Biometrics Meets Online Banking

By Lisa Hochgraf

In this Q&A, First Tech Credit Union's CIO describes the selection and implementation of a home banking authentication solution that measures members' typing cadences.

Compiled by Lisa Hochgraf - reprinted from Jan. 9, 2008 

On Nov. 6, $1.5 billion First Tech Credit Union, Beaverton, Ore., rolled out a new online banking authentication solution from BioPassword that measures the rhythm members use when typing their passwords to authenticate their identities. This solution is being used in addition to a username and password authentication strategy.

Joey Rudisil, VP/information technology/chief information officer for First Tech CU, graciously agreed to answer some questions about the solution and its implementation.

CUES Tech Port: How did you choose this solution?

First Tech began reviewing solutions for multifactor authentication in early 2005. When the FFIEC issued its guidance on authentication, the space exploded. We spent hundreds of man-hours examining solutions and considering the value and member impact. We went around and around with various workflows, trying to find a balance between security and convenience, inevitably arriving at the same problem: How do we implement a new "feature" that is inherently designed to make the online experience more difficult? In 2006, BioPassword introduced a solution to the problem by increasing security through measuring normal behavior.

CUES Tech Port: What did you have to do to implement BioPassword?

The technical implementation of BioPassword was fairly straightforward and required a minimal amount of coding. The bigger challenge was gathering real-world data and proving that the technology worked. So we decided to take a measured approach, making data-driven decisions along the way.

We deployed BioPassword in three phases. The first phase tested the technology against internal staff and a select group of members. Proving that the technology worked, we gathered data from this pilot period and moved to the next phase.

The second phase was deployed to all members in an audit mode, whereby we implemented the technology without actually restricting access to our online banking application. By collecting typing samples, we had the opportunity to examine the data, make adjustments, and better predict the outcome of the third phase, a pass/fail mode.

In the third phase of our deployment, we placed the technology in front of high-risk areas and took action if the typing pattern did not match our records. Challenge questions were introduced as a fallback to the typing pattern match, accommodating inevitable exceptions to normal behavior.

CUES Tech Port: How has response been from members?

We've received concerns from a very small percentage of our online members. The concerns have covered the spectrum from "you're going too far" to "you're not going far enough." But we certainly consider this a successful deployment. When you embark on an initiative that's designed to make things more difficult, the best you can hope for is silence; the best you can get is engagement. We've had both.

CUES Tech Port: What are your next steps?

As we know, the connected world is evolving rapidly. Information is being shared at unprecedented levels; members are connecting and engaging at all different levels, through a variety of channels; and security threats exist at every turn. In light of this environment, our intention is to find new ways to promote security as a product and to enable members to exercise some level of control over their own security settings. BioPassword's technology supports this strategy by coupling authentication with behavior. As our implementation evolves over time, members may be able to establish behavioral tolerances within online banking.

Lisa Hochgraf is a CUES editor.
