Lost credentials and compromised accounts are everyday headlines. Despite best-practice policies and stringent password controls, even the best organizations fall prey to social engineering hacks, successful phishing attacks, and the occasional employee who keeps their password written on a desk blotter.

Multifactor authentication would seem like a good solution, but there are a variety of drawbacks depending on the approach: smartcards and hardware dongles can easily be lost or stolen, and physical biometrics are expensive to install, create privacy issues, and add support costs. Some out-of-band solutions are out there, like cell phone-based products that send a one-time key via SMS. That’s great, until your battery is dead, you can’t get a signal, or you just left your phone in a cab. Plus, all these solutions require specialized hardware, and add friction to the use of the system.

TickStream.KeyID brings a whole new approach to multi-factor authentication. Using the standard hardware in front of them, the user enters their username and password as normal. Nothing is different about the user experience, they don’t have to have a piece of hardware in hand, and there is no device to deploy and support. It provides a second authentication factor by incorporating "something the user does" into the authentication process which can be quickly added to existing applications.

How it Works

Using our patent pending KeyID technology we create a behavioral profile for each component of the user’s credentials (i.e. login, password). Profiles are created by collecting multiple examples of how the user types their credentials and feeding them to our KeyID algorithm. User profiles are encrypted and stored in a database. At login and after the users credentials have been validated, we compare the user’s current instance of typing timing against the profile stored in the database. Our compare algorithm will return a yes/no answer along with multiple other metrics which can be used to tailor the performance of the system. For example, if the compare returns a no, denying access, we also provide a metric which is a measure of how close the user was to getting in. This information can be used to decide how many more login attempts to allow that user.

Depending on your implementation requirements, our solution can be configuring to collect the behavioral profile in one of two different ways.
  1. Visible to User – Some of our customers prefer to have their users know we are there. For this case, users will be queried to enter the credentials multiple times until a secure profile is obtained. The number of times a user must type their credentials to create their profile varies but we have found that 12 to 15 times works well.
  2. Invisible to User – Alternatively some of our customers prefer to minimize any friction that would be felt by their users. For this case once our software is installed we begin collecting and depending on how often the users log in on a daily basis we build their profile over time without the user knowing we are even there.

Independently Tested and Validated

To validate the performance and reliability of our patented algorithm, we approached two of the most respected researchers in the field: Dr. Donald Gantz, Emeritus Professor, Founding Chair of the Department of Applied Information Technology, and past Dean of the Volgenau School of Engineering at George Mason University, and Dr. John Miller, a well-published and world-reknown expert on biometric statistical analysis, and Professor of Applied Engineering and Statistics at George Mason University. They designed an independent study, and the results were outstanding, even when applied to just a single field (password). The full study can be downloaded by clicking here.


Password field only
97.97% rejection
of the bad guys

Password & Username
99.77% rejection
of the bad guys

Password, Username
& Passphrase
99.99% rejection
of the bad guys

TickStream® is easy to deploy – it’s as simple as a two-minute software installation or the addition of a few lines of HTML code on your login page. There is no special hardware. Users self-enroll. It is frictionless in everyday use. Welcome to the new thinking in security, where the machine does the work, instead of you.