BioPassword Internet Edition
Price: $30,000, starting fee of $1 per user, plus an ongoing maintenance fee of 15%
Fueled by increasingly sophisticated identity theft techniques and regulatory requirements, dual-factor authentication has grown in usage to overcome password weaknesses. Typically, dual-factor relies on tokens as biometric options -- generally fingerprint readers -- and are often considered too expensive and difficult to manage for all but the most security-sensitive organizations.
BioPassword Internet Edition introduces another, cheaper biometric technology: keystroke dynamics, which creates a unique user identifier based on individual typing patterns.
We found that the technology works as advertised once it's properly "trained" with sufficient typing samples to develop a reliable template.
Keystroke dynamics isn't exactly a household phrase, but the idea and technology of this science has its beginnings in World War II, when Morse code operators found they were able to identify senders by the way they typed out the message. Since then, keystroke dynamics has been heavily studied and refined.
We received the BioPassword software development kit (SDK), which is designed to be integrated with an organization's existing login infrastructure. The SDK ships with a sample application, which we used for our testing. The sample application runs on IIS 6 with a MS SQL Server 2000 back end. It uses SOAP to transmit information between
One lab member created several users and trained the program by typing user names and passwords several times to create a base authentication template. Subsequent logins are recorded and used to strengthen the template. We gave our users several different strengths of passwords: a very weak dictionary-based password, a password with mixed case and punctuation, and a pass phrase that contained all lower-case characters. We started the test with only the minimum number of logins for the template (10). One person created the templates with his typing, and others attempted to compromise it by typing in the same credentials with their unique keystroke patterns.
Other lab personnel quickly compromised the account with the simplest user name and the weakest password, and for the account with the mixed case and punctuation. The pass phrase, which provided a larger combination of keystrokes, fared much better, withstanding all compromise attempts.
The performance of the passwords improved as we continued testing. After about 20 or so successful logins, the account with the dictionary-based password successfully resisted compromise.
The key behind BioPassword is its definable user threshold, which determines the acceptable score for authentication. The higher the threshold is set, the less likely the chance of compromise, but the greater the chance of error and the need to re-enter credentials.
A strong combination of user name, password and pass phrase repetition is required for optimal results. Therefore, users need to be educated on how they are being authenticated, and need to be prepared to re-enter their credentials if they pause in mid-password.
BioPassword may be a viable alternative to token-based authentication or costly biometrics for financial institutions that need to meet short-term FFIEC requirements for dual-factor authentication. However, it may not yet be attractive for servicing typical customers because of the education requirements and frustration of login failures due to any change in keystroke pattern.