Steve Schipull admits to being at least a little skeptical when he first saw the biometric password product that would eventually become part of his firm's employee authentication arsenal.
"It was like, 'Okay, you just type on your keyboard and you get in,'" says the EVP of finance and technology for the San Antonio City Employees FCU. Schipull was referring to Biopassword, a product that provides password and user authentication by remembering the typing pattern of a specific user. The user types in his password, and his typing pattern serves as a second level of authentication.
Part of Biopassword's sales pitch to the San Antonio CU included a demonstration by Biopassword executives. Schipull watched as an executive logged in. Then it was Schipull's turn to try to emulate the Biopassword exec in an attempt to "hack" into that executive's computer. "For the life of me, when I went through the test, I was trying to duplicate his typing cadence. And I just couldn't," he says. "You hear stories about people losing laptops or other wireless devices, so we went with this system. Even if somebody loses their laptop, another person who finds it would have a hard time getting access to the system."
Like most financial firms, the San Antonio-based CU has high-level user authentication on its mind, given the attention electronic fraud is getting and the FFIEC guidance on authentication. Since the FFIEC missive isn't a law and doesn't specify a method of user verification, financial firms are left to decide on an approach. Part of that decision is based on how much "extra work" users have to do to get into a Web site or onto a company's server.
For the credit union, part of the appeal of Biopassword is in the simplicity for the user. If a user can hit keys on a keyboard, they can be verified. There's no extra list of key words to remember beyond the initial username and password. "[Biopassword] is easy to install and easy to manage," Schipull says. The credit union is using the product to authenticate internal users, and while it's not using it for customers, that use hasn't been ruled out.
Andrew Tull, EVP of sales and marketing for the Seattle-based Biopassword, says the idea behind the technology is based in part on scientific research on keying patterns that dates back to Morse code. During World War II, it was found that people on the receiving end of telegraph messages often knew who was sending the message simply from the cadence of the strokes. "If we were tapping code back and forth to one another, and I was out one day, you'd know someone different was on the other end, even if the code they were typing in was valid," he says.
Subsequent generations of research found that the manner in which specific people interact with a keyboard can be "captured" to form an identity, and it's that concept that drives keyboard-based biometric products such as Biopassword. "We capture the unique pattern that you and only you can type, and use that pattern as a way to ID you," Tull says.
Tull says the technology works on any keyboard, and the firm can set a level of security from 1 to 100, with 100 being the most difficult to breach.
The user profile is built by measuring data points such as the "flight times" between characters and the manner in which someone strikes the keys, taking into account the variability that even a single user shows from one attempt to the next. Those measurements are reduced to an array of numbers that matches a specific user, and those numbers become that user's biometric template.
The pattern is built up over a set period of time, or by simply having the user type his username and password a specified number of times in succession. "I just type the way I normally do, and the template is stored on a Windows-based server that's on the bank's network. Or it can also be stored in a data repository," Tull says.
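The enrollment and matching process described above, as an added illustration that is not Biopassword's code and does not reflect its actual algorithm: the feature set (dwell time per key plus flight time between keys), the z-score matcher, the standard-deviation floor and the linear mapping of a 1-to-100 security level onto a threshold are all assumptions made for this example, and the millisecond timings are constructed. It shows why a second person who knows the password is still rejected on cadence, and why an attempt with the wrong number of keystrokes is rejected before scoring at all.

```python
from statistics import mean, pstdev

MIN_STD_MS = 5.0  # floor so a perfectly consistent feature does not become infinitely strict


def make_attempt(keys, dwells, flights):
    """Build (key, press_ms, release_ms) rows from per-key hold times and the
    gaps between releasing one key and pressing the next. Constructed data only."""
    rows, t = [], 0
    for i, k in enumerate(keys):
        press = t
        release = press + dwells[i]
        rows.append((k, press, release))
        if i < len(keys) - 1:
            t = release + flights[i]
    return rows


def features(attempt):
    """Feature vector: dwell time per key, followed by flight time between keys."""
    dwell = [r - p for (_, p, r) in attempt]
    flight = [attempt[i + 1][1] - attempt[i][2] for i in range(len(attempt) - 1)]
    return dwell + flight


def build_template(attempts):
    """Enrollment: average the feature vectors over several typings of the same
    string and keep each feature's spread, so the user's own variability is
    part of the template rather than a reason to reject him."""
    vectors = [features(a) for a in attempts]
    cols = list(zip(*vectors))
    return {
        "length": len(attempts[0]),
        "means": [mean(c) for c in cols],
        "stds": [max(pstdev(c), MIN_STD_MS) for c in cols],
    }


def score(template, attempt):
    """Mean absolute z-score of an attempt against the template; lower is closer."""
    f = features(attempt)
    return mean(abs(x - m) / s for x, m, s in zip(f, template["means"], template["stds"]))


def threshold_for_level(level):
    """Map a 1..100 security level onto a z-score threshold. This linear mapping
    is an assumption for the example, not the vendor's scale."""
    if not 1 <= level <= 100:
        raise ValueError("level must be 1..100")
    return 3.0 - 2.5 * (level - 1) / 99  # level 1 -> 3.0, level 100 -> 0.5


def verify(template, attempt, level=50):
    """Second factor only: assumes the password text itself already matched.
    A different keystroke count is rejected outright rather than scored."""
    if len(attempt) != template["length"]:
        return False
    return score(template, attempt) <= threshold_for_level(level)


# --- constructed demonstration data (milliseconds, invented) --------------------
KEYS = list("secret")
OWNER_DWELL = [90, 85, 95, 80, 100, 88]
OWNER_FLIGHT = [120, 140, 110, 160, 130]


def _jittered(base, deltas):
    return [b + d for b, d in zip(base, deltas)]


ENROLLMENT = [
    make_attempt(KEYS, OWNER_DWELL, OWNER_FLIGHT),
    make_attempt(KEYS, _jittered(OWNER_DWELL, [4, -3, 2, -4, 3, -2]),
                 _jittered(OWNER_FLIGHT, [-6, 5, -4, 7, -5])),
    make_attempt(KEYS, _jittered(OWNER_DWELL, [-3, 4, -5, 3, -2, 5]),
                 _jittered(OWNER_FLIGHT, [5, -7, 6, -4, 8])),
]
TEMPLATE = build_template(ENROLLMENT)

# The enrolled user on a later day: small drift from the enrolled cadence.
OWNER_LOGIN = make_attempt(KEYS, _jittered(OWNER_DWELL, [2, 2, -2, -2, 1, 1]),
                           _jittered(OWNER_FLIGHT, [-3, 3, -3, 3, -3]))
# Someone else typing the same (correct) password with a different rhythm.
OTHER_LOGIN = make_attempt(KEYS, [60, 65, 55, 70, 60, 65], [250, 220, 260, 240, 230])

if __name__ == "__main__":
    for name, attempt in (("owner", OWNER_LOGIN), ("other", OTHER_LOGIN)):
        print(f"{name}: score={score(TEMPLATE, attempt):.2f} "
              f"accepted@level50={verify(TEMPLATE, attempt, 50)}")
```

Raising the level tightens the threshold, which trades false rejections of the real user (a bad day, a different keyboard) against false acceptances, and the per-feature standard deviation captured at enrollment is what keeps a legitimate user's ordinary variation from counting against him.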
Behavior-based authentication and electronic employee profiles can also be used as a means to reduce another common password headache, that of the "forgotten password." At Enterprise Bank & Trust, the number of password resets was becoming so great, it was a hindrance to the IT staff.
The St. Louis-based bank turned to a single sign-on product from Imprivata that automates the sign-on process by creating a user profile that "remembers" the access or clearance of that particular user across the entire enterprise, without requiring additional sign-ons as the user moves into a different silo.
Omar Hussain, CEO of Imprivata, says the complexity of most current bank networks combined with increasing regulatory pressure has created a monster of multiple passwords that change every 90 days, even for smaller institutions. "The first thing that any organization does to make sure that only the right person has the right access is to create a dozen passwords, and have those passwords change every 90 days."