For the past seven decades, Americans have enjoyed a television game show called To Tell the Truth. On the show, three contestants appear before four celebrities who try to determine which was the 'actual person' portrayed in a description that was given to the panel. The show, which included hosts such as Alex Trebek and Joe Garagiola, was created back in 1956, but if it had been created today, I think it would be a mobile cyber security app starring Alice and Bob.

The idea of using collected information to make some educated, analytic judgment about the actual identity of a person or thing is perhaps the central notion in computing security. It has evolved from the simple (albeit stubbornly persistent) use of passwords to advanced schemes using contextual, adaptive, and intelligent algorithms for accurately determining whether Alice or Bob is on the other end of a session. Increasingly, this process uses behavioral biometrics.

I had the pleasure last week to discuss this topic with Frances Zelazny, Chief Strategy and Marketing Officer for cyber security firm BioCatch. Frances comes to BioCatch amidst a career ranging from participating on the Federal Reserve Secure Payments Task Force, to running strategic operations at L-1 Identity Solutions. She is also my New York neighbor and a member of the NYU community where I serve. We had an enjoyable chat - and here is what I learned:

"The use of behavioral biometrics provides an advanced and effective means for companies to prevent fraud, and the overall process can be continuous," Frances explained. "What we do at BioCatch involves real-time observation and analysis of specific human-device interactions to determine the actual identity initiating use of online applications or services. The goal is to stop online fraud, while also preserving a frictionless user experience."

I asked Frances how companies were using this technology, and she pointed to the account lifecycle as the most typical context. When new accounts are created, biometrics can be used to detect use of stolen or synthetic identities being employed to enter user data into on-line applications in predictable ways. Similarly, during the familiar account takeover step, the use of continuous bio-authentication enables detection of anomalies indicative of unauthorized use.

"Our technology can recognize behavioral anomalies after some user has established a login session, and we can identify and detect the presence of malware, automated attacks, and other exploit conditions in real-time," Frances said. "The overall cyber-related goal, obviously, is to prevent fraud before it can occur. And even if an account has been hijacked, behavioral biometrics can now be the real-time remedy that gets enabled to prevent damage."

I asked Frances how business customers were deploying BioCatch technology and she quickly jumped to SaaS, which she described as the primary means for delivery of the technology. What happens is that BioCatch customers embed a few lines of JavaScript into their website, and this connects site usage and behaviors via an API to the BioCatch security algorithms. This scheme currently generates live information for roughly six billion transactions per month.

"We use the data from this massive number of transactions, which has been growing exponentially, to learn to differentiate between legitimate behaviors and fraudulent activity," she explained. "This allows us to minimize false positives and rejections, and to ensure a good user experience. For credit card applications, money transfers, micro-purchases of coffee, and on and on, this turns out to be a useful security control."

BioCatch has recently closed a $30M round backed by Maverick Ventures, with participation from American Express Ventures and others. The roughly one hundred-person company was founded in 2011 and maintains a presence in the United States and Israel. CEO Howard Edelstein is a well-known entrepreneur with an illustrious career, so one can only predict continued success for BioCatch. 

If there are challenges ahead, I'd suggest that most of them lie in the increasingly crowded space around biometric application to cyber security. While BioCatch is happy to differentiate their clear position in the sector, one might be concerned that customers could have more trouble identifying the differentiators. So BioCatch, and all participants in the bio-for-cyber sector, are advised to create crystal clear messaging on their specific value proposition.

Now that I think of it, perhaps a good way to help customers understand how behavioral biometrics can be used for identity security would be to hire Alex Trebek (Garagiola died in 2016) to host a new cyber security gearhead version of To Tell the Truth. Maybe the new show could be called API Collection of Identity Confirmation or something like that. I don't see how any television executive could resist a title like that.