Telltale Fingertips

By Kathleen Kingsbury

Just got to have that red-hot Gnarls Barkley single before it even hits iTunes? Good luck. Gone are the days when a simple password was all that stood in the way of a best-selling artist's next hit landing in the wrong hands. The music industry has turned to the next generation of online security to thwart cyberthieves--one that may soon extend to other security-sensitive cybertransactions like banking.

For the past six months, to access the newest releases, you have had to supply something perhaps even harder to replicate than your fingerprints: fine motor skills. Your typing speed and the pressure of your fingers on the computer keys are a rhythmic pattern that you repeat every time you type a given word, a pattern nearly impossible for someone else to duplicate.

Keystroke authentication is the newest offering from the field of biometrics--the measurement and analysis of unique physical or behavioral characteristics--and it's accurate 98% of the time. "We've had more than 2 million deliveries without a leak," says John Heaven, CEO of Musicrypt, a Toronto-based digital-rights-management firm that arranges music distribution between record labels and radio stations or the press.

Providing this enhanced level of protection for Musicrypt and its clients is BioPassword Inc., a security-software company based in Issaquah, Wash. Keystroke patterning was first employed by the military a century ago in its use of Morse code, which also allows senders to be identified by their tapping rhythms. In the 1980s, Stanford University scientists applied the technique to computer security. But it was not until BioPassword bought the patents from the school in 2002 that keystroke dynamics found its first commercial use. BioPassword's developers harnessed the technology into portable software and began selling it in 2004 as a backup password-protection authentication method for many online sites. Now more than 30 companies, or about half a million users, have signed on. As BioPassword CEO Mark Upson puts it, "For $1 per user annually, you've got online security that can't be sold, lost or replicated."

BioPassword's best customers so far are banks and credit unions, which are under federal mandate to adopt stronger authentication measures to protect online customers against identity theft and other fraud. To access account information, online banking generally requires a password with a maximum of 10 character points. Biometric IDs have more than 80 distinct data points.

For most financial institutions, the new federal rules mean finding a second method to authenticate a user while ensuring that the new system doesn't disrupt business. Fingerprinting and retinal scanning are options, but both require users to have expensive additional equipment. Some credit unions also considered giving members ID tokens, a popular practice for many banks, but this proved cost prohibitive.

Many banks, fearing the Big Brother aspect of biometrics, have chosen in-depth analysis of customers' online behavior as a backup. Such monitoring can then determine whether a certain customer needs a higher level of security, like a token or an RFID tag. "Some of the most advanced technology we're seeing is those tokens being embedded in something that a consumer is carrying every day, such as a cell phone or credit card," says cybersecurity expert Fran Rosch of VeriSign, a leader in online authentication. "That makes it less likely to be lost." Less likely, but not impossible.

Upson says keystroke authentication's accuracy could soon be applied to verify any Web-based data, like electronic medical records or tax filings. "Even a fingerprint can be altered," he says. "Typing? You probably couldn't change it if you wanted to."