiring re-authentication, or alerting security personnel.

Enhanced user experience 

While security is the primary area of focus, behaviour-based biometrics can also significantly enhance the user experience of mobile apps. Since the system operates in the background, it provides seamless and unobtrusive authentication without requiring users to repeatedly verify their identity with password entry or fingerprint scans. 

This creates a more seamless and frictionless user experience, particularly for frequently used apps. For instance, a banking app might use behavioural biometrics to allow users to perform routine tasks like checking balances or making small transfers without requiring additional authentication steps. 

The app would only prompt for explicit verification for more sensitive actions or when it detects significant deviations from normal behaviour patterns.

Securing API access 

For apps that rely on APIs to gain access to sensitive data, behavioural biometrics is the best way to continuously maintain a high level of security when interacting with external services. For example, if someone is using an app to chat with a PDF file or transcribe a private video, behaviour-based biometrics can continuously verify the user’s identity throughout their interaction with the app. This ensures only the authorised user has access to their sensitive information. 

Challenges of implementing behaviour-based biometrics

While behaviour-based biometrics offers significant advantages for mobile app security, it also faces several challenges and limitations that need to be addressed:

Accuracy and false positives/negatives

One of the primary challenges in implementing behaviour-based biometrics is achieving and maintaining high accuracy levels. The system must strike a delicate balance between security and usability. 

False positives (incorrectly flagging authorised users as potential threats) can lead to user frustration and decreased app engagement. Conversely, false negatives (failing to detect unauthorised access) can compromise security.

Privacy concerns

The collection and analysis of detailed behavioural data raise significant privacy concerns. Users may feel uncomfortable with the level of monitoring required for behaviour-based biometrics, perceiving it as invasive or excessive. 

There are also concerns about the security of this data and how it might be used for purposes other than security, such as targeted advertising or user profiling.

Addressing these concerns requires a combination of robust data protection measures, along with the application of secure-by-design principles, adherence to privacy regulations such as GDPR or CCPA, and clear user communication.

Technical implementation hurdles

Implementing behaviour-based biometrics in mobile apps presents several technical challenges:

• Resource consumption: Continuous monitoring and analysis of user behaviour can be computationally intensive, potentially affecting device performance and battery life.
• Integration complexity: Incorporating behaviour-based biometrics into existing app architectures and security systems requires significant development resources.
• Cross-device consistency: Ensuring consistent performance across different device types, operating systems, and app versions can be challenging due to variations in hardware capabilities and software environments.
• Data management: Handling the large volumes of behavioural data generated requires efficient data processing and storage solutions, both on-device and in the cloud.

Overcoming these technical hurdles requires ongoing research and development, collaboration between app developers and security experts, and the development of standardised frameworks or APIs for behaviour-based biometric implementation.

Wrapping up

It’s clear that behaviour-based biometrics will potentially revolutionise mobile app security. By continuously authenticating users based on their unique interaction patterns, this technology offers robust protection against fraud and unauthorised access. Its ability to resist replication clearly sets it apart from traditional biometric methods.

That said, the key to the widespread adoption of behavioural biometrics lies in striking the right balance – harnessing the security benefits of this technology while respecting user privacy and maintaining transparency.