Yes. US Patent No. 7,206,938. Four others are pending with more coming.
Yes, the technology is proven daily in live online applications.
People across the web are using Trustable Passwords on our
customers’ websites every day.
Our customers are businesses that provide information or
experiences online. They come to us for a solution to the following:
1) Online Cheating – students or professionals giving
their user name/password to someone else to take a test for them.
2) Quiet Fraud – sharing logon credentials for access to paid content sites.
3) Malicious Fraud – phishing & other hacker type fraud.
4) Legal Requirements – mandated use of multi-factor authentication.
Trustable Passwords uses Keystroke Dynamics to analyze the way
users type their password. We use that analysis to identify a real
user from an imposter. We often use the analogy of throwing darts to
help explain our technology. What we do is measure the way a user
types their password (the dart) and compare (throw) it against their
password signature (the dart board), or a set of previously typed
samples. When the patterns match, the user gains access (a
By matching typing patterns, we are able to add a layer of
security that protects our customers (web based information or
service providers) and their customers (the end users).
Keystroke dynamics, or typing dynamics, refers to the detailed
timing information that describes exactly when each key was
depressed and when it was released as a person is typing. It is
known as a behavioral biometric, or performance biometric.
Yes, to a very high degree.
No, we only monitor passwords.
Most typing rhythms are random, which by definition means they have
no patterns. However, with certain words and small phrases people unconsciously
develop consistent patterns due to muscle memory. This is especially
true with frequently typed words, like passwords.
There have been prior attempts to monitor user typing all the
time; all of which have failed. Trustable Passwords is a way to
authenticate logons ... and is not trying to be Big Brother. It works and is very well
received by users.
There are four ways to authenticate someone:
1. Something the user knows (e.g. user name, passwords, PINs)
2. Something the user has (e.g. smartcards, tokens, RFID badges)
3. Something the user is (e.g. finger scans, facial, iris recognition)
4. Something the user does (e.g. voice recognition, Trustable Passwords)
"Strong" means passwords, #1, paired with either #2, #3, or #4. The combination of passwords with something else (another factor) constitutes "Strong" in generally accepted definitions.
Trustable Passwords is 2-factor strong authentication (#1 knows
and #4 does).
Excellent. As seen in the study shown in the graph, Trustable
Passwords starts out strong and gets stronger over time. We focus on
constantly improving both real user success and imposter denial.
Of course, misses happen, but not very often. It has been our experience that real users miss their password signature at about the same rate that they misspell their password. In most cases, if a person misses their rhythm, just like with a typo, they are reprompted and most likely "hit" the second time.
The result is, in the user's perception our reprompts disappear
into their existing typo rate and they feel they always get in.
Depends on how many is a couple. Unless someone overdoes it,
there won't be a problem.
We are a performance biometric so you do have to "perform".
Surprisingly though, most injuries do not prevent authentication. We look at many factors across the password signature. A user may miss some markers and still get in.
Of course, some injuries are serious enough to make normal typing
impossible. Trustable Passwords has administrative systems to make
dealing with problems like this simple and easy.
It means we ask our user to do something and measure their
performance. It is similar to a normal biometric because it is
something inherent to the user. However, it is a performance, so if
a password is lost, stolen, or otherwise compromised it can easily
be changed unlike an iris scan or fingerprint… users only have one
set of those.
The simple answer is yes, Trustable Passwords works across keyboards and platforms*. Users’ patterns translate from home desktops to work laptops inherently. Where users can develop consistent patterns, we can measure them.
*Note: We plan to support mobile devices in 2010
No worries, you can develop a Trustable Password. Trustable
Passwords does not require touch-typing or any specific typing
skills. All we need is consistent patterns, which occur among users
of all typing skills. In fact sometimes “hunt and peck” typists
develop their trustable password more quickly than “touch typists”.
No. Our job is to help make them safer to use. Passwords are
still the gold standard for ubiquity and user acceptance.
The problems with passwords are:
A. Anyone who learns a password can use it to logon.
B. To combat (A), many organizations force frequent password changes, which results in making them hard to remember and often difficult to type.
Trustable Passwords addresses both these issues. With our
technology only the real user can perform his/her Password
Signature. Additionally, Trustable Passwords get stronger with time
so mandatory password changes are no longer necessary from both the
security and legal points of view.
No. Trustable Passwords uses Flash because it is ubiquitous
across the internet, so there is no download or installation needed
on the end user’s machine.
No. Users do what they are used to doing - they type their username and password.
All. Trustable Passwords uses Flash, which is supported on all browsers.
All*. Users are having success on all types of machines across the internet. We find consistency in users across new, old, ultra-mobile laptops, and desktops alike.
*Note: We plan to support mobile devices in 2010.
While our technology does work well in concert with other authentication methods, the graph below displays a comparison.
Keystrokes can be intercepted and replayed by complex keystroke
recorders. However, Trustable Passwords includes numerous
countermeasures designed to prevent a wide variety of attacks.
This is completely up to our customers’ discretion.
A user trying to logon with the wrong password is different from
a user with the correct password and the wrong Password Signature.
In the latter case, we recommend alerting rather than lockouts.
Alerting can reveal impostor activity or password sharing while it
is occurring. Account lockouts are a top reason for help desk calls,
which Trustable Passwords helps minimize with easier to remember
passwords and alerting.
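The following is an added illustration, not Trustable Passwords' code or algorithm (which this page does not describe). It shows the general idea of keystroke dynamics as defined above: key press and release times become dwell and flight timings, a signature is built from previously typed samples, an attempt may miss some markers and still pass, and a correct password with the wrong rhythm produces an alert rather than a lockout. All function names, thresholds and timing values are assumptions constructed for the example.

```python
from statistics import mean, stdev

def features(events):
    """events: (key, down_ms, up_ms) in typing order -> dwell times then flight times."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Signature = per-feature (mean, spread) over the enrollment samples."""
    columns = zip(*(features(s) for s in samples))
    # Assumed 10 ms floor so a very consistent typist is not rejected on jitter.
    return [(mean(c), max(stdev(c), 10.0)) for c in columns]

def missed_markers(signature, attempt, z_max=2.5):
    """Number of timings more than z_max spreads away from the signature."""
    vec = features(attempt)
    if len(vec) != len(signature):
        return len(signature)  # different key count: nothing lines up
    return sum(abs(x - m) / s > z_max for x, (m, s) in zip(vec, signature))

def decide(password_ok, signature, attempt, max_missed_fraction=0.25):
    """Wrong password and wrong rhythm are separate outcomes."""
    if not password_ok:
        return "deny"  # ordinary failed-logon handling, customer policy
    if missed_markers(signature, attempt) <= max_missed_fraction * len(signature):
        return "allow"  # a few missed markers are tolerated
    return "reprompt_and_alert"  # right secret, wrong pattern: alert, no lockout

def make_events(word, dwells, flights):
    """Helper for the constructed sample data below."""
    t, out = 0, []
    for i, ch in enumerate(word):
        out.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

# Constructed timings in milliseconds for a four-key password.
ENROLLMENT = [make_events("pass", d, f) for d, f in [
    ([90, 85, 100, 95], [120, 60, 150]),
    ([95, 80, 105, 90], [110, 65, 160]),
    ([88, 90, 98, 100], [125, 55, 145]),
    ([92, 84, 102, 94], [118, 62, 152]),
]]
SIGNATURE = enroll(ENROLLMENT)
GENUINE = make_events("pass", [93, 86, 99, 96], [115, 64, 190])      # one hesitation
IMPOSTOR = make_events("pass", [140, 130, 150, 60], [200, 180, 40])  # same keys, other rhythm

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("impostor", IMPOSTOR)]:
        print(name, missed_markers(SIGNATURE, attempt), decide(True, SIGNATURE, attempt))
```

The `reprompt_and_alert` outcome is the one a defender would log and review, since repeated occurrences on one account can indicate credential sharing or a stolen password.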
There are currently two methods of creating a trustable password:
1) Trustable Registration™ -- Accelerated Process
The Accelerated Process has users create a Password Signature in just a few quick entries, which typically takes 15-20 seconds. Once registered, Trustable Passwords continues to auto-tune to their signature.
2) Trustable Registration™ -- Transparent Process
The Transparent Process unobtrusively enrolls users. In this model users continue to log on normally, as always. Trustable Passwords observes each password entry and silently builds a profile unique to the user. Once a user demonstrates consistent muscle memory, Trustable Passwords automatically activates trustable verification. A byproduct of this approach is that shared passwords show up as failures to enroll. This helps organizations enforce password policy compliance.
Integration into a customer’s existing application is easy. Simply
embed our control into the existing logon form and then call our
authentication web service to evaluate the password signature.
It is FREE. We will give you a demo, as well as let you run
trials and install the software on your systems at no cost. We don’t
ask to get paid until you have your first paying customer.
The cost of Trustable Passwords varies based on several things,
such as volume, transaction values, and others. Please contact our
sales department at sales@iMagicSoftware.com
for more information.
Yes. We have enterprise products based on the same technology. We
support SSO, VPN, Web Portal access, and more.
Our customers are businesses that provide information or a
service over the internet. We work with them to overcome hurdles,
like online cheating, quiet fraud, malicious fraud, and legal
Please contact us:
P: (805) 686-2800