Given that cybercrime is growing faster than kudzu in a manure patch, it’s ridiculous that most employees still log on to their corporate networks using a single, easy-to-guess password. Options abound for the second factor in two-factor authentication: smart cards to swipe through a keyboard reader; tokens that generate one-time access codes every minute or two; keychain fobs that plug into a PC’s USB slot; biometric scanners for fingerprints, voiceprints, retinal patterns or facial geometry. These products are becoming more common as their cost declines and, particularly in the case of biometrics, accuracy rates rise. RSA Security, for example, claims 15 million users for its SecurID tokens and fobs.

But a few entrepreneurs have come up with alternative forms of strong authentication, ranging from simple to very complex.

BioPassword www.biopassword.com

BioPassword’s authentication software might be described as quasi-biometric. Upon installing the software, the user types in a sample phrase three times. BioPassword captures the “rhythm” of the user’s typing, and that cadence becomes part of the authentication process. A password thief can’t log in unless he can duplicate the user’s unique typing style. (Refer to the company’s website to see how to deal with employees breaking a finger or other wrinkles.)

Passfaces www.realuser.com

Facial recognition has long been one of the most problematic biometric access methods; computers simply aren’t very good at identifying human faces. People, on the other hand, are very good at it. Passfaces seizes on this concept with what it calls “cognometric” technology. Each user memorizes a set of three to seven pictures of anonymous faces (selected from a library of options). When the user attempts to log in, he is presented with a grid of nine faces, only one of which will be familiar. Pick the right face and he’s in. Obvious downside: an attacker has a 1-in-9 chance of guessing right.
Upside: faces can’t be written on Post-it notes and stuck on monitors.

Swivel www.swiveltechnologies.com

Swivel’s technology is meant to protect Internet transactions. Take online shopping as an example: when a customer establishes an account with a retailer, the retailer issues him a four-digit PIN (typically via snail mail). But to reduce the chance of electronic interception, that PIN is never entered into the PC or transmitted to the server as part of the log-in process. Instead, when the customer attempts to log in, the website generates a one-time string of 10 numbers, and the user applies the PIN to select the numbers in the corresponding positions of that string. For example, if the PIN is 1234, the customer would select the first, second, third and fourth numbers from the 10-digit string.

Pathword www.cryptme.com/e

Swiss company CryptMe’s most basic authentication tool is a unique physical card issued to each user, printed with a grid of random letters and symbols. It’s particularly useful in cases where the user has multiple passwords. The user memorizes a two-letter code and then uses the Pathword card to apply that code to generate up to 15 unique, strong (multiletter, case-sensitive) passwords. Carrying the card relieves the user of having to memorize those passwords, because they can be reconstructed from the two-letter code any time the user wants to log in.

SiVault Systems www.sivault.com
Hewlett-Packard www.hp.com

Hewlett-Packard has, for years, offered a Digital Pen product. SiVault is an HP channel partner in the health-care, financial and retail industries.
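The Swivel-style exchange just described, as an added example written for this article rather than Swivel’s own code: the server issues a random 10-digit security string, the customer applies the four-digit PIN positionally to read off a one-time code, and the server checks that code against its own derivation without the PIN ever crossing the wire. The Server class, the 60-second lifetime of a string, the single-use rule and the treatment of a PIN digit 0 as the tenth position are assumptions of this example, not details from the article.

```python
"""Swivel-style positional-PIN one-time code exchange.

Added illustration, not Swivel's product code. The Server class, the
60-second challenge lifetime and the rule that PIN digit 0 selects the
tenth position are assumptions of this example.
"""
import hmac
import secrets
import time

STRING_LENGTH = 10   # the one-time security string is 10 digits, per the article
PIN_LENGTH = 4       # the PIN is four digits, per the article


def one_time_code(pin, security_string):
    """Apply the PIN positionally: PIN digit d selects the d-th digit (1-based) of
    the security string, so PIN 1234 picks the first four digits. Digit 0 is taken
    to mean the tenth position (assumption of this example)."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError("PIN must be four digits")
    if len(security_string) != STRING_LENGTH or not security_string.isdigit():
        raise ValueError("security string must be ten digits")
    return "".join(security_string[(int(d) - 1) % STRING_LENGTH] for d in pin)


class Server:
    """Issues one security string per login attempt and checks the reply."""

    def __init__(self, pins, lifetime_s=60):
        # user -> PIN. The server must be able to recover the PIN to compute the
        # expected code, so unlike a hashed password it needs encrypted-at-rest storage.
        self._pins = dict(pins)
        self._pending = {}           # user -> (security string, expiry time)
        self._lifetime = lifetime_s

    def challenge(self, user):
        """Generate a fresh random 10-digit security string for this login attempt."""
        if user not in self._pins:
            raise KeyError(user)
        s = "".join(str(secrets.randbelow(10)) for _ in range(STRING_LENGTH))
        self._pending[user] = (s, time.monotonic() + self._lifetime)
        return s

    def verify(self, user, otc):
        """Check the one-time code. The pending string is consumed on any attempt,
        so a captured code cannot be replayed and a guess gets one try per string."""
        pending = self._pending.pop(user, None)
        if pending is None:
            return False
        s, expiry = pending
        if time.monotonic() > expiry:
            return False
        expected = one_time_code(self._pins[user], s)
        return hmac.compare_digest(expected, otc)   # constant-time comparison


if __name__ == "__main__":
    server = Server({"alice": "1234"})       # constructed sample account
    s = server.challenge("alice")
    code = one_time_code("1234", s)          # what the customer reads off the string
    print("string:", s, "code:", code)
    print("first use accepted:", server.verify("alice", code))   # True
    print("replay accepted:", server.verify("alice", code))      # False, string consumed
```

Two design points worth noting: the security string must come from a cryptographic generator and be used exactly once, otherwise an observed string-and-code pair becomes reusable; and because the server needs the PIN in recoverable form to compute the expected code, the PIN store deserves stronger protection than a table of salted password hashes would.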
SiVault recently announced a combination of the pen with HP biometric and authentication technologies such that a physician’s signature can be compared on the fly with stored documents to ensure that the signer is the real McCoy.

Digital Authentication Technologies www.dathq.com

DAT’s seven-factor authentication process incorporates location awareness, physics and “dynamic entropy.” The company does not claim that this is transparent to the end user, and we do not claim to understand how it works, although clearly the only people who can log in are authorized users using authorized applications on authorized machines in authorized locations. At any rate, the first official product, dubbed Trilobite, is due out early this year.
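Returning to BioPassword’s typing-rhythm idea from the top of the article, here is an added example of how such a keystroke-dynamics check can be built. It is not BioPassword’s algorithm, which the article does not describe beyond “three typed samples”; the sample phrase, the timing figures, the inter-key latency feature, the standard-deviation floor and the acceptance threshold are all constructed for this example. The enrolment step builds a per-latency profile from three samples, and verification scores a fresh attempt against it.

```python
"""Keystroke-rhythm enrolment and verification.

Added illustration, not BioPassword's algorithm. Timing figures below are
constructed sample data: key-down times (ms) for each character of PHRASE.
"""
import statistics

PHRASE = "open sesame"          # assumed sample phrase (11 characters -> 10 latencies)
SD_FLOOR_MS = 10.0              # three enrolment samples give a noisy spread; floor it
THRESHOLD = 1.5                 # assumed decision threshold on the mean |z| score


def timestamps_from(latencies):
    """Turn a list of inter-key latencies (ms) into absolute key-down times."""
    times, t = [0], 0
    for gap in latencies:
        t += gap
        times.append(t)
    return times


def features(timestamps):
    """Feature vector: latency between consecutive key-downs, one per character pair."""
    if len(timestamps) != len(PHRASE):
        raise ValueError("expected one key-down time per character of the phrase")
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def enroll(samples):
    """Build a profile (per-feature mean and standard deviation) from several typed samples.
    Re-running this with fresh samples is also the re-enrolment path for a user whose
    rhythm has changed, e.g. after an injury."""
    vectors = [features(s) for s in samples]
    profile = []
    for column in zip(*vectors):
        mean = statistics.fmean(column)
        sd = max(statistics.pstdev(column), SD_FLOOR_MS)
        profile.append((mean, sd))
    return profile


def score(profile, timestamps):
    """Mean absolute z-score of a new attempt against the profile; lower means closer."""
    fv = features(timestamps)
    return sum(abs(v - m) / sd for v, (m, sd) in zip(fv, profile)) / len(profile)


def verify(profile, timestamps, threshold=THRESHOLD):
    """Accept the attempt only if its rhythm is within the threshold of the enrolled
    profile. This runs in addition to, never instead of, checking the typed text."""
    return score(profile, timestamps) <= threshold


# Constructed enrolment data: the same user types PHRASE three times with small jitter.
ENROLMENT = [
    timestamps_from([120, 95, 110, 200, 90, 130, 105, 115, 100, 125]),
    timestamps_from([125, 90, 115, 210, 95, 125, 100, 120, 105, 120]),
    timestamps_from([115, 100, 105, 195, 88, 135, 110, 110, 98, 130]),
]
PROFILE = enroll(ENROLMENT)

# Constructed attempts: the same user again, and someone who knows the phrase
# but types it at an even, unfamiliar pace.
GENUINE = timestamps_from([118, 97, 112, 205, 92, 128, 107, 113, 102, 127])
IMPOSTOR = timestamps_from([150] * 10)

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(f"{name}: score={score(PROFILE, attempt):.2f} accepted={verify(PROFILE, attempt)}")
```

The threshold is the operational knob: tightening it cuts false accepts but raises false rejects, and the “broken finger” case the article mentions is exactly a false reject, which is why a scheme like this needs a re-enrolment or fallback path rather than a hard lockout.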