Information Security Magazine


Biometrics
Issue: Jun 2006


BioPassword Internet Edition
BioPassword

Price: $30,000, starting fee of $1 per user, plus an ongoing maintenance fee of 15 percent

BioPassword Internet Edition's dynamic keystroke technology offers an alternative to token- and fingerprint-based dual-factor authentication.

Fueled by increasingly sophisticated identity theft techniques and regulatory requirements, dual-factor authentication has grown in usage to overcome password weaknesses. Typically, dual-factor authentication relies on tokens or biometric options--generally fingerprint readers--which are often considered too expensive and difficult to manage for all but the most security-sensitive organizations.

BioPassword Internet Edition introduces another, cheaper biometric technology: keystroke dynamics, which creates a unique user identifier based on individual typing patterns.

We found that the technology works as advertised once it's properly "trained" with sufficient typing samples to develop a reliable template.

Keystroke dynamics isn't exactly a household phrase, but the idea and technology of this science have their beginnings in World War II, when Morse code operators found they were able to identify senders by the way they typed out the message. Since then, keystroke dynamics has been heavily studied and refined.

We received the BioPassword software development kit (SDK), which is designed to be integrated with an organization's existing login infrastructure. The SDK ships with a sample application, which we used for our testing. The sample application runs on IIS 6 with a MS SQL Server 2000 back end. It uses SOAP to transmit information between the application and the BioPassword Web service back end, which runs on Windows 2003 Server with IIS.

One lab member created several users and trained the program by typing user names and passwords several times to create a base authentication template. Subsequent logins are recorded and used to strengthen the template. We gave our users several different strengths of passwords: a very weak dictionary-based password, a password with mixed case and punctuation, and a pass phrase that contained all lower-case characters. We started the test with only the minimum number of logins for the template (10). One person created the templates with his typing, and others attempted to compromise it by typing in the same credentials with their unique keystroke patterns.

Other lab personnel quickly compromised both the account with the simplest user name and the weakest password and the account whose password used mixed case and punctuation. The pass phrase, which provided a larger combination of keystrokes, fared much better, withstanding all compromise attempts.

The performance of the passwords improved as we continued testing. After about 20 or so successful logins, the account with the dictionary-based password successfully resisted compromise.

Exec Summary

- No biometric hardware
- No tokens to manage
- Integrates with current applications
- Monitors access attempts
- Requires user education
- Inadvertent login failures

The key behind BioPassword is its definable user threshold, which determines the acceptable score for authentication. The higher the threshold is set, the less likely the chance of compromise, but the greater the chance of error and the need to re-enter credentials.

A strong combination of user name, password and pass phrase repetition is required for optimal results. Therefore, users need to be educated on how they are being authenticated, and need to be prepared to re-enter their credentials if they pause in mid-password.
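
The threshold trade-off and the mid-password pause described above can be reproduced with a small model. This is an added example, not BioPassword's code or algorithm: it assumes a generic scaled-Manhattan distance, and every name (`build_template`, `score`, `sweep`) and timing value is constructed for illustration.

```python
from statistics import mean

# Assumption: generic keystroke-dynamics scoring, not the vendor's method.
# Each row alternates key-hold and key-to-key flight times in ms (constructed).
ENROLL = [
    [95, 140, 88, 160, 102, 130],
    [100, 150, 90, 155, 98, 135],
    [105, 145, 92, 165, 100, 125],
    [98, 155, 85, 150, 104, 128],
    [102, 135, 95, 170, 96, 132],
]
GENUINE = [
    [101, 148, 91, 158, 99, 131],   # normal login by the enrolled user
    [97, 139, 87, 166, 103, 127],   # same user, slightly off rhythm
    [100, 146, 90, 420, 101, 129],  # same user, pause in mid-password
]
IMPOSTORS = [
    [70, 210, 60, 240, 80, 190],    # very different rhythm
    [130, 100, 120, 110, 140, 95],  # very different rhythm
    [108, 152, 96, 150, 106, 138],  # typist with a similar rhythm
]
THRESHOLDS = (0.10, 0.25, 0.45, 0.60)

def build_template(samples):
    """Per-feature mean and mean absolute deviation of the enrollment samples."""
    cols = list(zip(*samples))
    means = [mean(c) for c in cols]
    # Floor the deviation at 1 ms so a perfectly steady feature cannot divide by zero.
    mads = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, means)]
    return means, mads

def score(template, attempt):
    """Similarity in (0, 1]; 1.0 means the attempt matches the template means."""
    means, mads = template
    dist = mean(abs(x - m) / d for x, m, d in zip(attempt, means, mads))
    return 1.0 / (1.0 + dist)

def sweep(template, genuine, impostors, thresholds):
    """Map each threshold to (false_accepts, false_rejects) counts."""
    return {
        t: (sum(score(template, a) >= t for a in impostors),
            sum(score(template, a) < t for a in genuine))
        for t in thresholds
    }

if __name__ == "__main__":
    for t, (fa, fr) in sweep(build_template(ENROLL), GENUINE, IMPOSTORS, THRESHOLDS).items():
        print(f"threshold {t:.2f}: false accepts {fa}/3, false rejects {fr}/3")
```

On this data, raising the threshold first locks out the paused login, then the similar typist, then the legitimate user's off-rhythm attempt.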

BioPassword may be a viable alternative to token-based authentication or costly biometrics for financial institutions that need to meet short-term FFIEC requirements for dual-factor authentication. However, it may not yet be attractive for servicing typical customers because of the education requirements and frustration of login failures due to any change in keystroke pattern.


--BRENT HUSTON




