So, this begs the question: “Is there a multifactor authentication method that is transparent to end-users?” And the answer is, “yes.” The technology is referred to as “keystroke dynamics,” and it extends the authentication paradigm a bit. That is, you usually hear about authentication factors such as:

• Something you know (e.g. Password)
• Something you have (e.g. token)
• Something you are (e.g. biometric)

Keystroke dynamics, as well as signature and speech dynamics, add to that list “Something you do.”

Keystroke dynamics systems check the specific characteristics of how someone enters his/her password (i.e. speed, pauses). So, in effect, keystroke dynamics systems are keyloggers who have turned from the Dark Side.

In theory, the use of such systems allows users to simply continue entering a single password – the way they do now. Yet, because individual and unique characteristics are being measured, many of the traditional weaknesses associated with passwords can be overcome. For example, normal “problem areas” such as password sharing and shoulder surfing may be mitigated because other parties cannot mimic the “dwell time” (length of time that the key is pressed) and “flight time” (speed between individual keystrokes) dynamics of the actual user.

Though I’ve not yet done any tests with this technology, I do see it touted as an affordable, reliable alternative to biometrics.

Links for further reading/research:

General info:

• http://en.wikipedia.org/wiki/Keystroke_dynamics
• http://articles.techrepublic.com.com/5100-1009-6150761.html
• http://avirubin.com/fgcs.pdf
• http://et.wcu.edu/aidc/BioWebPages/Biometrics_Keystroke.html
• http://www.computereconomics.com/custom.cfm?name=postPaymentGateway.cfm&id=1185

Vendor products:

• http://www.biopassword.com/index.php
• http://www.imagicsoftware.com
• http://www.deepnetsecurity.com/