Charter Bank’s New Encryption Device – the Keyboard

At Charter Bank in Bellevue, WA, multi-factor authentication will soon be as close as a keyboard. The bank is using an application from BioPassword, an Issaquah, WA company, to capture a user’s unique typing rhythm and then use that rhythm to validate his identity the next time he logs in.

With BioPassword running on a Windows server, a user with an existing user name types in his password 10 times. The server learns the unique rhythm of his typing and creates a profile, establishing a strong authentication process without a token or thumbprint reader.

Identifying a user by his rhythm isn’t exactly new, allowed Mark Upson, CEO of BioPassword; in telegraph days operators could tell who was sending messages by Morse code through the individual’s pattern in hitting the telegraph key. Dell has offered BioPassword as a way to control access to individual PCs, and now BioPassword has expanded with protection for users working over the Internet.

Tom Robertson, senior vice president and manager of IT at Charter Bank, learned of BioPassword from a third-party IT audit firm, even though the authentication provider’s headquarters is just a few miles away from the bank. He is planning to roll it out internally and then make it available as authentication for Internet banking users once BioPassword rolls out its software developer kit (SDK).

In 19 years of working on bank networks for Fiserv, Robertson got to see many of the shortcomings that passwords present in providing strong security. Users who needed multiple passwords to log into different programs would store them on slips of paper in a desk drawer and routinely shared them with colleagues in order to get their work done.

“There’s no way to keep people from doing that,” said Robertson. “We wanted robust, two-factor authentication that doesn’t let people share passwords, doesn’t require tokens, and integrates with Microsoft Active Directory.”

Charter has run BioPassword in a pilot, which persuaded Robertson that it would be a solution for the bank.

“It works wonderfully with our Windows-based network. It’s a really neat technology and made a lot of sense,” Robertson said. “We didn’t want to deal with any additional hardware; we didn’t want a token or a thumbprint reader. With BioPassword, you can go to any device and log in – all you need is a keyboard.”

BioPassword sits on top of the bank’s existing infrastructure to record keystrokes and permit or deny access to the systems it is linked to. Users can be set up on the system by typing in their password 10 times in a row, or the system can be set on silent mode where it tracks nine log-ins to register their typing rhythm. It has no impact on latency or storage, said Upson. And if someone figures out your password, you’re still safe, because they won’t be able to match your typing pattern.

Robertson admits he was skeptical about the technology, which BioPassword has licensed from SRI, formerly Stanford Research Institute.

“Give me a break – this can’t possibly work,” he recalled thinking. “But my system admin and I sat down and on the same computer did your 10 sign-ins.” They typed normally and they typed while holding a pen in a typing hand. With their template built, they tried logging in. No problem.

Then they watched each other type and tried to copy the typing rhythm and break into the other’s account. No luck.

“It was truly amazing,” Robertson said. “They keep scores on how close you get, and you can change the levels of sensitivity, so you can make it tougher for system admins, or lower it for people who have trouble typing, or require a higher score for a larger transaction than a small one.”
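A sketch of how enrollment, scoring and adjustable sensitivity can fit together, added here as an example; it is not BioPassword's algorithm, which the article does not describe. The timing features (key-hold and between-key intervals), the scaled-distance score, the threshold names and values, and all sample timings are assumptions.

```python
from statistics import mean

ENROLL_COUNT = 10          # the article: the password is typed 10 times
MIN_SPREAD_MS = 5.0        # assumed floor so a very steady typist is not over-penalised
# Assumed sensitivity levels (minimum score); the article says only that levels are adjustable.
THRESHOLDS = {"relaxed": 40.0, "standard": 55.0, "strict": 70.0}

def enroll(samples):
    """Build a template (per-interval mean and spread) from the enrollment entries."""
    if len(samples) != ENROLL_COUNT:
        raise ValueError(f"need {ENROLL_COUNT} samples, got {len(samples)}")
    if len({len(s) for s in samples}) != 1:
        raise ValueError("every sample must cover the same keystrokes")
    template = []
    for column in zip(*samples):
        mu = mean(column)
        spread = max(mean(abs(x - mu) for x in column), MIN_SPREAD_MS)
        template.append((mu, spread))
    return template

def score(template, attempt):
    """0-100 closeness score from a scaled Manhattan distance (100 = on the mean)."""
    if len(attempt) != len(template):
        return 0.0
    distance = mean(abs(x - mu) / spread for x, (mu, spread) in zip(attempt, template))
    return 100.0 / (1.0 + distance)

def authenticate(template, attempt, password_ok, level="standard"):
    """Both factors must pass: the right password and a matching rhythm."""
    return password_ok and score(template, attempt) >= THRESHOLDS[level]

# Constructed timings in ms (hold, gap, hold, gap, ...) for a 4-key password.
BASE = [95, 140, 80, 210, 110, 160, 90]
JITTER = [-6, 4, -2, 7, 0, -5, 3, -3, 6, -4]
OWNER_SAMPLES = [[t + j * (1 if i % 2 else -1) for i, t in enumerate(BASE)] for j in JITTER]
TEMPLATE = enroll(OWNER_SAMPLES)
OWNER_LOGIN = [98, 136, 83, 204, 112, 157, 92]
IMPOSTOR_LOGIN = [130, 95, 120, 150, 70, 230, 125]   # same password, different rhythm
```

With these constructed timings the owner's login clears the standard level but not the strict one, which is the trade-off a raised sensitivity setting carries: fewer false accepts at the cost of more rejected genuine attempts.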

Charter Bank receives 80 percent of its revenues from business banking, and most of its retail business is with people who own those businesses or work at them. The bank plans to use BioPassword to provide secure Internet banking access and single sign-on for its business customers. Other than its Fiserv ITI core banking system, Charter takes a modular, best-of-breed approach to its technology, using AFS for check imaging and Fundtech for wire transfers. Its customers want access to cash balances, images of checks and deposits, and information about the status of ACH payments.

“They want to do their own check research, and we have a browser front-end interface to our wire system,” Robertson said. “We provide a single sign-on for our clients to reach all the products we offer.”

Requiring them to remember a password for each product would be poor business. But since BioPassword has a software development kit that any vendor can write to, Robertson plans to develop interfaces to all the products they need to access.

Charter Bank isn’t the only one whose interest was piqued by BioPassword technology. The World Bank uses BioPassword to control access for users in Washington and around the world.

“The mission of the World Bank is global and we needed the ability to authenticate VPN users accessing our network from remote locations in the US and other countries in the world,” said Jim Nelms, chief security officer at the World Bank. “As a software-only solution, BioPassword provided us with strong authentication for point solutions as well as the ability to integrate with the institutional PKI. In addition, since there is no addition to ship, install, train, maintain or replace, the total cost of ownership (TCO) remains very low when compared with hardware-based solutions.”

Upson sees a growing market for BioPassword, including Tablet PCs and SmartPhones. It could also be used to maintain authentication during instant messaging, he added. The engine could be used to identify unauthorized users on a machine and challenge them to enter a password with the typing pattern of the registered user. He also expects a market in health care, and perhaps in digital rights management.

www.charterbankwa.com

  • About the Author

    Renee Wijnen Caruthers is the Editor of Windows in Financial Services Magazine.

    Copyright © 2011 Windows in Financial Services. All rights reserved.