Could Your Very Thoughts Be The Key To Data Security?

Here's the kind of e-mail we all love to get from the IT department or our ISP or a vendor with which we do online business: "Effective immediately, you will need to create a new password."

Perhaps nothing has led to more monitors being thrown into a wall than passwords, a fit of frustration often preceded by "Sorry, password not recognized."

And that's a big evolution for a word in a short time. For two decades, 30 minutes at a time, Password was a game show in which two contestants, one usually a celebrity, scored points by getting the other person to guess a word by providing one-word clues.

Fast-forward to the early 21st century and passwords are ubiquitous. Everyone has one or more, and as criminals figured out long ago, that little word is all that stands between the scammer and your funds.

Little did anyone ever foresee how the password would become a cottage industry. In fact, the password has become passé-word. Easily broken (it's semi-amazing how many people used or still use "password" as their password), credit unions like other financial services providers, have been racing to stay one keystroke ahead of the scammer.

Credit unions have turned to a number of solutions to meet requirements for "two-factor" authentication, including choosing an icon or "pass-face" known only to the user as one way to defuse phishers.

The great problem with passwords, of course, especially when people use more than one or are required to change their password regularly, is that they are easily forgotten or stolen. Two factor can become blues factor.

But one company believes it has developed a security solution that can neither be forgotten nor stolen, a solution it says "integrates dynamic biometrics with cognitive psychology" and which examines "multiple physical, behavioral and cognitive characteristics as well as local and global risk factors to validate identity claims."

That's one way of describing it. Here's another: memories and behavior, both of which are unique to you.

Here's how Patrick Audley of Seattle-based Congneto describes what the company believes is the answer to a dilemma as old as online transactions themselves: authentication and security.

"We offer a solution to strengthen a relationship with the customer and remove a frustration of having to remember another password, while also meeting the regulatory requirements," said Audley. "If you've ever flown to Israel then you know El Al has a very arduous process of asking questions: did you buy weapons, etc. The questions are not really meant to elicit a 'yes' answer. It's meant to distract you by observing behavior. The answer is not the most important part. Similarly, as you go through logging in, we are looking at how you interact with the computer, even how you move your hand. We can develop a risk score for that contact."

In fact, Audley describes it as "mind blowing the amount of data that can be derived just from logging in." If you need details, he says it all involves "general kinematics" and "cognitive authentication."

So forget the password. If Cogneto has its way, the future lies in "passthoughts" that are unique to all of us.

Consumers using a Cogneto log-in procedure provide answers that only they would know. The company describes the process as "the most adaptive means of identity verification. These behavioral identifiers known as passthoughts allow it to gather information based on the unique patterns and behaviors that users exhibit, and consequently learn and adapt to each individual. (If you're interested in seeing a demo, you can find one at www.cogneto.com.)

"You can have as many pass thoughts as you'd like, you get a question at random every time," said Audley. "Then you will have as many as five questions-who, what, where, when and why, and as few as three. You can have a series of events. If I ask you to remember 10 passwords, you can't do that. But you can remember 10 or even 20 life events."

No credit unions are on board, and neither are any banks. But the company has presented the product to the latter.

"The back end is designed to appeal to the risk-management group. Part of what we are trying to introduce is risk-adaptive technology," said Audley. "For a lot of the smaller institutions it's easier to install. The integration part is quite small."

But what about those security breaches that have plagued the security industry? What if Cogneto is breached? "All we ask is for a unique identifier for the customer," said Audley. "We don't store any data. In fact we've engineered it so even if a hacker broke in and stole the source code they would not be able to do anything with it."

Because no one can steal your thoughts. Yet.

Frank J. Diekmann is Publisher of the Credit Union Journal and can be reached at fdiekmann<at>cujournal.com.