Commerce: February 2008 Archives
The February 2008 issue of Baseline Magazine has an article entitled "The Rhythm of Identity Management". It doesn't appear to be online as I write this, but you can find another article about it here on Dark Reading: "Credit Union Authenticates 'Bio-Rhythms'". The concept is simple. Different people have different patterns (cadence) to how they type. These don't have to be unique, they just have to be identifiable and unpredictable (given anything else you know about someone). The concept was used in WWII to identify enemy troop movements by tracking the movements of the telegraph operators (as identified by their typing patterns).
A company named BioPassword is now selling this as a security mechanism, fulfilling the "what you are" leg of security. That's good news for banks, because they are supposed to provide "dual-factor" authentication, and this gives them a way of doing that without requiring the customer to own some piece of hardware which either won't work with their computer, or will get lost along with their TV remote.
Unfortunately, along with trivia about your second cousin once removed, and other odd security mechanisms, this lip-service to "dual-factor" isn't providing any additional security at all.
Here is my letter to Baseline's editors:
I find it ironic that in the same issue where TJX is taken to task for putting costs before security, Forum Credit Union makes the very same choice.
The traditional legs of security are "something you know," "something you have," and "something you are," but it turns out that's not quite enough: the three legs must also be independent of one another, and none of them may overlap. Going with typing cadence as a security mechanism adds the "something you are" leg, but what works in a corporate environment does not necessarily apply when your user is on an unsecured computer in their home. You have to assume that any information entered onto the remote computer is potentially available to a hacker. When that is the case, any non-changing information can be trivially abused, and the whole reason cadence analysis works is because it doesn't change. In essence, "something you know" has become "something your computer can know", and in that context, typing cadence is just another static password.
If the hacker is able to obtain the user's name and password by sniffing keystrokes, then obtaining the timing of those keystrokes is a trivial addition. BioPassword's solution is simply a Flash-based plugin that gathers the typing information. It has no security hooks in the operating system to ensure that nobody else is listening to, or simulating, the input stream. (In any case, it's unclear that such checks would be sufficient on a compromised machine.) A remote hacker can record the timing and then just play the keystrokes back on their own machine, even introducing artificial jiggle should it be necessary.
The reason most USB tokens and key fobs are secure is that they generate one-time passwords synchronized (on a per-device basis) with a server in the back office. The hacker can get the password, but it's only good for a single use within a 60-second time span.
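To make the contrast between the two paragraphs above concrete, here is an added example (my own illustration, not BioPassword's code and not anything from the Baseline article). It models a cadence checker as a per-interval mean/standard-deviation template built from constructed enrollment samples; that simple matcher is an assumption, since the vendor's real algorithm is not described. Beside it is an HOTP/TOTP generator written to RFC 4226/6238 (the constructed `RFC_SECRET` is the published test secret from those RFCs). The point it shows: a captured timing vector is accepted again no matter when it is presented, because the template never changes, whereas a captured time-based code stops verifying once its 30-second step has passed.

```python
import hmac
import hashlib
import statistics
import struct

# Constructed enrollment data: inter-keystroke intervals in milliseconds for one
# user typing the same 8-character password three times (7 intervals each).
ENROLLED_SAMPLES = [
    [120, 95, 140, 110, 130, 100, 115],
    [125, 90, 135, 115, 128, 105, 118],
    [118, 98, 142, 108, 132, 102, 112],
]

# Test secret from RFC 4226 / RFC 6238 (assumption: a stand-in for a real fob's seed).
RFC_SECRET = b"12345678901234567890"


def build_profile(samples):
    """Store the template a cadence checker keeps: per-interval mean and std-dev."""
    n = len(samples[0])
    columns = [[s[i] for s in samples] for i in range(n)]
    means = [statistics.mean(col) for col in columns]
    # Floor the deviation at 1 ms so a perfectly consistent interval cannot divide by zero.
    stdevs = [max(statistics.pstdev(col), 1.0) for col in columns]
    return means, stdevs


def cadence_matches(profile, attempt, z_max=2.0):
    """Accept if every interval of the attempt lies within z_max std-devs of the template."""
    means, stdevs = profile
    if len(attempt) != len(means):
        return False
    return all(abs(a - m) / sd <= z_max for a, m, sd in zip(attempt, means, stdevs))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time // step), digits)


def totp_verify(secret, code, at_time, step=30, digits=6):
    """Server-side check for a single step (real servers usually allow a step of skew)."""
    return hmac.compare_digest(totp(secret, at_time, step, digits), code)


def demonstrate():
    """Compare what a captured credential is worth later under each scheme."""
    profile = build_profile(ENROLLED_SAMPLES)
    # Constructed: the timings of one genuine login, exactly as a keylogger on the
    # customer's PC would see them alongside the password itself.
    captured = [121, 96, 139, 111, 131, 101, 116]
    other_typist = [200, 180, 210, 190, 205, 185, 195]  # constructed: a different person
    return {
        # The template is static, so the same vector verifies at any later time.
        "genuine_cadence_accepted": cadence_matches(profile, captured),
        "replayed_cadence_accepted": cadence_matches(profile, list(captured)),
        "other_typist_accepted": cadence_matches(profile, other_typist),
        # The OTP captured at t=59 s (step 1) is dead by t=125 s (step 4).
        "otp_captured_at_59": totp(RFC_SECRET, 59, digits=8),
        "otp_accepted_at_59": totp_verify(RFC_SECRET, "94287082", 59, digits=8),
        "otp_accepted_at_125": totp_verify(RFC_SECRET, "94287082", 125, digits=8),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The cadence matcher correctly rejects the other typist, which is all a vendor demo would show; the line that matters for a home user is `replayed_cadence_accepted`, which is just the same function called again with the same recorded vector. A deployment can tighten `z_max` or add more features, but nothing in the template expires, so the comparison with the TOTP result does not change.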
BioPassword sounds like a reasonable solution in a corporate environment, where machines are kept secure. In the outside world, it is secure only so long as it remains obscure.
I believe Forum Credit Union would do well to reconsider whether $20 is really too much money to spend truly securing a customer's bank account.
Kee Hinckley
CEO/CTO Somewhere, Inc.
