Keystroke Biometric Password

By Cameron Sturdevant | Posted 2007-03-28

Back in the foggy past when eWEEK was PC Week, I remember some buzz in the Lab about user authentication based on keystroke cadence. It sounded cool but didn't seem to take off. On March 28, 2007, I talked with Jared Pfost, a vice president at BioPassword. It turns out that the company that became BioPassword purchased the rights to keystroke biometric technology held by the Stanford Research Institute. On March 26, 2007, the company announced BioPassword Enterprise Edition 3.0, now with optional knowledge-based authentication factors and integration with Citrix Access Gateway Advanced Edition, OWA (Microsoft Outlook Web Access) and Windows XP embedded thin clients.

What I like about keystroke authentication as a biometric factor is that it uses something that is already built into every end-user PC: a keyboard. There is no question about the need to retrofit field-deployed PCs with a fingerprint reader, ditto for laptops, because the keyboard is already deployed. The other thing I like about keystroke authentication is that it's cool.

A client installed on the end-user system chains to the Microsoft Windows GINA (Graphical Identification and Authentication) library to measure key down, key up, key press duration and other keystroke behaviors. All this gets turned into a score based on previously measured metrics to determine if the user who entered the correct user name and password is really the user that was enrolled in the system.

What concerns me about keystroke biometrics, or did anyway, is the training time and the long sentence that needs to be typed. BioPassword showed me that it's overcome both of these concerns. Training time consists of entering the typed sample at least nine times. The kicker is that the typed sample is the user name and password, which can be as short as 12 characters. If I get the time to test this product, I'm going to look into the ability of a 12-character sample, for example a 5-character user name and a 7-character password, to generate a sufficiently strong authentication credential.

BioPassword wants to disrupt the biometric password market with its price: $19/user/year for Enterprise Edition. The company claims this is one-third the cost of physical token systems. As far as I see, BioPassword is talking about RSA with SecurID. With no need to hand out physical tokens and using software to turn keyboards and typing habits into a biometric factor, BioPassword may just have a point.
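To make the enroll-then-score flow described above concrete, here is an added example that is not BioPassword's code or its scoring method, which the article does not describe. It swaps in a scaled Manhattan distance over dwell and flight times; the function names, the threshold, the variance floor and the timing data are all assumptions constructed for illustration.

```python
from statistics import mean, pstdev

MIN_SAMPLES = 9      # the article: the sample is typed at least nine times
STD_FLOOR_MS = 1.0   # assumption: avoids divide-by-zero on very steady typists
THRESHOLD = 2.0      # assumption: mean deviation, in standard deviations

def features(events):
    """events: (key_down_ms, key_up_ms) per key; returns dwell then flight times."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Build a template of per-feature (mean, std) from repeated typings."""
    if len(samples) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} samples, got {len(samples)}")
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("samples differ in keystroke count")
    return [(mean(col), max(pstdev(col), STD_FLOOR_MS)) for col in zip(*vectors)]

def score(template, events):
    """Scaled Manhattan distance: average |x - mean| / std over all features."""
    vec = features(events)
    if len(vec) != len(template):
        return float("inf")  # wrong keystroke count can never match
    return mean(abs(x - m) / s for x, (m, s) in zip(vec, template))

def accept(template, events, threshold=THRESHOLD):
    return score(template, events) <= threshold

def synth(dwell, flight, jitter=0):
    """Constructed data: dwell grows by jitter, flight shrinks by jitter."""
    t, events = 0, []
    for i, d in enumerate(dwell):
        events.append((t, t + d + jitter))
        if i < len(flight):
            t += d + flight[i]  # next key-down time
    return events

# Constructed timings (ms) for a 12-character user name + password sample.
DWELL = [95, 88, 102, 110, 90, 85, 99, 105, 92, 87, 101, 96]
FLIGHT = [140, 120, 160, 135, 150, 125, 145, 130, 155, 138, 142]
TEMPLATE = enroll([synth(DWELL, FLIGHT, j) for j in range(-4, 5)])

if __name__ == "__main__":
    print("owner   ", round(score(TEMPLATE, synth(DWELL, FLIGHT, 2)), 2))
    impostor = synth([d + 30 for d in DWELL], [f - 40 for f in FLIGHT])
    print("impostor", round(score(TEMPLATE, impostor), 2))
```

A 12-character sample yields only 23 timing features here, which is why the question of whether so short a sample separates users reliably depends on the threshold and on how consistent the enrolled typist is.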
