FindBiometrics President Peter O’Neill recently spoke to Deepak Dutt, President and CEO of Zighra. The conversation begins with the Canadian behavioral biometrics company’s origin story and an overview of its innovative identity technology. After differentiating Zighra’s technology from other behavioral biometrics solutions, Dutt speaks about the major factors generating interest in the behavioral authentication space before identifying three key vertical markets his company is targeting. The interview concludes with a discussion of behavioral biometrics and privacy regulations like GDPR, and a preview of Zighra’s next steps.
Read our full interview with Deepak Dutt, President & CEO, Zighra:
Peter O’Neill, President, FindBiometrics: Can you please tell us about the genesis of Zighra? When did you start and how did this all come about?
Deepak Dutt, President & CEO, Zighra: The idea of Zighra started back in 2009 when we saw that authentication methods and security mechanisms had become a hassle and were full of ‘friction’ from both the user and enterprise perspective. The industry was crying out for a better solution. We had this vision of making security and authentication invisible and seamlessly applicable to everybody all the time by leveraging something we all have and natively use all the time, that being our behaviors. This would enable all users to be seamlessly protected without explicit mechanisms. With this vision we approached some of the leading professors at the University of Waterloo and Carleton here in Canada. We then brought together technologies from AI, behavioral biometrics and sensor analytics to pursue answering the question “who is the real user?” behind a device and a transaction. That was the genesis of our journey.
After several years of research, testing and perfecting in market POCs, we put together 14 patent applications and brought the solution to market. During our research, we ran a large-scale experiment to prove that our goal was achievable across geographies in real world environments. In 2014 we created an application to replace the typical lock screen using better technology. It was downloaded across 25,000 users, in 70 different countries, on 700 different device types – and what I mean by device types are Samsung S5 as a device type, Samsung S6 as another device. You name it, we tested it. This allowed us to validate our models across many different device types and sensor manufacturers and their varying sensor capabilities all while measuring the quality of data. In the end, we collected over 6 billion data points with users interacting with our technology around 100 times a day. The basic context being that if they interacted, taking their phone and doing a swipe on the screen, and based on that interaction pattern and the context they were in, we would let them bypass their lock screen. From these early results we confirmed, without a doubt, that each and every one of us has a unique behavioral pattern in the way we execute. The way we interact with our apps, phones and tablets is as unique as our DNA or let’s say the muscle memory associated with our golf swings, tennis swings and such. It is this uniqueness that formed the core of Zighra’s technology.
We then took a look at the contextual perspectives, the way you interact with these devices, the way you walk, the way you sit, the way you hold your phone, the angle you hold it, the pressure you apply on the touch screen and so on. Within the context of being inside a lock screen, our thought process was driven towards a completely decentralized model with assumed offline support. This in turn drove the need for very efficient AI algorithms and a defining point for our overall design; ensuring it was highly efficient, very light on battery usage with an ultra-fast learning engine for it to be practical for the mobile world.
FB: Was the decentralized move more to do with privacy or security? What was the pressing view there?
Zighra: I think it was a bit of both, but also to serve the practical need for things to run offline in circumstances where users may not have reliable Internet connectivity. We wanted the solution to be applicable to everybody, support online or offline conditions, and also support varying perspectives on privacy. We wanted to offer choice: to collect and store tons of data on the server for analytic purposes and at the same time offer the option to run a lightweight ‘on-device’ model. As a result, we ended up with three deployment models: two centralized models, either on a cloud or on-premise appliance, and the third decentralized on-device version. Today the industry is still learning and evolving on this front. We think our ability to offer both centralized and decentralized authentication and data stores is important for our customers going forward for both privacy and security.
FB: Behavioral biometrics is a very hot space right now. We’re writing an awful lot about it. How does your AI engine differ from others, and can you tell us why that’s important and talk a little bit about growth in behavioral?
Zighra: Absolutely. In the early days of behavioral biometrics there was a lot being done in the area of keyboard typing patterns and mouse movement from a web perspective. The biggest luxury in this context was the lack of pressure on the time-frame to learn. They could have thousands of interactions, run heavy algorithms and learn over time from that environment. When you come from a mobile mindset, from day one we had to be cognizant that you can’t be constantly hitting the sensors as it will kill battery life. Mobile and IoT is a more constrained environment. You also have to work very quickly given the interactions on these devices are minimal. You don’t have the luxury to learn from thousands and thousands of interactions. Based on this, we decided upon a completely different approach from deep neural networks. We also knew that predictive AI was not going to be sufficient for modeling human behavior because it could be easily replicated. We asked ourselves, how do we learn very fast on a smaller form factor, model unpredictable human behavior and create a system that could continue to learn over time?
This specialized AI allowed us to eventually learn a human profile with only fifteen interactions and keep the model very efficient and lightweight. We specialized in a form of behavioral biometrics called Task Based Behavioral Biometrics, focusing on how the user completes a specific task, be it making a payment or completing a transfer of funds, and modeling the muscle memory of that specific task. We avoided the ‘always on’ model running in the background because of heavy battery consumption and higher false positive ‘noise’ levels. We also designed a modular architecture such that if a new or better signal is invented tomorrow, we can add that to our model.
We believe other players in the industry rely on predictive analytics based on discrete feeds of past data patterns. The problem with this approach is that fraudsters can easily leverage this same technology as we are seeing in today’s sophisticated bots mimicking human behavior.
There are also players in the secondary behavioral biometric market who place behavioral on top of existing PINs, passwords and patterns. We observed this model causing more user frustration because of higher levels of false rejects.
Users have to complete a task anyway, say a swipe, to execute a transaction. So why not take our technology and execute it on top of that task to authenticate them while they are completing a task? If they are the genuine user, why put them through additional steps of friction? That is how we arrived at the implicit task based behavioral biometric capability as a different model.
At the center of our solution is an ultra-fast and patented AI engine that combines several layers of intelligence from device to network to location to biometrics to social and behavioral to create a highly personalized model of the user. This technology can be extended exponentially, to provide an N-dimensional approach to authentication in verticals such as IoT and autonomous vehicles. The proprietary learning algorithms that Zighra uses enable the platform to be more accurate and much faster than the traditional linear machine learning algorithms used currently.
FB: And which vertical markets are you focusing on at Zighra?
Zighra: We have three main markets. We started in the Finance and FinServ space: mobile banking, mobile wallets, claims, payments and such. Our second patent, dating back to 2013, for running behavioral biometrics and authentication algorithms entirely on device, has driven the OEM space. Smartphone manufacturers have been very interested in our technology. The third market is the app developer segment. In October 2017, we released our SDK for download by mobile and web app developers to integrate inside their applications to start generating behavioral scores. This is generating new ideas and use cases.
FB: Very good, and how would you help companies for example, with the new GDPR compliance rules that are being put into place in the European Union?
Zighra: That’s a very interesting regulation and I believe behavioral biometrics has a very strong play. Privacy is of utmost importance. We provide the option to either centrally store encrypted behavioral data and algorithms in a cloud, in an on-premise appliance, or a fully decentralized, light data ‘on-device’ model for compliance alternatives. The on-device model offers an alternative for users who may not want their ID data being stored centrally and not always knowing who has access to it or how it is being used as in recent cases hitting the news. We also support the right to be forgotten once the app and SDK are deleted.
FB: Well there certainly is a lot going on with your company and a lot going on in our industry. What are your growth plans? What’s next for your company?
Zighra: Many predict that 2018 is the year for “Identity as the new perimeter” with focus on securing access and authorization rather than on the device and the network. Hackers and fraudsters are gearing up to be able to use the latest tools and techniques available in the domain of computer vision, natural language understanding, big data processing and reinforcement learning to make their attacks more effective, faster and adaptable to resistance. These tools are the product of advancement in AI techniques like Deep Learning. Some examples include: enhanced captcha breaking systems; faster identification of vulnerabilities in existing defense systems; more effective selection of phishing targets by collecting and processing information from a large number of different public domain sources; faster creation of new malware which can avoid detection, among others. Though one may not see entirely new types of attacks using so-called AI agents, it is very highly likely that existing attacks would be made much more targeted, effective and automated using these AI tools.
We put our foundational SDK and API components in place in 2017 and plan to meet the demand this year for accelerated adoption head on. Partnerships are a key growth play for us from the smartphone manufacturers, alliance and app development platforms, and ID platforms. We believe the industry needs to collaborate more to help customers fight the cybersecurity battle.
We also look forward to contributing to the growth in decentralized data exchanges and movements being driven by blockchain and new data ownership models.
FB: Well, Deepak, thank you very much for taking the time to tell us about your company, I look forward to hearing about news as it unfolds this coming year.
Zighra: Absolutely, Peter. Thank you very much for your time.