Pablo de la Riva, Jan 17, 2018

Behavioral biometrics in cybersecurity: real time & session protection

The relentless headway made by digital transformation in increasingly critical areas is driving the cybersecurity industry to revise the identification process of citizens who use services that expose data as sensitive as their bank accounts.

In this respect, continuous reports of credential theft on a diverse array of platforms remind us that traditional “user plus password” identification, as the sole level of protection, became obsolete a long time ago.

Cybercriminals invest a great deal of time, money and effort into seeking alternative ways to steal credentials or take over someone’s bank accounts through well-known tactics such as phishing, malware, remote access Trojans and account takeover.

In addition, the increasingly creative and disruptive social engineering tactics they apply to gain control of credentials and accounts force users to be constantly on high alert, something that cannot be sustained all the time. Once a cybercriminal has obtained a user’s credentials or taken over their account, they can put them to a wide range of uses:

  • They can create repositories to sell the credentials to other cybercriminals. In this case, they can even use them as an advertising ploy so that potential customers buy their database.
  • They can supply them directly to other members of the cybercriminal group they belong to and who will take charge of carrying out the theft.
  • They can use them, for example, for authorizing their own fraudulent bank transfers, making purchases, etc.

Furthermore, the latest credential theft leaks reveal that users continue to use very weak passwords, such as the notorious “123456”, partly because they are tired of having to create dozens of credentials, one for every online platform. In fact, a 2015 Accenture survey showed that users would rather use easy-to-remember passwords and were even willing to use ones that could be easily compromised.


So, what other options can be deployed to protect digital platform access and sessions such as, for example, online banking? Biometrics, without a shadow of a doubt.

For some time now, discussions have been taking place on “physical” access control biometrics (digital fingerprint, face and iris recognition, etc.) as a new, safer, user identification system. But the biometrics field offers a whole host of possibilities, including behavioral biometrics.

This type of technology analyzes the behavior of users in real time in order to check whether they are who they claim to be, not only when they enter their access codes but also for the entire time they are logged on to the digital platform.

However strange it may seem, we human beings do not behave alike when interacting with the different devices at our disposal: the keyboard, the mouse, the touchscreen, etc. This behavior can be analyzed using parameters such as the following:

  • How fast we write our password.
  • How hard we press the keyboard.
  • How we operate the mouse to move the cursor where we want.
  • How long we take to move the cursor.
  • Etc.

In order to analyze this behavior, one or several algorithms are applied that can be processed by using different technologies. In the case of bugFraud, Machine Learning and Deep Learning are our chosen techniques on account of the millions of fragments we analyze in real time every day for our customers.
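To make the typing-speed parameter concrete, here is an added example that is not from the original article and is not bugFraud's implementation: it turns key press and release timestamps into dwell and flight times, builds a per-user profile from enrollment entries, and scores later password entries against it. It uses a simple per-feature z-score in place of the Machine Learning and Deep Learning mentioned above; the function names, the threshold and all timings are constructed for illustration.

```python
from statistics import mean, stdev

THRESHOLD = 2.0  # assumed cut-off; a real system tunes this on labelled data

def typed(dwells, flights):
    """Build constructed (key_index, press_ms, release_ms) events for one password entry."""
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((i, t, t + d))
        if i < len(flights):
            t += d + flights[i]
    return events

def features(events):
    """Dwell time per key, then flight time between consecutive keys (ms)."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Profile = per-feature (mean, std) over the user's enrollment entries."""
    columns = zip(*(features(s) for s in samples))
    # Floor the std at 1 ms so a very consistent feature cannot divide by ~0.
    return [(mean(c), max(stdev(c), 1.0)) for c in columns]

def score(profile, events):
    """Mean absolute z-score against the profile; higher means less like the user."""
    vec = features(events)
    if len(vec) != len(profile):
        return float("inf")  # not the enrolled password length
    return mean(abs(x - m) / s for x, (m, s) in zip(vec, profile))

def is_user(profile, events):
    return score(profile, events) <= THRESHOLD

# Constructed enrollment data: four entries of the same 4-key password.
PROFILE = enroll([
    typed([90, 100, 95, 110], [120, 130, 125]),
    typed([95, 105, 90, 115], [125, 135, 120]),
    typed([85, 95, 100, 105], [115, 125, 130]),
    typed([92, 102, 94, 108], [122, 128, 126]),
])
GENUINE = typed([91, 99, 96, 109], [121, 131, 124])    # same rhythm
OTHER = typed([60, 150, 70, 160], [250, 60, 300])      # correct keys, different rhythm
SCRIPTED = typed([10, 10, 10, 10], [10, 10, 10])       # uniform machine-like timing

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("other", OTHER), ("scripted", SCRIPTED)]:
        print(name, round(score(PROFILE, attempt), 2), is_user(PROFILE, attempt))
```

The same scoring can be repeated on each window of input during a session, which is how a correct password typed with the wrong rhythm still gets flagged.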

Some of the main benefits of using behavioral biometrics are as follows:

  • Theft prevention: it prevents someone else or a bot from passing themselves off as the user and/or using their passwords. In this respect, it prevents any potential identity theft, whether through password hacking or via remote access to a user’s account.
  • User non-intrusiveness: users will be unaware that a cybercriminal is attempting to access their account so they will continue browsing the web naturally.
  • Easy deployment: no special hardware is needed as a mouse and a keyboard or a mobile phone screen suffice to conduct the analysis.

Another advantage of this type of technology is that it evolves with the user; unlike robots, our behavior is not always exactly the same. The biometric analysis therefore adapts accordingly in order to protect the user throughout the whole session.


Pablo de la Riva

Pablo de la Riva founded his first company when he was 21 years old – a security consulting firm – and Revelock was his first software startup experience. He has been working in the anti-fraud sector for almost 15 years, first as a cyber-security analyst, then as a team leader, later as CTO with almost 200 people reporting to him and now as CEO.