Multifactor authentication is all the rage these days, thanks to increasingly sophisticated trojans and phishing attacks and even rootkits aimed at stealing passwords and sensitive data. High-stakes online crime has even spurred financial services companies and some enterprises to consider new, "risk-based authentication" solutions, which examine behavioral patterns and session characteristics to identify rogue users.
One of a number of security vendors introducing risk analysis to the authentication equation is Cogneto, a London-based startup with offices in Vancouver and Seattle. Launched in September 2006, Cogneto's Unomi solution verifies user identity through behavioral characteristics (namely mouse movements) and measures risk based on both biometric and behavioral factors.
The technology behind Unomi is the brainchild of Cogneto chief scientist Martin Renaud, based on his research in cognitive psychology. He founded the company with a small group of information technologists including Cogneto's CTO and identity evangelist Patrick Audley and Ryan McArthur.
"The way that people interact with information is incredibly unique," Audley explains. "So if you can find a way to capture that, then you can measure someone's identity."
Unomi captures the unique way each user interacts with a mouse or trackpad or trackball. According to Audley, the behavioral analysis can detect when a user is under stress or intoxicated. When calculating risk, the system also considers such factors as the type and location of the connection, whether the client machine is known or unknown, and whether the user is performing a certain task at an unusual time of day, given his or her history.
As Audley puts it, "You might be the right person but if you're in the wrong environment or you're doing the wrong thing it's still not a good situation. Our technology identifies situational risk."
The same principle applies to shutting out the bad guys, Audley concludes, adding wryly, "Obviously, if you're the wrong person, that's generally considered risky."
That kind of security is attractive to banks concerned about phishing attacks and other forms of online fraud. But Cogneto is thinking even bigger: looking beyond authentication to what co-founders Audley and McArthur view as a larger opportunity in "identity services."
"We're developing an extension of our technology, which is really more a reapplication of our core technology to extend identity brand outside of (our customers) Web site," Audley says.
For member banks and their customers, Cogneto's authentication technology becomes a gateway into a broader trusted environment. The customers benefit from the bank's ability to serve as a trust authority, which makes it safer and easier for them to shop on the Web. The bank benefits from the opportunity to form lucrative partnerships through Cogneto's "identity network."
For example, the bank's customers could use their bank account to make purchases directly without going through an intermediary such as Visa, Audley points out. The end result could be a kind of identity federation between large financial services, banking and e-commerce vendors and their countless business partners.
"Let's say you're a Bank of America customer," Audley continues. "Bank of America does a co-marketing deal with an insurance company to offer insurance to their customers at better rates. Our system allows those other companies to authenticate you as a Bank of America customer without knowing your bank account number or any of your private details."
Cogneto plans to unveil the identity network this summer. Audley says that, in addition to banks, the company is seeking partnerships to crack the enterprise and e-commerce markets, with Cogneto functioning as a broker between organizations that are looking for secure authentication options.
"You can think of it as a metadirectory," adds McArthur, the company's director of marketing and business development. "But I can't stress enough that we don't actually store any of the data. All we do is we help people get in touch with other people."
Audley and McArthur say that Cogneto can help merchants exchange useful information, such as the date of a last purchase, amount of last purchase, customer status, credit status, and so on -- without compromising customers' privacy or confidentiality.
"In some cases the only thing that's really relevant to the merchant is the fact that the user who is coming to them has a bank account in good standing," Audley says. "That information is actually quite valuable."