Flexible, effective, software-only two-factor authentication
BioPassword Enterprise Edition 3.2 (BPE) enhances the security of corporate networks by adding a second, biometric component to the standard Windows logon / authentication sequence. As a software-only solution, it does so without the need for the additional client hardware required by other modes of biometric authentication such as fingerprint identification or retinal scanning. Instead, BPE relies upon the consistent, distinctive pattern of each person’s keyboard keystrokes during the logon process.
BPE’s streamlined design will appeal to small organizations, and its support for a variety of environments lets it integrate easily into large enterprises. Supported environments include Citrix and RDP / Terminal Server users; selected thin clients with embedded Windows XP; and integration with Microsoft Outlook Web Services. Web application support allows you to integrate BPE into your own forms-based authentication screens.
BPE improves the standard Windows authentication sequence by extending the Active Directory (AD) schema within the AD domain tree hosting user IDs, and by inserting BPE GINA (Graphical Identification and Authentication) stub modules into the domain’s GINA chain. This requires that you install BPE on all domains that host either User or Computer accounts that will participate in BPE’s two-factor authentication. BPE is active during the primary AD login sequence and will optionally run during secondary logon sequences, such as Run As, Connect As, and Net Use.
BPE works by using client software to record keystroke timings as users complete the User ID and Password fields of an authentication form. Keystroke timings include the dwell (how long a key is held down) and flight (the time between key strokes) times. Using the timings, the authenticating domain controller (DC) calculates a Security Level score. That score is compared to a template created when the user first entered the user ID and password combination. To enroll, a user keys the user ID and password several times until BPE identifies the user’s consistent pattern. In my testing, this required eight or more repetitions. As administrator, you may configure enrollment to complete at the user’s first logon attempt, or gradually (and transparently to the user) over successive logon attempts.
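To make the dwell/flight/template/score flow above concrete, here is an added Python illustration (not BioPassword's code; BPE's actual template format and scoring rule are not published on this page, so the mean/standard-deviation template, the 15-points-per-deviation score and the 8-repetition enrollment rule are assumptions, and the keystroke timings are constructed):

```python
from statistics import mean, pstdev

SECRET = "secret"  # constructed password; a sample is [(key, press_ms, release_ms), ...]

def features(sample):
    """Dwell time of each key plus flight time between consecutive keys."""
    dwell = [rel - prs for _, prs, rel in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight

def enroll(samples, min_samples=8, max_cv=0.35):
    """Return a template of (mean, stdev) per feature once enough repetitions
    show a consistent pattern; otherwise None so enrollment keeps collecting."""
    if len(samples) < min_samples:
        return None
    cols = list(zip(*(features(s) for s in samples)))
    tmpl = [(mean(c), max(pstdev(c), 1.0)) for c in cols]  # floor stdev at 1 ms
    if mean(sd / mu for mu, sd in tmpl) > max_cv:  # still too erratic to enroll
        return None
    return tmpl

def score(template, sample):
    """Security-level-style score, 0..100: loses 15 points per average standard
    deviation the attempt sits away from the template (scoring rule assumed)."""
    dev = [abs(x - mu) / sd for x, (mu, sd) in zip(features(sample), template)]
    return max(0.0, 100.0 - 15.0 * mean(dev))

def verify(template, sample, required_level=60):
    """Second factor passes only when the score meets the configured level."""
    return score(template, sample) >= required_level

def make_sample(dwells, flights, seed):
    """Constructed keystroke timings: base dwell/flight values in ms plus a
    deterministic +/-2 ms jitter so repetitions differ like real typing."""
    t, out = 0, []
    for i, k in enumerate(SECRET):
        prs, rel = t, t + dwells[i] + ((seed * 7 + i * 3) % 5) - 2
        out.append((k, prs, rel))
        if i < len(flights):
            t = rel + flights[i] + ((seed * 3 + i) % 5) - 2
    return out

ALICE_DWELL, ALICE_FLIGHT = [95, 110, 88, 102, 97, 120], [140, 160, 130, 175, 150]
MALLORY_DWELL = [d * 2 for d in ALICE_DWELL]    # slower key holds
MALLORY_FLIGHT = [f * 3 for f in ALICE_FLIGHT]  # long pauses between keys

def demo():
    """Enroll Alice from eight repetitions, then score one genuine and one
    impostor attempt against her template."""
    attempts = [make_sample(ALICE_DWELL, ALICE_FLIGHT, s) for s in range(8)]
    partial = enroll(attempts[:7])  # seven repetitions: enrollment not complete
    tmpl = enroll(attempts)
    genuine = score(tmpl, make_sample(ALICE_DWELL, ALICE_FLIGHT, 42))
    impostor = score(tmpl, make_sample(MALLORY_DWELL, MALLORY_FLIGHT, 42))
    return partial, genuine, impostor
```

Raising `required_level` in `verify` is the software equivalent of the stricter security level an administrator can demand; the trade-off is more rejected genuine logons from a user whose rhythm drifts.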
The implementation process has many steps, but is fairly straightforward. Basic AD installation updates the AD schema, then installs software on all PDC emulators in the tree, on all authenticating DCs, and on all client computers. Other supported environments require additional installation steps. BPE isn’t enabled upon installation, and it won’t participate in the authentication process until you enable it both for the participating domains and for the participating user IDs.
To test BPE, I installed it to a domain with a single DC. I installed the client component to several computers that were members of that domain and to a computer that was joined to a trusted domain and enabled BPE authentication for them. You can enable user accounts for BPE either individually or by enabling a group they belong to for BPE authentication. Figure 1 shows the BPE properties panels used to enable and configure BPE for a group. Finally, I enabled BPE for the domain.
BPE caused me to pay close attention to the logon process, as BPE requires a continuous flow of keystrokes. I enlisted several other regular users of computers in the testing, to see if the “wrong” user could successfully authenticate. This occurred only once in the course of my testing. Administrators can determine how stringent or relaxed their authentication environment will be by requiring a higher or lower BPE security level score.
I found BPE to be effective and relatively easy to work with. BPE provides an evaluation kit to facilitate testing and configuration. Many people will find that installing BPE isn’t a trivial process in their environments, but the added level of security will make it all worthwhile for many of you. The implementation flexibility that BioPassword has designed into the product will help ease that effort, and the support for several popular ways users access their applications makes this a viable product for many enterprises. For those seeking to add multifactor authentication as a way to increase system security, I recommend that you take a look at BPE.