Deep DivesBehavioral Biometrics

Behavioral Biometrics

One-line relationship: C7’s other signal, alongside device fingerprinting — a continuous identity signal derived from how someone interacts, not what device they’re on.

What it is

Keystroke dynamics (typing rhythm, dwell time between key presses), mouse movement patterns (velocity, acceleration, curvature of motion), and touch dynamics on mobile (pressure, swipe speed, finger size approximation) are all measurably different between individuals, and reasonably consistent for the same individual over time. Captured continuously through a session rather than once at login, they form a behavioral signal that doesn’t require the user to do anything — no extra prompt, no extra friction — while still contributing to the risk decision.

Where it sits relative to step-up

Behavioral biometrics answers a different question than step-up authentication: step-up is a discrete decision at a specific moment (“this transaction looks risky, challenge now”). Behavioral biometrics is continuous — it can flag that the person currently driving the session stopped matching the behavioral profile established at login, which is a meaningfully different signal from “this transaction crossed a risk threshold.” A session that started with the genuine user’s typing rhythm and then shifts sharply (a RAT operator has taken over control of an already-authenticated session, for instance) is exactly the scenario behavioral biometrics is positioned to catch, and one that a point-in-time login check structurally cannot.

What to take to the client

This is the closest analog the web has to continuous authentication rather than authentication as a single event — genuinely useful against session takeover after a successful login, which passkeys and DPoP don’t address (they prove who authenticated and that the client key is present; they don’t prove the same human is still driving). Like device fingerprinting, treat it as a probabilistic signal feeding C8, with a real false-positive cost to weigh against the fraud it catches.