For years, security professionals have known, and have been saying, that passwords by themselves are inadequate — thus the need for two-factor (or stronger) authentication. However, multifactor authentication implementations are typically known to be costly (e.g. issuing tokens or biometric readers). Further, many companies report user push-back: some end-users reject or express disdain for biometric authentication.
So, this raises the question: “Is there a multifactor authentication method that is transparent to end-users?” And the answer is, “yes.” The technology is referred to as “keystroke dynamics,” and it extends the authentication paradigm a bit. That is, you usually hear about authentication factors such as:
- Something you know (e.g. password)
- Something you have (e.g. token)
- Something you are (e.g. biometric)
Keystroke dynamics, as well as signature and speech dynamics, add to that list “Something you do.”
Keystroke dynamics systems check the specific characteristics of how someone enters his/her password (i.e. speed, pauses). So, in effect, keystroke dynamics systems are keyloggers that have turned from the Dark Side.
In theory, the use of such systems allows users to simply continue entering a single password – the way they do now. Yet, because individual and unique characteristics are being measured, many of the traditional weaknesses associated with passwords can be overcome. For example, normal “problem areas” such as password sharing and shoulder surfing may be mitigated because other parties cannot mimic the “dwell time” (length of time that the key is pressed) and “flight time” (speed between individual keystrokes) dynamics of the actual user.
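The dwell-time and flight-time comparison described above can be sketched as follows. This is an added example, not code from the original post or from any vendor product; the event format, the scaled Manhattan distance, the 3.0 threshold and all timing values are assumptions constructed for illustration.

```python
from statistics import mean

# Constructed timing data: each sample is one typing of a 4-key password,
# as (key, press_ms, release_ms) events. Not measurements from a real user.
ENROLL = [
    [("p", 0, 95), ("a", 180, 270), ("s", 340, 430), ("s", 520, 615)],
    [("p", 0, 100), ("a", 190, 275), ("s", 350, 445), ("s", 530, 620)],
    [("p", 0, 90), ("a", 170, 265), ("s", 330, 425), ("s", 515, 605)],
]
GENUINE = [("p", 0, 96), ("a", 182, 270), ("s", 342, 435), ("s", 522, 614)]
IMPOSTOR = [("p", 0, 160), ("a", 400, 540), ("s", 820, 950), ("s", 1300, 1450)]

def features(sample):
    """Dwell times followed by flight times (ms) for one typing sample."""
    dwell = [release - press for _, press, release in sample]
    # Assumption: flight = release of one key to press of the next.
    flight = [nxt[1] - cur[2] for cur, nxt in zip(sample, sample[1:])]
    return dwell + flight

def enroll(samples):
    """Template = per-feature mean and mean absolute deviation."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples differ in keystroke count")
    columns = list(zip(*vectors))
    means = [mean(col) for col in columns]
    # Floor of 1 ms keeps a perfectly consistent feature from dividing by zero.
    devs = [max(mean(abs(x - m) for x in col), 1.0)
            for col, m in zip(columns, means)]
    return means, devs

def score(template, sample):
    """Scaled Manhattan distance per feature; lower means closer rhythm."""
    means, devs = template
    vec = features(sample)
    if len(vec) != len(means):
        return float("inf")  # wrong number of keystrokes never matches
    return sum(abs(x - m) / d for x, m, d in zip(vec, means, devs)) / len(vec)

def verify(template, sample, threshold=3.0):
    """Timing check only; the password itself is still verified separately."""
    return score(template, sample) <= threshold

if __name__ == "__main__":
    template = enroll(ENROLL)
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(template, attempt), 2), verify(template, attempt))
```

The threshold trades false rejects against false accepts and would need tuning on real enrollment data.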
Though I’ve not yet done any tests with this technology, I do see it touted as an affordable, reliable alternative to biometrics.
Links for further reading/research:
General info:
- http://en.wikipedia.org/wiki/Keystroke_dynamics
- http://articles.techrepublic.com.com/5100-1009-6150761.html
- http://avirubin.com/fgcs.pdf
- http://et.wcu.edu/aidc/BioWebPages/Biometrics_Keystroke.html
- http://www.computereconomics.com/custom.cfm?name=postPaymentGateway.cfm&id=1185
Vendor products:
You left out iMagic Software. Our flagship product, Trustable Passwords, is a leading vendor in the enterprise authentication market. Our Hyperstring Harmonics technology is patent-pending, and well-proven. We have many thousands of production users, in hospitals no less where the stress levels are high, with thousands more implementing now. We invite you to visit us at www.imagicsoftware.com.
Steven Bender
February 21st, 2007
Steven,
Thanks for your comment. You’re right — somehow I totally missed iMagic. I’ll make an edit to the post and list it with the main content.
Perry
Perry Carpenter
February 21st, 2007