As businesses look for better ways to verify the identities of their users, the word "biometrics" often comes up. Then everyone at the table gets a mental image of retinal scanners and James Bond movies, followed by big dollar signs in their eyes. And often, the conversation moves in another direction.
Authentication vendors next week at the RSA conference in San Francisco will be aiming to change that mental image with new technologies that verify users' identities by their behavior, rather than an eye scan or a thumbprint. Behavior-based authentication can be cheaper and easier to use than traditional biometrics, they say.
"In the past, businesses had two choices: single-factor authentication, which meant basically a name and password; and tokens or biometrics, which meant a lot of hassle and administrative costs," says Jared Pfost, vice president of security and product strategy at BioPassword, a biometrics tool vendor. "What we see now is that there's a huge middle ground for software-based and behavioral authentication technology that costs less than the traditional tokens, but is much more secure than single-factor technology."
At the conference, vendors will be demonstrating authentication tools that can verify the users' identities by how they speak, type, or move their mice. Others will discuss alternative methods for two-factor authentication, such as adding new levels of personal questions. Still others, such as Corillian, will be unveiling ways to let users create unique ways to identify the authenticity of the Web sites they use via images, text and colors.
"As businesses and as vendors, we have to work with what the end users have," says Greg Hughes, chief security executive at Corillian. "The reality is that today, most users don't have fingerprint scanners. Maybe someday they will. But in the meantime, there are some pretty good technologies emerging that don't require additional hardware or equipment."
The rapid emergence of behavior-based and Q&A methods of authentication has been driven by new government and industry requirements for deployment of two-factor authentication, Hughes observes. The federal government's HSPD-12 mandate, along with the financial industry's FFIEC requirements, made two-factor authentication schemes mandatory for some organizations in 2006.
"It was a force-feeding frenzy," he says.
With the short time fuse and a strong need to control costs, many organizations have been looking toward software-based and behavioral methods of authentication, at least as a stopgap to full-blown physical biometrics. Corillian, which also does consulting on authentication technology, has seen companies use everything from smart cards to voice prints to simply asking the user's grandmother's name.
"I think the behavioral authentication methods have a lot of promise," Hughes says. "I'm also interested in the out-of-band methods that require you to verify your identity by some avenue other than the Internet, such as a phone call."
BioPassword's products work via "keystroke authentication," which means they track the way the user types and then store it like a signature. If someone with a different keystroke signature tries to log onto the user's account, the system will raise a red flag and lock the pretender out.
Keystroke authentication might not be as reliable as retinal scans, but it's a heck of a lot less expensive and a lot more practical for companies that have a wide array of online customers, Pfost says.
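The article does not describe how BioPassword builds or compares keystroke signatures, so the following is an added example, not the vendor's algorithm: a sketch of the general idea using dwell and flight timings and a scaled Manhattan distance, a common choice in keystroke-dynamics work. The function names, the 5 ms deviation floor, the 2.0 threshold and all timing data are assumptions constructed for illustration.

```python
from statistics import mean

def typed(keys, dwells, flights):
    """Build constructed (key, press_ms, release_ms) events for sample data."""
    t, events = 0, []
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events

def features(events):
    """Dwell (hold) time per key, then flight time between consecutive keys."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, floor_ms=5.0):
    """Template = per-feature mean and mean absolute deviation over the samples."""
    cols = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in cols]
    # Floor the deviation so a very steady feature does not dominate the score.
    devs = [max(mean(abs(x - m) for x in c), floor_ms) for c, m in zip(cols, means)]
    return means, devs

def score(template, attempt):
    """Scaled Manhattan distance to the template; lower is a closer rhythm."""
    means, devs = template
    vec = features(attempt)
    if len(vec) != len(means):
        return float("inf")  # different number of keystrokes: no match
    return mean(abs(x - m) / d for x, m, d in zip(vec, means, devs))

def verify(template, attempt, threshold=2.0):
    """Accept only if the rhythm is within the (assumed) threshold."""
    return score(template, attempt) <= threshold

# Constructed sample data: three enrollment typings of a 4-key passphrase.
TEMPLATE = enroll([
    typed("pass", [90, 110, 80, 100], [120, 60, 150]),
    typed("pass", [95, 105, 85, 95], [130, 55, 140]),
    typed("pass", [85, 115, 75, 105], [110, 65, 160]),
])
GENUINE = typed("pass", [92, 108, 83, 98], [125, 58, 145])
IMPOSTOR = typed("pass", [140, 70, 130, 60], [60, 140, 80])  # right keys, wrong rhythm

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, attempt))
```

The threshold is where the reliability trade-off shows up: lowering it rejects more impostors but also locks out legitimate users on an off day, and raising it does the reverse.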
"I think what's happening is that a lot of companies are doing a sort of risk assessment, though they may not really think of it that way," Pfost says. "They're evaluating the risk of penetration against the cost and usability of the authentication technology. And they're finding that there's a significant middle ground where the risk can be greatly reduced -- without incurring prohibitive costs."
"The next step will be for companies to begin monitoring the behavior of end users after they have been authenticated," Hughes says. "What you want to do is monitor the user's activity for patterns of bad behavior that might indicate trouble," he says. "That's another way to reduce risk."
Tim Wilson, Site Editor, Dark Reading