Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What are the pros and cons of using keystroke dynamic-based authentication systems?

In this SearchSecurity.com Q&A, security pro Joel Dubin discusses the positive and negative aspects of using keystroke dynamic-based authentication systems.

Are keystroke dynamic-based authentication systems reasonable tools for an enterprise? What are some weaknesses of the technology?
The technology you describe is offered by two companies called BioPassword Inc. and Deepnet Security. It's a biometrics device that records a user's keystroke style and typing speed. Unlike other biometric devices, which measure more permanent physical characteristics, BioPassword and Deepnet's TypeSense measure something more transient.

Biometrics is a factor in authentication systems. There are three factors in authentication: something you know,...

like a user ID and password; something you have, like a smart card or one-time password (OTP) token; and something you are, like a physical feature. Traditional biometrics devices include fingerprints, iris scanners or facial and voice-recognition systems.

Combining two authentication factors together creates an additional layer of defense for a system. If an attacker breaks through one factor, they still have the second one to crack before gaining malicious access. Biometrics are considered one of the toughest authentication systems to break because they are the hardest to spoof or duplicate, unlike user IDs and passwords, which can be easily stolen and used.

But what's unique about BioPassword is that the system can be tuned by a system administrator to adjust for different typing speeds and styles. I saw a live demonstration of the product at the RSA Conference in 2006, and this was the feature that impressed me the most. The system basically learns a person's typing style over a period of time and records it in directories like Active Directory.

TypeSense, the only other product in the keystroke dynamics space, is similar and bills itself as non-invasive and light on hardware. The product doesn't require any additional biometrics devices; the keyboard is the hardware. And, it's non-invasive since everybody has to type on a workstation. It doesn't have to read any additional physical characteristic, as do other biometrics.

As with any biometrics technology, the main weakness is false positives and errors that either block access to legitimate users or inadvertently grant access to unauthorized users.

BioPassword has received a lot of attention in the trade press and has a diverse customer base. The decision to purchase the product should be based on your company's needs after a thorough risk assessment of your data. Biometrics of any kind are a hefty investment and should only be considered for high-risk data or to meet compliance standards, like the Federal Financial Institutions Examination Council (FFIEC), which mandates two-factor authentication for Web-based banking.

As with any new product, it should be thoroughly tested in a development or test environment, and rolled out in stages through the enterprise before committing to a full investment.

For more information:

  • Learn how to avoid the risks associated with implementing biometric data.
  • In this expert response, security pro Joel Dubin examines how authentication credentials are in need of more protection from current security regulations.
  • This was last published in September 2007

    Dig Deeper on Biometric technology