(Part I in a series on behavioral biometrics)

The various types of biometrics have been lingering above our networked societies, as their continuous technological development promises secure, easy and cost-effective “authentication” in a transaction-geared world. Technological and hence cost advances have been huge over the last couple of years. The big potential they hold, though, is still to be realized.

At the same time, using intrinsic elements of our bodies to authenticate also brings new dangers. In a world which is rife with hacks into the systems of companies and governments, a centralized repository of, for instance, fingerprints and iris scans is asking for trouble. You cannot swap your irises and fingerprints, so a breach poses a huge problem for many. And this is just one example of the inherent weaknesses of systems based on biometrics.

Many biometric approaches now aim not to store the print itself, but to use an algorithm that turns the biometric input into a unique but replicable code, which can then be used for authentication. Apple’s iTouch does this, for instance, and stores the unique number locally only. With this approach the fingerprint sensor, the secure element, the algorithm and the storage are all within a closed system on a chip, trying to circumvent many of the problems attached to using fingerprints securely on a large scale. (NB Another example, Sign2Pay, based on our signature, is discussed at RPD here.)

I see a clear divide in two types of biometrics:

  1. Physiological biometrics involving intrinsic and therefore (basically) static elements of the human body like fingerprints, irises, face characteristics, DNA etc.
  2. Behavioral biometrics involving the patterns of the behavior of a person’s body, like typing/swiping rhythms, angle of holding a phone, signatures etc. It is not something you HAVE in combination with something you KNOW (as is the basis of most authentication methods in mainstream payments), but something you DO (and only YOU can DO).

NB to me “heartbeat patterns” and voice patterns are static and physiologically based, hence should be considered to be part of the first group.

I explicitly put “body” into the definition, as a person has other means of expressing behavior which could be used for authentication or other identifying purposes but which in my eyes cannot be considered biometrics, being in essence only body centric. As an example: in his booklet “Identity is the new money” David Birch (2014, London Publishing Partners) argues that the behavior of a person in a network can be regarded as a way to identify a person as well (both in the sense of trustworthiness and in authentication).

Biometrics have been around for some time now. Could be several decades? At least as long as I have been professionally involved in technology-intensive areas like Mobile Telephony and Electronic Payments over the last 20 years. It seems a general rule that we overestimate the tempo of their introduction and adoption but clearly underestimate the impact of new technologies.

As an innovation and business development professional I have been following the developments in biometrics with curiosity. A few weeks ago I listened to Richard Perry of Biocatch, who was pitching his company’s behavioral biometrics capabilities (at the ABNAMRO Startup Friday meeting 28 November). He boasted Biocatch could identify a person based on his behavior with phones, pad, and computers, regardless of whether this appliance was used routinely or just for once everywhere. They apparently have 400+ parameters they use to build up a behavioral signature of a person.

Sometimes the potential impact of a development sinks in at a very specific moment and it hits you with a big bang. For me the horrific potential societal consequences of behavioral biometrics, where every electronic device, just by using it and making use of the sensors on board, could establish where you are and what you do, became evident. I asked Richard after his pitch:

“Is there still a place to hide?”

His triumphant answer was:

“No, we will find you everywhere!”