Fist of the Sender Statistically Valid
By Doug Bartholomew | Posted 2008-01-30
Forum Credit Union adopts a multifactor authentication system that identifies users by their unique typing patterns. Sound far-fetched? The method was proven during World War II.
In 1980, a research project at the Rand Corporation, funded by the National Science Foundation, concluded that the Fist of the Sender concept was statistically valid as a security method. During the ensuing decade,
In 1984, International Bioaccess Systems acquired the rights to the technology developed by
The system uses information on each keystroke that is routinely captured in the client machine’s operating system. Specifically, the key-down and key-up events are captured for each character entered in the logon and password sequence. “Every keyboard has a component that communicates to the operating system, and we have a way of capturing that information,” says Doug Wheeler, BioPassword vice president of marketing.
The raw measurements can be recorded from almost any keyboard. The system first uses the “dwell time”—that is, the time between key-down and key-up. It also uses “flight time”—the time between key-down and the next key-down, and between key-up and the next key-up. The data is then processed by an algorithm to determine a primary pattern for future comparison. This pattern represents the user’s unique biometric signature.
“It’s a very cool technology, but we were definitely skeptical,” Minges says. “Our people tried giving their user name and password to another person to type in, but it denied them access.” The BioPassword salesperson on the account even offered a $100 gift card to anyone who could log on pretending to be another user. No one won the prize.
Of course, there are a few monkey wrenches that could stymie BioPassword. For example, someone who breaks a hand won’t be able to log on and type a password with the same rhythm as usual. In that case, the user must ask the credit union for a new user BioPassword signature.
Likewise, other user variations—fatigue, alcohol consumption or anything else that disrupts a user’s normal typing pattern—can impede BioPassword’s effectiveness. “Alcohol could affect your ability to type consistently,” Wheeler says. “But we always remind people to please type normally.” And of course, the organization setting up the system can choose to loosen the user-cadence requirements.
The system can, however, accommodate slower changes in the user’s typing rhythm. “The template continually changes as you change,” Minges says. “If your hands gradually become more shaky, the template will adjust.”
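The dwell-time and flight-time measurements, the loosened cadence requirement and the gradually adjusting template described above can be sketched in a few lines. This is an added example, not BioPassword's algorithm: the mean-based template, the mean-absolute-deviation score, the tolerance values, the moving-average update and every function name are assumptions, and the timings are constructed.

```python
from statistics import mean

def typed(keys, dwells, gaps):
    """Build constructed (key, down_ms, up_ms) events; gap = key-up to next key-down."""
    events, t = [], 0
    for key, dwell, gap in zip(keys, dwells, gaps + [0]):
        events.append((key, t, t + dwell))
        t += dwell + gap
    return events

def features(events):
    """Dwell times, then down-to-down and up-to-up flight times, all in ms."""
    dwell = [up - down for _, down, up in events]
    dd = [b[1] - a[1] for a, b in zip(events, events[1:])]
    uu = [b[2] - a[2] for a, b in zip(events, events[1:])]
    return dwell + dd + uu

def enroll(samples):
    """Assumed template: per-feature mean over the enrollment samples."""
    return [mean(col) for col in zip(*(features(s) for s in samples))]

def distance(template, events):
    """Assumed score: mean absolute deviation (ms) from the template."""
    vec = features(events)
    if len(vec) != len(template):
        return float("inf")  # wrong number of keystrokes never matches
    return mean([abs(v - t) for v, t in zip(vec, template)])

def verify(template, events, tolerance_ms=25.0):
    """Accept the attempt only if its rhythm is within the tolerance."""
    return distance(template, events) <= tolerance_ms

def adapt(template, events, rate=0.1):
    """Follow gradual drift; call only after an accepted login."""
    return [(1 - rate) * t + rate * v for t, v in zip(template, features(events))]

# Constructed timings for a four-key secret; not real measurements.
KEYS = "pass"
OWNER = [typed(KEYS, [90, 80, 100, 95], [60, 50, 70]),
         typed(KEYS, [95, 85, 95, 100], [65, 55, 65]),
         typed(KEYS, [85, 75, 105, 90], [55, 45, 75])]
GENUINE = typed(KEYS, [92, 78, 103, 93], [58, 52, 68])
IMPOSTOR = typed(KEYS, [140, 130, 60, 150], [120, 20, 150])
TEMPLATE = enroll(OWNER)

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(distance(TEMPLATE, attempt), 1),
              verify(TEMPLATE, attempt), verify(TEMPLATE, attempt, tolerance_ms=80))
```

With these constructed numbers the impostor is rejected at the default tolerance but accepted once the tolerance is loosened to 80 ms, which is the trade-off an organization makes when it relaxes the cadence requirement.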