BioPassword: Two-Factor Authentication The Easy Way

By Daniel Miessler on October 2nd, 2006: Tagged as Authentication | Security | Technology

For anyone those who hasn’t heard about it, there’s a really cool new product out by the name of BioPassword. The product does two-factor authentication in a very unique way. Rather than rely on a token or smart card (something that you need to authenticate and can be lost or broken), the system takes its second factor the user’s typing rhythm.

So the keyboard you type on every day is all that’s needed. Nothing to lose or break. As you type it records how long you spend on each key, how long it takes you to move between keys, etc. It keeps that information in your user template in Active Directory, and when someone tries to log in it compares his/her typing rhythm to that of the template for that user (for both the username and password fields).

Impact

The punchline is that you can pretty much give someone else your username and password and they still won’t be able to login as you. In fact this is precisely what I do for demonstrations of the product; I create a username of my first name and use my email address as my password. I even write them both down on an index card for people to read as they type. I then lay down $50 cash and offer it to the first person to login.

I’ve not yet lost the money.

If you’re into security at all you should check it out. It’s not flawless (yet?), but it’s an incredibly powerful two-factor authentication solution that virtually negates the administrative overhead associated with these solutions. You essentially get two-factor authentication without the added annoyance of managing an authentication server, handling token distribution, or dealing with users that can’t properly use (or keep control of) their tokens/smart cards.

[Note: I'm not affiliated with the company, but I am a security consultant who recommends the solution to clients.]

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

Comments

  • Carl M
    I'm curious if you let them watch you log on first. I'm just wondering how sensitive the software is. I mean, when we keep the same password for an extended time (a big no-no of course) we develop a rhythm for typing both our username and password. If we change our password frequently, the rhythm will be substantially different (though perhaps fairly consistent). Anyway, the software can't be TOO picky since our rhythms are not 100% consistent. So, I'm wondering if someone watching you log on could mimic your rhythm sufficiently well to fool the software.
  • Yes, they watch me log in multiple times, and it's not really copyable. As for the sensitivity, it's a adjustable.
  • Ken
    I have been watching Daniel type for years. I am all really good at picking up on things like that. I could only get a 20 when I tried to log in with his username and password. That being said it was better then most in the room by 10 or better.
blog comments powered by Disqus

Twitter Microblog

twitter_icon      facebook_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives