Who are you? Online retailers and bankers--anyone who does business on the Internet--really wanna' know, because there's a chance that you are really a criminal using a stolen identity. The combination of online fraud and FFIEC guidelines are driving financial institutions, in particular, to implement multifactor authentication and/or some sort of compensating controls, such as fraud detection and prevention services and products.
"We spent a good three years looking at multifactor authentication solutions to satisfy FFIEC and improve our security architecture to protect our members' data," said Joey Rudisill CIO and vice president of IT of Oregon-based First Tech Credit Union, whose members are predominantly from IT and telecommunications companies, including 17,000 Microsoft employees.
Organizations from regional institutions like First Tech to giants like Bank of America and Amazon.com have to balance cost, risk and security, as strong authentication is expensive and difficult to deploy and maintain when the user population is tens of thousands to millions of customers.
"We looked at one-time passwords, tokens, access cards, device signatures; we really looked at a lot of different options," Rudisill said. "What we struggled with was the fact that we were looking at a solution that was inherently designed to make our online banking applications more difficult to use."
That nasty issue and high cost have pushed traditional vendors to try to develop ways to make two-factor authentication more accessible and cost-effective. It has also spawned some interesting alternative technologies, including image-recognition schemes and keystroke capture and recognition. Rudisill regarded the latter with some skepticism when BioPassword approached him with their solution.
"When I first saw it, I absolutely didn't believe it." he said. "Then the CEO created a set of credentials and gave me his username and password. I tried to mimic it and time after time, I failed."
The technology's accuracy has been verified by the Tolly Group. In testing commissioned by BioPassword, Tolly found that the software thwarted 99.2% of its fraudulent login attempts, and allowed 98% of legitimate logins, which addresses concern over false positives.
After internal and customer pilots, First Tech went to full deployment last May. BioPassword is implemented as an SDK, which required some development. Rudsill said that went smoothly, taking about three months.
That's changing, with today's announcement that BioPassword is now AdmitOne Security, with a more fully developed authentication portal platform, AdmitOne Authentication Suite, that allows organizations to develop use policies around other authentication methods to complement the core keystroke recognition technology.
"Before, we were just biometric factor; we weren't a complete portal solution. We architected a new platform from ground up," said AdmitOne CEO Mark Upson. AdmitOne says it has 105 customers, including 30 financials.
The new platform allows organizations to use other factors such as signatures, embedded flash tags, challenge questions, and/or issue one-time passwords out of band via cell phone, based on policy that Upson says is easy to implement through a point-and-click interface. Users can be provisioned through integration with the company's data store.
Rudsill thinks they're moving in the right direction as they look at the extended platform later this year.
"Incorporating multiple factors for authentication and implementing a policy management system that allow us to use keystroke dynamics in conjunction with challenge questions and signatures and set policy accordingly," Rudisill said. "It will allow us, if necessary, to segment membership, have group policies to give us greater degree of control based on members needs."