Passwords can be one of the weakest links in online security. Users too often choose one that’s easily guessed or poorly protected; even strong passwords may need to be combined with additional measures, such as a smart card or a fingerprint scan, for extra protection.
Delfigo Security, a startup based in Boston, has a simpler solution to bolstering password security. By looking at how a user types each character and by collecting other subtle clues as to her identity, the company’s software creates an additional layer of security without the need for extra equipment or user actions.
Delfigo’s algorithms build up a profile of each user during a short training period, combing 14 different factors. The company’s president and CEO, Ralph Rodriguez, developed the necessary algorithms while working as a research fellow at MIT. Rodriguez notes that recording multiple factors is crucial to keeping the system secure without making it unusable. If the user types a password with one hand, for example, while holding coffee in the other, the system must turn to other factors to decide how to interpret the variation, he says. If she does this every morning, the system will learn to expect to see this behavior at that time of day.
The idea that a password should completely succeed or completely fail “is an old paradigm that should go away,” says Rodriguez. Even if the system sees something strange about the way that a user enters her password, for example, it just assigns a confidence level to that log-in attempt. Access levels can be configured depending on this confidence level. For example, if a user logs in from an odd location, lowering the system’s confidence, it might allow her to see her account balance but restrict the funds that she is able to transfer. If the user needs to increase her confidence factor at that moment, Rodriguez says, she could answer additional security questions or have a one-time password sent to her mobile phone or via e-mail.
Trying to strengthen authentication without forcing users to change their behavior is a promising approach, says Bill Nagel, an analyst at Forrester Research, who covers security and risk management. “People want ease of use without losing any security, and that’s a tough balance for a lot of IT departments,” he says.
Ben Adida, a fellow at Harvard University’s Center for Research on Computation and Society, who studies security and privacy, notes that other companies have tried to find ways to improve authentication without inconveniencing users. Some banks, for example, install a cookie in a user’s browser after he answers several security questions correctly. The cookie serves as another identifying token. “That’s easier than having a physical token, but it’s also not as secure,” Adida says, since the attacker could trick the user into giving up the information needed to recreate the cookie..
Adida adds that the strength of Delfigo’s product will depend on how hard it is for an attacker to re-create the additional factors that it uses. For example, an attacker may be able to trick a user into typing her username and password into a dummy site, in order to collect keystroke patterns and other information, Adida says.
These weird virtual creatures evolve their bodies to solve problems
They show how intelligence and body plans are closely linked—and could unlock AI for robots.
A horrifying new AI app swaps women into porn videos with a click
Deepfake researchers have long feared the day this would arrive.
Chinese hackers disguised themselves as Iran to target Israel
But they left a few clues that gave them away.
DeepMind says it will release the structure of every protein known to science
The company has already used its protein-folding AI, AlphaFold, to generate structures for the human proteome, as well as yeast, fruit flies, mice, and more.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.