Security software taps human touch
seattlepi.nwsource.com
By JOHN COOK SEATTLE POST-INTELLIGENCER REPORTER Wednesday, November 9, 2005
At a technology conference in Las Vegas last month, Issaquah-based BioPassword agreed to offer $10,000 to anyone who successfully accessed a computer by typing a specific user name and password.
The task seemed easy enough, though 1,200 people failed to get by the company's keystroke authentication system. In fact, BioPassword was so confident that its software could identify unauthorized typing cadences that it upped the prize on the last day of the conference to $100,000.
"No one even came close," bragged Chief Executive Mark DiSalle, whose company's software authorizes or denies access to computers by the way people type.
DiSalle, who bought the BioPassword technology for $500,000 in a bankruptcy sale three years ago, believes keystroke analysis is the future of computer security.
And the 52-year-old former Hollywood movie producer -- whose film credits include "Bloodsport," "Kickboxer" and "Street Knight" -- is pulling in some deep-pocketed investors who agree.
Today, BioPassword is announcing $8 million in a second round of financing from Ignition Partners and OVP Venture Partners, bringing total financing in the privately held company to $13.5 million. As a result of the investment, Ignition's John Connors and OVP's Lucinda Stewart will join the board.
BioPassword's technology may sound futuristic, but DiSalle said its roots can be traced to Morse code operators in World War II who figured out how to determine message senders based upon tapping patterns. In extensive military and intelligence studies, DiSalle said it was "proved that everyone has a unique typing rhythm."
The Stanford Research Institute picked up the research in the 1970s and 1980s, receiving a patent related to keystroke dynamics. That patent was acquired in 1989 by NetNanny Software, the Bellevue software company whose assets DiSalle bought in November 2002.
DiSalle, who set up a small investment firm after moving to Seattle in 1994, said he was blown away by the technology when he discovered it three years ago.
"To me, the vision I saw was it being used everywhere: over the Internet, at enterprise," DiSalle said.
"Because the technology started with one finger with Morse code, the future of the technology goes beyond keyboard -- it goes to cell phones, PDAs -- anything you can really type, touch or tap our technology can play with."
So far, the company is targeting financial institutions and health care organizations, with about a dozen customers paying $20 to $30 per work station and an annual maintenance fee.
BioPassword, which has grown from seven to 56 employees in the past year, introduced its first product earlier this year. A second version will be released in December, with DiSalle saying that there is a "tremendous pipeline of customers."
He declined to disclose names, other than Ontario-based Musicrypt Inc., which uses the software to authenticate who downloads digital music files at radio stations.
Protecting computer networks from unauthorized users is big business, with Ignition's Connors placing the market opportunity at about $4.5 billion.
However, a study conducted last year by the Computer Security Institute and the FBI found that the number of cybersecurity breaches is on the decline. Only 53 percent of companies experienced unauthorized use of computer systems last year, the smallest percentage since the study began in 1999. And total losses attributed to computer security breaches fell to $141 million in 2004 -- down from $202 million in the previous year.
Connors, the former chief financial officer at Microsoft, said those trends -- while positive for computer users -- do not mean that BioPassword is entering a shrinking market.
"It is clearly a market that, with the right technology, will grow," said Connors, who became aware of BioPassword after former Microsoft Chief Security Officer Greg Wood joined as chief technology officer earlier this year.
Connors said the company has advantages over other security technologies -- such as smart cards, fingerprint readers and iris scans -- because it is cheaper and easier to deploy.
The software also has an advantage in providing a second layer of security for passwords -- the most common authentication technique, Connors said.
"The notion that you can still use user ID and passwords, but you get a second form of authentication -- without the user having to keep a smart card, without the user having to keep a set of passwords or without the user having to remember which pet he told you he liked the most -- is really attractive," he said.
Connors said he could envision content companies, such as The Wall Street Journal, using the technology to make sure that authorized subscribers are logging onto the news site. He also imagines possible applications for e-commerce Web sites, automated teller machines or remote access to computer networks.
Because BioPassword is software-based, DiSalle said the company easily can deploy over the Internet at costs that are up to 20 percent cheaper than competing biometric systems.
He also said the technology is secure, with just 0.04 percent of people who know a password able to gain access. It works by measuring how long typists spend on individual keys and the time that passes before they press the next key.
To activate the software, DiSalle said computer users must initially type a password 10 times in order to set keystroke patterns.
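The measurement and 10-sample enrollment described above can be sketched as follows. This is an added example, not BioPassword's code or algorithm: the scaled Manhattan distance, the 2.0 threshold, the function names, the password "pass1" and all timings are assumptions constructed for illustration.

```python
from statistics import mean

def features(events):
    """events: [(key, down_ms, up_ms), ...] in typing order.
    Returns dwell times (hold per key) then flight times (release -> next press)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_samples=10):
    """Build a template from repeated typings of the same password."""
    if len(samples) < min_samples:
        raise ValueError(f"need {min_samples} samples, got {len(samples)}")
    keys = [k for k, _, _ in samples[0]]
    if any([k for k, _, _ in s] != keys for s in samples):
        raise ValueError("enrollment samples must be the same key sequence")
    cols = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in cols]
    # Mean absolute deviation per feature, floored at 1 ms to avoid divide-by-zero.
    mads = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, means)]
    return {"keys": keys, "mean": means, "mad": mads}

def score(template, events):
    """Scaled Manhattan distance; lower means closer to the enrolled rhythm."""
    if [k for k, _, _ in events] != template["keys"]:
        return float("inf")  # wrong password: timing is irrelevant
    v = features(events)
    return mean(abs(x - m) / d for x, m, d in zip(v, template["mean"], template["mad"]))

def verify(template, events, threshold=2.0):  # threshold is an assumed value
    return score(template, events) <= threshold

def synth(password, dwell, flight, jitter=0):
    """Constructed sample data: turn timing lists into (key, down, up) events."""
    t, events = 0, []
    for i, ch in enumerate(password):
        events.append((ch, t, t + dwell[i] + jitter))
        t += dwell[i] + jitter + (flight[i] - jitter if i < len(flight) else 0)
    return events

# Constructed timings in milliseconds for the constructed password "pass1".
OWNER_DWELL, OWNER_FLIGHT = [95, 80, 110, 105, 90], [60, 45, 150, 70]
TEMPLATE = enroll([synth("pass1", OWNER_DWELL, OWNER_FLIGHT, j)
                   for j in (-4, -3, -2, -1, 0, 0, 1, 2, 3, 4)])
GENUINE = synth("pass1", OWNER_DWELL, OWNER_FLIGHT, jitter=2)
IMPOSTOR = synth("pass1", [70] * 5, [120] * 4)  # right password, different rhythm

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, attempt))
```

The impostor attempt types the correct characters and is still rejected, which is the second-factor property the article describes; where the threshold sits trades false rejects of the owner against false accepts of others.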
Stewart, who spent months analyzing the company, said BioPassword has a unique approach to a big market.
"There is no one else that we know of who is doing it, and given our patent position, we feel pretty good about it," she said.
Judith Collins, an associate professor of criminal justice at Michigan State University, was unaware of the BioPassword technology. But she said biometric technologies, which she defined as those that analyze a person's DNA, hold much promise.
"Biometrics has been talked about for a long time, and I think it is improving," Collins said.
"It is coming, but it just can't get here fast enough."
In fact, last year's Computer Security Institute / FBI study found that only 11 percent of companies used biometric technologies for computer security -- far below other techniques.