RESOURCES / WHITEPAPERS

Behavioral Biometrics: The Missing Layer in Modern Fraud Prevention

Download Now

What is behavioral biometrics?

Behavioral biometrics is the analysis of how a user physically interacts with a device during a session — touch and swipe geometry, typing cadence, device motion and orientation, and the timing of actions across a journey. Unlike a device fingerprint, which identifies the hardware, behavioral biometrics characterizes the session: is this input coming from a human finger or from software? Is the phone moving like a phone in a hand, or sitting flat and still like one in a rack?

The signals are captured by a JavaScript tag on web and a native mobile SDK on Android and iOS, pulled from the device's sensors and the user's inputs. Temporal signals are sampled continuously during profiling and converted into statistics — averages, ranges, medians, deviations — available on the event and usable directly in risk rules.

What are the four types of behavioral signals?

Behavioral signals fall into four genres. Each captures a different dimension of the session, and each catches a class of risk the others don't:

Signal genreWhat it capturesRisk it catches
SensorMovement, orientation, magnetic field, light, proximityDevice farms and emulators, which sit at fixed orientations with no real movement
Touch & swipeTap area and pressure; swipe path, curvature, and timing; input sourceAutomation and remote-access malware, where swipes turn linear and inputs aren't from a finger
Timing & durationSession pace, per-step timing, hesitation across the journeyBot speed in registration or payment; hesitation that can indicate a scam or coercion
KeyboardTyping cadence, corrections, paste and autofill, field focus orderSynthetic input and agentic AI, which paste sensitive fields and fill forms out of order

Two details make these genres sharper than they first appear. Touch and swipe signals include the input's source — whether it physically came from a finger or was injected by software — which is a direct tell for remote-access tools and automation frameworks regardless of how human the timing looks. And keyboard behavior is evaluated in field context, because normal behavior differs by field: a paste is far likelier in an ID-number field than in a first-name field, so the same action can be benign in one place and a red flag in another.

A remote-access scam, seen through behavior

Consider an anonymized malware case. The device looked trusted and passed every device check — it was the victim's own phone, so the payment passed MFA. Device-only checks saw nothing wrong.

The session told a different story. On one high-value payment, four behavioral signals fired together: the touch input wasn't coming from a finger, a side-loaded package was present on the device, accessibility services were enabled, and live call audio was playing — the victim was on the phone with the scammer while the payment went through. And the sensors agreed: the phone lay flat and still throughout, not held in a hand.

No single signal proves fraud. Four firing together on one payment, on a session the device layer fully trusted, is the pattern behavioral biometrics exists to catch.

Does behavioral biometrics require special permissions or collect personal data?

No permission popups. These signals are available by default because apps already receive keyboard input and orientation changes — the SDK inherits what the app already has and never needs to raise its own permission request. And keyboard capture records interaction patterns per field, never the contents of what was typed.

Get the full capability brief

The complete brief includes the full signal coverage map across mouse, touch, keyboard, and sensor families, the attribute-level detail for each of the four signal genres, the example rules and the risks each one catches, and the full worked malware case with the event-table evidence.

Download the Darwinium Behavioral Biometrics capability brief to see every signal.

Frequently asked questions

What is the difference between behavioral biometrics and device fingerprinting?

Device fingerprinting identifies which device is connecting; behavioral biometrics characterizes what's happening in the session — how the device is held, touched, and typed on. Fingerprinting can't distinguish a trusted device controlled by its owner from the same device controlled by malware or a remote attacker. Behavioral signals can.

Can behavioral biometrics detect remote-access scams?

Yes — this is one of its strongest use cases. Remote-access sessions produce telltale combinations: touch input sourced from software rather than a finger, a device lying flat and motionless, accessibility services enabled, and in coached scams, live call audio during the transaction.

Does behavioral biometrics work on mobile?

Yes. A native SDK on Android and iOS captures touch, swipe, keyboard, timing, and sensor signals — the mobile equivalent of mouse and keyboard signals on web, plus motion and orientation data that only mobile devices provide.

Can it detect AI agents and bots?

Yes. Automation shows up as perfectly linear swipes, synthetic touch sources, impossible completion speeds, pasted field values, and out-of-order form filling — patterns that separate software-driven sessions from human ones regardless of how legitimate the device looks.

Is typing content captured?

No. Keyboard biometrics records interaction patterns — key counts, timing, hesitancy, corrections — per field context. Field contents are never collected.