At first, FORUM Credit Union had no intention of buying a biometrics-based authentication system for its own employees.
Under pressure to adopt dual-factor authentication to meet new FFIEC online banking rules, the $980 million credit union chose BioPassword's software, which authenticates users based on their individual typing rhythms, including keystroke timing and other patterns that are stored in their templates.
But before rolling it out to customers, FORUM decided to try it out internally.
"Before we were willing to buy it for our 45,000 home banking customers, we said why don't we buy [the enterprise version] and try it on our 300 employees," says Cameron Piercefield, assistant vice president of technology for FORUM Solutions, a wholly owned subsidiary of FORUM Credit Union that runs its IT operations. "We had no plans to buy an enterprise product, but we came away with one. It gave us a great opportunity to learn how the software works."
Piercefield says FORUM chose BioPassword over tokens, matrix cards, and challenge-question authentication methods because it was simpler to deploy and manage. "It didn't require that the end users carry something everywhere they went," he says. And the credit union didn't want to send out a token to every account user, including multiple users in shared accounts.
Many financial institutions are grappling with the same hurdle -- how to deploy dual-factor authentication to their at-home online banking users without the headache of issuing and managing extra hardware or client software.
The BioPassword Enterprise Edition offers an additional layer of security that goes beyond the basic password. "This doesn't replace [passwords]," says Piercefield, who could not disclose what FORUM spent on the software. "It does make passwords a lot harder to crack: If you get my password, the chances of you being able to log in are very slim."
The biggest tradeoff of this form of biometrics is that each time the user changes his password (FORUM is considering a policy of somewhere between every 30 to 90 days), he must build his profile by typing his username and password 10 to 20 times, which allows the system to record keystroke rhythms and behavior. "That way, it gets a good profile on you," Piercefield says.
The more inconsistent your typing speed and rhythm, the more the software prompts you to retype, so it can get an accurate rendering of your typing "identity."
FORUM runs the software on its existing Windows 2003-based Active Directory server, and it's integrated with the directory and handles access to the credit union's network. The credit union had to tweak its AD schema to work with BioPassword, Piercefield says. A BioPassword client on each PC is the interface to the AD server, and once a user's profile is created, it's stored on that server.
When a user logs in with his username and password, his keystrokes are run through BioPassword's algorithm, which compares the typing patterns with those of the user's stored "identity" on the AD server. "Depending on the threshold you have set, or how accurate a match you require, that will determine whether it allows you to log in or not."
The key is setting thresholds to keep false rejections and false acceptances to a minimum. "If you got five attempts and weren't able to type it right the first time, it will still see you as a 'rejection.'" You can throttle back the threshold for users whose typing rhythms aren't consistent, but that's not ideal, he says.
"We are certainly hoping to avoid altering a lot of individuals' settings, both internally and externally. I think that it would both compromise the effectiveness of the system as well as become a support nightmare."
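As an added illustration (not BioPassword's algorithm, and not code from FORUM), the following Python sketches how an enrollment profile, a match score and a configured threshold interact, and how moving the threshold trades false rejections against false acceptances. The four-feature timing vectors, the mean-absolute-z-score distance, the 1 ms spread floor and the ten-sample minimum are all assumptions made for this example.

```python
from statistics import mean, pstdev

def build_template(samples, min_samples=10):
    """Fold repeated enrollment typings into a per-feature mean and spread.
    Each sample is a list of timings in milliseconds (key hold times and
    inter-key latencies) from one typing of the username and password."""
    if len(samples) < min_samples:
        raise ValueError(f"need at least {min_samples} enrollment samples")
    width = len(samples[0])
    if any(len(s) != width for s in samples):
        raise ValueError("every sample must have the same feature count")
    columns = list(zip(*samples))
    return {
        "mean": [mean(c) for c in columns],
        # floor the spread at 1 ms so a perfectly steady feature cannot divide by zero
        "dev": [max(pstdev(c), 1.0) for c in columns],
    }

def score(template, attempt):
    """Distance of one login attempt from the profile: mean absolute z-score
    across features (0.0 means the rhythm matched the profile exactly)."""
    return mean(abs(a - m) / d
                for a, m, d in zip(attempt, template["mean"], template["dev"]))

def verify(template, attempt, threshold):
    """Accept the attempt when its distance is within the configured threshold."""
    return score(template, attempt) <= threshold

def error_rates(template, genuine, impostor, threshold):
    """False rejection rate over genuine attempts and false acceptance rate
    over impostor attempts at one threshold setting."""
    frr = sum(not verify(template, a, threshold) for a in genuine) / len(genuine)
    far = sum(verify(template, a, threshold) for a in impostor) / len(impostor)
    return frr, far

# Constructed data: four timing features per typing, ten enrollment samples of
# one user whose rhythm drifts a few milliseconds around a stable base.
BASE = [90, 120, 85, 140]
ENROLLMENT = [[b + d for b in BASE] for d in (-4, -3, -2, -1, 0, 0, 1, 2, 3, 4)]
TEMPLATE = build_template(ENROLLMENT)
GENUINE = [[b + 2 for b in BASE], [b + 5 for b in BASE]]  # same user, later logins
IMPOSTORS = [[130, 200, 120, 220], [60, 90, 55, 100]]     # others typing the same secret

if __name__ == "__main__":
    for threshold in (1.5, 3.0, 30.0):
        frr, far = error_rates(TEMPLATE, GENUINE, IMPOSTORS, threshold)
        print(f"threshold {threshold:>4}: FRR={frr:.2f} FAR={far:.2f}")
```

A tight threshold (1.5) rejects the genuine user's slightly slower second login, a loose one (30.0) lets both impostors through, and the middle setting separates them on this data; widening the threshold for an inconsistent typist is exactly the per-user loosening the article warns against.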
FORUM plans to roll out BioPassword to its home banking customers late in the first quarter of 2007. The credit union's customers won't have client software like employees do. "They will log in through a small Flash application" to reach the home banking app, he says.
-- Kelly Jackson Higgins, Senior Editor, Dark Reading