Behavioural Biometrics

Inherence Factor

Analyses unique behavioural patterns and device fingerprints.

Low Friction

Invisible to cardholder-no additional input required.

Second Factor

Must be combined with another method for SCA compliance.

⚠️
Behavioural Biometrics only works for browser-based transactions. It does not support app-based transactions because JavaScript is disabled in those cases.

How It Works

Behavioral Analysis

Apata analyzes how the cardholder interacts with their device:

Typing patterns and speed
Mouse movements and clicks
Scrolling behaviour
Touch gestures (mobile)

These patterns are unique to each individual and difficult for fraudsters to replicate.

Device Fingerprinting

Apata generates a unique fingerprint using device characteristics:

Canvas rendering (shapes, colors, text)
Browser configuration
Hardware characteristics
OS and version

Each device produces consistent, unique results that are nearly impossible to fake.

How canvas fingerprinting works:

JavaScript asks the device to draw shapes (circle, star, text)
The exact colors, line thickness, and spacing are unique to the device/OS/browser combination
The same device produces identical results each time
Images are rendered invisibly with no user impact

Multi-Device Support

Apata maintains separate behavioral profiles for each device:

Mobile behaviour compared only to past mobile transactions
Desktop behaviour compared only to past desktop transactions

This ensures accurate profiling across different devices.

Configuration

Basic Settings

Field	Description
Name	User-friendly identifier
Alias	Unique identifier (alphanumeric, dashes, underscores). Cannot be changed after creation.
Description	Optional details about the method

Authentication Method

Field	Description
Default Value	`(10) Other` - reported to payment schemes
Matchers	Override auth method value based on Protocol Version

📘
Behavioural Biometrics has minimal configuration options because it operates automatically in the background during other challenge methods.

Usage Requirements

⚠️
Important: Behavioural Biometrics must be combined with another challenge method to meet SCA requirements.

Recommended combinations:

Primary Method	Why It Works
SMS OTP + Behavioural Biometrics	Best UX-SMS provides possession, biometrics provides inherence
Email OTP + Behavioural Biometrics	Alternative possession factor
Static Password + Behavioural Biometrics	Password provides knowledge, biometrics provides inherence

Failure Handling

What happens if Behavioural Biometrics fails?

Failure does not block the transaction. Instead:

The ACS falls back to another authentication method (e.g., KBA)
This allows the system to learn and adapt to new or changing behaviours
Two factors are still assessed

Common failure reasons:

JavaScript disabled in browser
Insufficient behavioral data collected
New device not yet profiled
Browser extensions interfering

Performance

Expected Performance

Metric	Expected
Device Fingerprinting Accuracy	90%+
False Positive Rate	< 1% (industry benchmark)

📘
Performance improves over time as the system gathers more behavioral data. Accurate fraud metrics depend on Fraud Reporting from issuers.

Fallback Configuration

To configure fallback from Behavioural Biometrics:

In your Challenge Profile, add Behavioural Biometrics as a second factor
Click Add challenge method with fallback
Configure KBA or another method as the fallback

Example flow:

SMS OTP (1st factor)
    ↓ success
Behavioural Biometrics (2nd factor)
    ↓ failure
KBA (fallback 2nd factor)

Limitations

Limitation	Description
Browser only	Does not work for app-based transactions
JavaScript required	Must be enabled in cardholder's browser
Learning period	Accuracy improves as behavioral data is collected
Must combine	Cannot be used as a standalone method

Behavioural Biometrics