Keystrokes Are Us

By Cameron Sturdevant  |  Posted 2007-05-07

Opinion: BioPassword may be the next big thing in biometrics.

I remember buzz here at eWEEK Labs some time ago about user authentication based on keystroke cadence. It sounded cool but didn't seem to take off. That may soon change.
In March, I spoke with Jared Pfost, a vice president at BioPassword. It turns out that the company that became BioPassword purchased the rights to keystroke biometric technology held by SRI (Stanford Research Institute) International.
BioPassword is putting that technology into action with its new BioPassword Enterprise Edition 3.0, with optional knowledge-based authentication factors, integration with Citrix Systems' Citrix Access Gateway Advanced Edition, and Microsoft OWA (Outlook Web Access) and Windows XP embedded thin clients.
What I like about keystroke authentication as a biometric factor is that it uses something that is already built in to every user's PC: a keyboard. This eliminates the need to, for example, retrofit field-deployed PCs with a fingerprint reader—ditto for laptops—because the keyboard is already deployed.
The other thing I like about keystroke authentication is that it's cool: A client is installed on a user's system, which is then chained to the Microsoft Windows GINA (Graphical Identification and Authentication) library to measure keystroke behaviors such as key-down and key-up duration. All this information gets turned into a score based on previously measured metrics to determine if the user who entered a correct user name and password is really the user who enrolled in the system.
What has concerned me about keystroke authentication in the past is the training time it takes and the long sentences that need to be typed for authentication. BioPassword seems to have overcome these concerns. Training time consists of entering a typed sample at least nine times. The kicker is that the typed sample is the user name and password, the total character count for which can be as short as 12.
If I get the time to test this product, I'm going to look into the ability of a 12-character sample—for example, a five-character user name and a seven-character password—to generate a sufficiently strong authentication credential.
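
The kind of scoring described above (key-down and key-up timings compared against previously enrolled metrics), as an added example that is not from the article or from BioPassword: it enrolls nine constructed 12-character samples and scores later attempts with a scaled Manhattan distance. The feature set, the scoring method, the threshold and the `typed` helper are all assumptions chosen for illustration.

```python
from statistics import mean

def features(events):
    """events: one (key_down_ms, key_up_ms) pair per typed character, in order.
    Returns dwell times (down to up) followed by flight times (up to next down)."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_samples=9):
    """Build a template: per-feature mean and mean absolute deviation."""
    if len(samples) < min_samples:
        raise ValueError(f"need at least {min_samples} enrollment samples")
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples differ in length")
    columns = list(zip(*vectors))
    means = [mean(c) for c in columns]
    # Floor the deviation so an unusually steady feature cannot dominate the score.
    devs = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(columns, means)]
    return means, devs

def score(template, attempt):
    """Scaled Manhattan distance: average deviation from the template, in units
    of the enrolled user's own variability. Lower means a closer match."""
    means, devs = template
    vec = features(attempt)
    if len(vec) != len(means):
        raise ValueError("attempt length does not match template")
    return mean(abs(x - m) / d for x, m, d in zip(vec, means, devs))

def typed(n_chars, dwell, flight, seq):
    """Constructed test data: n_chars key events with a small deterministic jitter."""
    events, t = [], 0
    for k in range(n_chars):
        down = t
        up = down + dwell + ((7 * seq + 3 * k) % 11 - 5)
        events.append((down, up))
        t = up + flight + ((7 * seq + 5 * k) % 11 - 5)
    return events

THRESHOLD = 4.0  # assumed cut-off for this constructed data, not a vendor value
template = enroll([typed(12, 95, 140, s) for s in range(9)])
genuine = score(template, typed(12, 95, 140, 9))
impostor = score(template, typed(12, 135, 90, 9))  # same text, different rhythm

if __name__ == "__main__":
    print(f"genuine={genuine:.2f} impostor={impostor:.2f} threshold={THRESHOLD}")
```

A 12-character sample yields only 23 timing features here (12 dwell, 11 flight), which is why the false-accept and false-reject rates at a chosen threshold are the numbers to measure when evaluating a short credential.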
With no need to hand out physical tokens and using software to turn keyboards and typing habits into a biometric factor—not to mention its low cost of $19 per user per year for the Enterprise Edition—user authentication based on keystroke cadence may be coming to a PC near you.
Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at
