Banking industry slowly embracing biometric security: Local tech firm rolls out keystroke authentication systems to financial institutions

The banking industry is turning to the next generation of online security to thwart cyberthieves, and an Indianapolis information technology consulting firm is trying to stay at the forefront of the movement.

Locally based Catalyst Technology Group has received a contract from BioPassword Inc., a security-software company based in Issaquah, Wash., to install keystroke authentication systems at financial institutions throughout the United States.

Keystroke authentication is among the latest offerings from the field of biometrics-the measurement and analysis of unique physical or behavioral characteristics-and it’s accurate 98 percent of the time, according to BioPassword.

Biometric security has become more common since the terror attacks of 9/11. Government agencies and private businesses are investing in biometric devices that grant or block access after scanning fingerprints, eyes, facial features or vocal patterns to guard against identity theft.

The benefit of biometric security is that it can never be lost, said Peter Beering, who serves as Indianapolis’ terrorism preparedness coordinator. “You never have to worry about forgetting your keys, because your keys are your eyeball. You not only buy increased security, but increased convenience.”

The industry has grown from roughly $300 million in revenue in 2001 to more than $2 billion last year, according to the National Biometric Security Project, a not-for-profit consulting service in Washington, D.C.

Scores of banks and credit unions nationwide are seeking keystroke authentication to replace the simple passwords consumers use to make online transactions. Typing speed and finger pressure on the computer keys make up a rhythmic pattern repeated every time a word is typed-a pattern nearly impossible for someone else to duplicate.

The added security measures stem from government regulation requiring multifactor authentication for online banking customers.

In October 2005, the Federal Financial Institutions Examination Council released guidelines aimed at overhauling security in Internet-based banking and financial services.

The guidelines called on banks to upgrade single-factor authentication processes-typically based on user name and passwords-with a stronger form of authentication by the end of 2006.

The FFIEC leaves it up to the banks to choose which kind of authentication to implement but lists several suggestions, including biometric systems, key fobs or tokens, and one-time passwords.

Neil Issa, president of Catalyst, thinks keystroke authentication is even more effective than other biometric security measures such as fingerprint scanning.

“The problem is that, once [biometrics are] on file, it’s getting easier for someone to replicate those physical attributes,” he said. “Once that’s been compromised, it’s gone forever.”

Indianapolis-based Forum Credit Union, the city’s largest credit union in terms of assets, and Three Rivers Federal Credit Union in Fort Wayne are among the financial institutions for which Catalyst has installed the software.

Forum has 11 branches and 95,000 members, 62,000 of whom check balances, transfer money or pay bills online, said Doug True, president of Forum Solutions, a technology consultancy and Forum subsidiary.

The credit union’s 350 employees are using the keyword authentication system, and customers should follow by the end of June. No client software is required. Rather, the software installed on the central system uses Macromedia Flash, which is part of most browsers. The flash component is what collects the keystroke timing. For spouses who share bank accounts, there are built-in prompts to gain access.

“The rollout has gone extremely well,” True said. “We were skeptical at first, but we used it with our employees and tried to break it, and found that it was solid technology.”

Officials in the banking industry are hesitant to put a price tag on the additional security measures, saying the cost depends on the size of the bank and the amount of online customers.

BioPassword CEO Mark Upson estimates the cost to banks at about $1 per user. The company so far has amassed 50 clients, mostly banks and credit unions, who boast a million users.

Jim Cousins, president of the Indiana Bankers Association, favors the changes.

“As the customer base moves from the older generation to my son’s generation, they’re going to demand this kind of service from all service providers,” he said. “It’s not really a question or a debate.”

For Catalyst, the contract the company received from BioPassword should enable it to at least double this year’s revenue from $1.5 million to $3 million, Issa said.

Catalyst-which provides IT support, infrastructure and custom applications to clients throughout the country-so far is the only reseller and installer of BioPassword’s software.

A nationwide organization that provides services to the financial services industry approached Catalyst, which has multi-factor authentication experience, about reselling and installing the BioPassword product. After demonstrating its abilities, Catalyst became BioPassword’s preferred partner.

Catalyst has 20 employees at its Keystone at the Crossing office and expects to hire six or seven by the end of the year, Issa said. Catalyst’s clients provide it remote access to their networks to install the keystroke authentication software.

Keystroke patterning was first employed by the military a century ago in its use of Morse code, which created a tapping rhythm that could help distinguish allies from enemies.

In the 1980s, Stanford University scientists applied the technique to computer security. But it was not until BioPassword bought the patents from the school in 2002 that keystroke authentication found its first commercial use.

Developers harnessed the technology into portable software and began selling it in 2004.