The idea that a computer authentication system might be watching not just the content of your username and password, but the way you type them—that is, the exact amount of time your fingers linger on each key, measured to the millisecond—may sound a little spooky. But that’s the premise of Delfigo Security’s new “DSGateway” software, introduced today. The company says its biometric verification and fraud detection technology could transform the way large organizations manage computer access, perhaps permanently eliminating such awkward contrivances as the one-time password tokens that many corporate employees must carry everywhere in their pockets or on their keychains.
In a second announcement today, Boston-based Delfigo also revealed the identity of its first paying customer: the cardiology department at Boston’s Children’s Hospital. The department will use the system to control access to a new patient record management system that it plans to extend to a number of partner hospitals and clinics, according to Ralph Rodriguez, Delfigo’s founder and CEO. James Lock, the chair of cardiology at Children’s, said in the announcement that Delfigo’s technology meets the department’s needs for security and compliance with privacy regulations “while integrating into our current technology.”
Indeed, the whole point of Delfigo’s system is to provide what computer security professionals call “multi-factor authentication”—identity verification measures that go beyond the traditional username and password—without forcing users to adopt additional technologies such as tokens, fingerprint scanners, and the like. The Children’s cardiology department “experimented with everything from physical tokens to digital certificates to proximity cards, but they all broke down for a variety of reasons, one of them being ‘supply chain’ issues when someone loses their token or card,” Rodriguez tells Xconomy. “We went in and showed them that we could, in fact, tell two things: one, we can know that it’s you logging in, but we can also know if someone else tries to use your password.”
Delfigo opened last fall with venture backing from Stage 1 Ventures in Waltham, MA. Rodriguez is an inventor and serial entrepreneur who was formerly chief security officer at Burlington, MA-based Excellon Corporation and chief technology officer at Chelmsford, MA, semiconductor automation firm Brooks Automation. He says he’s been developing the company’s proprietary keystroke measurement technology for several years, putting on the finishing touches while working as a research fellow at the MIT Media Lab under renowned artificial-intelligence expert Marvin Minsky.
Here’s how Delfigo’s system works: Delfigo adds a bit of JavaScript code to the Web page for an organization’s login screen that listens to the electrical signals coming from a computer’s keyboard. The code measures both the “dwell time” (the amount of time your fingers spend on each key) and the “flight time” (the amount of time between keystrokes). When you hit the return key or the login button, the timing information is first transmitted to Delfigo’s servers via HTTP, the standard Web data transfer protocol. Delfigo’s software then compares the incoming timings to historical information stored for each user. (Users have to train the system before it kicks in, Rodriguez says, by typing their usernames and passwords six to 10 times.)
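To make the dwell-time and flight-time comparison concrete, here is an added example that is not Delfigo's code: it turns key-down and key-up timestamps into a timing vector, builds a per-user profile from six enrollment samples, and scores a new attempt against it. It uses a simple per-feature mean and standard deviation rather than the company's proprietary method, and every function name, the 5 ms floor and the sample timings are assumptions constructed for illustration.

```javascript
const MIN_STD_MS = 5; // assumed floor so a very steady typist is not over-penalised
// events: [{key, type: 'down'|'up', t}] in arrival order, t in milliseconds.
function extractFeatures(events) {
  const open = new Map(), strokes = []; // open: key -> index of its unmatched keydown
  for (const e of events) {
    if (e.type === 'down') {
      if (open.has(e.key)) continue; // auto-repeat while the key is held
      open.set(e.key, strokes.length);
      strokes.push({ down: e.t, up: null });
    } else if (open.has(e.key)) {
      strokes[open.get(e.key)].up = e.t;
      open.delete(e.key);
    }
  }
  const done = strokes.filter((s) => s.up !== null);
  const dwell = done.map((s) => s.up - s.down);
  const flight = done.slice(1).map((s, i) => s.down - done[i].up); // negative on key rollover
  return dwell.concat(flight); // timings only, no key identities
}
// Per-feature mean and standard deviation over the enrollment samples.
function buildProfile(samples) {
  return samples[0].map((_, i) => {
    const col = samples.map((s) => s[i]);
    const mean = col.reduce((a, b) => a + b, 0) / col.length;
    const variance = col.reduce((a, b) => a + (b - mean) ** 2, 0) / col.length;
    return { mean, std: Math.max(Math.sqrt(variance), MIN_STD_MS) };
  });
}
// Maps the mean absolute z-score to (0, 1]; 1 means identical to the profile mean.
function confidence(profile, features) {
  if (features.length !== profile.length) return 0; // different number of keys
  const z = profile.reduce((sum, p, i) => sum + Math.abs(features[i] - p.mean) / p.std, 0);
  return 1 / (1 + z / profile.length);
}
// Constructed input: build an event stream from chosen dwell and flight times.
function typed(text, dwell, flight) {
  let t = 0;
  return Array.from(text).flatMap((key, i) => {
    const ev = [{ key, type: 'down', t }, { key, type: 'up', t: t + dwell[i] }];
    t += dwell[i] + (flight[i] || 0);
    return ev;
  });
}

const profile = buildProfile([0, 3, -4, 6, -2, 5].map((j) => extractFeatures(
  typed('pass', [90 + j, 80 - j, 100 + j, 95 - j], [120 + j, 140 - j, 110 + j]))));
const owner = extractFeatures(typed('pass', [92, 79, 103, 93], [118, 143, 112]));
const other = extractFeatures(typed('pass', [150, 60, 170, 55], [60, 260, 40]));
console.log(confidence(profile, owner).toFixed(2), confidence(profile, other).toFixed(2));
```

The same correct password scores very differently for the two typists, and the vector sent for scoring carries timings only, not the characters typed.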
Using sophisticated neural-network algorithms, the software calculates a “confidence score”—in essence, the likelihood that the person who’s trying to log in is the real account owner. It’s all a matter of statistics, Rodriguez explains, since the timings of each new login attempt will never match the training information exactly. If the confidence score crosses the threshold set by the organization, Delfigo