Fist of the Sender Statistically Valid

By Doug Bartholomew

Forum Credit Union adopts a multifactor authentication system that identifies users by their unique typing patterns. Sound far-fetched? The method was proven during World War II.

In 1980, a research project at the Rand Corporation, funded by the National Science Foundation, concluded that the Fist of the Sender concept was statistically valid as a security method. During the ensuing decade, SRI International, with funding from the U.S. National Bureau of Standards, developed a biometric solution based on the Fist of the Sender principles and earned a patent for the process. SRI then went on to conduct a feasibility study, concluding that a familiar passage such as a logon and password sequence was sufficient for virtually error-free authentication.


In 1984, International Bioaccess Systems acquired the rights to the technology developed by SRI. In 2002, BioPassword, in turn, acquired the keystroke dynamics technology rights and patent, and began offering the system for use on Windows-based PCs. The authentication system works by capturing an initial set of measurements from the user, who types both logon and password as he or she would normally.


The system uses information on each keystroke that is routinely captured in the client machine’s operating system. Specifically, the key-down and key-up events are captured for each character entered in the logon and password sequence. “Every keyboard has a component that communicates to the operating system, and we have a way of capturing that information,” says Doug Wheeler, BioPassword vice president of marketing.


The raw measurements can be recorded from almost any keyboard. First, they use the “dwell time”—that is, the time between key-down and key-up. They also use “flight time”—the time between key-down and the next key-down, and between key-up and the next key-up. The data is then processed by an algorithm to determine a primary pattern for future comparison. This pattern represents the user’s unique biometric signature.
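The dwell-time and flight-time measurements described above can be turned into a template and compared against a later attempt as in the following added example, which is not BioPassword's algorithm or code from the article. The scoring method (mean deviation scaled by each feature's spread), the 5 ms deviation floor, the 2.0 threshold and all timing data are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def features(keystrokes):
    """keystrokes: [(char, key_down_ms, key_up_ms), ...] in typing order."""
    dwell = [up - down for _, down, up in keystrokes]            # key-down to key-up
    pairs = list(zip(keystrokes, keystrokes[1:]))
    down_down = [b[1] - a[1] for a, b in pairs]                  # flight: down to next down
    up_up = [b[2] - a[2] for a, b in pairs]                      # flight: up to next up
    return dwell + down_down + up_up

def enroll(samples, min_dev_ms=5.0):
    """Build a template: per-feature mean and deviation over the enrollment samples."""
    texts = {"".join(ch for ch, _, _ in s) for s in samples}
    if len(texts) != 1:
        raise ValueError("enrollment samples must all be the same typed text")
    columns = zip(*(features(s) for s in samples))
    # Floor the deviation so a very consistent typist is not locked out by jitter.
    stats = [(mean(c), max(pstdev(c), min_dev_ms)) for c in columns]
    return {"text": texts.pop(), "stats": stats}

def score(template, attempt):
    """Mean deviation from the template, in units of each feature's spread."""
    if "".join(ch for ch, _, _ in attempt) != template["text"]:
        return float("inf")
    return mean(abs(x - m) / s for x, (m, s) in zip(features(attempt), template["stats"]))

def verify(template, attempt, threshold=2.0):
    """Raising threshold loosens the cadence requirement; 2.0 is an assumed value."""
    return score(template, attempt) <= threshold

def typed(text, dwells, gaps):
    """Constructed sample data: gaps[i] is ms from key-up to the next key-down."""
    t, out = 0, []
    for i, ch in enumerate(text):
        out.append((ch, t, t + dwells[i]))
        t += dwells[i] + (gaps[i] if i < len(gaps) else 0)
    return out

# Constructed timings for the text "pass"; not measurements from any real user.
OWNER = [typed("pass", d, g) for d, g in [
    ([90, 80, 85, 95], [40, 120, 60]),
    ([95, 78, 88, 92], [45, 115, 65]),
    ([88, 83, 82, 98], [38, 125, 58])]]
TEMPLATE = enroll(OWNER)
GENUINE = typed("pass", [92, 81, 86, 94], [42, 118, 61])
IMPOSTOR = typed("pass", [140, 150, 130, 145], [200, 90, 210])

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("impostor", IMPOSTOR)]:
        print(name, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, attempt))
```

The impostor attempt types the correct characters and still fails, because only the rhythm differs from the enrolled template.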


“It’s a very cool technology, but we were definitely skeptical,” Minges says. “Our people tried giving their user name and password to another person to type in, but it denied them access.” The BioPassword salesperson on the account even offered a $100 gift card to anyone who could log on pretending to be another user. No one won the prize.


Of course, there are a few monkey wrenches that could stymie BioPassword. For example, someone who breaks a hand won’t be able to log on and type a password with the same rhythm as usual. In that case, the user must ask the credit union for a new user BioPassword signature.


Likewise, other user variations—fatigue, alcohol consumption or anything else that disrupts a user’s normal typing pattern—can impede BioPassword’s effectiveness. “Alcohol could affect your ability to type consistently,” Wheeler says. “But we always remind people to please type normally.” And of course, the organization setting up the system can choose to loosen the user-cadence requirements.


The system can, however, accommodate slower changes in the user’s typing rhythm. “The template continually changes as you change,” Minges says. “If your hands gradually become more shaky, the template will adjust.”


This article was originally published on 2008-01-30
Doug Bartholomew is a career journalist who has covered information technology for more than 15 years. A former senior editor at IndustryWeek and InformationWeek, his freelance features have appeared in New York magazine and the Los Angeles Times Magazine. He has a B.S. in Journalism from Northwestern University.