What are the pros and cons of using keystroke dynamic-based authentication systems?

BROWSE BY TAG Identity Management and Access Control,   Enterprise Identity and Access Management,   User Authentication Services,   Biometric Technology,   Two-Factor and Multifactor Authentication Strategies,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Biometric Technology Group to shed light on secure identity management threats Biometrics project studies ways to combat bank fraud Apple iPhone app could boost two-factor Vein-reader biometric authentication for health care, financials Exploring authentication methods: How to develop secure systems Biometric authentication know-how: Devices, systems and implementation Pre-boot biometric user authentication tools and strategies To what exactly would a request for biometric data from an insurance provider pertain? Keystroke recognition aids online authentication at credit union What are the possible benefits of microchip implants and RFID tags for employees? Biometric Technology Research Two-Factor and Multifactor Authentication Strategies Two-factor authentication, vigilance foil password theft Security on a budget: How to make the most of authentication tools Best Authentication Products Best Identity and Access Management Products Are 'strong authentication' methods strong enough for compliance? PCI compliance requirement 7: Restrict access PCI compliance requirement 9: Physical access Best practices: How to implement and maintain enterprise user roles Changing times for identity management RSA researcher Ari Juels: RFID tags may be easily hacked

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary biometric payment  (SearchSecurity.com) electro-optical fingerprint recognition  (SearchSecurity.com) false acceptance  (SearchSecurity.com) finger vein ID  (SearchSecurity.com) fingernail storage  (SearchSecurity.com) keystroke dynamics  (SearchSecurity.com) live capture  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) password hardening  (SearchSecurity.com) ridge  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The technology you describe is offered by two companies called BioPassword Inc. and Deepnet Security. It's a biometrics device that records a user's keystroke style and typing speed. Unlike other biometric devices, which measure more permanent physical characteristics, BioPassword and Deepnet's TypeSense measure something more transient.

Biometrics is a factor in authentication systems. There are three factors in authentication: something you know, like a user ID and password; something you have, like a smart card or one-time password (OTP) token; and something you are, like a physical feature. Traditional biometrics devices include fingerprints, iris scanners or facial and voice-recognition systems.

Combining two authentication factors together creates an additional layer of defense for a system. If an attacker breaks through one factor, they still have the second one to crack before gaining malicious access. Biometrics are considered one of the toughest authentication systems to break because they are the hardest to spoof or duplicate, unlike user IDs and passwords, which can be easily stolen and used.

But what's unique about BioPassword is that the system can be tuned by a system administrator to adjust for different typing speeds and styles. I saw a live demonstration of the product at the RSA Conference in 2006, and this was the feature that impressed me the most. The system basically learns a person's typing style over a period of time and records it in directories like Active Directory.

TypeSense, the only other product in the keystroke dynamics space, is similar and bills itself as non-invasive and light on hardware. The product doesn't require any additional biometrics devices; the keyboard is the hardware. And, it's non-invasive since everybody has to type on a workstation. It doesn't have to read any additional physical characteristic, as do other biometrics.

As with any biometrics technology, the main weakness is false positives and errors that either block access to legitimate users or inadvertently grant access to unauthorized users.

BioPassword has received a lot of attention in the trade press and has a diverse customer base. The decision to purchase the product should be based on your company's needs after a thorough risk assessment of your data. Biometrics of any kind are a hefty investment and should only be considered for high-risk data or to meet compliance standards, like the Federal Financial Institutions Examination Council (FFIEC), which mandates two-factor authentication for Web-based banking.

As with any new product, it should be thoroughly tested in a development or test environment, and rolled out in stages through the enterprise before committing to a full investment.

For more information: