It’s not just the password, it’s the rhythm of your typing that identifies you.
By Kevin Davies
January 20, 2010 | From the National Institutes of Health to T-Mobile, Twitter to the White House, almost no organization is immune to security concerns. For life sciences and health care, the problems are particularly troublesome given the need to track data access and comply with regulatory standards.
Yet despite the use of retinal scans, thumbprints, digital certificates and other devices in some more secure environments, the majority of firms still rely on the traditional username and password. That, says Ralph Rodriguez, founder and CEO of Delfigo Security, is a major weakness. And the problem is only getting worse. Last summer, reports surfaced of new malware that allows hackers to piggy-back on users and commit fraud.
Whether you use the same user/password combination for multiple accounts, because you don’t want to remember 40 different passwords, or different combinations, probably keeping a list somewhere handy, the current system won’t suffice. “If your Facebook account is hacked, it would be easy for someone in say eastern Europe to find other things online,” says Rodriguez. “Passwords can be shared, but that also opens up to hacking.”
Whether hardware or software, the challenge is distribution, says Rodriguez. If a company has 500 users, it’s not so difficult. “But what if I have 1 million users? Now I have a massive distribution problem.” And what happens if a new security device comes out—how will you get that into the field?
Rodriguez says his two-year-old company has created a technology based on biometrics that solves both the attribution problem and the distribution problem. “We’re looking at your keyboard dynamics—how you play the piano,” says Rodriguez. “I’m trying to validate that it’s actually you logging in, not the fact you have the correct password. I’m looking at you and your unique muscle memory, your signature.”
The trick is to make the individual’s password adaptive like sound. To demonstrate, Rodriguez raps out seven even taps on the table. Now compare that to a different pattern, say: “tum-tum-te-tum-tum….tum-TUM!” The password is no longer just the simple order of characters, but incorporates information on the force and tempo of the characters as they are entered.
Delfigo provides the opportunity to forego creating some awkward, unmemorable alpha numerical character set. “If you have to write it down, all that money is compromised,” says Rodriguez.
The system allows three things: Are you who you say you are? Where will I allow you to go? What will I allow you to do? “We’ve changed the paradigm,” he says. “Pharma now has intelligence. It can ask how much do I trust you?”
The system calculates a confidence score each time a password is entered. The system might say 78%, in which case it could allow read-only access to certain materials but not editing privileges.
“Here’s the beauty,” says Rodriguez. “You need no software. You already own it—it’s your browser!” Rodriguez explains that the web browser has evolved into “a very sophisticated platform, a massive operating system in effect. Think of it as a 500-MB software running on your machine.”
Using the native Javascript, Delfigo is able to capture three things about the user entering his/her password: the flight time (first key to submit); the key-to-key time; and the time each key is depressed – all with millisecond resolution. “The secret sauce is, because of your pattern of muscle memory, you often hold keys down simultaneously. So we look at that, put it together with algorithms, and score it. I also know your machine ID such as your operating system, time zone, browser, IP address, all these elements. So holistically it creates a profile to score. How much do I believe it’s you?” Another “beauty of the technology is that there is no storage of the user ID or password.”
Fast Track
Delfigo is less than two years old, but Rodriguez, has been researching IT security since 2002. Among the company’s early clients is a major online trading company and Children’s Hospital-Cardiology in Boston, concerned about electronic medical records and securing information, while maintaining HIPAA compliance. The system was introduced in the cardiology department and has been rolling out since then. The IT guy is usually the lead sponsor, but not the initial contact.
The company is also conducting a proof-of-concept with a major (unnamed) pharma. “They all understand the value of the challenge,” says Rodriguez. “But they tend to throw money at the problem, and solve one-moment-in-time’s problem. They use token solutions, they have a contract, it’s easy. They worry about costs.”
But with pharma taking an increasingly globalized view of R&D, how do they know if the right person in Mumbai is logging in? Do they have permission to access results? “That’s where the puck is going, as Wayne Gretzky would say.”
This article also appeared in the January-February 2010 issue of Bio-IT World Magazine.
Subscriptions are free for qualifying individuals. Apply today.