Tech companies have been trying to kill the password for years. Last week, Google announced its latest scheme to get rid of those pesky alphanumeric strings with something called Project Abacus, which will let Android smartphones identify a user by the way they type, their location, facial recognition, and other biometric markers.
The project is being worked on by Google’s Advanced Technology and Projects unit, and the company hopes to introduce the scheme by the end of the year. As it happens, millions of average Scandinavians have been using this technology for over a year to log in to their online bank accounts.
The tech is called behavioral biometrics, and in Sweden, Denmark, and Norway, it’s integrated into a system called BankID, which major banks use to identify their customers. In Sweden, the system has 6.5 million active users. In Norway it’s used by over 75% of the adult population (pdf). Banking customers use it for everyday transactions from logging in to bank accounts to filing taxes.
BankID tracks the speed at which users type and the angle at which they swipe their touchscreens, among other measures, to build up a profile of the user over time. If the user’s behavior is consistent, she won’t need to constantly punch in a password. But if the user’s behavior deviates from that profile by more than a certain threshold, the system prompts the user for a password. “Most people don’t mind a challenge if it’s legitimate,” says Neil Costigan, whose firm BehavioSec, based in Sweden, supplies the behavioral biometrics layer of BankID. “But you don’t want it all the time.”
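To make the step-up logic concrete, here is an added illustration (not BehavioSec’s or BankID’s code) of a behavioral profile built from past sessions and a threshold check that decides whether to prompt for a password. The two features, the standard-deviation floors, the threshold of 3.0 and all session data are constructed assumptions for the example.

```python
from statistics import mean, pstdev

# Features and an assumed floor on each standard deviation, so that a very
# consistent enrolment history does not make every small wobble look like an imposter.
MIN_SIGMA = {"key_interval_ms": 20.0, "swipe_angle_deg": 5.0}
STEP_UP_THRESHOLD = 3.0  # assumed: max |z-score| above which a password is demanded


def session_features(raw):
    """Reduce one session's raw touch/typing events to a feature vector."""
    return {
        "key_interval_ms": mean(raw["key_intervals_ms"]),
        "swipe_angle_deg": mean(raw["swipe_angles_deg"]),
    }


def build_profile(enrolled_sessions):
    """Per-feature mean and floored standard deviation over past sessions."""
    vectors = [session_features(s) for s in enrolled_sessions]
    profile = {}
    for name, floor in MIN_SIGMA.items():
        values = [v[name] for v in vectors]
        profile[name] = (mean(values), max(pstdev(values), floor))
    return profile


def deviation_score(profile, raw):
    """Largest absolute z-score of this session against the stored profile."""
    feats = session_features(raw)
    return max(abs(feats[n] - mu) / sigma for n, (mu, sigma) in profile.items())


def requires_password(profile, raw, threshold=STEP_UP_THRESHOLD):
    """Step-up decision: True means the app should ask for the password."""
    return deviation_score(profile, raw) > threshold


# Constructed sample data: four enrolled sessions of the account owner, then
# one new session by the owner and one by someone else holding the credentials.
ENROLLED = [
    {"key_intervals_ms": [180, 200, 220, 190], "swipe_angles_deg": [30, 35]},
    {"key_intervals_ms": [190, 210, 200, 200], "swipe_angles_deg": [32, 34]},
    {"key_intervals_ms": [200, 190, 210, 200], "swipe_angles_deg": [28, 36]},
    {"key_intervals_ms": [210, 220, 190, 200], "swipe_angles_deg": [31, 33]},
]
OWNER = {"key_intervals_ms": [195, 205, 210, 190], "swipe_angles_deg": [31, 34]}
IMPOSTER = {"key_intervals_ms": [90, 110, 100, 95], "swipe_angles_deg": [70, 75]}

if __name__ == "__main__":
    prof = build_profile(ENROLLED)
    for label, session in (("owner", OWNER), ("imposter", IMPOSTER)):
        print(label, round(deviation_score(prof, session), 3), requires_password(prof, session))
```

The owner’s session scores well under the threshold and passes silently, while the imposter’s faster typing and steeper swipes exceed it and trigger the password prompt; a real deployment would keep re-scoring throughout the session rather than only at login.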
As applications and passwords have proliferated, so too have security breaches. Weak passwords lie behind some of the biggest breaches, but people consistently use them out of convenience. Behavioral biometrics isn’t entirely novel. It’s similar to the way credit card companies send a text message or phone a card-holder who makes a transaction in a new country, for example. Both systems rely on passive monitoring of user behavior.
BehavioSec grew out of a project at the Luleå University of Technology, located in the city of Luleå, in Sweden’s north. It has raised over $8 million in funding from European VCs like Octopus Ventures and Partners Invest Norr, which is partly funded by the EU. It has also received grants from Darpa, the US military agency that researches emerging technologies.
BehavioSec says its technology has been used by over 50 million users to conduct 1.2 billion transactions so far. BehavioSec won’t say precisely when it integrated its tracking technology with BankID, citing non-disclosure agreements, but it ran a trial with Danske Bank, Denmark’s biggest bank, in 2013, with a plan to deploy it more widely by the end of 2014.
In the Danske Bank trial, BehavioSec said it could detect an imposter using stolen credentials to access a bank account from a single log-in attempt more than 97% of the time. Over the duration of a user’s session within the online banking system, it claimed to have detected an imposter in over 99% of cases. That trial involved 18,000 users and over 500,000 transactions.
An application that tracks your interactions with your phone may also violate your privacy rights. BehavioSec’s Costigan says that when the tech is integrated with a bank’s app, it operates within the bank’s systems, meaning it’s as secure–and private–as any other financial data stored by the bank. European data protection laws prevent companies like his from being cavalier with user data.
Because BehavioSec tracks the way a user interacts with a phone, not the results of that interaction, it’s not as invasive as it might sound, Costigan says. “We’re talking about swiping across the screen; the way you type,” he says, “It’s not about the things you’re typing.”
That logic is similar to arguments made by governments defending the mass collection of anonymized communications metadata (not the contents of any electronic communications), which has turned out to be easily correlated with real-world identities. Of course, it’s not as if data collected by BehavioSec has been handed over to surveillance agencies, or been compromised by hackers. As Costigan has pointed out to Forbes, even if the data were to be abused, it would still take massive amounts of computational power to correlate a person’s typing speed in a banking app with their physical identity.
A number of other startups, like Israel-based BioCatch and Canada’s NuData, compete with BehavioSec. But BehavioSec’s technology is gaining traction. It’s formed a behavioral biometrics partnership with TeleSign, which provides security services like two-factor authentication to large internet companies like Tinder, Salesforce, and Evernote. TeleSign claims its technology works on 3.5 billion user accounts.
Jess Leroy, a senior vice president of product management at TeleSign, says customers such as payment processors and lending agencies are demanding a behavioral biometrics product. The technology can be deployed into consumer tech in general, he says, as Google is trying to do with its Project Abacus. “There are broad consumer internet opportunities here as well for TeleSign customers, such as ensuring that users on dating platforms are the users they claim to be, that sellers on marketplaces are the right seller, or that drivers in ride-sharing applications are verified drivers,” Leroy says.
With 1.4 billion Android smartphones in use, Google’s Project Abacus could bring keystroke-tracking and swipe-monitoring into the consumer technology mainstream. If that happens, behavioral biometrics won’t just be the preserve of technologically sophisticated Scandinavian banks.
Correction: An earlier version of this article named BehavioSec’s Neil Costigan as Neal Costigan.