Trying to strengthen authentication without forcing users to change their behavior is a promising approach, says Bill Nagel, an analyst at Forrester Research, who covers security and risk management. “People want ease of use without losing any security, and that’s a tough balance for a lot of IT departments,” he says.

Ben Adida, a fellow at Harvard University’s Center for Research on Computation and Society, who studies security and privacy, notes that other companies have tried to find ways to improve authentication without inconveniencing users. Some banks, for example, install a cookie in a user’s browser after he answers several security questions correctly. The cookie serves as another identifying token. “That’s easier than having a physical token, but it’s also not as secure,” Adida says, since the attacker could trick the user into giving up the information needed to recreate the cookie..

Adida adds that the strength of Delfigo’s product will depend on how hard it is for an attacker to re-create the additional factors that it uses. For example, an attacker may be able to trick a user into typing her username and password into a dummy site, in order to collect keystroke patterns and other information, Adida says.