Forget your first pet's name, now you can prove your identity with the unique way you use your mouse

A startup is using the quirks of how users interact with their devices to do away with all those annoying security questions that appear when you log in from somewhere new.
Written by Niv Lilien, Contributor

It might have happened to you while you were travelling abroad, or connecting from a new location with a different IP address. Suddenly, your webmail service provider — be it Microsoft, Google, or Facebook — asks you to verify your identity, by answering some security questions or identifying a few pictures of your friends.

Even though It's your account, you have to prove you are who you say you are, because according to your webmail service, you're doing something out of the ordinary.

In security people lingo it's called false positive, or friction — when a legitimate connection to the service is identified as an attempted hack, fraud, or ID theft. It happens a lot, frustrating both end users and IT system managers alike.

Israeli startup BioCatch is seeking to eliminate false positives through what it calls 'cognitive biometrics'.

When I sat down with Uri Rivner, BioCatch's business development manager, he handed me a tablet and asked me to perform what seemed a rather simple task: to drag an object on the screen from point A to point B, several dozens of times.

But that simple task of clicking and dragging, the kind of thing that computer users do dozens of times every single day, can teach BioCatch a lot about users.

It turns out that the way we click and move objects, the entire way that we use the human-machine interface embedded within each and every modern computer, browser or website, is like a unique fingerprint.

Lefties will operate a mouse differently to right-handed people, for example, and each user 'grabs' an icon at a different point, angle, and so on.

By analysing user sessions, and creating a personal profile (10 sessions for each user are enough), BioCatch can unearth anomalies and quickly decide if it's the user it should be on the computer, or a hacker or fraudster, eliminating friction and false positive cases by 80 or 90 percent, according to Rivner.

BioCatch's user profile consists of hundreds of variables, on four layers. The first one is device and network, comprising IP address, the type of hardware, user's location and other traditional variables companies usually check.

BioCatch's real interest is in the next layers. On the physical profile layer, the company measures things such as motion (the way we move around objects on the screen — do we do it in straight lines or more arching paths?), hand-eye coordination, and similar variables arising from the way we operate the pointing device, be it finger (on touchscreens) or mouse.

The next layer is the cognitive profile layer. On that layer, speed (how fast we do things), average session length, typical connection times and the "application flow" are measured, among other variables. For example, when a certain user usually logs into his bank account, he usually checks his balance and then his stock portfolio. If that user logs on and goes straight to money transfer, that would raise a flag with BioCatch.

The last layer being used to authenticate a user's identity is called invisible challenges, and it's kind of cool — BioCatch plants deliberate obstacles within the session like the momentary disappearance of the mouse cursor, or certain traction to the cursor movement and angle. It turns out that the way each of us react to those obstacles is unique, and can be used to verify our identity, without asking us questions such as our mother's maiden name or the name of our first pet.

All of these parameters are given a score and that score is displayed on gauges with green-yellow and red zones. Too many gauges going red, and a human security manager will be alerted.

BioCatch is even measuring the way we interact with the user-password login boxes, which produces a lot of fun, useful data — for example: 57 percent of us use the Tab key to move between fields, 46 percent use the mouse, and only one percent of us press Enter to move from one field to another.

Since these are the kinds of statistics that UX and hardware interface designers would kill for, is the company looking to monetise data is gathers along the way?

"Good point," Rivner says. "Banks asked us about it. We can already generate a heat map of what the user is doing on tablets or mobile phones. With one of the banks we showed them that users spend too much time scrolling up and down, which means the information isn't readily available. We plan to develop some UX tracking capabilities in 2015.

"We plan on developing a functionality that will track it and let the UX team watch either the entire user population or specific sessions they want to analyse. This will be an add-on functionality. So we don't sell the data itself, we develop an optional module."

Currently integrating into web and Java environments, BioCatch is focusing on cloud services, with clients in industries including banking and online retail.

"We are not here to replace the user password login", Rivner says. "We are here to replace everything that comes after – the security questions, the authentication by text messages and so on… The competition is not about who is the safest. It's about comfort."

Read more on security

Editorial standards