Start-up measures users' trustworthiness for authentication into sites

* Delfigo offers up context- and risk-based authorization scoring for authentication

It never ceases to amaze me that as soon as I think some company is unique within a particular niche, another vendor comes along - sometimes three or four others - to occupy the same space. So it was that just after I submitted last week's newsletter about AdmitOne and its keystroke dynamics authentication method that I became aware of recent start-up Delfigo, which incorporates what it dubs "keyboard biometrics" into its multifactor authorization product.

Last week, I chatted with Delfigo’s President and CEO, Ralph Rodriguez; Vice President, Business Development, Bharat Nair; and Vice President, Software Engineering, Russ Klein. The one thing these three had in common before founding Delfigo is that they were all with the Aberdeen Group, the Boston-based technology research firm. They evidently really liked what they saw in the artificial intelligence technology developed by MIT which forms the basis for Delfigo.

Boiled down, Delfigo does context- or risk-based authorization scoring. In other words, the product, DSGateway, calculates, in real time, a risk value - called the “confidence factor” - which reflects the trustworthiness of your authentication in much the same way your credit score reflects your creditworthiness.

Here’s how it works, as Klein explained it to me:

a. User signs on with user ID and password.

b. User keyboard biometrics and geospatial data determine “are you who you say you are?”

c. System analyzes current information against user historical profile and assigns a confidence factor (CF).

d. If CF is weak, access is restricted and the user may elect to increase confidence using in-band and out-of-band methods.

e. If confidence factor is sufficient, user is granted access.

The service can continue to monitor the user’s activity during the session, and if it deviates too far (the threshold is settable by the administrator) from the user’s historical profile, a flag can be raised and the user is asked to authenticate further using both in-band and out-of-band methods. Examples of in-band methods include passwords, tokens, secret questions and keyboard dynamics, while an example of an out-of-band method is an SMS message.
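To make the five-step flow above and the in-session monitoring concrete, here is an added toy model of confidence-factor scoring. It is an illustration written for this page, not Delfigo's DSGateway code: the two keystroke features (key hold "dwell" time and between-key "flight" time), the distance-based location score, the 60/40 weighting, the grant and step-up thresholds, the point boosts for step-up methods and the sample user profile are all assumptions chosen for clarity. A real product would score many more signals with a trained model.

```python
"""Toy risk-based authentication scoring (illustration, not Delfigo's code).

Compares a login attempt's keyboard biometrics and location against a user's
historical profile, produces a confidence factor (CF) from 0 to 100, decides
grant / step-up / deny, and flags in-session drift against an administrator-set
threshold.  All numbers below are constructed assumptions.
"""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt


@dataclass
class Profile:
    """Historical typing rhythm and usual location for one user (constructed)."""
    dwell_mean: float   # mean key hold time, ms
    dwell_sd: float     # its standard deviation
    flight_mean: float  # mean gap between consecutive keys, ms
    flight_sd: float
    home_lat: float     # usual login location
    home_lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def z(sample, mean, sd):
    """How many standard deviations a sample sits from the user's history."""
    return abs(sample - mean) / sd


def confidence_factor(profile, dwell_ms, flight_ms, lat, lon):
    """Step c: score current signals against the historical profile, 0..100."""
    # Keyboard biometrics: combined z-distance of the typing rhythm; a total of
    # six sigma or more counts as no match at all (assumed scale).
    kb_dev = (z(dwell_ms, profile.dwell_mean, profile.dwell_sd)
              + z(flight_ms, profile.flight_mean, profile.flight_sd))
    kb_score = max(0.0, 1.0 - kb_dev / 6.0)
    # Geospatial: confidence fades to zero 2000 km from home (assumed scale).
    dist = haversine_km(profile.home_lat, profile.home_lon, lat, lon)
    geo_score = max(0.0, 1.0 - dist / 2000.0)
    return round(100 * (0.6 * kb_score + 0.4 * geo_score))


GRANT_THRESHOLD = 75    # assumed: CF at or above this grants access (step e)
STEP_UP_THRESHOLD = 40  # assumed: CF at or above this may be raised by step-up (step d)


def decide(cf):
    """Steps d/e: map a confidence factor to an access decision."""
    if cf >= GRANT_THRESHOLD:
        return "grant"
    if cf >= STEP_UP_THRESHOLD:
        return "step-up"
    return "deny"


# Assumed point boosts for the in-band and out-of-band methods the text lists.
STEP_UP_BOOST = {"sms_otp": 30, "hardware_token": 30, "secret_question": 15}


def step_up(cf, method):
    """Step d: user completes an additional method to raise the CF (capped at 100)."""
    return min(100, cf + STEP_UP_BOOST[method])


def session_drift_flagged(profile, dwell_ms, flight_ms, max_sigma):
    """Continuous monitoring: True when in-session typing rhythm deviates by
    more than max_sigma standard deviations (the administrator-set threshold)."""
    worst = max(z(dwell_ms, profile.dwell_mean, profile.dwell_sd),
                z(flight_ms, profile.flight_mean, profile.flight_sd))
    return worst > max_sigma


if __name__ == "__main__":
    # Constructed profile: a user who normally logs in from Boston.
    alice = Profile(100, 10, 150, 20, 42.36, -71.06)
    # Usual rhythm, usual place -> high CF, granted outright.
    print(decide(confidence_factor(alice, 102, 148, 42.36, -71.06)))
    # Usual rhythm but logging in from London -> mid CF, step-up offered.
    cf = confidence_factor(alice, 103, 152, 51.51, -0.13)
    print(decide(cf), "->", decide(step_up(cf, "sms_otp")), "after SMS OTP")
    # Very different rhythm from the other side of the world -> deny.
    print(decide(confidence_factor(alice, 140, 220, 35.68, 139.69)))
```

The point to take from the sample runs is the middle case: a stolen password alone scores low when it arrives with an unfamiliar typing rhythm or from an unusual place, and the legitimate traveller recovers by completing an out-of-band check rather than by retyping the same compromised credential.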

We’ve all experienced, I’m sure, services which ask us to periodically re-authenticate, but if the username and password are compromised it really doesn’t matter how often the attacker needs to enter them, does it? How much better to use different methods, such as the in-band and out-of-band methods, all the while building up a better level of confidence that the user is who they say they are.

This is the future of data security; check it out now and be on the leading edge.

Fun stuff:

If you need a break from the daily drudgery, check out the latest mini-movie from the creative team at Ping Identity. SSO Wars, by Ping’s Mark Viens and Jeremy Hudson – with a strong nod in George Lucas’ direction!
