BioPassword Inc.'s BioPassword application

21.08.2006
BioPassword Inc. www.biopassword.com

Product: BioPassword

Development team: Artur Babayan, Brian O'Neill, Bobby Bhasin, Chaz Spahn, Danny DeSousa, Jagadeesan Baskar, Jared Pfost, John Stacy, Jonathan (Hong) Wang, Kulwinder Deol, Lensey Hau, Mark Gamache, Mechthild Kellas-Dicks, Mike Stewart, Seshadri Mani and Steve Comninos

Information security has adopted a number of procedures from the military. One of the latest is using keystroke rhythm as a method of identifying users.

"We see that passwords are increasingly at risk because of known vulnerabilities and new cybercrime threats," says Ant Allan, a U.K.-based Gartner Inc. infosecurity and privacy analyst. "More organizations are looking at stronger authentication methods."

One approach is to move to biometric technologies, such as fingerprint scanners, voice-recognition systems and retina scanners, which physically identify the person logging on.

The limitation of most biometric technologies is that they require the purchase of an additional piece of hardware. In addition to the cost of these devices, the setup restricts a person's ability to use any computer that doesn't have the required piece of biometric hardware installed.

To get around this problem, BioPassword Inc. in Issaquah, Wash., takes a software approach to biometrics using keystroke dynamics -- an analysis of how long a person holds down each key and how long it takes to move from one key to another.

This method is derived from military applications. As recently as World War II, the military used Morse code for communications. Since Morse was a well-known public standard, the problem was how to verify who was actually sending the message.

"Using a methodology called 'the fist of the sender,' military intelligence identified that an individual had a unique way of keying in a message's dots and dashes, creating a rhythm that could help distinguish ally from enemy," says Greg Wood, BioPassword's chief technology officer.

Later, organizations started looking into applying this methodology to computer security. In the early 1980s, the U.S. National Bureau of Standards funded research by the Stanford Research Institute (now SRI International) into this area. SRI concluded that analyzing the keystroke dynamics used when entering a user ID and password was 98 percent accurate, and an initial patent was issued in 1989.

BioPassword purchased the patents in 2002, then further developed the technology and commercialized it.

In 2004, the company released its first product for the workgroup market, and this year, it released products for Internet and enterprise network security systems. The software currently runs on Windows, but BioPassword is looking to extend it to the Unix/Linux environment.

"Probably the single biggest hurdle was to determine the best implementation of the client component in Internet implementations," says Wood. "ActiveX controls are generally frowned on by users, but we needed a reliable, highly distributed technology that could easily be integrated into the user browser."

To overcome that challenge, the product was designed as a Flash plug-in that requires no user installation.

The big advantage BioPassword has over other types of authentication is that it is purely software based. That makes it an appealing option in situations where installing biometric readers isn't practical.

For example, a bank could use a keystroke analyzer to identify customers before allowing them to transfer funds. Even if someone managed to steal a password, that person still wouldn't have the same typing rhythm as the customer.
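To make the dwell-time and flight-time analysis and the stolen-password case concrete, here is an added example; it is not BioPassword's code or algorithm. It uses a scaled Manhattan distance, a common baseline in keystroke-dynamics research, and the password, timings, 5 ms floor and threshold are all constructed assumptions.

```python
from statistics import mean, pstdev

def features(events):
    """events: (key, press_ms, release_ms) tuples in typing order.
    Returns dwell times (key held) then flight times (release -> next press)."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature (mean, spread) across enrollment samples."""
    cols = zip(*(features(s) for s in samples))
    # 5 ms floor on spread (assumed): avoids divide-by-zero on very steady features
    return [(mean(c), max(pstdev(c), 5.0)) for c in cols]

def score(template, events):
    """Scaled Manhattan distance per feature; lower means closer to the template."""
    vec = features(events)
    if len(vec) != len(template):
        return float("inf")
    return mean(abs(v - m) / s for v, (m, s) in zip(vec, template))

def verify(template, password, events, threshold=2.0):
    """Keys must spell the password AND the rhythm must match (threshold assumed)."""
    if "".join(k for k, _, _ in events) != password:
        return False
    return score(template, events) <= threshold

def make(text, dwells, flights):
    """Build constructed sample events from dwell/flight lists (ms)."""
    t, out = 0, []
    for i, ch in enumerate(text):
        out.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

# Constructed data: three enrollment typings of the password "pass"
ENROLLMENT = [make("pass", d, f) for d, f in [
    ([90, 80, 100, 95], [120, 60, 150]),
    ([95, 85, 105, 90], [110, 70, 140]),
    ([85, 75, 95, 100], [130, 65, 160])]]
TEMPLATE = enroll(ENROLLMENT)
GENUINE = make("pass", [92, 78, 102, 93], [115, 63, 155])    # owner's rhythm
IMPOSTOR = make("pass", [60, 60, 60, 60], [200, 200, 200])   # right password, wrong rhythm

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("impostor", IMPOSTOR)]:
        print(name, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, "pass", attempt))
```

In a real deployment the threshold sets the trade-off between rejecting the legitimate user and accepting an impostor, and it has to be tuned on measured typing data rather than fixed in advance.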

Sally Hudson, an identity and access management analyst at IDC in Framingham, Mass., says BioPassword fills "the growing need for multifactor, strong authentication in both enterprise and Internet environments."

She says early adopters will come from banking, health care, e-commerce, government, education and technology sectors, with general enterprise use coming later.

Gartner's Allan says it's too early to tell if the technology will catch on in a big way but adds that it has a good chance.

"It's interesting," he says, "because this is one of the few biometric technologies for user authentication that we see clients enthuse about."