TL;DR Biometric theft is permanent, essentially rendering that biometric (e.g. thumbprint) useless for the lifetime of that user. Behavioral biometrics use ephemeral data, meaning theft would only be a temporary disability.
Biometric authentication provides an attractive way of authenticating users into high-risk infrastructure. Think about the Touch ID on your phone, or face and eye-scanning technology As opposed to usernames, passwords and security questions, the patterns of your thumbprint are so complex that they are almost impossible to guess, and they can’t be stolen through fake websites, and you never have to remember them. Your thumbprint is unique to you, remains the same over your lifetime, and can’t be stolen on the web. Or can it?
What happens when a fingerprint is stolen? Can we still count on it to uniquely identify ourselves?
In the past, hardware flaws in some phones were exploited to allow attackers to steal the fingerprint images directly from the scanner on the device. Even scarier, hackers in Germany stole the German Defense Minister’s fingerprints using only hi-res photos taken at a press conference. Other forms of Biometrics are even worse. Due to the prevalence of social media, pictures and videos of us abound on the internet, allowing attackers to easily spoof face and voice biometrics. So what happens when a biometric is stolen? Since a thumbprint is permanent, a thumbprint that is stolen is essentially permanently rendered useless for authentication purposes: you can no longer use your thumbprint to prove you are who you say you are, ever. It’s not like a Credit Card number that can be replaced.
Behavioral biometrics is a new form of biometric that allows you to verify your identity with the way you behave, as opposed to some aspect of your physical body. The behavioral cues range from a swipe gesture you remember or a routine you do, but also can include passive aspects of your behavior such as your gait, typing speed, the order of the buttons you usually use as you interact with an app, the way you travel around, where you spend your time, etc. One of the biggest challenges in behavioral biometrics is what we call “Behavioral Drift,” where the user’s behavior changes over time. For example a ski injury makes you walk differently, you change neighborhoods for a new job, or an app update means you interact differently with your phone. Behavioral drift means that the biometric must continually be updated to account for behavioral changes, potentially limiting accuracy if it is not handled correctly. Recent advances in Deep Learning make it possible to build behavioral biometrics models that can accommodate behavioral drift while maintaining accuracy, but that’s a different topic. However the drift also has the distinct advantage making the biometric ephemeral in nature: if it ever should be stolen, the threat to you, the user, is only temporary.
While behavioral biometrics as a tool is still in it’s infancy, the ephemeral nature of behavior itself presents huge potential for low-risk, high-accuracy user authentication. To be clear, there has never been a known instance of theft of a behavioral biometric.