Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

12/8/2006
02:52 AM

Credit Union Authenticates 'Bio-Rhythms'

New biometrics tool measures typing rhythms to authenticate users

At first, FORUM Credit Union had no intention of buying a biometrics-based authentication system for its own employees.

Under pressure to adopt two-factor authentication to meet the FFIEC's new online banking rules, the $980 million credit union chose BioPassword's software, which authenticates users by their individual typing rhythm: keystroke timing (how long each key is held and the interval between one key and the next) and other patterns, stored per user in a template.

But before rolling it out to customers, FORUM decided to try it out internally.

"Before we were willing to buy it for our 45,000 home banking customers, we said why don't we buy [the enterprise version] and try it on our 300 employees," says Cameron Piercefield, assistant vice president of technology for FORUM Solutions, a wholly owned subsidiary of FORUM Credit Union that runs its IT operations. "We had no plans to buy an enterprise product, but we came away with one. It gave us a great opportunity to learn how the software works."

Piercefield says FORUM chose BioPassword over tokens, matrix cards, and challenge-question authentication methods because it was simpler to deploy and manage. "It didn't require that the end users carry something everywhere they went," he says. And the credit union didn't want to send out a token to every account user, including multiple users in shared accounts.

Many financial institutions are grappling with the same hurdle -- how to deploy dual-factor authentication to their at-home online banking users without the headache of issuing and managing extra hardware or client software.

The BioPassword Enterprise Edition offers an additional layer of security that goes beyond the basic password. "This doesn't replace [passwords]," says Piercefield, who could not disclose what FORUM spent on the software. "It does make passwords a lot harder to crack: If you get my password, the chances of you being able to log in are very slim."

The biggest tradeoff of this form of biometrics is re-enrollment: each time the user changes his password (FORUM is considering a policy of every 30 to 90 days), he must rebuild his profile by typing his username and new password 10 to 20 times so the system can record his keystroke rhythm and behavior. "That way, it gets a good profile on you," Piercefield says.

The more inconsistent your typing speed and rhythm, the more the software prompts you to retype, so it can get an accurate rendering of your typing "identity."

FORUM runs the software on its existing Windows Server 2003-based Active Directory server; it is integrated with the directory and gates access to the credit union's network. The credit union had to modify its AD schema to work with BioPassword, Piercefield says. A BioPassword client on each PC is the interface to the AD server, and once a user's profile is created, it is stored on that server.

When a user logs in with his username and password, his keystrokes are run through BioPassword's algorithm, which compares the typing pattern to the user's stored "identity" on the AD server. "Depending on the threshold you have set, or how accurate a match you require, that will determine whether it allows you to log in or not."

The key is setting thresholds that keep both false rejections (a legitimate user turned away) and false acceptances (someone else let in) to a minimum. The two pull against each other: loosening the threshold cuts rejections only by admitting more impostors. "If you got five attempts and weren't able to type it right the first time, it will still see you as a 'rejection.'" You can throttle back the threshold for users whose typing rhythms aren't consistent, but that's not ideal, he says.
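The enrollment and verification steps described above (10 to 20 typings of the secret, retype prompts for an inconsistent typist, a stored per-user template, a tunable match threshold, and the false-rejection versus false-acceptance tradeoff) as an added Python illustration. This is not BioPassword's code, and the article does not describe its actual algorithm; the example assumes dwell time (key press to release) and flight time (release of one key to press of the next) as features, a per-feature mean/standard-deviation template, a mean absolute z-score as the match score, and constructed typists whose timings are drawn from seeded Gaussians.

```python
"""Toy keystroke-dynamics enrollment and verification (added example).

Assumptions, not from the article: a typing sample is a list of
(key, press_ms, release_ms); features are dwell and flight times; the template
holds per-feature mean/std; the score is the mean absolute z-score. The
typists, their timings and the password are constructed for the demo.
"""
import itertools
import random
import statistics

SECRET = "forum2006"  # constructed demo password


def features(sample):
    """Dwell and flight times (ms) for one typing of the secret."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def build_template(samples):
    """Per-feature mean/std over the enrollment typings, plus the worst
    coefficient of variation (std/mean) as a consistency measure."""
    cols = list(zip(*(features(s) for s in samples)))
    means = [statistics.mean(c) for c in cols]
    stds = [max(statistics.pstdev(c), 1.0) for c in cols]  # floor avoids /0
    cv_max = max(s / m for m, s in zip(means, stds))
    return {"mean": means, "std": stds, "cv_max": cv_max}


def enroll(typings, min_samples=10, max_samples=20, max_cv=0.35):
    """Collect 10 to 20 typings; an inconsistent typist is asked to keep
    retyping until the rhythm stabilises or the cap is reached.
    Returns (template, number of typings used)."""
    collected = []
    for sample in typings:
        collected.append(sample)
        if len(collected) < min_samples:
            continue
        template = build_template(collected)
        if template["cv_max"] <= max_cv or len(collected) >= max_samples:
            return template, len(collected)
    raise ValueError("typist gave up before a profile could be built")


def score(template, sample):
    """Mean absolute z-score: 0 is an identical rhythm, larger is less alike."""
    f = features(sample)
    return sum(abs(x - m) / s for x, m, s in zip(f, template["mean"], template["std"])) / len(f)


def verify(template, sample, threshold):
    """Accept the login only if the rhythm is within the threshold."""
    return score(template, sample) <= threshold


def error_rates(template, genuine, impostor, threshold):
    """False rejection rate over the owner's typings and false acceptance
    rate over the impostor's, at one threshold setting."""
    frr = sum(not verify(template, s, threshold) for s in genuine) / len(genuine)
    far = sum(verify(template, s, threshold) for s in impostor) / len(impostor)
    return frr, far


def typist(seed, dwell_ms, flight_ms, jitter_ms):
    """Endless constructed typings by one person: holds and gaps are Gaussian
    around that person's means, with a per-key offset for some realism."""
    rng = random.Random(seed)
    while True:
        sample, t = [], 0.0
        for ch in SECRET:
            press = t + max(5.0, rng.gauss(flight_ms, jitter_ms))
            release = press + max(5.0, rng.gauss(dwell_ms + 10 * (ord(ch) % 5), jitter_ms))
            sample.append((ch, press, release))
            t = release
        yield sample


def demo():
    """Enrol a steady and an erratic typist, then sweep the threshold."""
    owner = typist(1, dwell_ms=80, flight_ms=120, jitter_ms=15)
    template, used = enroll(owner)                         # steady: done in 10
    _, sloppy_used = enroll(typist(2, 80, 120, 60))        # erratic: pushed to 20
    genuine = list(itertools.islice(owner, 200))
    # The impostor knows the password but not the rhythm (slower holds and gaps).
    impostor = list(itertools.islice(typist(3, 100, 150, 25), 200))
    rates = {th: error_rates(template, genuine, impostor, th)
             for th in (0.8, 1.0, 1.3, 1.6, 2.0, 3.0)}
    return used, sloppy_used, rates


if __name__ == "__main__":
    used, sloppy_used, rates = demo()
    print(f"steady typist enrolled after {used} typings, erratic after {sloppy_used}")
    for th, (frr, far) in rates.items():
        print(f"threshold {th:.1f}: FRR {frr:.2f}  FAR {far:.2f}")
```

Running the demo shows the tradeoff Piercefield describes: tight thresholds reject the legitimate owner on a large share of logins while admitting nobody else, and relaxing the threshold far enough to stop rejecting an erratic typist starts admitting an impostor who knows the password. A per-user relaxation is therefore a per-user weakening of the second factor, which is why he wants to avoid altering individual settings.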

"We are certainly hoping to avoid altering a lot of individuals' settings, both internally and externally. I think that it would both compromise the effectiveness of the system as well as become a support nightmare."

FORUM plans to roll out BioPassword to its home banking customers late in the first quarter of 2007. The credit union's customers won't have client software as employees do. "They will log in through a small Flash application" to reach the home banking app, he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
