Biometrics is a factor in authentication systems. There are three factors in authentication: something you know,...
like a user ID and password; something you have, like a smart card or one-time password (OTP) token; and something you are, like a physical feature. Traditional biometrics devices include fingerprints, iris scanners or facial and voice-recognition systems.
Combining two authentication factors together creates an additional layer of defense for a system. If an attacker breaks through one factor, they still have the second one to crack before gaining malicious access. Biometrics are considered one of the toughest authentication systems to break because they are the hardest to spoof or duplicate, unlike user IDs and passwords, which can be easily stolen and used.
But what's unique about BioPassword is that the system can be tuned by a system administrator to adjust for different typing speeds and styles. I saw a live demonstration of the product at the RSA Conference in 2006, and this was the feature that impressed me the most. The system basically learns a person's typing style over a period of time and records it in directories like Active Directory.
TypeSense, the only other product in the keystroke dynamics space, is similar and bills itself as non-invasive and light on hardware. The product doesn't require any additional biometrics devices; the keyboard is the hardware. And, it's non-invasive since everybody has to type on a workstation. It doesn't have to read any additional physical characteristic, as do other biometrics.
As with any biometrics technology, the main weakness is false positives and errors that either block access to legitimate users or inadvertently grant access to unauthorized users.
BioPassword has received a lot of attention in the trade press and has a diverse customer base. The decision to purchase the product should be based on your company's needs after a thorough risk assessment of your data. Biometrics of any kind are a hefty investment and should only be considered for high-risk data or to meet compliance standards, like the Federal Financial Institutions Examination Council (FFIEC), which mandates two-factor authentication for Web-based banking.
As with any new product, it should be thoroughly tested in a development or test environment, and rolled out in stages through the enterprise before committing to a full investment.
For more information:
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.