• United States



Toolbox: Authenticity Matters

Feb 01, 20054 mins
CSO and CISOData and Information Security

Given that cybercrime is growing faster than kudzu in a manure patch, it’s ridiculous that most employees still log on to their corporate networks using a single, easy-to-guess password. Options abound for the second factor in two-factor authentication: Smart cards to swipe into a keyboard reader. Tokens that generate onetime access codes every minute or two. Keychain fobs that plug into a PC’s USB slot. Biometric scanners for fingerprints, voiceprints, retinal patterns or facial geometry. These products are becoming more common as their cost declines and, particularly in the case of biometrics, accuracy rates rise. RSA Security, for example, claims 15 million users for its SecureID tokens and fobs.

But a few entrepreneurs have come up with alternative forms of strong authentication, ranging from simple to very complex.


BioPassword’s authentication software might be described as quasi-biometric. Upon installing the software, the user types in a sample phrase three times. BioPassword captures the “rhythm” of the user’s typing, and that cadence becomes part of the authentication process. A password thief can’t log in, unless he can duplicate the user’s unique typing style. (Refer to the company’s website to see how to deal with employees breaking a finger or other wrinkles.)


Facial recognition has long been one of the most problematic biometric access methods; computers simply aren’t very good at identifying human faces. People, on the other hand, are very good at it. Passfaces seizes on this concept with what it calls “cognometric” technology. Each user memorizes a set of three to seven pictures of anonymous faces (selected from a library of options). When the user attempts to log in, he is presented a grid of nine faces, only one of which will be familiar. Pick the right face and he’s in. Obvious downside: An attacker has a 1-in-9 chance of guessing right. Upside: Faces can’t be written on Post-it notes and stuck on monitors.


Swivel’s technology is meant to protect Internet transactions. Take the setting of online shopping as an example: When a customer establishes an account with a retailer, the retailer issues him a four-digit PIN (typically via snail mail). But to reduce the chance of electronic interception, that PIN is not entered into the PC or transmitted to the server as part of the log-in process. Instead, when the customer attempts to log in, the website generates a onetime string of 10 numbers, and the user applies the PIN to select the numbers in the correct positions in that string. For example, if the PIN is 1234, the customer would select the first, second, third and fourth numbers from the 10-digit string.


Swiss company CryptMe’s most basic authentication tool is a unique physical card issued to each user, with a grid of random letters and symbols. It’s particularly useful in cases where the user has multiple passwords. The user can memorize a two-letter code and then use the Pathword card to apply that code to generate up to 15 unique, strong (multiletter, case-sensitive) passwords. Carrying the card relieves the user of having to memorize those passwords, because they can be reconstructed with the two-letter code anytime the user wants to log in.

SiVault Systems


Hewlett-Packard has, for years, offered a Digital Pen product. SiVault is an HP channel partner in the health-care, financial and retail industries. SiVault recently announced a combination of the pen with HP biometric and authentication technologies such that a physician’s signature can be compared on the fly with stored documents to ensure that the signer is the real McCoy.

Digital Authentication Technologies

DAT’s seven-factor authentication process incorporates location awareness, physics and “dynamic entropy.” The company does not claim that this is transparent to the end user, and we do not claim to understand how it works, although clearly the only people who can log in are authorized users using authorized applications on authorized machines in authorized locations. At any rate the first official product, dubbed Trilobite, is due out early this year.