TypingDNA and our partners from Optimal IdM held an insightful webinar about the “the Future of authentication | Behavioral biometrics, tokenless MFA & adaptive authentication”. Access the recording of the webinar above and feel free to contact us if you have any questions.
The topic of discussion covered the following issues:
- About solutions provided by TypingDNA [01:09] and Optimal IdM [02:35].
- Using passwords alone to protect your identity online is not enough [05:32].
- The simple solution: use MFA and choose the simple and easy solution: an AI-enabled typing biometrics right at login with good user experience, and increased security [09:25].
- Demo: MFA with behavioral biometrics [22:02].
- Adaptive authentication – rely on context to establish trust and only escalate the authentication when the risk is great [27:00].
[00:00] Matt Pitchford: Our speakers today: our first speaker will be Tudor Goicea, he manages strategic alliances and the business developments efforts for TypingDNA. He has extensive experience with the deployment of behavioral biometrics systems. Before cybersecurity became his passion, Tudor worked with several management-consulting and venture capital firms. Tudor graduated cum laude with Masters in International Management from Erasmus University in Rotterdam. Our other speaker is Chris Curcio he is Vice president of partners and channels for Optimal IdM. He has over 20 years of IT security experience and has previously worked at identity management companies such as Open Network and Oblix. Prior to joining Optimal, he also spent 12 years at Oracle and a variety of sales leadership roles across security and middleware technologies. Chris is a proud graduate of the University of Florida where he earned his BSc in Mathematics and also his Masters of Business Administration. So gentleman thanks for joining us, and I’ll let you take it away.
[01:09] Tudor Goicea: Sure, Matt, thanks a lot for the intro. This is Tudor speaking it’s great to have so many people on the call. We have some slides that we want to go through with you we have also prepared a couple of demos and we made sure that we have enough time for questions at the end and we strongly encourage you to ask those. So first, let me talk for one second about TypingDNA and what we do. Well, TypingDNA is an NYC based cybersecurity company. We are developing cutting edge typing biometrics technology. We do that to protect businesses and their users against account takeovers and other online fraud cases. The key is that we’re doing that without burdening the user experience. Just a bit on our history, we started in 2016, from the bold idea of recognizing users based on the way they type. We went through the TechStars NYC 2018 program and today we are used by millions of users on all continents. We work with financial services, companies, with SaaS platforms, we work with online assessment companies and in essence what we do is help them validate online identities where it really matters to them. Chris?
[02:35] Chris Curcio: Great, thanks, Tudor. Welcome, everybody. I will talk a little bit here about Optimal IdM and then we’ll get started with the rest of the presentation. Optimal IdM is a global provider of innovative and affordable identity and access management solutions. We’ve been around for a little over 13 years, founded in 2005. We’re 100% organically grown with no outside investment or no debt, profitable every quarter of existence and we have solutions deployed across 6 continents. We’re Headquartered in Tampa, Florida. Our flagship product the OptimalCloud is a complete identity and access management solution, which is only 1 of 15 solutions selected to the Gartner Magic Quadrant for access management. The OptimalCloud provides single or multi-factor authentication, which we’ll be talking about today. Federated single sign-on, adaptive authorization, self-service, self-registration, user and group management, delegated administration, password management, entitlement management, and complete reporting and analytics. The OptimalCloud can be deployed in a shared multi-tenant environment or as a single tenant fully managed service. The OptimalCloud is built upon the industry’s leading virtual directory, Optimal’s Virtual Identity Server or VIS. VIS is an LDAP virtual directory providing a single view of joined data across multiple disparate data stores such as multiple Active Directory forests. We’re a horizontal company in nature, but our customers are across all different industries: retail, finance, healthcare, manufacturing, government etc. Doesn’t really matter what type of business you’re in, the problems we’re solving correlate to all of these. So why are we here today? Password policy and hygiene have long challenged even the best IT shops. It’s not just end-users who are to blame for using weak and reused passwords. Phishing scams and storing passwords where they can easily be accessed are culprits. IT also bears responsibility for not properly, monitoring and securing their Identity Provider (IdP), usually probably an Active Directory. Password as the only secret to access resources are insufficient security for access to most resources. Because they represent a single point of vulnerability. However, don’t be too alarmed, there are many options that we’re gonna be discussing today: multi-factor authentication, biometrics, and adaptive authentication. All of these, in different forms, can provide increased levels of security, but there are different trade-offs: cost, complexity, user experience. Over the next 30 or 45 minutes, we’ill be discussing the issues with password and traditional MFA, we’ll also introduce you to new and exciting technologies leveraging behavioral biometrics to keep your applications the most secure while still providing a great user experience.
[05:32] Chris Curcio: So passwords are dangerous. Many of today’s security threats target someone’s passwords or their PIN. A username plus password requires only one secret it’s the password. So the IT security industry recognized that username and password combination as a single source of authentication is inadequate. Is an inadequate method for access to important information or resources or services. Less than 1 month ago it emerged that more than a billion unique email address and password combinations had been posted to a hacking forum for anyone to see in the mega-breach dubbed Collection # 1. The hackers there can use a range of sites to compromise your services or other websites that you have access to. They do so by utilizing credential stuffing attacks, using bots to automatically test millions of email and password combinations on a whole range of website login pages. Most concerningly, the protective hashing algorithms of the stolen passwords have been cracked, so this means those particular passwords are available in plain text whereas in typical breaches even if they get access to your passwords, those are still encrypted via hashing.
[06:50] Chris Curcio: Here are relevant stats that we see across all industries for passwords: 81% of confirmed data breaches involved weak, fault or stolen passwords, that’s Verizon.
Forrester Research estimates 80% of today’s security breaches involve privileged credentials. And in the public domain, 50% of the public hasn’t changed their social network passwords for a year or more. I know I probably may have not either. 20% have never changed their social network passwords ever. 30% still use birthdays, addresses, pet names or children names for their work passwords, as well. Out of a recent study of close to 30 million people, 38% used the same password for two different online services and 21% of them slightly modified an old one to sign up for a new service. What’s crazy, this is normal user behavior, but it’s extremely risky. So what are some problems with passwords? Passwords are guessable. They’re subject to dictionary and brute force attacks, especially weak ones. Even complex passwords with adequate encryption are vulnerable because compute is cheap in today’s cloud world. It’s not difficult to leverage the power of the cloud to quickly guess passwords. Passwords are written down. How many times have you written down a password on a post-it note or seen someone else’s walking by their cubicle at work to see their passwords stuck next to their computer? There’ve been cases where people posted a photo online and in the background, you’d see a post-it note with someone’s passwords on it. That happens all the time.
Chris Curcio: Additionally, Passwords left at their vendor default values. I know many companies where depending on what type of hardware or software they purchase from other vendors, they never change the administrator passwords. These secrets or these passwords are well known in the hacking community and put the entire enterprise at risk when that happens. So would a better password help? Absolutely not. Many websites in corporate environments have taken steps to require more complex passwords. The issue with this is complex passwords are recommended; however, complex passwords, by themselves, can give a false sense of security. Like we said in the previous breaches they’ve cracked the hashing algorithms. So if this is your single point of vulnerability you’re still in trouble even with a complex password. Password complexity requirements mitigate risks of passwords being easily guessed, but like I said, they still end up being a single secret or a single point of entry to gain access.
[09:25] Chris Curcio: So there seems to be an obvious answer. Require additional secrets or a second factor before granting access to resources, services or applications. An additional authentication factor provides greater proof of ownership thereby mitigating the risk of an impersonator reusing your credentials. We as users can’t always control the security of the storage of our credentials from the identity provider but we can take immediate steps to mitigate the overall risk or inherent weakness of using only a single secret or single point of entry to get access to an online system. When MFA is offered at whatever service or application you’re trying to access, choose it. The additional authentication factors go beyond what you know which is a password into what you have and that can be a smartphone, a device, a smartcard or a token, or it could be something that you are like biometrics. Usernames and passwords with at least a second factor is the authentication standard for many security-conscious enterprises. It’s this additional layer of proof that mitigates the risk of impersonation and provides the proper identity assurance for the enterprise. At a minimum, second factor should always be leveraged for privilege accounts, access to privileged information such as when you’re doing adds, deletes changes, financial records, health care information and in general almost in every sense. Adding MFA for access to any operation in your enterprise dramatically reduces the risk to the organization as a whole.
[11:18] Chris Curcio: So what are the considerations for MFA? When the risk of the impersonation outweighs the cost of the MFA solution, it’s pretty obvious, implement MFA. A second factor should always be leveraged for privileged digital identity accounts. Some of the common decision factors for MFA include cost, complexity to deploy, options for delivery of the tokens if you’re using a hardware token, what’s the portability of that token, maintenance costs like for example the additional hardware tokens as people lose them they need to be replaced, what’s the reliability, and one of the most important parts is the end user experience, what’s the usability, will people actually use this if given a choice? Some examples of different MFA are time-Based One-Time passwords via Email, Voice, SMS. You can download authenticator applications like the Optimal Authenticator, that’s a custom iPhone or Android app supporting time-based one-time passwords or push notifications. Other ways for MFA you could do U2F or Universal Second Factor, client certificates or if you’re in the government field Common Access Card or CAC.
[12:36] Chris Curcio: Let’s do a quick demo of what an existing multi-factor looks like, or the experience looks like. I am going to switch to our demo system Optimal Life, that’s a fictitious life insurance company I’m gonna sign in right here, so it’s going to ask me my username is my email address: chris.curcio@optimalidm.com, submit that. Now it’s gonna ask me for my password, type in my password and I get into my portal. In this particular example is a policyholder portal. As you can see I have access to the different applications who’s my broker agent, I can click on, it’s Acme insurance broker. There’s other information I can get to. And you see here, under view policy, there’s a red lockbox against it, what that’s indicating is this particular application requires a second factor to access it. So if I click on the application now it’s saying what are my choices for MFA. In this particular example I’ve set up different one-time passwords, I’m gonna actually have it sent to my phone right now, so that is being hopefully sent to my phone, and if I can pick it up, the code is seven, three, seven, three, one, eight. So, I get into the access, so now I have the policy information because that guarded that second factor. If I go back to the portal, now you’ll see it’s a green lockbox above that application so I can continue to get back in if I want to, and that time-limit of how long does that second factor reside for is totally configurable.
Chris Curcio: We come back to the slides here. Why don’t we require multi-factor authentication for everything? If MFA is more secure than just username and password why not require for every authentication attempt? There are a few enterprises and many government agencies that do require MFA for, at least, the initial login attempt. Even so, few require MFA for each application attempt against a new resource or requiring re-authentication within an active session. The issue for most enterprises is that MFA can provide a substandard and frustrating user experience, especially if the user is constantly prompted to enter additional information or has to go gather their phone. What we’ve seen is a poor user experience affects the productivity and pits the end-users against I.T. Then sadly, what often happens is that the end-users end up winning even at the cost of corporate security. The key here is MFA should be as transparent and as user-friendly as possible while providing maximum risk aversion or the highest level of security for the organization. It’s this combination or this pendulum of how secure it is and how user-friendly this is. We’re gonna to transition now to say what can a user do to make it much more user-friendly but still keep that high level of security. And I’ll let Tudor talk a little bit about that.
Tudor Goicea: Yes, thanks Chris also for the demo. I am happy to be able to introduce behavioral biometrics as an MFA factor. We’re very used to physical biometrics like FingerPrints and Facial Recognition, and we get to use them every day, but breakthroughs in Artificial Intelligence are finally putting behavioral biometrics on the map, and I am going to dive into that a little deeper. Now, without actually thinking about it, we use behavioral biometrics in our everyday lives to establish trust. For example, when you speak to people on the phone with someone, you will not ask them for the password, you will recognize them by their voice and you will trust that it is the same person. Also, for example, if you’re in a crowded place, someone is walking away from you but somehow you’re able to recognize them based on how they walk. Similarly, typing behavior can be used to authenticate users in the digital world. But how comes that behavioral biometrics work? Well, they work because behavior is unique, I won’t be able to behave like Chris, or vice-versa. Especially over longer periods of time, imitating behavior is extremely complicated, and this makes the method extremely robust, sometimes even more secure than physical biometrics.
Tudor Goicea: One of the main challenges with authenticating users based on behavior is related to the fact that users behave inconsistently, so, for example, we have environmental factors, like how much coffee a user had that morning, or that behavior simply evolves. For example, let’s say that you’re changing your job and you’re now with Facebook so you’re going to be typing Facebook a lot of times every day, so your speed will actually increase when you’re typing exactly those keys and it’s important that a good behavioral biometric authentication solution keeps up with those changes in behavior and is able to pick up on them. And also as I mentioned it’s very important that behavioral biometric solutions are able to extract those consistent features within behavior so that they are less affected by environmental factors. So if we go to the next slide I can tell you a little bit about how typing biometrics work.
[18:58] Tudor Goicea: Well, first we need to capture what we call a typing pattern. Now, what we mean by a typing pattern is, in a sequence of keystrokes, the time that the user has spent on each key, and the time that it took the user to find the next key. What’s very important is the fact that we don’t record the actual keystrokes, so we’re not providing a keylogger, we only look at how users are typing. Now, depending on the type of device, we collect some other data to help with improving accuracy. For example, on desktops, we record how the user moves the mouse, and on mobile devices, we would record the orientation and the slight movements of the device while you’re typing. The second step, as I mentioned before, is extracting exactly those features that best describe the user’s behavior and that are as consistent as possible over time. This is key. Once that is completed, we run our machine learning algorithms and we provide the result for the authentication, that is do we recognize the user or do we not recognize the user. And all this actually happens in real time.
[20:10] Tudor Goicea: Now, I would like to go over some of the advantages that we see of running typing biometrics in multi-factor authentication or adaptive authentication environment. One key advantage, as Chris also mentioned, is related to the user experience. The user can be authenticated in exactly the same way across channels, whether the user is on mobile or on desktop they would have the exact same experience. It doesn’t depend on any type of hardware and when it’s put together in a really good way then it can be completely passive, so that the user does not need to change previous behavior. And this is key. As we know, users are reluctant to change, so not having to change previous behavior will drive adoption. And also, on the internal level, the product and business teams will be very happy with getting an authentication method that does not drive users away. The second very important point whenever we’re talking about authentication is security. As I mentioned, behavior is extremely hard to imitate, and that makes it very resistant against presentation attacks. In terms of accuracy, at TypingDNA we reach very high accuracy with just two to three previously stored typing patterns, so very early on in the user’s lifetime. Our solution does fulfill official MFA requirements for security around the world and the really cool thing is that it gets better throughout the user’s lifetime, as it keeps learning and learning how the user types. I think it’s time to actually go to do a demo on exactly how typing would run as part of an authentication system.
[22:02] Chris Curcio: Great, Tudor. All right so we’re back in the demo environment. I signed out of the other session that I had before. This particular login page has the TypingDNA engine behind it, so I’m gonna be typing in my email address and that’s what we’ll be keying on. You see it’s thinking and as I did that it gave me gave me a score of 90.2% of accuracy of how I typed in my email address. I hit sign in, it validates the password like it did before. This time as I’m through you see that the application view policy that had the red check mark against it before in requiring a second factor and that the second factor has already been applied. So from an end-user standpoint, it’s seamless access to their application. I click on the link I get right into there. Now I sign out again, and to show that this is actually a real system I’m going to pass the control over to Tudor. Tudor, you should have control now so.
Tudor Goicea: Okay let me see. I’m gonna try again, but you can see that it’s actually not letting me in. Can you can you refresh the page?
Chris Curcio: I can, there you go.
Tudor Goicea: Okay let’s see. Yes, I’m still here okay so you can see that I wasn’t recognized as Chris. I’m gonna try to do it again just for consistency, yes?
Chris Curcio: Sure. You’re getting a little better though you got up to 26% it’s still below the threshold but it is a little better, so now if I take back control and now I type in my email address but I’m doing it, I get 94% and in as long as I know my password as well and I get access.
[25:19] Tudor Goicea: So yes, as you could see, by deploying typing biometrics as 1 factor in MFA suit, we kind of get the best of both worlds. So the user is protected, but the user is not annoyed and all the graphical things that you saw like the icon and the small text appearing and so on they can actually be removed so that the authentication is completely invisible to the user. Now following the exact same line of thought, one of the major trends that we see is adaptive authentication. I’d like to go a little bit into that. Adaptive authentication starts from the idea that not all user interactions carry the same risk and this makes sense, right? For example, a user checking their account balance will not carry the same risk as a user attempting to transfer all funds outside of their bank. Right? And most importantly, users often perform exactly those low-risk interactions in whatever service they are. So, does it really make sense to have them jump through high hoops when they only want to do low-risk actions? And this is exactly where adaptive authentication comes in. Adaptive authentication goes by very many names and flavors. So you could call it Adaptive Access Controls, Context-Aware Authentication, Risk-based Authentication, Conditional Authentication, there’s a huge list of that. And, although these terms are somewhat different, they are often used interchangeably.
[27:00] Tudor Goicea: This one is a really good graph of adaptive authentication. Now, the whole point of adaptive authentication is to match the trust that we have regarding the user identity to the risk of the interaction. And this is the key, yes? The point is matching the trust that we have regarding the identity of the user to the risk of the interaction. First, to increase the trust in the user, we would take into account all possible non-collaborative or contextual factors. We can gather all of these points without burdening the user experience whatsoever. Examples would include the login type, for example, are we dealing with a login from a social network or are we dealing with a login from the corporate single sign-on. Another example is the time of day, are we used to seeing this user at this time, in the day in this specific application, the geolocation, the device fingerprint, and even the typing pattern if the user has typed anything during the login. Afterwards, throughout the session, if the risk of an interaction exceeds the trust level that we have established before, we can escalate the authentication by having the user go through the usual MFA steps that you saw before and thus increasing the trust level. All in all, users will most probably not need escalations most of the time and this is the way we can probably achieve the best balance between user experience and security.
[28:40] Tudor Goicea: Let me try and sum up what Chris and I have been talking about and then we’ll jump right into the questions. We started from the basic idea that using passwords alone to protect your users is not enough. Even if you increase password complexity you’re making things way too easy for today’s attackers and you’re actually making things hard on your users. The simple and easy solution would be to use MFA, but not all MFA methods are equal. Here we have differences in terms of security, in terms of user experience, ease of maintenance or cost so you need to choose wisely. One of the newest and most elegant solutions is to use AI enabled typing biometrics right at login, maintaining good user experience and increasing security. Such solutions can easily be deployed by identity management providers like Optimal IdM and they will cover all your applications and all your users. Last but not least we covered the slightly more complex solutions for adaptive authentication as kind of the best of both worlds. Whereby we heavily rely on context and non-collaborative authentication factors for establishing a trust level and only escalate the authentication when the risk of the session exceeds that trust level.
[30:20] Tudor Goicea: I think we can move forward to the questions, I open the floor for questions. I think there’s some functionality in here to actually be typing questions and we’ll go through them.
Chris Curcio: Matt do you have any?
Matt Pitchford: Okay, yes so I have a Question here. If the behavioral biometrics fails on the username like when Tudor typed it in can the user still login with the password but not have access to the profile page?
Chris Curcio: Certainly you can you can do that. We just were using that example but the workflow is totally up to the business requirements. You could have the typing behavior be put in at any time like through an adaptive mechanism but also at the beginning or that can failover to a traditional MFA if your biometric piece if the typing behavior continued to fail. Tudor do you want to add anything?
Tudor Goicea: No, now I think that’s actually a very great question because it’s it kind of makes a transition from MFA to adaptive authentication so you’re kind of taking into account the typing behavior as part of the context and if that is not fulfilled the trust that you have in the user is not at the highest level so then you would decide to escalate at a later point in time if the interaction exceeds a certain risk threshold.
Matt Pitchford: Okay, let’s see, we have another question here. What happens if the typing changes suddenly like if I was drunk and the user is not recognized anymore?
Tudor Goicea: Sure, indeed there are some environmental factors as I mentioned that will influence the typing behavior, being drunk can be one of them. I would probably first start with a question whether you would want a drunk user to be accessing the more sensitive information, but assuming that you do, or there’ other thing happening like a broken arm you would probably use a fallback method. So whenever you will try to use biometrics you will see that there’s always a fallback method. For example, if you want to set up a fingerprint on your mobile phone, whatever brand that may be you will have to define a PIN before you’re able to do that or a pattern or whatever. This is exactly what would happen in this case and our partners at optimal IDM have a lot of failsafe methods that they can provide.
Matt Pitchford: Okay see we have another question here. Can I sign into all my corporate apps including cloud-based SAAS apps with my corporate credentials?
Chris Curcio: Sure that would be part of a broader overall identity management framework, but of course if you have a product like the optimal cloud deployed in your environment, it would secure both your on-premise and your SAAS-based application. So your same credential could be used even from your desktop, then to access those applications in a single sign-on or federated single sign-on manner and as Tudor mentioned you can deploy adaptive authentication or adaptive authorization policies per application, per access along the way to ensure that the right level of authentication is always required for each application.
Matt Pitchford: Ok. Let’s see this one just came in. How would the system deal with password managers?
Tudor Goicea: Yes, that’s actually a question that we get quite often. TypingDNA, in this case, was used on the very login at the beginning. In essence, you can use TypingDNA wherever users type throughout the session so we do have some integrations where in the case where the password manager and the context of the authentication implies a risky authentication like having a different device, then the user would have had a pop-up shown and asking the user to retype their email. Right? And we would have auto-fill disabled there. So this is a more aggressive approach if you will. Another method is just to go to a failsafe, as we mentioned before, or do another authentication throughout the session when the user is actually typing.
Matt Pitchford: Okay.
Chris Curcio: Right, the key being is that you can apply TypingDNA not just to the username, which in our case is the email address, and/or the password, but any field. So if you use the password manager to type in your username and password you could require another field of random text to also be typed in to validate the typing behavior.
Tudor Goicea: That’s right.
[35:57] Matt Pitchford: Okay, let’s see this question. How is the TypingDNA capability called or exposed and when I say called I mean from the identity management system for example Optimal
Tudor Goicea: I will assume that you mean how the two solutions are connected with each other.
Matt Pitchford: That’s what it sounds like yes.
Tudor Goicea: Yes well, TypingDNA is being called through an API directly from the Optimal IdM access management solution so the solutions are embedded with each other.
Matt Pitchford: Okay and then from the same person: are there any plans for plugging into the Windows Hello Ecosystem?
Tudor Goicea: That actually is on our roadmap, yes.
Matt Pitchford: Okay, and then also from the same person: what are the challenges and solutions with TypingDNA and a loss of network internet connectivity?
Tudor Goicea: Well here is where TypingDNA has an edge over other especially biometric methods of authentication because the typing pattern is such a small thing that even when you have a very laggy internet connection you can actually send it. So a typing pattern is usually around 1 KB in size and if you compare that to a facial recognition system where you would have to send probably a set of pictures if they have liveness detection as well then there’s a huge difference. So when there’s laggy internet connection TypingDNA does work and it works very well. When there’s absolutely no internet connection, well, you would probably not be accessing anything on the internet, only local services, so yes it wouldn’t really work.
Matt Pitchford: And I think this is related: how does TypingDNA adapt to the user authenticating through different devices?
Tudor Goicea: This is also something that we deal with at TypingDNA. So as long as the device let’s say it’s of the same form factor there shouldn’t be any issue whatsoever. So if you’re let’s say enrolling from a laptop and then you’re coming home and trying to login from a normal keyboard the solution will still identify you. When you move from one type of device, from one form factor like a laptop to a mobile phone that is where we will need to re-enroll you on the mobile phone in order to be able to authenticate you on that type of device.
Chris Curcio: So basically you’re saying it’s for every form factor you’ll be using as part of your profile you’ll need an enrollment for that form factor?
Tudor Goicea: That’s right, that’s right.
Matt Pitchford: The questions keep rolling in so I hope you’ve got some time here the next question is what kind of machine learning or deep learning algorithms or models do you use if you can answer that?
Tudor Goicea: Well, that is something that we kind of like to keep in-house.
Matt Pitchford: Sure. Okay, let’s see. What is the false positive rate for TypingDNA in your study or practice
Tudor Goicea: This is a great question because we’re getting into the accuracy discussion. Now, of course, we perform a lot of tests on our solution in-house. The false acceptance rate that we reach in-house actually reaches all the way to zero percent, but as a word of caution we do our testing on tens of thousands of samples, so if we were to expand that to say millions of samples, the false acceptance rate would probably be a nonzero figure there. But the point is that we can easily comply with local regulation around the world for false acceptance rates in multi-factor authentication solutions.
[40:25] Matt Pitchford: Okay and I think this question is probably related too: how do you prevent fraudulent onboarding, for example, the typing pattern of a criminal would be recorded as authentic? How do you prevent?
Tudor Goicea: Sure, so we are trying to increase what we call the level of assurance as much as possible during enrollment because as the person that asked the question correctly is thinking if you’re enrolling the wrong user then the whole MFA system will actually not work as it’s supposed to work. And this actually carries for any kind of MFA method you will do be it an app on the mobile phone or a biometric solution like ours. The easiest way to ensure a high level of assurance is enrolling at the very creation of the account so that is when you’re assuming that you’re dealing with the rightful user. If you’re doing it after the creation of the account you would increase the level of assurance probably with another multi-factor method like a one-time password via email or via SMS something like that.
Matt Pitchford: Okay next question. What if any options exist to leverage the TypingDNA capability into the user’s desktop login?
Tudor Goicea: Sorry can you come again on that?
Matt Pitchford: Are there any options to leverage the TypingDNA capability into the users desktop login?
Tudor Goicea: So I think this circles back to the question on the Windows Hello. As I said integrating with a Windows login, is part of our roadmap.
Matt Pitchford: Ok. Next question does a user’s behavior vary between devices what happens when a user gets a new device?
Tudor Goicea: Yes, so we found that we can extract consistent traits of the typing behavior within the same class of devices like devices with physical keyboards or smartphones or tablets. When we have a user moving from one device class to another we’re gonna need to re-enroll them.
Matt Pitchford: Okay, let’s see. Does Optimal IdM have options where if Chris is logging in via his iPhone then touch ID is acceptable but if he is using a laptop then TypingDNA should be leveraged? So can they use different forms of authentication? Chris?
Chris Curcio: Yes, I don’t see why not. I’m just trying to think through it. That could be part of how the step-up authentication occurs. If you’ve already done it in one form then you wouldn’t need it in the other. I think that should be ok, I’d have to think through it exactly but I believe so because we could key on the device and from this device you’re requiring one type of authentication from other devices you’d require say TypingDNA so I believe that should work.
Matt Pitchford: Okay, and then a follow-up question to that: what are my options if I wanted to test TypingDNA using my existing authentication ecosystem which is Ca Siteminder. Today we use Radius to call our MFA solution. Can TypingDNA play in that?
Chris Curcio: Yes, I don’t see why wouldn’t be able to. I mean that would be more of a Tudor question but yes, I don’t see why not.
[44:27] Tudor Goicea: As I mentioned a little bit earlier our solution is available virtually anywhere via an API. So it should be quite easy to integrate in any kind of authentication system
Matt Pitchford: And then, does the TypingDNA solution offered as a whitelist option for users who get approved to opt out. I guess do you offer it as a whitelist option?
Tudor Goicea: Yes of course but this again is something that you would you would do at the identity management system level not necessarily at TypingDNA level.
Matt Pitchford: Right, okay as here’s a compliance question how does this solution preserve privacy with CCPA or GDPR in mind?
Tudor Goicea: Okay I actually love this question. I saw it on the list and I was hoping you will you will pick it. We’re actually very careful about that, we are carrying out GDPR compliance audits consistently. Now in terms of GDP what we do is, first of all, we start with an opt-in for all users of TypingDNA. all right, so you don’t want to use TypingDNA, that’s fine and you will always have another option. Second of all, we have built our system with privacy by design in mind so what we do is that we actually anonymize all data from the very beginning so in our databases we actually can never assign any typing pattern to a real person and this is very important. All in all, yes we do comply with such regulation and we’re very careful about that.
Matt Pitchford: Okay, another follow-up question on the broken arm.
Tudor Goicea: Okay.
Matt Pitchford: If I have a permanent injury that changes my typing pattern permanently, how do you retrain the TypingDNA or how long does it take to be adapted to the new solution?
Tudor Goicea: Well in such a case what you would do is do a manual re-enroll. What we do in practice is when we notice that we’re not recognizing a user consistently then we assume that something has happened and that’s when we can decide whether to re-enroll the user with TypingDNA or not – a clean slate.
Matt Pitchford: Sure, okay. Let’s see. I’m sorry I might have asked this but is there a publicly available data set for your models of course not whole but a sample? What does it look like?
Tudor Goicea: We do not have that, no.
Matt Pitchford: Okay. Then, it looks like there’s one other question. How would you integrate this solution into on-premise application access that traditionally does Kerberos authentication?
Tudor Goicea: Chris, you wanna take that?
Chris Curcio: An on-premise Kerberos Windows authenticated application? Like we would integrate with Kerberos, so we trust that the user we’ll trust that authentication. We’ll take the Kerberos ticket and we then create the credential for the user and provide single sign-on to the application. Yes, that user would be authenticated at the desktop with Kerberos. But if through your adaptive rules when you access a specific application we want to enforce TypindDNA or behavioral biometrics at that point we’d prompt the user, assuming this is a web application, prompt the user for the re-authentication with their typing credentials. So that would be your second factor. The Kerberos ticket would be the first factor then the second factor would be your typing but they wouldn’t be putting their typing pattern in until they try to access that application. So they would login to their desktop do whatever they’re doing, when they’re trying to access a web application we grabbed the Kerberos ticket and then at that point forced them to go to a login page for TypingDNA and then what they type in is totally arbitrary up to you.
Matt Pitchford: Okay, and then one last question came in: What if my application doesn’t support MFA?
Chris Curcio: That’s okay I mean as long as it’s part of an overall identity management or access management solution framework that’s no problem because at that point there’s a number of ways to provide single sign-on to those applications either legacy ways of creating cookies or passing in credentials or modern ways of providing federated single sign-on or a combination of both. The applications shouldn’t need to be changed at all and if it’s a third party application that you can’t change that’s okay as well because it would happen in front of it.
[50:00] Matt Pitchford: Okay, well it looks like that’s all the questions we had. Are there any last things you’d like to say? Is there a way that they can reach you, maybe?
Tudor Goicea: Yes, sure. I think you are all seeing our email addresses if there are any questions that we did not answer or if there are any follow-up questions feel free to reach out to us and we’ll be at RSA next week. We’ll actually be there together for a few days.
Chris Curcio: As well Gartner at the end of next week in London and then KuppingerCole in Munich in May, and then InfoSec in Orlando, I think it’s the first week in April and I believe InfoSec in London is maybe in June is that right too?
Tudor Goicea: Yes, I think so. We will definitely be there. If you’re there feel free to drop by. It would be great to chat and yes I think that’s it from my side.
Matt Pitchford: Okay, super! Well, thank you, everyone, for joining and thank you guys, thanks for your time today.