By Rick Beaudry, CEO, B Virtual
With over 200 clients in the online student exam monitoring sector (online proctoring and authentication), B Virtual integrates many forms of multi-factor authentication tools and techniques. As such, we are focused on the right solutions for the right situation. More and more, research is surfacing to help us guide institutions in their decision-making, offering perspective on what are research-based results versus product sales “sizzle”. There is much confusion and misunderstanding about the impact, accuracy and integration of multi-factor online student authentication techniques. Let’s explore some of the analysis.
Security questions and keystroke analysis are often used as part of an identity verification “routine”. Both of these are increasingly seen by industry experts as outdated. Security questions, for example, have been known to have a 50% failure rate, in that bad actors are able to answer them correctly. This was validated in a recent IRS data breach and is public knowledge. So, 50% of the time, security questions are not working. In fact, it is well known that for student groups, especially younger students, the amount of credit card and other marketing data is sparse, so more of the questions are drawn from social media, and these are even easier to guess.
Keystroke dynamics, in the opinion of many industry experts, is very inaccurate. In a recent example, testing of Biometric Signature ID’s BioSig-ID and of keystroke dynamics by the same test lab found that keystroke was 27 times less accurate and 9 times less able to recognize current users. They did not report results that even met the national standards set by NIST. Biometric Signature ID’s gesture biometric results, on the other hand, were reported as 3 times better than the typical national results. In essence, use of keystroke dynamics is weak security and has created very poor user experiences. Buyer beware: the “sizzle” in using keystrokes is bad medicine.
Here are some high points of comparison:
A look at two of the most common of these options, gesture and keystroke biometrics.
Gesture biometrics:
- Dynamically assessed – Multiple points are used to determine the biorhythms (speed, angle, direction, length, height, etc.).
- Dynamically profiled – Learns more about the user’s biometrics with each use = easier to use with time
- Multifactor – Something you are, something you know and, using SMS, something you have
- Customizable – Different profiles for extreme swings in biorhythms
- Auditable – Using a dynamic profile to compare against allows for reporting and auditing for both forensic and user experience uses.
- Security – 3rd-party testing shows that gesture biometrics are 27 times more secure than keyboard
- Exceeds expectations – Gesture biometrics exceed the requirements set forth by NIST three-fold.
- Fully integrated with all major LMS systems.
- 98% positive user experience – 3rd-party testing of gesture biometric technology revealed a 98% positive user experience and a 45% entertainment value.
- Password reset using a secure layer enhances the user experience, so help desk calls are <1%.
Keystroke biometrics:
- Statically profiled – Rigid, set profiles that do not grow with the user. Stays as a set profile even as the user ages or changes keyboards or devices, which means no flexibility.
- Security – Easy to mime/spoof. 27 times more false positives than gesture biometrics.
- Limited factors – As you are not required to know a secret and there are limited biometrics behind keystrokes, it does not fall into “something you have, something you know”, and this is why they have to add security questions.
- Minimal reporting – Without a dynamic profile, audit trails for keystrokes simply report a pass/fail and nothing more.
- Dynamically assessed – While supporters will tell you that the speed, tempo and “pulse” of typing keyboard keys are the different factors used to obtain the biometrics, they are in fact the same thing and are easily mimed/spoofed.
- Not integrated within the LMS; students have to go outside to another browser, which adds to the security lapses.
If you are serious about authentication, do your homework. The solutions that stand up to the toughest scrutiny if, heaven forbid, your school or association is ever called to defend your authentication tools, use the strongest form of security, one that has vastly and significantly higher accuracy rates versus security questions and poses NO liability to the school. With biometric solutions, always use a security company rather than a proctoring company: one with a track record of managing secure data, fully integrated into your learning management platform and proctoring service.