It has been something of a consensus view among security folks for a few years now that passwords, as we know and love them, have mostly outlived their usefulness as a means of authenticating a user. Certainly, the technology landscape is quite different from that of the early days of computing, when there were no networks, and passwords had to be typed on a keyboard. Back then, the original UNIX method of encrypting the password on entry, and storing only the encrypted form, gave pretty reasonable security. Now, with automated attacks available, and computing power cheap enough to pre-compute a large dictionary of encrypted passwords, things are not so secure.
Various approaches to making passwords work better have been tried:
- Getting users to select “good” passwords, by exhortation or by force.
- Adding a second identification method, such as a smart card.
- Forcing regular password changes.
- Incorporating biometric authentication.
None of these has proved entirely satisfactory, although the second method is an improvement; it incorporates something you know (the password) and something you have (the card). Biometrics (something you are, the third element of the security trinity) are not as useful as you might think, except in controlled environments. The problem is that, for a remote or networked user, what you are actually verifying is the digital representation of a fingerprint (for example), and not the fingerprint itself.
The Technology Review, published by MIT, has a report by Erica Naone on a somewhat different approach being tested by a Boston start-up, Delfigo Security. Their idea uses passwords, together with a profile compiled for each user, to come up with (in essence) an estimate of the probability you are who you say you are.
By looking at how a user types each character and by collecting other subtle clues as to her identity, the company’s software creates an additional layer of security without the need for extra equipment or user actions.
The use of typing patterns (e.g., delay between keystrokes, patterns for particular letters or groups of letters) is interesting. The idea of the approach is not new; intelligence services in WW II, for example, were often quite successful at identifying radio operators sending Morse code by their “fists” — the timing pattern of dots and dashes, and other keying habits.
The system also incorporates other information, such as the user’s geographic location, terminal or PC type, and usual schedule, into its estimate of probability. This is actually an approach that to some extent echoes the traditional, low-tech way of verifying identity: the only person likely to fit many aspects of a particular person’s profile is the person himself.
The use of a probabilistic estimate is also interesting, and I think quite sensible. I am much less concerned with someone impersonating me to read the New York Times than I am with someone impersonating me to access my bank account. One might allow the first kind of access if one were, say, 90% sure of the user’s identity; the second kind of access would probably require a significantly higher probability. (Something along these lines is already done by some Web sites. Yahoo!, for example, is happy to keep me logged in to see my main news summary page for quite a while, but it requires entry of my password to get to my account settings, for example.)
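To make the preceding three points concrete (typing rhythm as evidence, context signals folded into one probability estimate, and a per-resource threshold on that estimate), here is a small scorer written for this post. It is an added example, not Delfigo's software and not code from the Technology Review report. The enrollment latencies, the context profile, the evidence weights, the per-digraph similarity rule (one standard deviation of drift costs a third of the credit, three or more score zero) and the thresholds of 0.90 for news and 0.99 for the bank are all constructed assumptions chosen to keep the arithmetic checkable by hand.

```python
"""Toy risk-based authentication scorer (added example; all values constructed)."""
from statistics import mean, pstdev

# Constructed enrollment data: inter-key latencies (ms) for each digraph of a
# passphrase, recorded over four typing sessions of the genuine user.
ENROLLMENT = {
    ("p", "a"): [120, 130, 120, 130],
    ("a", "s"): [90, 110, 90, 110],
    ("s", "s"): [140, 160, 140, 160],
}

# Constructed context profile: where, on what, and when the user usually logs in.
CONTEXT_PROFILE = {
    "locations": {"Boston", "Cambridge"},
    "devices": {"laptop-01"},
    "hours": range(7, 23),  # usual activity window, 07:00-22:59
}

# Assumed relative weights of the evidence sources (integers, so the
# normalised confidence is an exact fraction of their total).
WEIGHTS = {"keystroke": 7, "location": 1, "device": 1, "schedule": 1}

# Assumed per-resource thresholds: "90% sure" for low-value access,
# a much higher bar for the bank account.
THRESHOLDS = {"news": 0.90, "bank": 0.99}


def build_profile(samples):
    """Mean and population std-dev of latency per digraph. The std-dev is
    floored at 5 ms so a very consistent typist's normal jitter is not
    mistaken for an impostor."""
    return {dg: (mean(v), max(pstdev(v), 5.0)) for dg, v in samples.items()}


def keystroke_score(profile, attempt):
    """Average per-digraph similarity in [0, 1]: a latency at the enrolled
    mean scores 1, each sigma of drift costs a third, 3 sigma or more scores 0.
    Digraphs not in the profile are ignored; with no overlap there is no
    evidence at all, so the score is 0."""
    scores = []
    for dg, latency in attempt.items():
        if dg not in profile:
            continue
        mu, sigma = profile[dg]
        z = abs(latency - mu) / sigma
        scores.append(max(0.0, 1.0 - z / 3.0))
    return sum(scores) / len(scores) if scores else 0.0


def context_score(ctx_profile, ctx):
    """One binary match per context signal (location, device, time of day)."""
    return {
        "location": 1.0 if ctx["location"] in ctx_profile["locations"] else 0.0,
        "device": 1.0 if ctx["device"] in ctx_profile["devices"] else 0.0,
        "schedule": 1.0 if ctx["hour"] in ctx_profile["hours"] else 0.0,
    }


def confidence(profile, ctx_profile, attempt, ctx):
    """Weighted average of all evidence; 1.0 means every signal matched."""
    parts = context_score(ctx_profile, ctx)
    parts["keystroke"] = keystroke_score(profile, attempt)
    total = sum(WEIGHTS.values())
    return sum(WEIGHTS[k] * parts[k] for k in WEIGHTS) / total


def decide(resource, conf):
    """The password itself has already been checked before this point; this
    only decides whether the session is trusted enough for the resource or
    must step up (re-enter the password, present a second factor, ...)."""
    return "allow" if conf >= THRESHOLDS[resource] else "step-up"


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    usual = {"location": "Boston", "device": "laptop-01", "hour": 9}
    travelling = {"location": "Denver", "device": "laptop-01", "hour": 9}
    own_rhythm = {("p", "a"): 125, ("a", "s"): 100, ("s", "s"): 150}
    # Correct password typed by someone else: every digraph 3 sigma off.
    other_rhythm = {("p", "a"): 140, ("a", "s"): 130, ("s", "s"): 120}
    for label, attempt, ctx in [("at home", own_rhythm, usual),
                                ("on the road", own_rhythm, travelling),
                                ("impostor on own PC", other_rhythm, usual)]:
        c = confidence(profile, CONTEXT_PROFILE, attempt, ctx)
        print(f"{label:20s} confidence={c:.2f} "
              f"news={decide('news', c)} bank={decide('bank', c)}")
```

Run as a script, the three scenarios show the policy the paragraph describes: the genuine user at home scores 1.0 and gets both resources; the same user typing at the usual rhythm from an unfamiliar city drops to 0.9, enough for the news page but not for the bank; someone with the right password but a different typing rhythm scores 0.3 even on the user's own PC and is sent to step-up for both. The weights are the part a real deployment would tune from data rather than pick by hand.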
As with most security methods, to a considerable extent the devil is in the details. And, no matter how well the technique works, it will not protect users against things like keystroke loggers or phony “phishing” Web sites. It is good, though, to see someone taking a fresh look at the problem.