The Rise of Passive Biometrics: How Scroll Speed + Phone Angle = Your ID

BadB

How a combination of accelerometer and behavior data creates a biometric key without your knowledge

Introduction: Your Body Is Your Password

You visit a website on your phone. You scroll through the feed. You tilt the device to get a better view. You tap the screen to pause the video.

You think, "These are just actions".

But in reality, every movement is being recorded — not for convenience, but to create a unique biometric key.

Modern fraud engines (Forter, Sift, Riskified) no longer wait for you to enter your fingerprint. They silently collect data from the accelerometer, gyroscope, and touchscreen to build a passive biometric profile — without your knowledge or consent.

In this article, we'll explore how passive biometrics works, why it's irreversible, and how even the angle of your phone can give you away.

Part 1: What are Passive Biometrics?

📱 Technical definition

Passive biometrics is the collection and analysis of a user's unique behavioral patterns and physiology without active participation:
  • Scroll speed and acceleration,
  • The angle of the device,
  • Pressure on the screen (3D Touch),
  • Micro-shaking of the hand,
  • Touch patterns.

💡 Key fact:
This data is collected through the DeviceMotion, Touch Events, and Orientation APIs — and does not require permissions.

Part 2: How a Biometric Key is Created

🔑 Three levels of analysis

Level 1: Motor Patterns
  • Scroll: Acceleration, deceleration, stops,
  • Taps: Pressing force, duration, contact area,
  • Swipes: Angle, speed, trajectory curvature.

Level 2: Physiological signals
  • Accelerometer: Micro-vibrations when held (±0.05g),
  • Gyroscope: Angular velocity when turning (±0.1°/s),
  • Magnetometer: Orientation relative to the Earth's magnetic field.

Level 3: Contextual Correlation
  • Time of day: At night, traffic is slower,
  • Content type: Video has more tilt, text has more scrolling,
  • Posture: Lying down - different angle than standing.

📊 Entropy:
The combination of these data gives an entropy of 45–60 bits → 1 in 10²⁰.

Part 3: How Fraud Engines Use Passive Biometrics

🧠 Analysis process (Forter, Sift)

Step 1: Collecting a Reference Profile
  • On the first successful login, the system records:
    • Average tilt angle: 22.3°,
    • Scroll speed: 320 px/sec,
    • Screen pressure: 0.78.

Step 2: Comparison in subsequent sessions
  • If new profile:
    • Angle: 5.1°,
    • Speed: 850 px/sec,
    • Pressure: 0.32,
  • The system sees: “This is a different person” → fraud score = 95+.

💀 Example:
A real user holds the phone at an angle of 20-30°,
a carder puts the phone on the table → angle 0-5° → instant ban.
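
The reference-versus-session comparison described in Part 3, seen from the defender's side, as an added example (not code from the original post or from Forter, Sift or any other vendor): a simplified z-score model in JavaScript. The feature names, the enrolment sessions and the scoring curve are assumptions constructed around the figures quoted above.

```javascript
// Added example: simplified z-score model, not any vendor's algorithm.
// Feature names and sample sessions are constructed for illustration.
const FEATURES = ['tiltDeg', 'scrollPxPerSec', 'pressure'];

// Constructed enrolment sessions; their means equal the Part 3 reference values.
const ENROLMENT = [
  { tiltDeg: 21.0, scrollPxPerSec: 300, pressure: 0.80 },
  { tiltDeg: 23.5, scrollPxPerSec: 340, pressure: 0.76 },
  { tiltDeg: 22.4, scrollPxPerSec: 320, pressure: 0.78 },
];

// Reference profile: mean and sample standard deviation per feature.
function buildProfile(sessions) {
  const profile = {};
  for (const f of FEATURES) {
    const xs = sessions.map(s => s[f]);
    const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
    const variance = xs.reduce((a, x) => a + (x - mean) ** 2, 0) / (xs.length - 1);
    profile[f] = { mean, std: Math.sqrt(variance) };
  }
  return profile;
}

// Distance of each observed feature from the profile, in standard deviations.
// Features the session did not report are skipped, not counted as a match.
function zScores(profile, session) {
  const z = {};
  for (const f of FEATURES) {
    if (typeof session[f] !== 'number') continue;
    z[f] = Math.abs(session[f] - profile[f].mean) / Math.max(profile[f].std, 1e-6);
  }
  return z;
}

// 0-100 risk score from the mean z-score; null means "no behavioural evidence",
// which the caller must resolve with other signals rather than treat as a pass.
function riskScore(profile, session) {
  const zs = Object.values(zScores(profile, session));
  if (zs.length === 0) return null;
  const meanZ = zs.reduce((a, b) => a + b, 0) / zs.length;
  return Math.round(100 * (1 - Math.exp(-meanZ / 3)));
}

const profile = buildProfile(ENROLMENT);
console.log(riskScore(profile, { tiltDeg: 22.0, scrollPxPerSec: 330, pressure: 0.77 }));
console.log(riskScore(profile, { tiltDeg: 5.1, scrollPxPerSec: 850, pressure: 0.32 }));
```

With only three enrolment sessions the standard deviations are small, so the score saturates quickly; a production model would enrol over more sessions and weight features by how stable they are per user.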

Part 4: Why Passive Biometrics Is Irreversible

⚠️ Three reasons

1. It is impossible to fake physiology
  • You can change IP, User-Agent, Canvas,
  • But you can't change your scrolling style or hand shake.

2. Works without permissions
  • DeviceMotion API does not require permissions on iOS/Android,
  • The data is available to any site.

3. Accumulates over time
  • The more sessions, the more accurate the profile,
  • After 3-5 sessions, identification accuracy is 99.2%.

📈 Field data (2026):
Passive biometrics reduces the false positive rate by 50%, but increases carder detection by 75%.

Part 5: How to Test Your Vulnerabilities

🔍 Step 1: Use test sites


🔍 Step 2: Run a local test

js:
Code:
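// Note: iOS Safari 13+ delivers motion/orientation events only after
// DeviceMotionEvent.requestPermission() has been granted.

// Accelerometer
window.addEventListener('devicemotion', e => {
  console.log('Acceleration:', e.acceleration);
});

// Orientation angles (alpha/beta/gamma, in degrees)
window.addEventListener('deviceorientation', e => {
  console.log('Alpha/Beta/Gamma:', e.alpha, e.beta, e.gamma);
});

// Scroll speed in px/ms
let lastScroll = window.scrollY;
let lastTime = performance.now(); // was never declared in the original snippet
window.addEventListener('scroll', () => {
  const now = performance.now();
  const dt = now - lastTime;
  if (dt > 0) { // avoid dividing by zero when two events share a timestamp
    const speed = (window.scrollY - lastScroll) / dt;
    console.log('Scroll speed:', speed);
  }
  lastScroll = window.scrollY;
  lastTime = now;
});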

💡 Rule:
If the angle of inclination is less than 10°, you are already given away (you are using the table, not your hands).

Part 6: How to Protect Yourself from Passive Biometrics

🔧 Device level

📱 iOS / Android
  • There is no way to disable the DeviceMotion API - it is built into the browser,
  • The only way is not to use mobile devices for transactions.

🖥️ Recommendation
  • Use only desktop (laptop + mouse),
  • There is no accelerometer/gyroscope on the desktop → passive biometrics do not work.

🔧 Browser level

🐬 Dolphin Anty
  • Configure desktop profiles only,
  • Disable Device Motion in settings.

⚠️ The hard truth:
Mobile devices are impossible to protect.
Passive biometrics is the end of mobile carding.

Part 7: Why Most Carders Fail​

❌ Common Mistakes

Error | Consequence
Using the phone for transactions | Tilt angle = 0° → anomaly
Lying position | The angle differs from the standard → flag
Ignoring DeviceMotion | They think it's "just sensors" → failure

💀 Field data (2026):
82% of mobile device failures involve passive biometrics.

Part 8: A Practical Guide – Safe Typing

🔹 Step 1: Use desktop only

  • Laptop + mouse,
  • No tablets or phones.

🔹 Step 2: Set up Dolphin Anty

  • Profile: Windows 10 + Chrome 125,
  • Disable: Device Motion, Gyroscope, Accelerometer.

🔹 Step 3: Imitate human behavior

  • Scroll at a natural speed (200–500 px/sec),
  • Take breaks to read,
  • Use a mouse, not a trackpad.

✅ Result:
Complete absence of passive biometrics → low fraud score.

Conclusion: You can't fool your body

Passive biometrics isn't just "another API". It's a physical imprint of your body that can't be counterfeited.

💬 Final thought:
True anonymity begins not with concealment, but with refusal to reveal.
Because in the world of biometrics, even the angle of your face is your ID.

Stay on your desktop. Remain physically invisible.
And remember: in the world of security, your body is the biggest traitor.
 