Keystroke Biometric Password

Back in the foggy past when eWEEK was PC Week, I remember some buzz in the Lab about user authentication based on keystroke cadence. It sounded cool but didn't seem to take off. On March 28, 2007, I talked with Jared Pfost, a vice president at BioPassword. It turns out

Back in the foggy past when eWEEK was PC Week, I remember some buzz in the Lab about user authentication based on keystroke cadence. It sounded cool but didn't seem to take off. On March 28, 2007, I talked with Jared Pfost, a vice president at BioPassword. It turns out that the company that became BioPassword purchased the rights to keystroke biometric technology held by the Stanford Research Institute. On March 26, 2007, the company announced BioPassword Enterprise Edition 3.0 now with optional knowledge-based authentication factors, integration with Citrix Access Gateway Advanced Edition, OWA (Microsoft Outlook Web Access) and Windows XP embedded thin clients.

What I like about keystroke authentication as a biometric factor is that it uses something that is already built in to every end-user PC: a keyboard. There is no question about the need to retrofit field-deployed PCs with a fingerprint reader, ditto for laptops, because the keyboard is already deployed. The other thing I like about keystroke authentication is that it's cool. After installing a client on the end-user system that chains to the Microsoft Windows GINA (Graphical Identification and Authentication) library to measure key down, key up, key press duration and other keystroke behaviors. All this gets turned into a score based on previously measured metrics to determine if the user who entered the correct user name and password is really the user that was enrolled in the system. What concerns me about keystroke biometrics, or did anyway, is the training time and long sentence that needs to be typed. BioPassword showed me that it's overcome both of these concerns. Training time consists of entering the typed sample at least nine times. The kicker is that the typed sample is the user name and password, which can be as short as 12 characters. If I get the time to test this product, I'm going to look into the ability of a 12-character sample, for example a 5-character user name and a 7-character password, to generate a sufficiently strong authentication credential. BioPassword wants to disrupt the biometric password market with its price: $19/user/year for Enterprise Edition. The company claims this is one-third the cost of physical token systems. As far as I see, BioPassword is talking about RSA with SecureID. With no need to hand out physical tokens and using software to turn keyboards and typing habits into a biometric factor, BioPassword may just have a point.