Google Plans to Kill Passwords With This Tech, but Scandinavia Is Way Ahead of It

Evan Lorne/Shutterstock.com

Norwegian and Swedish banking customers use it for everyday transactions from logging in to bank accounts to filing taxes.

Tech companies have been trying to kill the password for years. Last week, Google announced its latest scheme to get rid of those pesky alphanumeric strings with something called Project Abacus, which will let Android smartphones identify a user by the way they type, their location, facial recognition and other biometric markers.

The project is being worked on by Google’s Advanced Technology and Projects unit, and the company hopes to introduce the scheme by the end of the year. As it happens, millions of average Scandinavians have been using this technology for over a year to log in to their online bank accounts.

The tech is called behavioral biometrics, and in Sweden, Denmark and Norway, it’s integrated into a system called BankID, which major banks use to identify their customers. In Sweden, the system has 6.5 million active users. In Norway, it’s used by over 75 percent of the adult population. Banking customers use it for everyday transactions from logging in to bank accounts to filing taxes.

BankID tracks the speed at which users type and the angle at which they swipe their touchscreens, among other measures, to build up a profile of the user over time. If the user’s behavior is consistent, she won’t need to constantly punch in a password.

But if the user’s behavior changes by a certain threshold, the system prompts the user for a password.
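The profile-and-threshold logic described above, as an added example (not BehavioSec's or BankID's code): a per-user running mean and variance of two assumed features, with a password challenge when a session deviates beyond an assumed z-score threshold. The feature names, the threshold of 3.0 and the sample sessions are constructed for illustration.

```python
import math

FEATURES = ("key_interval_ms", "swipe_angle_deg")  # assumed feature names

class BehaviorProfile:
    """Running mean/variance per feature (Welford), built up over sessions."""
    def __init__(self, min_samples=5):
        self.n = 0
        self.min_samples = min_samples
        self.mean = dict.fromkeys(FEATURES, 0.0)
        self.m2 = dict.fromkeys(FEATURES, 0.0)

    def update(self, sample):
        self.n += 1
        for f in FEATURES:
            delta = sample[f] - self.mean[f]
            self.mean[f] += delta / self.n
            self.m2[f] += delta * (sample[f] - self.mean[f])

    def deviation(self, sample):
        """Largest |z-score| over all features; infinite until the profile matures."""
        if self.n < self.min_samples:
            return math.inf
        worst = 0.0
        for f in FEATURES:
            std = max(math.sqrt(self.m2[f] / (self.n - 1)), 1e-6)
            worst = max(worst, abs(sample[f] - self.mean[f]) / std)
        return worst

def decide(profile, sample, threshold=3.0):
    """'allow' a consistent session; otherwise 'challenge' (ask for the password)."""
    if profile.deviation(sample) > threshold:
        return "challenge"  # outliers are never learned, so they cannot shift the profile
    profile.update(sample)
    return "allow"

def session(interval, angle):
    return {"key_interval_ms": interval, "swipe_angle_deg": angle}

# Constructed sample data: six password-authenticated sessions used for enrollment.
ENROLLMENT = [(182, 12.0), (175, 14.5), (190, 11.0), (178, 13.0), (185, 12.5), (180, 13.5)]

def demo():
    profile = BehaviorProfile()
    for interval, angle in ENROLLMENT:
        profile.update(session(interval, angle))
    usual = decide(profile, session(184, 12.2))      # close to the learned habits
    stranger = decide(profile, session(120, 35.0))   # much faster typing, steeper swipe
    newcomer = decide(BehaviorProfile(), session(184, 12.2))  # no history yet
    return usual, stranger, newcomer
```

A profile with too little history fails closed: the user is challenged until enough password-authenticated sessions have been recorded.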

“Most people don’t mind a challenge if it’s legitimate,” says Neal Costigan, whose firm BehavioSec, based in Sweden, supplies the behavioral biometrics layer of BankID. “But you don’t want it all the time.”

As applications and passwords have proliferated, so too have security breaches. Weak passwords are behind some of the biggest breaches, but people consistently use them out of convenience. Behavioral biometrics isn’t entirely novel. It’s similar to the way credit card companies send a text message or phone a card-holder who makes a transaction in a new country, for example. Both systems rely on passive monitoring of user behavior.

BehavioSec grew out of a project at the Luleå University of Technology, located in the city of Luleå, in Sweden’s north. It has raised over $8 million in funding from European VCs like Octopus Ventures and Partners Invest Norr, which is partly funded by the EU. It has also received grants from DARPA, the U.S. military agency that researches emerging technologies.

BehavioSec says its technology has been used by over 50 million users to conduct 1.2 billion transactions so far. BehavioSec won’t say precisely when it integrated its tracking technology with BankID, citing nondisclosure agreements, but it ran a trial with Danske Bank, Denmark’s biggest bank, in 2013, with a plan to deploy it more widely by the end of 2014.

In the Danske Bank trial, BehavioSec said it could detect an impostor using stolen credentials to access a bank account from a single log-in attempt more than 97 percent of the time. Over the duration of a user’s session within the online banking system, it claimed to have detected an impostor in over 99 percent of cases. That trial involved 18,000 users and over 500,000 transactions.

Privacy implications

An application that tracks your interactions with your phone may also violate your privacy rights. BehavioSec’s Costigan says that when the tech is integrated with a bank’s app, it operates within the bank’s systems, meaning it’s as secure–and private–as any other financial data stored by the bank. European data protection laws prevent companies like his from being cavalier with user data.

Because BehavioSec tracks the way a user interacts with a phone, not the results of that interaction, it’s not as invasive as it might sound, Costigan says.

“We’re talking about swiping across the screen; the way you type,” he says. “It’s not about the things you’re typing.”

That logic is similar to arguments made by governments defending the mass collection of anonymized communications metadata, as opposed to the contents of any electronic communications. Such metadata has nonetheless turned out to be easily correlated with real-world identities.

Of course, it’s not as if data collected by BehavioSec has been handed over to surveillance agencies, or been compromised by hackers. As Costigan has pointed out to Forbes, even if the data were to be abused, it would still take massive amounts of computational power to correlate a person’s typing speed in a banking app with their physical identity.

A number of other startups, like Israel-based BioCatch and Canada’s NuData, compete with BehavioSec. But BehavioSec’s technology is gaining traction. It’s formed a behavioral biometrics partnership with TeleSign, which provides security services like two-factor authentication to large internet companies like Tinder, Salesforce and Evernote. TeleSign claims its technology works on 3.5 billion user accounts.

Jess Leroy, a senior vice president of product management at TeleSign, says customers such as payment processors and lending agencies are demanding a behavioral biometrics product. The technology can be deployed into consumer tech in general, he says, as Google is trying to do with its Project Abacus.

“There are broad consumer internet opportunities here as well for TeleSign customers, such as ensuring that users on dating platforms are the users they claim to be, that sellers on marketplaces are the right seller, or that drivers in ride-sharing applications are verified drivers,” Leroy says.

With 1.4 billion Android smartphones in use, Google’s Project Abacus could bring keystroke-tracking and swipe-monitoring into the consumer technology mainstream. If that happens, behavioral biometrics won’t just be the preserve of technologically sophisticated Scandinavian banks.
