The Rhythm of Identity Management

The Problem: How does a $1 billion Indianacredit union distinguish member from impostor? By applying a user authentication method that helped the U.S.military distinguish ally from enemy during World War II.


The Details: Forum Credit Union last September began using a user-keystroke identification system from BioPassword to validate the identity of its 55,000 members who bank online. “As our business grew, we found we have more and more security issues,” says Carol Minges, director of technology solutions at Forum Solutions, the Indianapolis-based credit union’s software development unit.


In keeping with credit union regulations, Forum was required to implement multifactor user authentication for its online banking system. “You usually need to have two or more factors, because someone can always crack one of them,” says Eric Ogren, president of the Ogren Group, a security consulting firm in Massachusetts.


The Context: Although Forum’s online banking hadn’t been victimized by fraud, the organization had been allowing members to access the Internet-based banking system using only their user name and password. “People could share user names and passwords,” Minges says. “The user authentication we had was similar to what you find with 99 percent of the applications on the Internet.”


The Solution: Forum looked at a variety of technologies, including the use of USBtokens. While USBtokens provide strong two-factor authentication (something you have—the token—combined with something you know—a password), they proved too costly. At an average initial distribution price of $20 per account holder, tokens would have cost the bank hundreds of thousands of dollars. BioPassword’s software-based solution provides two-factor authentication by recording and recognizing users’ unique typing rhythms (something they have or something about them).


Forum ran an internal pilot with its employees to test the new technology and method. In the case of BioPassword, however, “new” is a relative term: While the modern application was new, the idea and technique were more than proven.


In the mid-19th century, telegraph operators were known by their “signature” styles of tapping out Morse code. It was commonly accepted that, with experience, each operator developed a unique signature and was identified simply by the person’s idiosyncratic tapping rhythm.


During World War II, U.S.military intelligence experts took advantage of a methodology called the “Fist of the Sender,” which identified an individual by his unique method of typing out Morse code messages. As a result, intelligence officers were able to track enemy troop movements using code operators’ signatures.