BioPassword: Two-Factor Authentication The Easy Way

For anyone who hasn’t heard about it, there’s a really cool new product out by the name of BioPassword. The product does two-factor authentication in a very unique way. Rather than rely on a token or smart card (something that you need to authenticate and can be lost or broken), the system takes as its second factor the user’s typing rhythm.

So the keyboard you type on every day is all that’s needed. Nothing to lose or break. As you type, it records how long you spend on each key, how long it takes you to move between keys, etc. It keeps that information in your user template in Active Directory, and when someone tries to log in it compares his/her typing rhythm to that of the template for that user (for both the username and password fields).
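To make the idea concrete, here is an added sketch (not BioPassword's code or algorithm) that builds a template from dwell and flight times and scores a login attempt with a scaled Manhattan distance, a measure commonly used in keystroke-dynamics research. The function names, the 3.0 threshold and all timings are assumptions constructed for illustration, and only one field is compared.

```python
from statistics import mean

def typed(text, dwells, flights):
    """Build constructed sample events: (key, press_ms, release_ms)."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell (hold time per key) followed by flight (release to next press)."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature (mean, mean absolute deviation)."""
    template = []
    for column in zip(*(features(s) for s in samples)):
        m = mean(column)
        spread = mean(abs(x - m) for x in column)
        template.append((m, max(spread, 1.0)))  # floor avoids division by zero
    return template

def score(template, attempt):
    """Scaled Manhattan distance averaged over features; lower is closer."""
    vec = features(attempt)
    if len(vec) != len(template):
        return float("inf")  # a different string was typed
    return mean(abs(x - m) / d for x, (m, d) in zip(vec, template))

def verify(template, attempt, threshold=3.0):  # threshold is an assumed value
    return score(template, attempt) <= threshold

# Constructed timings (ms) for the string "pass"; not real measurements.
TEMPLATE = enroll([
    typed("pass", [90, 110, 80, 100], [60, 140, 50]),
    typed("pass", [95, 105, 85, 95], [65, 130, 55]),
    typed("pass", [85, 115, 75, 105], [55, 150, 45]),
])
OWNER = typed("pass", [92, 108, 82, 98], [62, 136, 52])
IMPOSTOR = typed("pass", [140, 70, 130, 60], [150, 40, 160])

if __name__ == "__main__":
    print("owner   ", round(score(TEMPLATE, OWNER), 2), verify(TEMPLATE, OWNER))
    print("impostor", round(score(TEMPLATE, IMPOSTOR), 2), verify(TEMPLATE, IMPOSTOR))
```

Both attempts type the correct string; only the rhythm differs, which is why the second one is rejected.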

Impact

The punchline is that you can pretty much give someone else your username and password and they still won’t be able to log in as you. In fact this is precisely what I do for demonstrations of the product; I create a username of my first name and use my email address as my password. I even write them both down on an index card for people to read as they type. I then lay down $50 cash and offer it to the first person to log in.

I’ve not yet lost the money.

If you’re into security at all you should check it out. It’s not flawless (yet?), but it’s an incredibly powerful two-factor authentication solution that virtually negates the administrative overhead associated with these solutions. You essentially get two-factor authentication without the added annoyance of managing an authentication server, handling token distribution, or dealing with users that can’t properly use (or keep control of) their tokens/smart cards.

[Note: I’m not affiliated with the company, but I am a security consultant who recommends the solution to clients.]
