Behavioral biometrics: Websites and apps are learning from how you type, hold your phone, and use your mouse

Posted on Aug 19, 2018 by Danica Sergison
Share Tweet Plus

How often do you hold your phone in your left hand?  How big are your hands?  Do your hands shake when you type or move a mouse?  If your pointer disappears from your screen, what do you do?  You might not know the answers to these questions – but chances are, your bank does.  These details are known as “behavioral biometrics”, and are increasingly being used to identify and authenticate users when they interact with banks, retailers, and other organizations through their websites and applications.

What behavioral biometrics are & how they work

Behavioral biometrics involves the creation of unique user profiles, gathering and analyzing data such as how you swipe or use a mouse, how hard you press the screen or keys, and the rhythm of your key presses.  This data is often used as a security and authentication measure, attempting to identify fraudulent account activity through variances in the user’s behavior.

For example, if a user applying for a credit card has significant delays before entering personal data into the online application such as name, date of birth, and SSN, this may be an indicator that the user is taking time to look up this data, rather than recalling it personally.  If the user also is able to navigate the bank’s page and the online application with a greater speed and familiarity than the average user, it may also indicate that they have completed this action frequently in the past, and may indicate fraudulent activity.

User concerns & risks

While behavioral biometrics are nothing new, the availability of affordable computing power and the vast array of sensors available on modern smartphones have led to a wide increase in its usage, according to an excellent article by Stacy Cowley published by the New York Times this week.  In addition to providing an overview of the technology and how it’s being used, the author highlights three main areas of concern for the privacy-conscious user:

  1. Behavioral biometrics can reveal sensitive personal and health information.  Whether it’s a sudden decrease in hand-eye coordination or the appearance of a hand tremor, behavioral biometrics can provide insights into our personal health and ability.  Especially where data might be collected by insurance providers and other organizations with a commercial interest in our well-being, this can have broad and substantial ethical implications.
  2. Few companies are admitting to the use of behavioral biometrics – much less, actively seeking consent from its users to gather and analyze this information.  In a follow-up article, Stacy Cowley discussed her difficulty researching the use of behavioral biometrics.  While vendors were willing to discuss their technology, how it worked, and talk about use cases, few banks or retailers were willing to admit that behavioral biometrics were part of their security strategy.  If they are unwilling to disclose the use of these tools, they certainly aren’t seeking consent from their customers for the use and analysis of this data.

  3. There are few laws that govern or even address the collection and use of behavioral biometric data.  While some laws cover physical biometric data, such as fingerprints, facial recognition data, and iris scans, most laws were drafted at a time before artificial intelligence and technology had advanced to the point that behavioral data could provide personal and sensitive insights that would be unique and identifying.  Where laws do address or would cover behavioral data, these laws often have an exception from disclosure and consent requirements where this data is used in security and fraud prevention.


Although behavioral biometrics offers promising implications for online security and fraud prevention, it is evident that this is an area that would benefit from increased awareness and research.  With the collection of data that can be so specific and sensitive, the private and the public sectors should also move towards adopting laws, guidelines, and practices that protect the interests of the public.  Especially as behavioral biometric technology becomes more widespread, it’s important to ensure that our data is used in a transparent and ethical manner by the companies that we trust with our banking and our business.

About Danica Sergison

Danica is a Canadian lawyer, online community manager, and tech enthusiast. She writes about the law, privacy and the intersections between tech and social issues. Twitter: @DanicaSergison

VPN Service