Multifactor authentication is all the rage these days, thanks to increasingly sophisticated trojans and phishing attacks and even rootkits aimed at stealing passwords and sensitive data. High-stakes online crime has even spurred financial services companies and some enterprises to consider new, "risk-based authentication" solutions, which examine behavioral patterns and session characteristics to identify rogue users.
One of a number of security vendors introducing risk analysis to the authentication equation is Cogneto, a London-based startup with offices in Vancouver and Seattle. Launched in September 2006, Cogneto's Unomi solution verifies user identity through behavioral characteristics (namely mouse movements) and measures risk based on both biometric and behavioral factors.
The technology behind Unomi is the brainchild of Cogneto chief scientist Martin Renaud, based on his research in cognitive psychology. He founded the company with a small group of information technologists including Cogneto's CTO and identity evangelist Patrick Audley and Ryan McArthur.
"The way that people interact with information is incredibly unique," Audley explains. "So if you can find a way to capture that, then you can measure someone's identity."
Unomi captures the unique way each user interacts with a mouse or trackpad or trackball. According to Audley, the behavioral analysis can detect when a user is under stress or intoxicated. When calculating risk, the system also considers such factors as the type and location of the connection, whether the client machine is known or unknown, and whether the user is performing a certain task at an unusual time of day, given his or her history.
As Audley puts it, "You might be the right person but if you're in the wrong environment or you're doing the wrong thing it's still not a good situation. Our technology identifies situational risk."
The same principle applies to shutting out the bad guys, Audley concludes, adding wryly, "Obviously, if you're the wrong person, that's generally considered risky."
That kind of security is attractive to banks concerned about phishing attacks and other forms of online fraud. But Cogneto is thinking even bigger: looking beyond authentication to what co-founders Audley and McArthur view as a larger opportunity in "identity services."
"We're developing an extension of our technology, which is really more a reapplication of our core technology to extend identity brand outside of (our customers) Web site," Audley says.
For member banks and their customers, Cogneto's authentication technology becomes a gateway into a broader trusted environment. The customers benefit from the bank's ability to serve as a trust authority, which makes it safer and easier for them to shop on the Web. The bank benefits from the opportunity to form lucrative partnerships through Cogneto's "identity network."