The cocktail test
Fingerprints, handprints, or other direct biological markers aren't necessary for biometrics. For example, “keystroke dynamics” from AdmitOne Security is based on a simple premise that can be tested from a distance.
“When you type, there’s a pattern to how you do it—how long you hold down a key and the interval between pressing one key and going on to press the next,” says Matt Shanahan, the company’s senior vice president of strategy. “You can then create a statistical derivation that will predict how long a person holds down and then moves.”
Originally, AdmitOne Security Sentry, a risk-based authentication solution, was based on keystroke behavior by itself. “But then we realized, what about people with disabilities who may have unusual keystrokes or different people typing for them? What about people with broken hands or temporary employees at a workstation? What if somebody goes home, has several glasses of wine, and then attempts to log in to a secure system?”
That’s why the company added other security measures, such as sending a one-time password to a cell phone to gain access. (The odds of a fraudster having access to a person’s mobile device are slim.)
“Or, we might couple permission to our knowledge of when a person usually logs on and from what device,” Shanahan says. “If the time and source match what we know about that person’s behavior, we can take into account changes in keystrokes brought on by those after-work cocktails.”
Shanahan says the product is nonintrusive and difficult to thwart. “It’s not a silver bullet in terms of solving all access security problems, but it’s close. We’ve tested the system to see if somebody could game it by trying to match the keystroke of another person. We did an experiment where different people typed the same text to the beat of a song. Even then, with keystrokes landing at virtually the same time, there were perceptible differences."
Next: Pattern detection