Trustable Passwords FAQ

Is the technology patented?

Yes.  US Patent No. 7,206,938.  Four others are pending with more coming.

Can you really identify people by the way they type?

Yes, the technology is proven daily in live online applications. People across the web are using Trustable Passwords on our customers’ websites every day.

What problems do you solve?

Our customers are businesses that provide information or experiences online. They come to us for a solution to the following problems:

1) Online Cheating – students or professionals giving their user name/password to someone else to take a test for them.
2) Quiet Fraud – sharing logon credentials for access to paid content sites.
3) Malicious Fraud – phishing and other hacker-type fraud.
4) Legal Requirements – mandated use of multi-factor authentication.

How does it work?

Trustable Passwords uses Keystroke Dynamics to analyze the way users type their password. We use that analysis to distinguish a real user from an imposter. We often use the analogy of throwing darts to help explain our technology. What we do is measure the way a user types their password (the dart) and compare (throw) it against their password signature (the dart board), a set of previously typed samples. When the patterns match, the user gains access (a bull’s-eye).

By matching typing patterns, we are able to add a layer of security that protects our customers (web based information or service providers) and their customers (the end users).

What are Keystroke Dynamics?

Keystroke dynamics, or typing dynamics, refers to the detailed timing information that describes exactly when each key was depressed and when it was released as a person is typing. It is known as a behavioral biometric, or performance biometric.
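The press/release timings defined above and the sample-versus-signature comparison described under "How does it work?", as an added example. It is not Trustable Passwords' own algorithm, which this page does not disclose: it uses a generic scaled Manhattan distance, and the timings, function names and threshold are constructed assumptions.

```python
from statistics import mean

def make_events(dwells, flights):
    """Build (down_ms, up_ms) pairs per key from dwell and flight times."""
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((t, t + d))
        if i < len(flights):
            t += d + flights[i]
    return events

def features(events):
    """Dwell (release - press) per key, then flight (next press - release)."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature mean and mean absolute deviation (floored at 1 ms)."""
    cols = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in cols]
    devs = [max(mean(abs(v - m) for v in c), 1.0) for c, m in zip(cols, means)]
    return means, devs

def score(template, events):
    """Scaled Manhattan distance; lower means closer to the enrolled rhythm."""
    means, devs = template
    vec = features(events)
    if len(vec) != len(means):      # different key count: cannot be the same password
        return float("inf")
    return mean(abs(v - m) / d for v, m, d in zip(vec, means, devs))

def matches(template, events, threshold=2.0):   # threshold is an illustrative assumption
    return score(template, events) <= threshold

# Constructed timings (ms) for a four-key password: three enrollment entries.
ENROLLED = [make_events([90, 80, 100, 85], [60, 120, 50]),
            make_events([95, 78, 105, 88], [55, 125, 48]),
            make_events([88, 82, 98, 83], [62, 118, 53])]
TEMPLATE = enroll(ENROLLED)
GENUINE = make_events([92, 79, 102, 86], [58, 122, 51])     # same rhythm
IMPOSTOR = make_events([130, 120, 70, 140], [20, 60, 150])  # same keys, other rhythm

if __name__ == "__main__":
    print(round(score(TEMPLATE, GENUINE), 2), matches(TEMPLATE, GENUINE))
    print(round(score(TEMPLATE, IMPOSTOR), 2), matches(TEMPLATE, IMPOSTOR))
```

With only three enrollment entries the deviations are small, so a real deployment would tune the threshold against measured false-reject and false-accept rates.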

Are everyone’s typing patterns unique?

Yes, to a very high degree.

Do you watch every keystroke all the time?

No, we only monitor passwords.

Most typing rhythms are random, which by definition means they have no patterns.  However, with certain words and small phrases people unconsciously develop consistent patterns due to muscle memory. This is especially true with frequently typed words, like passwords.

There have been prior attempts to monitor user typing all the time, all of which have failed. Trustable Passwords is a way to authenticate logons ... and is not trying to be Big Brother. It works and is very well received by users.

Is Trustable Passwords a form of strong authentication?

Yes.

There are four ways to authenticate someone:
1. Something the user knows (e.g. user name, passwords, PINs)
2. Something the user has (e.g. smartcards, tokens, RFID badges)
3. Something the user is (e.g. finger scans, facial, iris recognition)
4. Something the user does (e.g. voice recognition, Trustable Passwords)

"Strong" means passwords, #1, paired with either #2, #3, or #4.  The combination of passwords with something else (another factor) constitutes "Strong" in generally accepted definitions.

Trustable Passwords is 2-factor strong authentication (#1 knows and #4 does). 

How well does it work?

Excellent. As seen in the study shown in the graph, Trustable Passwords starts out strong and gets stronger over time. We focus on constantly improving both real user success and imposter denial.

[Figure: Recognition Graph]

What happens if I, for some reason, don't type my password right and "miss"?

Of course, misses happen, but not very often.  It has been our experience that real users miss their password signature at about the same rate that they misspell their password. In most cases, if a person misses their rhythm, just like with a typo, they are reprompted and most likely "hit" the second time.

As a result, users perceive our reprompts as part of their existing typo rate and feel they always get in.

What if I've had a couple drinks?

Depends on how many is a couple.  Unless someone overdoes it, there won't be a problem.

What if I break my hand or something?

We are a performance biometric so you do have to "perform". 

Surprisingly though, most injuries do not prevent authentication.  We look at many factors across the password signature.  A user may miss some markers and still get in.

Of course, some injuries are serious enough to make normal typing impossible.  Trustable Passwords has administrative systems that make dealing with problems like this simple and easy.

What do you mean by performance/behavioral biometric?

It means we ask our user to do something and measure their performance.  It is similar to a normal biometric because it is something inherent to the user. However, because it is a performance, a password that is lost, stolen, or otherwise compromised can easily be changed, unlike an iris scan or fingerprint; users only have one set of those.

Does your technology work with any keyboard?

The simple answer is yes, Trustable Passwords works across keyboards and platforms*. Users’ patterns translate from home desktops to work laptops inherently. Where users can develop consistent patterns, we can measure them.

*Note: We plan to support mobile devices in 2010

What if I can’t type?

No worries, you can develop a Trustable Password. Trustable Passwords does not require touch-typing or any specific typing skills. All we need is consistent patterns, which occur among users of all typing skills. In fact sometimes “hunt and peck” typists develop their trustable password more quickly than “touch typists”.

Are Passwords Going Away?

No.  Our job is to help make them safer to use.  Passwords are still the gold standard for ubiquity and user acceptance. 

The problems with passwords are:
A. Anyone who learns a password can use it to logon.
B. To combat (A), many organizations force frequent password changes, which results in making them hard to remember and often difficult to type.

Trustable Passwords addresses both these issues. With our technology only the real user can perform his/her Password Signature. Additionally, Trustable Passwords get stronger with time so mandatory password changes are no longer necessary from both the security and legal points of view.

Does Trustable Passwords require user downloads or installation?

No. Trustable Passwords uses Flash because it is ubiquitous across the internet, so there is no download or installation needed on the end user’s machine.

Does Trustable Passwords require additional hardware?

No. 

Do users need to be trained to use Trustable Passwords?

No.  Users do what they are used to doing - they type their username and password.

What browsers does Trustable Passwords work on?

All. Trustable Passwords uses Flash, which is supported on all browsers.

What platforms does Trustable Passwords work on?

All*. Users are having success on all types of machines across the internet. We find consistency in users across new, old, ultra-mobile laptops, and desktops alike.

*Note: We plan to support mobile devices in 2010.

How does Trustable Passwords compare to other technologies?

While our technology does work well in concert with other authentication methods, the graph below shows a comparison.

[Figure: Biometric Technology Comparison]

What happens if a key logger or keystroke recorder captures my trustable password?

Keystrokes can be intercepted and replayed by complex keystroke recorders. However, Trustable Passwords includes numerous countermeasures designed to prevent a wide variety of attacks.

What happens after multiple invalid logon attempts?

This is completely up to our customers’ discretion.

A user trying to log on with the wrong password is different from a user with the correct password and the wrong Password Signature. In the latter case, we recommend alerting rather than lockouts. Alerting can reveal impostor activity or password sharing while it is occurring. Account lockouts are a top reason for help desk calls, which Trustable Passwords helps minimize with easier-to-remember passwords and alerting.

How does a user get started with Trustable Passwords?

There are currently two methods of creating a trustable password:
1) Trustable Registration™ -- Accelerated Process
The Accelerated Process has users create a Password Signature in just a few quick entries, which typically takes 15-20 seconds. Once registered, Trustable Passwords continues to auto-tune to their signature.
2) Trustable Registration™ -- Transparent Process
The Transparent Process unobtrusively enrolls users. In this model users continue to log on normally, as always. Trustable Passwords observes each password entry and silently builds a profile unique to the user. Once a user demonstrates consistent muscle memory, Trustable Passwords automatically activates trustable verification. A byproduct of this approach is that shared passwords show up as failures to enroll. This helps organizations enforce password policy compliance.

Is it easy to implement?

Integration into a customer’s existing application is easy. Simply embed our control into the existing logon form and then call our authentication web service to evaluate the password signature.

What does it cost to try Trustable Passwords?

It is FREE. We will give you a demo, as well as let you run trials and install the software on your systems at no cost. We don’t ask to get paid until you have your first paying customer.

How much does Trustable Passwords cost?

The cost of Trustable Passwords varies based on several things, such as volume, transaction values, and others. Please contact our sales department at sales@iMagicSoftware.com for more information.

[Figure: Business Flow Chart]

Do you support the Enterprise Market?

Yes. We have enterprise products based on the same technology. We support SSO, VPN, Web Portal access, and more.

Who are your customers?

Our customers are businesses that provide information or a service over the internet. We work with them to overcome hurdles, like online cheating, quiet fraud, malicious fraud, and legal requirements.
 

How can I learn more about Trustable Passwords?

Please contact us:

E: sales@iMagicSoftware.com
P: (805) 686-2800

One strong authentication platform - inside the four walls and over the Internet
Preserve your Passwords – Strengthen your Security