Knowing the Customer's Type
Companies typically have to choose between strengthening security and providing the user with easy access. There’s at least one increasingly popular example involving online authentication, however, which could be an exception. It involves the analysis of typing patterns. Vendors and satisfied users say it’s secure, accurate, and minimally intrusive.
Joey Rudisill, CIO and IT vice president at First Tech Credit Union, had been looking for an additional online authentication layer for the Beaverton, Oregon-based company for several years. He was initially skeptical of the typing-analysis technology. A demonstration changed his mind.
Rudisill watched the CEO of leading vendor AdmitOne Security, based in Issaquah, Washington, log on with a username, password, and his own typing style. Rudisill tried to mimic the sign-on, failing every time.
The system has also proved reliable in more formal settings. In a test by the Tolly Group, an independent technology testing service, AdmitOne’s solution thwarted 99.2 percent of fraudulent log-ins. The Boca Raton, Florida-based service also found that the technology allowed 98 percent of legitimate attempts.
The credit union began authenticating its online customers with the technology in May 2007. Installation involved integrating an AdmitOne software development kit (SDK) into First Tech’s online banking architecture, which included a First Tech-developed application that authenticated users through personal questions. Company developers found the SDK to be “one of the easiest they’d worked with,” says Rudisill. The credit union’s customers only needed to install an Adobe Flash Player plug-in, which most users already had on their computers, says Rudisill. First Tech’s site offers a download link for users to get the plug-in if they need it.
Installation should be even easier for companies that buy AdmitOne’s Authentication Suite, introduced in April. It lets companies set detailed risk-based policies and also comes with a handful of authenticating technologies, including one-time passwords sent via e-mail or cell phone, personal questions, and secure device signatures. While AdmitOne still offers its SDK, the integrated suite should require less coding work, says Rudisill, who adds that First Tech plans to upgrade to the suite in the coming months.
The keystroke-analysis software relies on a user’s typing rhythm as a signature. To get started, users need to build a usable profile, which requires about 12 log-ins on average, Rudisill says. About 90 percent of online customers currently have usable keystroke profiles, he says.
Before the system’s official rollout, First Tech conducted two pilots. The first, lasting about two months, involved about 100 staff and customers and was mainly about establishing confidence in the solution, says Rudisill. The second phase lasted about four months and mainly involved auditing.
Initially, no restrictions were placed on site access. The company analyzed login failures to adjust the system’s threshold settings, or the number of failures that could still be acceptable. This stage also involved posting basic program information and training material online.
At the end of this phase, Rudisill says, the bank was confident about the accuracy of the typing recognition software, especially its ability to block fraudulent log-ins. Still, he says, the bank wanted to give customers some leeway. Currently, users who fail the typing verification but enter a correct password can still view some basic account information. Any transaction or additional information requires that they correctly answer a personal question, however.
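The enrollment, threshold tuning, and tiered-access steps described above can be sketched as follows. This is an added example, not AdmitOne's or First Tech's code: the z-score comparison, the function names, the timing values, and the handling of users without a usable profile are all assumptions made for illustration.

```python
import math
from statistics import mean, stdev

MIN_ENROLL = 12  # the article cites about 12 log-ins for a usable profile

def build_profile(samples):
    """Per-interval (mean, stdev) of inter-key timings in ms, or None if too few."""
    if len(samples) < MIN_ENROLL:
        return None
    return [(mean(col), max(stdev(col), 1.0)) for col in zip(*samples)]

def rhythm_score(profile, attempt):
    """Mean absolute z-score of an attempt against the profile; lower is closer."""
    if len(attempt) != len(profile):
        return math.inf
    return mean(abs(x - m) / s for (m, s), x in zip(profile, attempt))

def tune_threshold(genuine_scores, accept_rate):
    """Audit phase: smallest threshold that admits accept_rate of known-good log-ins."""
    ranked = sorted(genuine_scores)
    return ranked[math.ceil(accept_rate * len(ranked)) - 1]

def access_tier(password_ok, profile, attempt, threshold, question_ok=False):
    """Tiers described in the article: deny, basic view only, or full access."""
    if not password_ok:
        return "deny"
    if profile is not None and rhythm_score(profile, attempt) <= threshold:
        return "full"
    # Typing check failed (or, as an assumption here, no usable profile yet):
    # a correct personal-question answer is required for anything beyond basics.
    return "full" if question_ok else "basic_view"

# Constructed sample data: inter-key intervals (ms) for one user typing a password.
BASE = [120, 95, 140, 110, 130]
ENROLL_SAMPLES = [[b + ((i * 7 + j * 3) % 11 - 5) for j, b in enumerate(BASE)]
                  for i in range(12)]
PROFILE = build_profile(ENROLL_SAMPLES)
IMPOSTOR = [200, 60, 220, 70, 210]  # same password, different rhythm

if __name__ == "__main__":
    print(access_tier(True, PROFILE, BASE, 2.0))
    print(access_tier(True, PROFILE, IMPOSTOR, 2.0))
    print(access_tier(True, PROFILE, IMPOSTOR, 2.0, question_ok=True))
```

Lowering the threshold blocks more impostors but pushes more legitimate users to the personal-question fallback, which is the trade-off the audit phase was used to settle.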
One challenge to effective keystroke profiling is shared online accounts. First Tech has had a few instances, for example, in which an adequate user profile can’t be established because couples have alternated logging into the same account. First Tech warns against such practices on its Web site.
Many adopters of this technology are financial services firms. That sector is under regulatory pressure to adopt two-factor authentication for online banking and other high-risk transactions. The keystroke profile can serve as one factor, supplementing a user name and password, for example.
About 30 of AdmitOne’s 105 current customers are financial services firms. Other customers include government, healthcare, manufacturing, and law firms.
“The problem with multifactor authentication methods is that they can get expensive—fast,” says Scott Crawford, a research director at Enterprise Management Associates, a Boulder, Colorado-based IT management consulting firm.
One big benefit of the keystroke technology is the low cost, according to AdmitOne. An AdmitOne Enterprise Edition 4.0 one-year subscription costs $19 per user. That’s less than the per-user cost of giving internal employees relatively expensive fingerprint or iris readers; it’s also less expensive than providing customers with tokens that generate one-time passwords.
When used internally, the software can also cut costs associated with helpdesk calls. According to AdmitOne’s figures, which the firm based on a 1,000-seat implementation, extending a password’s life cycle from 30 to 90 days can reduce helpdesk calls by 67 percent, saving $88,200 in the first year. Moving to 180-day cycles can cut first-year expenditures by $110,250. The theory is that the added security of the typing profile makes it safe to let users retain passwords for longer periods. About 30 percent of AdmitOne’s customers use the solution inside their firewall, according to the company.
Rudisill says organizations should give users the option to opt out of the program. Just a small handful of First Tech customers have done so, however.