Saturday, July 18, 2009

Who's Typing Your Password?

By watching how passwords are entered, a company hopes to make log-ins more secure.

By Erica Naone

Passwords can be one of the weakest links in online security. Users too often choose one that's easily guessed or poorly protected; even strong passwords may need to be combined with additional measures, such as a smart card or a fingerprint scan, for extra protection.

Credit: Technology Review

Delfigo Security, a startup based in Boston, has a simpler solution to bolstering password security. By looking at how a user types each character and by collecting other subtle clues as to her identity, the company's software creates an additional layer of security without the need for extra equipment or user actions.

The software, called DSGateway, can be combined with an existing authentication process. As a user enters her name and password, JavaScript records her typing pattern along with other information, such as her system configuration and geographic location. When the user clicks "submit," her data is sent to the Web server and, provided that the username and password are correct, the additional information is passed on to Delfigo. The company's system then evaluates how well this information matches the behavior patterns of the appropriate authorized user.

Delfigo's algorithms build up a profile of each user during a short training period, combing 14 different factors. The company's president and CEO, Ralph Rodriguez, developed the necessary algorithms while working as a research fellow at MIT. Rodriguez notes that recording multiple factors is crucial to keeping the system secure without making it unusable. If the user types a password with one hand, for example, while holding coffee in the other, the system must turn to other factors to decide how to interpret the variation, he says. If she does this every morning, the system will learn to expect to see this behavior at that time of day.

The idea that a password should completely succeed or completely fail "is an old paradigm that should go away," says Rodriguez. Even if the system sees something strange about the way that a user enters her password, for example, it just assigns a confidence level to that log-in attempt. Access levels can be configured depending on this confidence level. For example, if a user logs in from an odd location, lowering the system's confidence, it might allow her to see her account balance but restrict the funds that she is able to transfer. If the user needs to increase her confidence factor at that moment, Rodriguez says, she could answer additional security questions or have a one-time password sent to her mobile phone or via e-mail.

Trying to strengthen authentication without forcing users to change their behavior is a promising approach, says Bill Nagel, an analyst at Forrester Research, who covers security and risk management. "People want ease of use without losing any security, and that's a tough balance for a lot of IT departments," he says.

Ben Adida, a fellow at Harvard University's Center for Research on Computation and Society, who studies security and privacy, notes that other companies have tried to find ways to improve authentication without inconveniencing users. Some banks, for example, install a cookie in a user's browser after he answers several security questions correctly. The cookie serves as another identifying token. "That's easier than having a physical token, but it's also not as secure," Adida says, since the attacker could trick the user into giving up the information needed to recreate the cookie..

Adida adds that the strength of Delfigo's product will depend on how hard it is for an attacker to re-create the additional factors that it uses. For example, an attacker may be able to trick a user into typing her username and password into a dummy site, in order to collect keystroke patterns and other information, Adida says.


http://www.technologyreview.com/computing/23008/

No comments:

Post a Comment