Keystrokes Are Us

Opinion: BioPassword may be the next big thing in biometrics.

I remember buzz here at eWEEK Labs some time ago about user authentication based on keystroke cadence. It sounded cool but didn't seem to take off.

That may soon change.

In March, I spoke with Jared Pfost, a vice president at BioPassword. It turns out that the company that became BioPassword purchased the rights to keystroke biometric technology held by SRI (Stanford Research Institute) International.

BioPassword is putting that technology into action with its new BioPassword Enterprise Edition 3.0, with optional knowledge-based authentication factors, integration with Citrix Systems' Citrix Access Gateway Advanced Edition, and Microsoft OWA (Outlook Web Access) and Windows XP embedded thin clients.

What I like about keystroke authentication as a biometric factor is that it uses something that is already built in to every user's PC: a keyboard. This eliminates the need to, for example, retrofit field-deployed PCs with a fingerprint reader—ditto for laptops—because the keyboard is already deployed.

The other thing I like about keystroke authentication is that it's cool: A client is installed on a user's system, which is then chained to the Microsoft Windows GINA (Graphical Identification and Authentication) library to measure keystroke behaviors such as key-down and key-up duration. All this information gets turned into a score based on previously measured metrics to determine if the user who entered a correct user name and password is really the user who enrolled in the system.

What has concerned me about keystroke authentication in the past is the training time it takes and the long sentences that need to be typed for authentication. BioPassword seems to have overcome these concerns.

Training time consists of entering a typed sample at least nine times. The kicker is that the typed sample is the user name and password, the total character count for which can be as short as 12.

If I get the time to test this product, I'm going to look into the ability of a 12-character sample—for example, a five-character user name and a seven-character password—to generate a sufficiently strong authentication credential.
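
The enrollment and scoring flow described above, as an added example in Python (not BioPassword's code or algorithm): it builds a template from nine entries of a 12-character sample and scores a later attempt with a scaled Manhattan distance over key-down/key-up timings. The distance measure, the 2.0 threshold, every function name and all timing values are assumptions constructed for illustration.

```python
from statistics import mean

MIN_SAMPLES = 9  # the article's stated minimum number of enrollment entries

def features(events):
    """events: [(key_down_ms, key_up_ms), ...]; returns dwell times, then flight times."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature mean and mean absolute deviation over all samples."""
    if len(samples) < MIN_SAMPLES:
        raise ValueError("need at least %d enrollment samples" % MIN_SAMPLES)
    vecs = [features(s) for s in samples]
    if len({len(v) for v in vecs}) != 1:
        raise ValueError("enrollment samples differ in length")
    cols = list(zip(*vecs))
    mu = [mean(c) for c in cols]
    # Floor the deviation at 1 ms so a very consistent key cannot divide by zero.
    mad = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, mu)]
    return mu, mad

def score(template, events):
    """Scaled Manhattan distance per feature; lower means closer to enrollment."""
    mu, mad = template
    vec = features(events)
    if len(vec) != len(mu):
        raise ValueError("attempt length does not match the enrolled sample")
    return sum(abs(x - m) / d for x, m, d in zip(vec, mu, mad)) / len(vec)

def verify(template, events, threshold=2.0):  # threshold is an assumed value
    return score(template, events) <= threshold

def typed(dwell, flight, drift=0):
    """Constructed input: key events built from dwell/flight times in ms."""
    t, events = 0, []
    for d, f in zip(dwell, flight + [0]):
        events.append((t, t + d + drift))
        t += d + f + 2 * drift
    return events

# Constructed timings for a 12-character entry (12 dwells, 11 flights).
DWELL = [95, 80, 110, 90, 85, 100, 105, 75, 90, 115, 80, 95]
FLIGHT = [140, 60, 180, 90, 120, 70, 200, 110, 65, 150, 95]
TEMPLATE = enroll([typed(DWELL, FLIGHT, d) for d in range(-8, 9, 2)])
GENUINE = typed(DWELL, FLIGHT, 3)         # same rhythm, slightly slower
IMPOSTOR = typed([120] * 12, [200] * 11)  # right characters, different rhythm
print(round(score(TEMPLATE, GENUINE), 3), round(score(TEMPLATE, IMPOSTOR), 3))
```

A 12-character entry yields only 23 timing features, so the accept/reject decision rests on how tightly the enrolled deviations and the threshold are set.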

With no need to hand out physical tokens and using software to turn keyboards and typing habits into a biometric factor—not to mention its low cost of $19 per user per year for the Enterprise Edition—user authentication based on keystroke cadence may be coming to a PC near you.
