By Orr Hirschauge
TEL AVIV--As new advances in password security struggle to keep
pace with cybercriminals trying to crack them, a new industry of
"post-password" products is making inroads.
Its promise is to add a layer of security to the traditional
username-password combination, or replace it completely.
It is sorely needed. Cybercrime is rampant and even the smartest
passwords can be vulnerable to attack. A string of high-profile
cyber breaches into the data servers of retailers such as Target
Corp., eBay Inc. and others show that vendors who store user
passwords can also be exposed.
According to consultancy company Risk Based Security, in 2013
alone over 800 million individual records around the world were
exposed through information security breaches in 2,000 reported
incidents. The cost of cybercrime for the global economy has been
estimated at $445 billion annually, according to a report by
Internet security company McAfee.
Tech companies have, with mixed success, used eye scans,
fingerprints, and voice recognition for mass-market devices. But
more sophisticated methods for identifying bona fide users are also
emerging.
Sweden-based Behaviometrics AB, also called Behaviosec, makes
software that takes note of how the intended user of a device
manipulates it--how the user typically types, swipes and pinches
the screen. It measures the pressure the user typically applies and the
millisecond-scale pauses between particular keystrokes. It also records
the angle at which the user usually holds the device.
Any deviation from this "cognitive footprint" can set off an
alarm and block access to the account. Denmark's largest bank,
Danske Bank A/S, is currently using the technology. Other banks in
the Nordics are also using the technology, Behaviosec says.
"What we can do is determine just how likely it is that a given
user is the same as the one the system already learned to
recognize," says Neil Costigan, Chief Executive of BehavioSec.
BehavioSec started out as a spinoff from Lulea Technical
University in the north of Sweden near Lapland. It is the only
non-American company funded as part of the U.S. Defense Advanced
Research Projects Agency's (DARPA) Active Authentication program--a
research project aimed at finding new user authentication
technologies.
Studied in academic and military research circles for decades,
so-called cognitive biometrics or behavioral authentication is only
now making its way into mainstream use. Advances in research are
just one explanation. Sheer exasperation with remembering dozens of
passwords is another.
Password vulnerability is also a factor. Trojan horse malware that
users unwittingly download can capture even the most complex password
as it is typed; a password's strength is no defense against a keylogger.
"There is a feeling of despair that goes along with the
username-password system," says Nimrod Kozlovski, a partner in
Israel-based venture fund Jerusalem Venture Partners and co-manager
of the fund's cybersecurity startup incubator. "Stated plainly, a
password is a weak security mechanism, no matter how strong the
password itself is."
Behavioral authentication has some significant advantages over
biometric technologies like eye and fingerprint scanning. It
doesn't require users to stop what they are doing and complete a
test like putting their finger on a device's scanner. It can also
supply continuous authentication, constantly checking if authorized
users are still the ones using the device after a successful
login.
But behavioral authentication technologies are still relatively
young, and are currently regarded mainly as an additional layer of
security on top of the username-password combination rather than a
replacement. They face some of the same problems as voice recognition,
where a user's environment can affect the signal being measured. Just
as a noisy train station can make voice recognition difficult, a bumpy
train ride can make a user's keystroke rhythm harder to recognize.
Elsewhere, Israel-based BioCatch Inc. employs neuroscience,
machine-learning and motor-control researchers to map how individuals
interact with computers and mobile devices.
"We've used hundreds of different parameters trying to see if we
can come up with a list of parameters in which each of the subjects
is both consistent and distinct," says Uri Rivner, vice president
of business development and cyber strategy at BioCatch.
Florida-based Authenware Corp. offers a product that records the
rhythm of each keystroke when a user types a username or password on
any device. It uses the user's dwell time (how long each key is held
down) and flight time (the gap between releasing one key and pressing
the next) to decide whether the person attempting to log in is the
enrolled user, and blocks access if it determines that someone else is
trying to log in.
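The keystroke-timing approach described for Authenware, and the "deviation from the learned footprint raises an alarm" logic described for BehavioSec above, can be illustrated with a small worked example. The code below is an added illustration and is not code from Authenware, BehavioSec or any vendor named on this page; the password "secret", every timing value (in milliseconds), the 5 ms spread floor and the accept/reject thresholds are constructed assumptions. It enrols a profile from five typed samples (the number Authenware's COO cites), scores later attempts by how far their dwell and flight times sit from the profile, and returns a three-way decision so that a genuine user typing on a bumpy train is sent to step-up authentication rather than blocked outright, matching the article's point that the technology is deployed as an extra layer rather than a replacement.

```python
"""Keystroke-dynamics verification: enrol from a handful of typed samples,
then score later attempts on dwell time (key held) and flight time (gap
between keys). Added illustration, not any vendor's code; all timings are
constructed, in milliseconds, for the hypothetical password "secret"."""
from statistics import mean, pstdev

PASSWORD = "secret"
SIGMA_FLOOR_MS = 5.0  # assumption: never trust a per-feature spread tighter than 5 ms


def make_events(keys, dwells, flights, t0=0):
    """Build (key, keydown_ms, keyup_ms) events from per-key dwell and inter-key flight times."""
    events, t = [], t0
    for i, key in enumerate(keys):
        down, up = t, t + dwells[i]
        events.append((key, down, up))
        if i < len(keys) - 1:
            t = up + flights[i]
    return events


def features(events):
    """Dwell time of every key, then flight time between consecutive keys (2n-1 values)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Per-feature mean and spread learned from the enrolment samples."""
    vecs = [features(s) for s in samples]
    if len({len(v) for v in vecs}) != 1:
        raise ValueError("enrolment samples must type the same secret")
    n = len(vecs[0])
    mu = [mean([v[i] for v in vecs]) for i in range(n)]
    sigma = [max(pstdev([v[i] for v in vecs]), SIGMA_FLOOR_MS) for i in range(n)]
    return {"mu": mu, "sigma": sigma}


def score(profile, events):
    """Mean absolute z-score of an attempt against the profile; 0 is a perfect match."""
    v = features(events)
    if len(v) != len(profile["mu"]):
        raise ValueError("attempt does not match the enrolled secret length")
    return mean([abs(x - m) / s for x, m, s in zip(v, profile["mu"], profile["sigma"])])


def decide(profile, events, accept_below=2.0, reject_above=7.0):
    """Three-way decision: a rhythm that is off but not wildly so (the bumpy
    train ride) triggers step-up authentication instead of a hard block."""
    s = score(profile, events)
    if s < accept_below:
        return "accept"
    if s > reject_above:
        return "reject"
    return "step_up"


KEYS = list(PASSWORD)
# Constructed: the same person typing "secret" five times at enrolment.
ENROLMENT_SAMPLES = [
    make_events(KEYS, [95, 80, 110, 85, 90, 100], [120, 60, 140, 90, 130]),
    make_events(KEYS, [98, 78, 112, 83, 92, 97], [125, 58, 136, 94, 128]),
    make_events(KEYS, [92, 84, 108, 88, 88, 103], [118, 63, 143, 87, 133]),
    make_events(KEYS, [96, 81, 113, 86, 91, 99], [122, 61, 138, 92, 129]),
    make_events(KEYS, [94, 79, 109, 84, 89, 101], [119, 59, 141, 89, 131]),
]
PROFILE = enroll(ENROLMENT_SAMPLES)
# Constructed attempts: all three type the correct password.
GENUINE_ATTEMPT = make_events(KEYS, [97, 82, 111, 86, 90, 102], [121, 62, 139, 91, 130])
IMPOSTOR_ATTEMPT = make_events(KEYS, [140, 150, 130, 145, 160, 150], [300, 250, 320, 280, 310])
BUMPY_ATTEMPT = make_events(KEYS, [120, 60, 135, 110, 70, 125], [160, 90, 110, 130, 170])

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT), ("bumpy", BUMPY_ATTEMPT)]:
        print(f"{name:9s} score={score(PROFILE, attempt):6.2f} -> {decide(PROFILE, attempt)}")
```

The thresholds are the tunable part in practice: lowering `accept_below` rejects more impostors at the cost of more step-up prompts for legitimate users, which is the reliability trade-off the article describes.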
The company lets its own employees log into some of its systems
by tapping their favorite tune on a touch screen. The technology,
targeted toward mobile device use, would require a hacker to steal
the user's phone, know the intended tune, the portion of it the
user taps, and use the same unique rhythm performed by the original
user.
"We need the user to type in their username and password or tap
their chosen tune five times. After that we'll be able to identify
any attempt to log onto the account made by anyone else, 99.8% of
the time," says Judy Banks, Authenware's chief operating
officer.
Because they are less reliable when a user's circumstances differ from
normal, behavioral authentication technologies cannot yet replace
passwords altogether. Their impact is already being felt, however: for
many users they are already replacing other second factors such as
hardware security tokens, and their adoption is expected to keep growing
over the next few years.
Write to Orr Hirschauge at Orr.Hirschauge@wsj.com