The ResultsBy Doug Bartholomew | Posted 2008-01-30 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Forum Credit Union adopts a multifactor authentication system that identifies users by their unique typing patterns. Sound far-fetched? The method was proven during World War II.
The Results: Forum Solutions first tested BioPassword by rolling out the system to Forum Credit Union’s 400-plus employees using workstations and laptops. After nine months, the credit union began offering BioPassword to its online banking customers. The setup requires each user to type his or her user name and password a minimum of nine times for the system to capture the person’s typing rhythm. This caused some confusion and frustration among account holders. “Some people didn’t adapt to it quickly, and we had our share of calls from members to help them work through it,” Minges says.
Although not all of Forum’s online banking members enrolled when the new security system was offered, within a few months those who hadn’t were enrolled “silently” through the automatic capture of their password typing pattern. About 2 percent to 3 percent of Forum’s online banking members whose typing pattern lacked the consistency needed to form a pattern were instructed to use a secondary login, Minges says.
In fact, the sheer newness of the technology may be its biggest drawback, observers say. “One of the problems may be that BioPassword does not have a lot of history,” Ogren says. Although he believes his own typing cadence never varies, “I’m not sure that this holds for everybody on the planet.”
“There needs to be more case history for IT prospects to feel inherently comfortable with this approach,” Ogren adds. “This is tricky stuff, because the system must handle such things as drifts in user behavior and typing skills. BioPassword has yet to prove they can grow the market for this technology.”
Ogren, a former security analyst at Enterprise Strategy Group and Yankee Group, predicts that the market for this technology, once proven, could be vast. “I would love for [ATMs] to have this kind of technology,” he says. “This technology has the [potential] to be used for all login authentication—more than just remote access.”
The BioPassword method of user authentication has some big advantages over other technologies currently in use, Ogren says. For one thing, it’s less expensive than access tokens, such as
With a typical token setup, the end user may be required to purchase a fob or card that typically costs $50 to $70. The user carries the device around and uses it when typing in a PIN. The fob or card has an LCD display showing a six- to eight-digit number that changes randomly and therefore can’t be copied or guessed by anyone. “This type of one-time password generator works well for a banking application,” Ogren says. “But the drawbacks are that it’s expensive, and it usually only penetrates about 20 percent of users because of the cost.
“The nice thing about BioPass-word is that you don’t have to carry around a token,” he says. “And people like using passwords, and the company doesn’t have to ship out these extra password devices.”
The typing-pattern technology itself may offer an advantage vis-à-vis other biometrics-based systems. “The usual types of biometrics in these systems use fingerprint scanners or retinal readers,” Ogren says. “But many people find these uncomfortable, not to mention that they’re also more expensive.”
BioPassword’s deployment was relatively simple: “They put BioPassword on their Web page, and the user connects with that,” Wheeler says. “The control is in the Web page.”
The enterprise version of BioPassword enables companies to be assured that remote users, generally employees connecting from home or on the road, are in fact who they claim to be. “For employees connecting from home, a separate control is put on their PC that captures their keystroke timing,” Wheeler says. That way, even if a laptop is stolen, no other person can connect to the company’s network, even if the person somehow finds the employee’s password.