BEAVERTON, Ore. — Authentication technology first used in World War II is now being deployed by First Tech Credit Union at the leading edge of its Internet banking site.
The rhythm of their typing will soon be the determining factor when the 60,000 or so online members of the $1.5 billion CU log on to their accounts.
BioPassword Inc. of Issaquah, Wash., is providing the solution, which was developed directly from technology first used in the 1940s to distinguish keystroke patterns among Morse Code operators.
Over the years Stanford Research Institute further refined the system and patented it, a patent later bought by the company now operating as BioPassword Inc., which is introducing it into the online banking and internal network security arenas.
The system is simple but powerful, according to Jared Pfost, the company's vice president of security and product strategy.
“Your typing rhythm isn't something that can be forgotten or lost. We authenticate the user instead of the device, which makes this different than most of the solutions out there right now,” Pfost says.
Available in Internet or enterprise editions, the system measures the likelihood the person typing is the person who's supposed to be doing the typing and, based on parameters set by the institution, decides whether to allow entry.
Is it foolproof? No. And that's the point.
“You most definitely can fool it,” Pfost says. “Anytime you drastically change your typing behavior, the system won't let you sign. But when people understand that all they have to do is type normally, it's incredibly effective.
“Even a physical-based token can be compromised. Authentication is just a suite of controls to manage risk at an acceptable level.”
Joey Rudisill, First Tech's CIO and vice president of IT, says the solution is an add-on to its existing user name-password logon and is being rolled out in four phases in the next few months.
The first was an internal test with employees, the second was with a small group of members and the third is now a full membership deployment in “silent mode” as the system begins capturing and learning members' typing rhythm before the final phase, when it begins blocking suspect keyboardists.
“We've looked at others who have implemented this in the financial services and other sectors and decided to take a fairly gradual approach, since this technology really is still quite new,” Rudisill says. “We're going to collect data and learn from it so we can make good decisions instead of guesswork, and we'll change things if we have to as we go along.”
Educating members is a big part of the effort.
“Initially we're just going to include a list of FAQs on the site since there'll be a little difference in the appearance of the log-in screen,” Rudisill says. “We'll also provide more information to the more tech-savvy of our membership who want to dig deeper into how all this works.
“We have a large membership base of Microsoft employees and we're really looking forward to seeing their reaction.”
That user base, of course, is fairly mobile and portability is a strong point of the system, says Pfost at BioPassword. Besides the portability of users taking their own keystroke biomechanics to whatever keyboard they're using, the system can allow complementary factors such as challenge questions to authenticate users of mobile devices.
Pfost says the software-based system uses Adobe Flash in the browser so there's no client download and is compatible with Linux, Windows or Mac systems.
The company has about 40 users with about a half-million clients, and uses the re-seller channel to distribute its product. First Tech's implementation was handled by Allied Solutions, a provider of products and services to more than 3,500 credit unions, banks and other financial services.
Allied Solutions' executive vice president, Pete Hilger, says, “BioPassword is already proving itself as a viable two-factor authentication option with the lowest TCO for credit unions.” Pfost says the cost is $1 per member per year.
Of course, hackers never give up and Pfost says he fully expects fraudsters to take aim at beating the biometrics used by his company's log-on protections, just as keyloggers have used their malware to capture and exploit the keystrokes of the unsuspecting.
“But remember, keyloggers today don't log timings, they log key strokes,” the BioPassword security and product strategy executive says.
“Over time, though, we do expect malware to potentially attack biopasswords. We're taking a number of steps to make that more difficult and if and when that happens, we'll gladly enter that arms race, just as hardware authentication has done today.”