Biometrics is a factor in authentication systems. There are three factors in authentication: something you know, like a user ID and password; something you have, like a smart card or one-time password (OTP) token; and something you are, like a physical feature. Traditional biometrics devices include fingerprints, iris scanners or facial and voice-recognition systems.
Combining two authentication factors together creates an additional layer of defense for a system. If an attacker breaks through one factor, they still have the second one to crack before gaining malicious access. Biometrics are considered one of the toughest authentication systems to break because they are the hardest to spoof or duplicate, unlike user IDs and passwords, which can be easily stolen and used.
But what's unique about BioPassword is that the system can be tuned by a system administrator to adjust for different typing speeds and styles. I saw a live demonstration of the product at the RSA Conference in 2006, and this was the feature that impressed me the most. The system basically learns a person's typing style over a period of time and records it in directories like Active Directory.
TypeSense, the only other product in the keystroke dynamics space, is similar and bills itself as non-invasive and light on hardware. The product doesn't require any additional biometrics devices; the keyboard is the hardware. And, it's non-invasive since everybody has to type on a workstation. It doesn't have to read any additional physical characteristic, as do other biometrics.
As with any biometrics technology, the main weakness is false positives and errors that either block access to legitimate users or inadvertently grant access to unauthorized users.
BioPassword has received a lot of attention in the trade press and has a diverse customer base. The decision to purchase the product should be based on your company's needs after a thorough risk assessment of your data. Biometrics of any kind are a hefty investment and should only be considered for high-risk data or to meet compliance standards, like the Federal Financial Institutions Examination Council (FFIEC), which mandates two-factor authentication for Web-based banking.
As with any new product, it should be thoroughly tested in a development or test environment, and rolled out in stages through the enterprise before committing to a full investment.
For more information:
This was first published in September 2007