
Keystroke recognition aids online authentication at credit union

By Neil Roiter, Senior Technology Editor, Information Security magazine
21 Apr 2008 | SearchSecurity.com


Who are you? Online retailers and bankers--anyone who does business on the Internet--really wanna' know, because there's a chance that you are really a criminal using a stolen identity. The combination of online fraud and FFIEC guidelines is driving financial institutions, in particular, to implement multifactor authentication and/or some sort of compensating controls, such as fraud detection and prevention services and products.


"We spent a good three years looking at multifactor authentication solutions to satisfy FFIEC and improve our security architecture to protect our members' data," said Joey Rudisill, CIO and vice president of IT of Oregon-based First Tech Credit Union, whose members are predominantly from IT and telecommunications companies, including 17,000 Microsoft employees.

Organizations from regional institutions like First Tech to giants like Bank of America and Amazon.com have to balance cost, risk and security, as strong authentication is expensive and difficult to deploy and maintain when the user population is tens of thousands to millions of customers.

"We looked at one-time passwords, tokens, access cards, device signatures; we really looked at a lot of different options," Rudisill said. "What we struggled with was the fact that we were looking at a solution that was inherently designed to make our online banking applications more difficult to use."

That nasty issue and high cost have pushed traditional vendors to try to develop ways to make two-factor authentication more accessible and cost-effective. It has also spawned some interesting alternative technologies, including image-recognition schemes and keystroke capture and recognition. Rudisill regarded the latter with some skepticism when BioPassword approached him with their solution.


"When I first saw it, I absolutely didn't believe it," he said. "Then the CEO created a set of credentials and gave me his username and password. I tried to mimic it and time after time, I failed."

The technology's accuracy has been verified by the Tolly Group. In testing commissioned by BioPassword, Tolly found that the software thwarted 99.2% of its fraudulent login attempts, and allowed 98% of legitimate logins, which addresses concern over false positives.

After internal and customer pilots, First Tech went to full deployment last May. BioPassword is implemented as an SDK, which required some development. Rudisill said that went smoothly, taking about three months.

That's changing, with today's announcement that BioPassword is now AdmitOne Security, with a more fully developed authentication portal platform, AdmitOne Authentication Suite, that allows organizations to develop use policies around other authentication methods to complement the core keystroke recognition technology.

"Before, we were just a biometric factor; we weren't a complete portal solution. We architected a new platform from the ground up," said AdmitOne CEO Mark Upson. AdmitOne says it has 105 customers, including 30 financials.

The new platform allows organizations to use other factors such as signatures, embedded flash tags, challenge questions, and/or issue one-time passwords out of band via cell phone, based on policy that Upson says is easy to implement through a point-and-click interface. Users can be provisioned through integration with the company's data store.

Rudisill thinks they're moving in the right direction as they look at the extended platform later this year.

"Incorporating multiple factors for authentication and implementing a policy management system that allows us to use keystroke dynamics in conjunction with challenge questions and signatures and set policy accordingly," Rudisill said. "It will allow us, if necessary, to segment membership, have group policies to give us a greater degree of control based on members' needs."
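
To make the idea concrete, the sketch below is an added example, not code from the article and not BioPassword's or AdmitOne's algorithm. It scores the typing rhythm of a correct password against an enrolled template and lets policy choose between allowing the login, stepping up to another factor, or denying it. The dwell/flight features, the z-score distance, the thresholds and the timing data are all assumptions made for illustration.

```python
from statistics import mean, stdev

def features(events):
    """events: [(key_down_ms, key_up_ms), ...] in typing order.
    Returns dwell times (key held) followed by flight times (release to next press)."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, floor_ms=5.0):
    """Template = per-feature (mean, std). The floor keeps a very consistent
    feature from turning a few milliseconds of jitter into a huge z-score."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), floor_ms)) for c in columns]

def score(template, events):
    """Mean absolute z-score against the template; lower means a closer match."""
    f = features(events)
    if len(f) != len(template):
        return float("inf")  # different number of keystrokes: cannot match
    return mean(abs(x - m) / s for x, (m, s) in zip(f, template))

def decide(password_ok, s, accept=1.5, step_up=3.0):
    """Policy layer: thresholds are illustrative and would be tuned per population."""
    if not password_ok:
        return "deny"
    if s <= accept:
        return "allow"
    if s <= step_up:
        return "step_up"  # e.g. challenge question or out-of-band one-time password
    return "deny"

# Constructed timing data (ms) for a four-key secret; not real measurements.
ENROLLMENT = [
    [(0, 90), (150, 230), (300, 395), (470, 550)],
    [(0, 100), (160, 250), (310, 400), (480, 570)],
    [(0, 95), (155, 240), (305, 400), (475, 560)],
]
TEMPLATE = enroll(ENROLLMENT)
OWNER = [(0, 94), (154, 238), (306, 398), (474, 560)]
OWNER_OFF_DAY = [(0, 110), (175, 270), (340, 445), (520, 620)]
MIMIC = [(0, 140), (260, 380), (520, 650), (800, 930)]  # right password, wrong rhythm

if __name__ == "__main__":
    for name, attempt in [("owner", OWNER), ("off day", OWNER_OFF_DAY), ("mimic", MIMIC)]:
        s = score(TEMPLATE, attempt)
        print(f"{name:8s} score={s:5.2f} -> {decide(True, s)}")
```

Lowering the `accept` threshold rejects more impostors at the cost of more step-ups for legitimate users, which is the same trade-off the Tolly figures above measure.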


