What Is Password Hardening and How Does It Work?

When hardware or biometric multifactor authentication means are not available, password hardening is, explains Mark Diodati, Identity and Privacy Strategies analyst at the Burton Group.

Q: What exactly is password hardening, and how does it mimic the benefits of multifactor authentication?
A: The basic idea of password hardening is that you do something extra to make the password harder to guess or spoof without actually distributing a piece of hardware or software to the consumer. That extra thing you do is like a second factor. Various vendors have pursued different ways of doing this.

Q: Can you give some examples of how password hardening is done?
A: One way is to capture a biometric without using a special device like a fingerprint reader or an iris scanner. For example, there is a company called BioPassword that uses a Flash plug-in to measure the speed of the users typing and keyboard dwell time, that is, how long the fingers hold down the keys. It turns out Adobe has added some additional security features to Flash that expand its use beyond the usual animation features. This process creates a unique biometric value that is extremely hard to imitate. I could type the correct sequence of characters corresponding to your password, but the system would detect the fact that it wasnt you doing the typing.

Q: Doesnt this method inconvenience consumers by requiring them to install Flash?
A: Not necessarily, because many consumers already have Flash installed in their browsers. That has made some of the financial institutions willing to experiment with it. Flash has become the flavor of the year, and some ubiquity metrics show that it is more widely deployed than the Java plug-in.

Q: How widespread is this kind of "stealth biometric" for password hardening?
A: Its not in widespread use yet. Its mostly some of the smaller financial institutions that are experimenting with it. Some of the bigger banks may still have residual concerns about requiring the Flash plug-in. But a lot of institutions are still working through their deployment of risk analytic engines, i.e., the software that analyzes consumer online behavior and flags transactions that seem anomalous. When they get that done youll probably see a wider move toward password hardening, though not necessarily using this specific technology.

Q: What are some other ways of doing password hardening?
A: One way is to present the user with a bitmap image of a scrambled keyboard for them to type their password on using mouse clicks. Each time you use it the keyboard is scrambled in a different way. There is a company called Bharosa that does this; they were acquired by Oracle back in July. You can consider this a form of multifactor authentication, in the sense that it provides an equivalent to a one-time-only password. Though really I would call it pseudo-multifactor compared to the keyboard biometric method. There is also a weaker form of the keyboard image method, where the keys appear in their proper order each time instead of being scrambled. This will protect you from malware that captures keystrokes.

Q: Can password hardening protect from man-in-the-middle attacks?
A: Unfortunately, the only way to be totally protected against man-in-the-middle attacks is to use digital certificates or public key encryption. But short of that, approaches like the BioPassword biometric password hardening are much less vulnerable to man-in-the-middle attacks than simple passwords or the older things like digital watermarking.