Forget your first pet's name, now you can prove your identity with the unique way you use your mouse

Summary: A startup is using the quirks of how users interact with their devices to do away with all those annoying security questions that appear when you log in from somewhere new.

It might have happened to you while you were travelling abroad, or connecting from a new location with a different IP address. Suddenly, your webmail service provider — be it Microsoft, Google, or Facebook — asks you to verify your identity, by answering some security questions or identifying a few pictures of your friends.

Even though it's your account, you have to prove you are who you say you are, because according to your webmail service, you're doing something out of the ordinary.

In security lingo it's called a false positive, or friction: a legitimate connection to the service is flagged as an attempted hack, fraud, or identity theft. It happens a lot, frustrating end users and IT system managers alike.

Israeli startup BioCatch is seeking to eliminate false positives through what it calls 'cognitive biometrics'.

When I sat down with Uri Rivner, BioCatch's business development manager, he handed me a tablet and asked me to perform what seemed a rather simple task: to drag an object on the screen from point A to point B, several dozen times.

But that simple task of clicking and dragging, the kind of thing that computer users do dozens of times every single day, can teach BioCatch a lot about users.

It turns out that the way we click and move objects, the entire way that we use the human-machine interface embedded within each and every modern computer, browser or website, is like a unique fingerprint.

Lefties will operate a mouse differently to right-handed people, for example, and each user 'grabs' an icon at a different point, angle, and so on.

By analysing user sessions and building a personal profile (10 sessions per user are enough), BioCatch can spot anomalies and quickly decide whether the person at the computer is the legitimate user or a hacker or fraudster, cutting friction and false positives by 80 or 90 percent, according to Rivner.

BioCatch's user profile consists of hundreds of variables arranged in four layers. The first is device and network, comprising IP address, the type of hardware, the user's location and the other traditional variables companies usually check.

BioCatch's real interest is in the next layers. On the physical profile layer, the company measures things such as motion (the way we move around objects on the screen — do we do it in straight lines or more arching paths?), hand-eye coordination, and similar variables arising from the way we operate the pointing device, be it finger (on touchscreens) or mouse.

The next layer is the cognitive profile layer. On that layer, speed (how fast we do things), average session length, typical connection times and the "application flow" are measured, among other variables. For example, when a certain user usually logs into his bank account, he usually checks his balance and then his stock portfolio. If that user logs on and goes straight to money transfer, that would raise a flag with BioCatch.

The last layer used to authenticate a user's identity is called invisible challenges, and it's kind of cool: BioCatch plants deliberate obstacles within the session, such as the momentary disappearance of the mouse cursor, or a certain drag on the cursor's movement and angle. It turns out that the way each of us reacts to those obstacles is unique, and can be used to verify our identity without asking us questions such as our mother's maiden name or the name of our first pet.

All of these parameters are given a score, and that score is displayed on gauges with green, yellow and red zones. If too many gauges go red, a human security manager is alerted.
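The scheme described in the preceding paragraphs (a per-user profile built from about ten enrolment sessions, each later session scored feature by feature, every feature driving a green/yellow/red gauge, an "application flow" check on what the user does first after login, and an alert only when too many gauges go red) can be sketched in a few dozen lines. The following is an added example written for this page; it is not BioCatch's code, and the feature names, the z-score and probability thresholds, the action set and every session value are constructed for illustration.

```python
"""Toy behavioural-profile scorer (added example; not BioCatch's code).

A per-user profile is built from enrolment sessions; later sessions are scored
feature by feature, each feature drives a green/yellow/red gauge, and an alert
is raised only when the number of red gauges reaches a threshold.
All feature names, thresholds and session values are constructed.
"""
from collections import Counter
from statistics import mean, pstdev

# Numeric features per session (assumed names):
#   curvature  - drag path length divided by straight-line distance (1.0 = straight)
#   drag_speed - pixels per second while dragging
#   session_s  - session length in seconds
#   tab_ratio  - fraction of field-to-field moves made with the Tab key
FEATURES = ("curvature", "drag_speed", "session_s", "tab_ratio")
# Possible first actions after login (assumed set) for the application-flow check
ACTIONS = ("balance", "portfolio", "transfer", "settings")


def session(curvature, drag_speed, session_s, tab_ratio, first_action):
    """Build one session record (constructed data, not captured telemetry)."""
    return {"curvature": curvature, "drag_speed": drag_speed,
            "session_s": session_s, "tab_ratio": tab_ratio,
            "first_action": first_action}


# Ten constructed enrolment sessions for one user: a right-hander who drags
# in gentle arcs, moves between fields with Tab and usually checks the balance first.
ENROLMENT = [
    session(1.10, 820, 240, 0.90, "balance"),
    session(1.15, 790, 300, 1.00, "balance"),
    session(1.08, 850, 270, 0.85, "portfolio"),
    session(1.12, 810, 255, 0.95, "balance"),
    session(1.20, 830, 310, 0.90, "balance"),
    session(1.11, 800, 280, 1.00, "balance"),
    session(1.14, 845, 265, 0.90, "portfolio"),
    session(1.09, 815, 295, 0.95, "balance"),
    session(1.13, 825, 250, 0.85, "balance"),
    session(1.16, 805, 285, 0.90, "balance"),
]


def build_profile(sessions):
    """Mean and spread per feature, plus counts of the first action after login."""
    stats = {}
    for key in FEATURES:
        values = [s[key] for s in sessions]
        spread = pstdev(values)
        stats[key] = (mean(values), spread if spread > 0 else 1e-6)  # guard constant features
    return {"features": stats,
            "flows": Counter(s["first_action"] for s in sessions),
            "n": len(sessions)}


def gauge_for_z(z):
    """Map a z-score to a gauge colour (thresholds are assumptions)."""
    if abs(z) < 1.5:
        return "green"
    return "yellow" if abs(z) < 3.0 else "red"


def gauge_for_flow(profile, first_action):
    """Laplace-smoothed probability that this user starts with the given action."""
    p = (profile["flows"][first_action] + 1) / (profile["n"] + len(ACTIONS))
    if p >= 0.2:
        return "green"
    return "yellow" if p >= 0.1 else "red"


def score_session(profile, sess, red_threshold=2):
    """Score one session; alert when at least red_threshold gauges are red."""
    gauges = {}
    for key, (mu, sd) in profile["features"].items():
        gauges[key] = gauge_for_z((sess[key] - mu) / sd)
    gauges["application_flow"] = gauge_for_flow(profile, sess["first_action"])
    reds = sum(1 for colour in gauges.values() if colour == "red")
    return {"gauges": gauges, "red_count": reds, "alert": reds >= red_threshold}


if __name__ == "__main__":
    profile = build_profile(ENROLMENT)
    # Same user on a normal day, then a session that goes straight to money transfer
    # with straight-line drags, mouse-only field moves and a 45-second session.
    for label, s in (("legit", session(1.12, 812, 268, 0.90, "portfolio")),
                     ("suspicious", session(1.60, 1400, 45, 0.0, "transfer"))):
        print(label, score_session(profile, s))
```

A single red gauge (for example, an unusual first action after login on an otherwise normal session) flags the feature but does not by itself alert anyone; the alert needs several gauges red at once, which is what keeps the example from reproducing the friction the article is about. In a real deployment the thresholds would be tuned per feature from the false-positive rate observed on genuine users rather than fixed constants as here.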

BioCatch even measures the way we interact with username and password login boxes, which produces a lot of fun, useful data. For example: 57 percent of us use the Tab key to move between fields, 46 percent use the mouse, and only one percent of us press Enter to move from one field to another.

Since these are the kinds of statistics that UX and hardware interface designers would kill for, is the company looking to monetise the data it gathers along the way?

"Good point," Rivner says. "Banks asked us about it. We can already generate a heat map of what the user is doing on tablets or mobile phones. With one of the banks we showed them that users spend too much time scrolling up and down, which means the information isn't readily available. We plan to develop some UX tracking capabilities in 2015.

"We plan on developing a functionality that will track it and let the UX team watch either the entire user population or specific sessions they want to analyse. This will be an add-on functionality. So we don't sell the data itself, we develop an optional module."

Currently integrating into web and Java environments, BioCatch is focusing on cloud services, with clients in industries including banking and online retail.

"We are not here to replace the user password login," Rivner says. "We are here to replace everything that comes after: the security questions, the authentication by text messages and so on… The competition is not about who is the safest. It's about comfort."

Niv Lilien

About Niv Lilien

Niv Lilien is a senior technology writer, and the former technology section editor for ynetnews. Currently, Niv writes regularly for several of Israel's most prominent media outlets.

  • Too sensitive?

    Not sure if this system will be too sensitive. Injuring a finger or using a different finger begets different actions. Holding the device begets different actions.
    Way too many variables where you'll be unable to use YOUR device.
    Does this need an override function?
    Then again, if it gets too frustrating to use, people will not use it.
    I kinda like the "Pick a Picture" idea but go one step further. A large photo has millions of pixels. ZOOM IN on that picture to your chosen area and click on your security square. That square can be adjustable, if say 9 pixels is too sensitive. (e.g. zoom in on a seascape pic and click on the seagull's nostril or left foot, 3rd toenail)
    Another level could be to choose from a dozen pictures. That way you're multiplying the pixel count exponentially.
  • It's called a false negative...

    That is, the system rejects a legitimate user.

    A false positive would be when the system admits someone it's not supposed to.
    • False positive vs false negative

      Usually I see the term false positive being considered from the security point of view, meaning, positive for virus infection, positive for hacking attempt, and so on. False positive will be when a virus infection or a hack attack was not in fact that. False negative will be when the system allows someone to access when in fact it was a hacker.
  • Thinking About How I Do Things

    I think I'm pretty haphazard. I don't do things the same 2x in a row. Sometimes I use Tab. Sometimes I use the mouse. It depends how I feel at the moment. Sometimes I use copy and paste in the menu. Sometimes I right-click and use that. Very rarely will I drag-and-drop. It all depends on the moment. This would not work for me. I broke my thumb a few years ago and sometimes the plate in there is painful. So I don't do things the same when it is. I still remember the name of my first Guinea Pig. Or was it my hamster?
  • Back to (old) school?

    Way back in the days of dumb printing terminals, some mainframe security people discussed the idea of using one's KEYBOARD rhythm profile for identification. This would have obviously been impossible for networks like the ones running IBM's 274x printer (or later 327x CRT), since they sent entire messages to the host computer in a burst when polled after the user pressed the ENTER or SEND button. But for networks operating, for example, dialup ports for Teletype KSR/ASR-33, if the operating system was involved in echoing every character (commonly, the keyboard was not connected to the printer and they relied on the echo to print user input), if the echo logic was actually in the application, it would have been feasible, subject to the slower CPU speeds of the day even for larger computer systems and the number of ports that could log in simultaneously.

    The point about not always doing exactly the same movements is a valid one, and to some extent the model of the pointing device also matters. I know I tend to use the built-in touchpad on my laptop, when I do, a bit differently from the way I use my mouse, and on a public computer there might be even more differences. I suspect they use the unique COMMON parts of the pattern, like handwriting analysis. One's handwriting has common personal elements, even when using different pens (or that frustrating stylus on POS terminal screens that turns everyone's signature into chicken scratches), and I suppose mouse movement patterns, combined with keyboard rhythms, could also have common personal signature patterns.

    It's a lot nicer than looking into a laser that MIGHT be programmed to blind you if you aren't the right person, or KISSING a touch panel!