Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Passwords can be one of the weakest links in online security. Users too often choose one that’s easily guessed or poorly protected; even strong passwords may need to be combined with additional measures, such as a smart card or a fingerprint scan, for extra protection.

Delfigo Security, a startup based in Boston, has a simpler solution to bolstering password security. By looking at how a user types each character and by collecting other subtle clues as to her identity, the company’s software creates an additional layer of security without the need for extra equipment or user actions.

The software, called DSGateway, can be combined with an existing authentication process. As a user enters her name and password, JavaScript records her typing pattern along with other information, such as her system configuration and geographic location. When the user clicks “submit,” her data is sent to the Web server and, provided that the username and password are correct, the additional information is passed on to Delfigo. The company’s system then evaluates how well this information matches the behavior patterns of the appropriate authorized user.

Delfigo’s algorithms build up a profile of each user during a short training period, combing 14 different factors. The company’s president and CEO, Ralph Rodriguez, developed the necessary algorithms while working as a research fellow at MIT. Rodriguez notes that recording multiple factors is crucial to keeping the system secure without making it unusable. If the user types a password with one hand, for example, while holding coffee in the other, the system must turn to other factors to decide how to interpret the variation, he says. If she does this every morning, the system will learn to expect to see this behavior at that time of day.

The idea that a password should completely succeed or completely fail “is an old paradigm that should go away,” says Rodriguez. Even if the system sees something strange about the way that a user enters her password, for example, it just assigns a confidence level to that log-in attempt. Access levels can be configured depending on this confidence level. For example, if a user logs in from an odd location, lowering the system’s confidence, it might allow her to see her account balance but restrict the funds that she is able to transfer. If the user needs to increase her confidence factor at that moment, Rodriguez says, she could answer additional security questions or have a one-time password sent to her mobile phone or via e-mail.

10 comments. Share your thoughts »

Credit: Technology Review

Tagged: Computing, Communications, security, passwords, biometrics, Web security

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me