Startup of the Week / Bypassing Online Passwords With Biometrics

As the need grows for alternatives to passwords, the Israeli startup BioCatch is developing identification solutions based on user behavior patterns, sometimes without the user even knowing it.

About two and a half years ago, Charles Tappert of Pace University published a study showing that in 99.3 percent of cases, computer users could be identified by their typing patterns, mouse movement and touch. His study, “Keystroke Biometric Identification and Authentication on Long-Text Input,” became a major catalyst for one of the most fascinating technological projects of the past few years — the effort to find an alternative to passwords on the Internet.

Last month, the American technology news site The Verge observed that the use of passwords, currently the main tool for confirming identity on the web, is collapsing under the pressure of the enormous amount and variety of information they are supposed to protect, and from hackers’ attempts to crack them. Although passwords are more prevalent than ever, over the past year efforts to find an alternative have been ramped up.

Researchers such as Tappert hope to develop a method for ongoing user identification through, for example, biometric identification of fingerprints, without the special hardware needed today. Ideally, they would be able to confirm users’ ID without their knowledge. Benny Rosenbaum, a founder and the CEO of the Israeli company BioCatch, points out that these methods match today’s commercial requirements for user identification.

Since its establishment in 2011, BioCatch has developed a system for desktop and laptop computers and tablets that recognizes user behavioral patterns to confirm identity. Along with keystroke patterns — the biometric that Tappert identified — BioCatch taps into cognitive behavioral profiling, like the order in which a user types, to identify her or him.

“In addition to developers, we also employ psychologists to develop this method,” says Rosenbaum.

BioCatch, which has 15 employees in Lod, has raised $2.6 million to date from the Office of the Chief Scientist in the Industry, Trade and Labor Ministry, as well as from Janvest Technologies and private investors from Magic Software, where Rosenbaum was one of the first workers and served as vice president of business development. Rosenbaum was also the CEO of the startups VapiSoft and MyNayad and, in 2006, he was appointed vice president at Babylon, a position he held for about a year. Avi Turgeman, who founded BioCatch with Rosenbaum and serves as its chief technology officer, is a former head of the innovations department of the Israel Defense Forces Unit 8200, which is responsible for collecting intelligence and code decryption.

Large companies looking for new ID verification technology

The field of ID verification technology is growing and BioCatch isn't the only Israeli name in the game. Last month, Lenovo joined the ranks of companies that support the Fast Identity Online Alliance with PayPal and Infineon Technologies. The goal of FIDO is to offer an alternative standard for fast and reliable user authentication online through non-password verification technologies such as biometrics, near field communication chips or authentication tokens that generate a one-time password.

At around the same time, the Defense Advanced Research Projects Agency, an agency of the U.S. Department of Defense responsible for the development of new military technologies, announced an allocation of $14 million to create sensors to monitor user behavior continuously. DARPA’s Active Authentication program, which has been in operation for about a year and a half, is devoted mainly to researching biometrics similar to the ones Tappert’s study investigated.

“The main problem with this sort of solution is the amount of time needed to create a user behavior pattern,” says Rosenbaum. “Practically speaking, Tappert claimed that at least 15 minutes of user interaction were required. As far as we’re concerned, that’s not good enough for the solution we wanted. At first, we thought about forgetting the whole idea. But later, we discovered that by creating a deliberate challenge that the user doesn’t know is happening, we could reduce the time required to establish an identity significantly, and we brought that time down to one minute.”

Contacting the online banking market

The third member of BioCatch’s founding team is Uri Rivner, who serves as its VP of business development and cyber strategy. Rivner was in charge of new technologies and cyber research at Cyota, which was sold in 2005 to RSA Security for $140 million. After the sale, Rivner continued in his position at RSA, and a year later served as interim CEO at Funtactix for about six months.

Rivner heard about BioCatch from Michal Blumenstyk-Braverman, the general manager of RSA Israel and the business owner of its Identity Protection and Verification suite.

“When Michal told me about BioCatch’s solution, my jaw dropped,” said Rivner. “The ability to authenticate a user’s identity on a cellular telephone or a tablet without the user knowing about it, and without special hardware, is very necessary.

“Our first business decision was to contact the online banking market, where the problem of user authentication is a familiar and painful one,” Rivner continued. “When we approach a bank and tell them we have authentication technology for cellular devices that is ongoing, not overt, and contains biometric-like components, they get very interested.”

An American bank is using BioCatch’s system as a pilot, and the company is in contact with other banks as well.

“A bank that wants to use our product installs it with a code for the mobile application, and after a short learning period for the user, it starts to run,” Rivner says. “We give the bank a last line of defense. Even if the password is breached, and even if a hacker gets control of a client’s computer remotely and uses it to break into the bank’s system, our system will be there.”
