Intelligent Machines

Who's Typing Your Password?

By watching how passwords are entered, a company hopes to make log-ins more secure.

Passwords can be one of the weakest links in online security. Users too often choose one that’s easily guessed or poorly protected; even strong passwords may need to be combined with additional measures, such as a smart card or a fingerprint scan, for extra protection.

Delfigo Security, a startup based in Boston, has a simpler solution to bolstering password security. By looking at how a user types each character and by collecting other subtle clues as to her identity, the company’s software creates an additional layer of security without the need for extra equipment or user actions.

The software, called DSGateway, can be combined with an existing authentication process. As a user enters her name and password, JavaScript records her typing pattern along with other information, such as her system configuration and geographic location. When the user clicks “submit,” her data is sent to the Web server and, provided that the username and password are correct, the additional information is passed on to Delfigo. The company’s system then evaluates how well this information matches the behavior patterns of the appropriate authorized user.

Delfigo’s algorithms build up a profile of each user during a short training period, combining 14 different factors. The company’s president and CEO, Ralph Rodriguez, developed the necessary algorithms while working as a research fellow at MIT. Rodriguez notes that recording multiple factors is crucial to keeping the system secure without making it unusable. If the user types a password with one hand, for example, while holding coffee in the other, the system must turn to other factors to decide how to interpret the variation, he says. If she does this every morning, the system will learn to expect to see this behavior at that time of day.

The idea that a password should completely succeed or completely fail “is an old paradigm that should go away,” says Rodriguez. Even if the system sees something strange about the way that a user enters her password, for example, it just assigns a confidence level to that log-in attempt. Access levels can be configured depending on this confidence level. For example, if a user logs in from an odd location, lowering the system’s confidence, it might allow her to see her account balance but restrict the funds that she is able to transfer. If the user needs to increase her confidence factor at that moment, Rodriguez says, she could answer additional security questions or have a one-time password sent to her mobile phone or via e-mail.
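
The confidence-level idea described above, sketched as an added example (not from the article and not Delfigo's algorithm). It scores only keystroke timing, one of the several factors the article mentions; the feature set, scoring formula, thresholds and sample timings are all assumptions.

```javascript
// Added illustration, not Delfigo's algorithm: features, scoring and thresholds are assumptions.
// Constructed sample data: build key events (ms) from per-key dwell and between-key flight times.
function sample(dwells, flights) {
  let t = 0;
  return dwells.map((d, i) => {
    const down = (t += i > 0 ? flights[i - 1] : 0);
    return { down, up: (t += d) };
  });
}

// Feature vector: dwell (key held) for every key, flight (release to next press) between keys.
function timingFeatures(events) {
  return events.flatMap((e, i) =>
    i > 0 ? [e.down - events[i - 1].up, e.up - e.down] : [e.up - e.down]);
}

// Training period: per-feature mean and standard deviation over enrollment samples.
function buildProfile(samples) {
  const vecs = samples.map(timingFeatures);
  return vecs[0].map((_, j) => {
    const col = vecs.map(v => v[j]);
    const mean = col.reduce((a, b) => a + b, 0) / col.length;
    const sd = Math.sqrt(col.reduce((a, b) => a + (b - mean) ** 2, 0) / col.length);
    return { mean, sd: Math.max(sd, 10) }; // floor: tolerate normal jitter from a very regular typist
  });
}

// Confidence in [0, 1]: 1 for a perfect match, 0 once the mean |z-score| reaches 4.
function confidence(profile, attempt) {
  const f = timingFeatures(attempt);
  if (f.length !== profile.length) return 0; // wrong number of keystrokes: no match at all
  const z = f.reduce((s, x, j) => s + Math.abs(x - profile[j].mean) / profile[j].sd, 0) / f.length;
  return Math.max(0, 1 - z / 4);
}

// Map confidence to an access level instead of a pass/fail decision.
function accessLevel(c) {
  if (c >= 0.8) return "full";
  if (c >= 0.4) return "limited"; // e.g. view balance, transfers capped until step-up
  return "step_up_required"; // e.g. security questions or a one-time password
}

const profile = buildProfile([
  sample([90, 100, 95, 105], [120, 130, 110]),
  sample([100, 110, 105, 95], [130, 120, 120]),
  sample([95, 105, 100, 100], [125, 125, 115]),
]);
// Same user typing slowly with one hand: lower confidence, reduced access rather than a lockout.
const coffeeAttempt = sample([110, 120, 115, 115], [150, 150, 140]);
console.log(accessLevel(confidence(profile, coffeeAttempt)));
```
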

Trying to strengthen authentication without forcing users to change their behavior is a promising approach, says Bill Nagel, an analyst at Forrester Research, who covers security and risk management. “People want ease of use without losing any security, and that’s a tough balance for a lot of IT departments,” he says.

Ben Adida, a fellow at Harvard University’s Center for Research on Computation and Society, who studies security and privacy, notes that other companies have tried to find ways to improve authentication without inconveniencing users. Some banks, for example, install a cookie in a user’s browser after he answers several security questions correctly. The cookie serves as another identifying token. “That’s easier than having a physical token, but it’s also not as secure,” Adida says, since the attacker could trick the user into giving up the information needed to recreate the cookie.

Adida adds that the strength of Delfigo’s product will depend on how hard it is for an attacker to re-create the additional factors that it uses. For example, an attacker may be able to trick a user into typing her username and password into a dummy site, in order to collect keystroke patterns and other information, Adida says.
