Home / Blog / Biometrics and dynamic authentication

Biometrics and dynamic authentication

Posted on 06/10/2015, by Antonio López (INCIBE)

Multi-factor authentication and biometrics

Nowadays, our lives are surrounded by electronic systems whose access is normally protected with simple authentication methods: passwords, pins or patterns. These traditional authentication methods are generally vulnerable to social engineering, spyware, brute force and dictionary attacks that have forced more robust methods to be developed.


. From the basic use of passwords, the evolution of authentication mechanisms has brought great improvements, with the incorporation of multi-factor elements to guarantee the identity of a user. Specifically, the use of biometrics is one of the factors, which with the aim of combining user comfort and security, has grown in strength as a complementary element in the authentication mechanism but which, must absolutely be viewed as just one single factor in the process.

Multi-factor authentication methods are based on covering two or more independent routes when identifying a user. The following criteria are generally used in order to select the factors required:

1. Something that is known: password, pin, pattern

2. Something that you have: mobile, security token..

3. Something that you are: biometrics (iris, fingerprint, etc.)

Security token

- Security token -

As a complement to the three main criteria in the selection of an authentication factor, biometrics again contributes to defining another criterion based on dynamic biometric patterns and behaviours, that is, something inherent in the individual but which is analysed continuously during the session. Dynamic verification introduces a new criterion to us:

4. Something that you do or normal behaviour: dynamic biometrics

Some authentication factors within the latter criterion could be, for example, browsing behaviour, mouse movements, keyboard use or touches on touchscreen devices and even physical locations of the individual in certain time periods.

Moreover, by using these dynamic biometrics methods, user authentication doesn’t have to be limited exclusively to the specific moment of the access or login request, but rather the behaviour reflected during the session will continually be compared to the patterns that are expected and stored, in order to detect any discrepancy that would indicate the impersonation of the legitimate user.

Biometrics and continuous authentication

The analysis of dynamic parameters such as keystrokes when using a keyboard or touches when using touchscreen devices, are examples of the use of biometrics in a dynamic and continuous identification process.

These mechanisms follow an analysis scheme in real time that monitors the keystrokes or touches of the user, which are compared with the previously registered patterns. These registries store various parameters that characterise the behaviour patterns expected for each individual, such as typing speed, pauses, the length of time that keys are held down for, pressure, etc.

Touches in touchscreen devices as a means of identification

- Touches in touchscreen devices as a means of identification -

The dynamic analysis of behaviour patterns contributes an interesting function by continuously monitoring the individual’s identification. Thus, after the initial authentication of the individual, it covers the possibility that, in the event of absence or distraction, a session initiated may be taken over by another person with close access. Moreover, this type of authentication is very comfortable for the user, who only has to work as they normally do in order to be identified.

Is dynamic authentication a reliable method?

Numerous studies show that the use of keystroke dynamics must be applied in favourable settings and under specific conditions for its precision to be acceptable. This is the case because there are factors that can interfere with keystroke monitoring, such as different types of keyboards and the chosen form of monitoring.

There are also static keystroke analysis methods, in which the user is requested to type a set text selected at the time of registering their account, a text that will be requested when subsequent sessions are initiated. However, this mode is not favourable in terms of usability, and is normally used to reinforce the password authentication. By contrast, dynamic modes function continuously during the session and are much more comfortable for the user since they are transparent.


the accuracy of a biometric system

The evaluation of the accuracy of a biometric system is determined through three error parameters:

  • Mean False Acceptance Rate (FAR): the percentage of false users authorised by the system.
  • Mean False Reject Rate (FRR): the percentage of legitimate users rejected
  • • Equal Error Rate (EER): the mean in which the FAR is equal to the FRRli>

Evaluation of a continuous authentication mechanism in mobiles- Source: An Experimental Study on Smartphones. University of Hong Kong

- Evaluation of a continuous authentication mechanism in mobiles- Source: An Experimental Study on Smartphones. University of Hong Kong -

The conclusions obtained in studies evaluating the performance of dynamic biometric systems (keystrokes, touches, etc.), show that the mean errors are slightly above other static criteria such as fingerprints. However, a continuous method that monitors the identity of an individual during the whole session covers the circumstance of protecting against access to neglected sessions.

Future of biometrics

Biometrics and, specifically, behaviour-based dynamic methods are a very interesting future option, particularly in the case of touchscreen devices, in which the analysis of movements such as manual writing, keystrokes and the actions of pinching and sliding are very specific parameters that contribute to providing greater precision and reliability to the identification of an individual.

The wealth of input factors is even greater in terms of mobile devices, which also have cameras, environmental light sensors, GPS, and gyroscopes that contribute a large amount of data to analyse.

Lastly, we should say that, as was mentioned in the article The issue of biometrics as an authentication method, biometrics must not be considered to be a single authentication mechanism, but rather, it must be used as a complement along with other factors, in order to increase the security of a system.

Although a lot of progress is yet to be made in the precision of biometric systems, it is evident that their use, particularly in terms of dynamic methods, represents a major route for research with a very bright future with regard to authentication and identification mechanisms.