Beyond passwords: 5 new ways to authenticate users

New biometric and cognitive tools revolutionize multifactor approach

A look at some fresh ways to make sure the right people are gaining entry to a Web site.

At first signup, customers enter, via dropdown menus, information based on their life, either their favorite trip, dinner, party or other event. Cogneto's Unomi software does the rest. The next time the customer logs in, the software not only provides safe authentication, it puts customers in a good frame of mind by prompting them to recall a pleasant personal experience. (For a quick demo, see the sidebar at the end of this article.)

Unomi represents one of the many new biometric/cognitive methods of authentication that have emerged to help banks and other online businesses deal with new regulations or with the general need to tighten up online security in the wake of so many data breaches.

Keystroke cops

When the Bank of Utah was looking to move beyond user name and password, it had two major criteria: The solution needed to integrate with the bank's existing security infrastructure, and it had to be easy for customers to use.

The bank chose software from start-up BioPassword, which uses "keystroke dynamics" to recognize a user's unique typing pattern. (During the telegraph era, individuals could be identified by the distinctive way they keyed Morse code. The U.S. military during World War II took advantage of that fact to identify specific German Morse operators by recognizing their patterns.)

In the Bank of Utah scenario, customers type in their user name and password a few times to create a signature, which is stored in a database. The next time the customer logs in, the system determines whether the user name and password match the typing signature.

"The user experience does not change," says Kirk Marshall, Bank of Utah's CISO. "Users come to our Web page, type in user names and passwords, and the software works behind the scenes. They don't have to look at pictures or answer questions."
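As an added illustration of the enrollment-then-verify flow described above (not BioPassword's own algorithm, which is proprietary), the following Python sketch builds a typing signature from several samples of the same string and scores a later attempt against it; the timestamps, the 5 ms floor and the z-score thresholds are constructed assumptions.

```python
# Added example of keystroke-dynamics verification. The timestamps are
# constructed and the thresholds are assumptions, not BioPassword's algorithm.
from statistics import mean, pstdev

def flight_times(timestamps):
    """Turn key-press timestamps (ms) into the intervals between keys."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def enroll(samples):
    """Build a signature (per-interval mean and std) from several typings
    of the same user name/password string."""
    intervals = [flight_times(s) for s in samples]
    if len({len(i) for i in intervals}) != 1:
        raise ValueError("enrollment samples must have the same keystroke count")
    # Floor the std at 5 ms so a very consistent typist is not locked out
    # by ordinary jitter (assumption).
    return [(mean(c), max(pstdev(c), 5.0)) for c in zip(*intervals)]

def verify(signature, sample, z_max=2.5, min_match=0.8):
    """Accept if enough intervals fall within z_max std devs of the mean.
    The password itself is checked separately; this only scores rhythm."""
    observed = flight_times(sample)
    if len(observed) != len(signature):
        return False
    hits = sum(1 for x, (mu, sd) in zip(observed, signature)
               if abs(x - mu) / sd <= z_max)
    return hits / len(signature) >= min_match

# Constructed enrollment: the same 6-character string typed four times.
ENROLLMENT = [
    [0, 120, 250, 330, 500, 610],
    [0, 130, 240, 340, 480, 600],
    [0, 110, 260, 320, 510, 620],
    [0, 125, 245, 335, 495, 615],
]
SIGNATURE = enroll(ENROLLMENT)
GENUINE = [0, 118, 252, 337, 502, 615]      # same typist, same rhythm
IMPOSTOR = [0, 200, 400, 600, 800, 1000]    # correct string, even pace
```

The impostor sample types the right characters but at a flat 200 ms pace, so only one of the five intervals lands inside the tolerance and the attempt is rejected even though the password matched.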

First-factor follies

Both the Cogneto and BioPassword methods still require user name and password as the first factor in their two-factor authentication schemes, and some security experts argue that continued reliance on this is a problem.

David O'Connell, senior analyst at Nucleus Research, says, "Passwords are inconvenient, and people are careless with them. In a recent survey we conducted with enterprise users, we found that one-third of all people record passwords somewhere, whether on a sticky note or in a computer file."

Hackers have long known that once they compromise a device, the first thing to look for is a document titled "Passwords." With rootkit and keylogging attacks on the rise, this could be an issue, because additional information could be gleaned alongside the passwords.

However, the question for IT executives is whether the additional security gained by doing away with passwords is worth the problems that will arise as people adjust to new behaviors.

Jared Pfost, BioPassword's vice president of security and product strategy, says the burden on IT created by his company's typing-rhythm system is minimal compared with adopting an entirely new system. Tokens, biometrics, one-time passwords all require a change in user behavior. "Anything that requires behavior changes on the part of the user will generate more calls," Pfost said.

On the other hand, if you keep user name and password, you have to deal with all those help-desk calls from users who forget their passwords. Productivity is affected for the user and for IT. While BioPassword could let users opt for simple passwords that are easy to remember and don't rotate every couple of weeks, some IT professionals are so soured on passwords that they'd like to do away with them once and for all.

Are passwords passé?

ContactWorks provides call-center and customer-contact services, and when the company sought a new form of authentication, it wanted one that would ease the burden on IT.

Jack Pariseau, vice president of sales and marketing, estimated that each password-related call took 10 minutes to handle. "That's just for the call itself," he said. "When you factor in the time it takes to regain your train of thought and find your way back into the project you were working on, the time lost could be anywhere from 20 to 30 minutes."

Last summer, ContactWorks took the radical step of getting rid of passwords and turning instead to the PassFaces authentication solution. PassFaces requires users to recognize a series of people, picking known faces out from a cluster of random people. According to the company, this method of authentication "leverages the brain's innate cognitive ability to recognize human faces."

While it may sound like an odd way to log into a system, the user response has been positive. "It was easy to set up, and it makes life easier for our employees. They don't have to remember passwords or carry around tokens. From an IT standpoint, no one calls them with login problems anymore," Pariseau says.

Another benefit for ContactWorks is managing a transient workforce. "In the call center business, there is a lot of turnover," he says. "Added to that is the fact that we're located in Austin, a city with a lot of tech support people who change jobs often."

Previously, ContactWorks had to perform constant updates. Employees would leave the job and take network and application passwords with them, creating security risks. Because PassFaces enables single sign-on across applications, IT can simply strike a user name, accomplished through a couple of keystrokes, to deactivate the account.

"What I like is that the product authenticates the user," Pariseau says. "It doesn't authenticate some word they know, but what's in their head."

Head games

How do you authenticate something in someone's head? It sounds like a sidewalk mind-reading scam. The difference is that this new form of biometrics, dubbed cognitive biometrics, is based on neuroscience. PassFaces, for instance, relies on the fact that the human brain is wired to recognize faces.

Your pattern of recognition can uniquely identify you just as your keystroke rhythm can. Traditional biometric solutions, such as fingerprint or iris scans, have long been considered the most secure type of authentication. The "something you are" factor is much more difficult to fake than something you know or have -- and you can't lose it and don't have to write it down. That's not to say these systems can't be defeated. Hacks are out there, but biometrics is considered vastly more secure than most forms of two-factor authentication.

The drawback has always been cost. While fingerprint scanners are shipping with many laptops, they are by no means ubiquitous. Iris scanning isn't even close to catching on, and pretty much anything requiring new hardware, which includes tokens and smart cards, is frowned upon by cost-sensitive IT departments. Additionally, deployments are difficult, and there is something that can be lost, broken or stolen.

Behavioral and cognitive biometrics avoid these problems. Recognizing faces doesn't require new hardware.

Can you hear me now?

Another start-up, Porticus, measures your voice. The company says this approach provides triple-factor authentication, because it can measure your voice and characteristics of the microphone you commonly use, while also asking you to say a specific known phrase (a vocal password). One allure of this sort of speaker verification is that it neatly links up with the push to expand online banking and commerce beyond the desktop to mobile devices.

As opposed to traditional biometrics, these behavioral, cognitive and voice options have clear advantages. First, the ROI is far better than with traditional biometrics. Each solution leverages existing technology, with no burden on users to acquire hardware. Next, the behavioral changes are minimal. Clicking through faces or memories or speaking or typing a phrase is simple enough that even the most technophobic users can adapt.

Finally, each of these solutions can be reset. This is an often overlooked drawback of other forms of authentication. If the database used to authenticate your iris is compromised, what do you do? If you have a large cut on your finger, will you be recognized?

With behavioral, voice and cognitive biometrics, you can easily change the faces to recognize, the phrase used to identify your voice, the word used for typing or the event you need to remember.

Traditional biometrics bridge physical, online worlds

Still, it's too early to give up on traditional biometrics. Fingerprint recognition has penetrated the market to a certain degree, and the traditional drawback of this form of biometrics -- cost -- is eroding. The cost of fingerprint readers has dropped to the point that they are shipping with inexpensive laptops and add-on USB readers can be purchased for as little as $30.

Another advantage of fingerprint-based authentication is that it smoothly bridges the offline and online worlds. Pay By Touch, a provider of fingerprint-based authentication, gained its early traction in retail settings, using fingerprint authentication as a replacement for debit cards, check-cashing services and as a way to store shopper information without forcing customers to carry around store loyalty cards.

According to Pay By Touch, its authentication service is used by more than 10 million consumers at more than 3,000 retail locations. Most are in Europe and Asia, but several chains in the United States, including Albertsons, Jewel-Osco and Lowes Foods, have started rolling out the service. As consumers get comfortable with this as a means of brick-and-mortar shopping, Pay By Touch intends to extend this to the online world.

Another organization seeking to bridge physical and online authentication is Encentuate, which provides RFID tags that can be affixed to ID badges or other personal devices, such as pagers or mobile phones.

Stamford Hospital, a teaching hospital in Stamford, Conn., with more than 300 inpatient beds and 2,300 employees, turned to Encentuate's RFID tags to help with Health Insurance Portability and Accountability Act compliance, affixing them to employee ID badges. The hospital had invested in RFID for building security, so it wanted to find a way to leverage that investment to provide online authentication.

According to James Hodge, Stamford's director of infrastructure and security services, workstation logons were cumbersome and complex at the hospital. Healthcare professionals relied on public workstations while making rounds and seeing patients.

Timeouts were set at 20 minutes in order to not disrupt patient care. However, people commonly forgot to log themselves out, and when someone else needed to use the workstation, the only way he could access his own data was to reboot the machine.

With the badges, timeouts are short because a quick swipe logs in a user. Stamford also noticed an appreciable ROI. "We based ROI on the fewer number of trouble tickets related to password-change requests," Hodge says. Stamford still has Windows-based user names and passwords, but the RFID tags enable single sign-on, rather than forcing users to have multiple passwords for multiple applications. "We used to average 2,200 reset requests per month. We immediately reduced that number by 30%."

After authentication

For institutions that have achieved basic regulatory compliance, the next security challenge focuses on what happens after the initial authentication. "Too often authentication determines policy," says George Tubin, senior analyst in delivery channels for the TowerGroup. "Risk-based and behavioral monitoring are what should come next. They provide good security, they're not intrusive, and they're not terribly expensive to deploy," he says.

Risk could apply to the device you use to log on, your location or the activities you intend to execute. If something looks unusual or suspicious, an alarm will go off. After that, users may be asked for additional authentication, or their activities could be limited. Fraud detection has been used by credit card companies for years, but it hasn't been widely adopted for e-banking and e-commerce.

"Eventually, authentication will just be the front door," Tubin says. "With behavior and transaction monitoring in place, your activities can be compared against what you normally do and against known fraud signatures." The hope is that even if your identity is compromised, security layers beyond authentication will limit the damage cybercrooks can do.
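To make the step-up policy Tubin describes concrete, here is an added Python example (not TowerGroup's or any vendor's code) that scores a post-login event against a customer's constructed baseline for device, location and activity, then maps the score to allow, step up or restrict; the weights, thresholds and the "new payee" fraud signature are assumptions.

```python
# Added example of risk-based monitoring after login. The profile, weights and
# thresholds are constructed for illustration and are not any vendor's policy.
from dataclasses import dataclass

@dataclass
class Profile:
    """What this customer normally does, learned from past sessions."""
    known_devices: set
    usual_countries: set
    typical_transfer: float      # typical single-transfer amount

@dataclass
class Event:
    """One post-authentication request to score."""
    device_id: str
    country: str
    action: str                  # "view_balance", "transfer", ...
    amount: float = 0.0
    new_payee: bool = False      # payee was added in this same session

def risk_score(profile, event):
    """Return (score, reasons); 0 means the event matches the baseline."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if event.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    if event.action == "transfer":
        if event.amount > 3 * profile.typical_transfer:
            score += 25
            reasons.append("transfer far above typical amount")
        # Constructed fraud signature: drain to a payee added in the same session.
        if event.new_payee and event.amount > profile.typical_transfer:
            score += 20
            reasons.append("transfer to newly added payee")
    return score, reasons

def decide(score):
    """Map a risk score to the three outcomes the article describes."""
    if score >= 60:
        return "restrict"        # limit the activity and alert fraud staff
    if score >= 30:
        return "step_up"         # ask for additional authentication
    return "allow"

# Constructed baseline and sample events.
CUSTOMER = Profile({"laptop-1"}, {"US"}, 200.0)
ROUTINE = Event("laptop-1", "US", "view_balance")
NEW_PHONE = Event("phone-9", "US", "view_balance")
SUSPECT = Event("phone-9", "RO", "transfer", amount=2000.0, new_payee=True)
```

A routine balance check from the usual laptop scores 0 and passes; the same check from an unknown phone triggers step-up authentication, and a large transfer to a just-added payee from an unfamiliar country is restricted even though the front-door login succeeded.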

Vance is a freelance writer. He can be reached at jeff@sandstormmedia.net.

Unomi demo

Who was there? How old were you? What type of food was served? If you answer correctly to this set of questions, you're authenticated. Next, to demonstrate that you're not on a phish site, the bank's authentication software displays a special phrase that you preselected, such as chicken-fried steak or mom's apple pie.

04/09/07