Patrick Colm Audley

Alex Howard

Hello, and welcome to Tech Buzzwords from whatis.com. I'm Alex Howard. In this episode, you learn about cognitive biometrics, a fast-growing new field of authentication used in online security, specifically the financial industry. You learn the answers to questions like, how are modern authentication methods in the digital world similar to those used by the ancient Sumerians or those by the Israeli security forces in the protection of the Israeli Airline El Al? What is risk-adaptive authentication? What is a pass thought? What is the balance between privacy and compliance? And what is the future of cognitive biometrics in 2007? To learn more about this complex topic, I recorded an interview with Patrick Audley, the CTO of Cognito, a risk-adaptive authentication firm based in Vancouver, Canada. Cognito has developed a cognitive biometric solution designed to beat the determined efforts of phishers, scammers, identity thieves, and the rest of the crowd trying to get access to your personal and financial information. Before I get to the interview, don't forget to go to whatis.com and sign up for the Word of the Day newsletter. Learn one new thing every day. And while you're there, try out the Buzzword Alert newsletter as well to get the best news, blogs, and podcasts you need to know to stay current in enterprise IT. Now, let's get to that interview with Patrick.

Alex Howard

Patrick, thanks so much for joining me today.

Patrick Audley

Ah, it's great to be here.

Alex Howard

Cognito is a risk-adaptive security firm based out of Vancouver, Canada, and I hear was founded in 2006 early this year to address some of the authentication issues out there. What brought you to Cognito?

Patrick Audley

Ah, that's a good question. Uh, we have a small group of people who specialize in taking technologies out of academia and moving them into real-world companies. And we came across this excellent technology about the end of last year that we felt had the potential to revitalize how people log into financial sites. And we first thought it was so compelling that we had to wrap a company around it. And we've been working very, very hard over the last year, throwing a huge amount of resources at it to attempt to bring it fully to market, and we're now at the point where we're actively approaching banks.

Alex Howard

And is that your role? Are you in on that side of things, or are you in more involved in technology? What do you actually do at Cognito?

Patrick Audley

Oh, it's a little bit of both. Uh, just about everybody here at the company does uh has a very broad skill set, and we try and leverage that. So my job is effectively to set the technology direction of the company, but because it's such a small company, my job is also uh to actively work with the customers, which in this case is very large banks, to try and reassess their security in light of new research that has come out in the last couple of years, try and modernize it.

Alex Howard

Speaking of modernization and the need for it, there was a recently released Nucleus Research and KnowledgeStorm report, I imagine you're familiar with it, that stated that uh more than one in three enterprise users keep a clear, written record of their passwords, despite all their security admins imploring them not to do so. And of those third, almost a third of those do it on paper, like a sticky note, and many of others actually write down their passwords in a text file on their laptop or even on their PDA, which of course are quite often stolen these days. What experience are you having substantiating that, and and if so, what sorts of things are people actually doing to fix the issue?

Patrick Audley

It's a good question. It's been a problem forever. Uh, it isn't getting any better, it isn't getting any worse. I'm actually kind of surprised one-third feels a little bit low. Um, my guess would have been about one-half. The the problem is that passwords are not designed to be remembered. Really. I mean, we're encouraged to pick passwords that are difficult for people to guess. Unfortunately, difficult to guess also means difficult to remember, most often. So people either end up picking very weak passwords that are very simple to remember, or they pick very complex ones, and because they can't remember them, they come up with other ways of coping. Either they write them down, or uh, you know, they use the same password absolutely everywhere and memorize it. So, you know, for years, the industry has been struggling with attempting to to get users to actively try and be secure when they authenticate. It's very, very hard. You have to remember that when most people go to use a resource that requires authentication, the authentication isn't what they're actually going there for. It's just an annoyance that they have to go through to do what they need to do. So there's been all kinds of attempts in the industry to make that easier for people to be secure. Uh, one of the biggest ones is biometrics. The idea of of using the person themself as a key, so that they don't have to remember something or they don't have to try and struggle every time they use it. Um, there's been some other focuses uh on other ways of authenticating people, but really none of them have panned out. It's uh everybody's pinned their hopes on biometrics.

Alex Howard

Well, for the benefit of our listeners, I'll just offer a quick definition of biometrics, and this is straight from the whatis.com definition. If anyone wants to follow up and get the whole thing, but uh simply put, biometrics is the science and technology of measuring and analyzing biological data. Uh, in IT, biometrics refers to technologies that measure and analyze human body characteristics like fingerprints, eye retinas and irises, uh voice patterns, facial patterns, and hand measurements, uh all for authentication purposes. And uh as I understand it, authentication by biometric verification is becoming increasingly common in corporate and public security systems, consumer electronics, and point of sale or POS applications. Does that sound about right, Patrick?

Patrick Audley

It's true, but do keep in mind that the adoption rates, even though they've been they've been increasing very, very rapidly, um are are still fractional in the market. Um, username and password is still king today. Everybody thinks that it's going to be trending towards more biometrics, but we're all struggling with the same set of problems in biometrics, which is, you know, uh for instance, the the fingerprint trial in California where they were doing payments by fingerprints, uh was a great, great system, but they only had a few stores opt into it, and the technology that they have to deploy is very expensive, and it's difficult to train people. So the industry still is in a lot of ways in its infancy.

Alex Howard

Well, I can see a lot more of the fingerprint scanners coming online in different places. I've so far really only seen retinal scanners uh in in Washington and in the movies.

Patrick Audley

Actually, believe it or not, facial recognition is probably the fastest-growing area.

Alex Howard

Interesting. And what's driving that? Is that Defense Department spending?

Patrick Audley

Uh, no, no. Strangely enough. The Defense Department's really happy with composite biometrics that look at things like iris and hand geometry. And they're OK with that. Keep in mind the military is happy to inconvenience people. I mean, that doesn't really bother them. The major driver of facial recognition, believe it or not, is customs. And airport security.

Alex Howard

Interesting.

Patrick Audley

Yeah, I mean, if you think about it, you have this massive stream of people flowing past a checkpoint. And you know that some of them may or may not be risky. Um, if you can wade through that huge stream of video and identify individuals just by, just by looking at their faces, it makes an excellent system for border security.

Alex Howard

Makes sense. Well, then that brings us back to what you just mentioned before, which is cognitive biometrics. Can you briefly, or even in some length, define cognitive biometrics for us?

Patrick Audley

Sure. Cognitive biometrics is very, very simply any biometric which is looking at someone's mind, how they think, how they react to information. Uh, it looks at the way that people form and structure memory. Uh, if you think about it, um, a lot of a lot of the existing techniques for analyzing people look at physical characteristics, which can be cloned. For instance, I can take a copy of your fingerprint. Um, a lot of the fingerprint readers uh are actually very easy to spoof, especially the cheaper ones. Uh, you can spoof them, you can get by with a with a baggy full of warm water and uh someone's old print on it. Um, the advantage of cognitive biometrics is because they look at something that often a person themselves doesn't understand, which is how they think, how they form memory. Most of us can't answer those questions of of how we do that. So it makes a very, very good thing to look at for authentication purposes because effectively it's it's a biometric that you can't share. You don't even know what it is, so it's very difficult for anybody else to observe it or copy it.

Alex Howard

So does that lead us to a place in terms of somebody trying to analyze those things as looking at cognometrics? Is that about right?

Patrick Audley

Yes, that's correct.

Alex Howard

And so a cognometric is some way of actually measuring, analyzing, interpreting the way that somebody is thinking as expressed in certain actions on screen or even uh potentially in an observable behavior offline?

Patrick Audley

Exactly. Uh, although in general, when we're talking about cognometrics, there are very, very discrete measurements that we're talking about. And uh they're they're often things that people don't even recognize as something that would be measurable. Those are the best ones, actually. So for instance, uh in our product, we we show a person a series of information on the screen that relates somewhat to an event in their past. While they're going through this process, they think that what they're entering is their password, but that's not actually how we're authenticating them. We're actually looking at how they're reacting to information that's displayed and how that information relates to their own history and their own event. Uh, and because the the linkages between those things are are not something that the person's aware of, um, they're very consistent. We can measure them all the time and they're not they're not affected by things like how much coffee someone's had or other things like that.

Alex Howard

Well actually, that was certainly one of my questions in reading about the technology. Uh, how how much uh in terms of the measurement, you know, do you uh offer for uh variability in someone's behavioral patterns, for instance if they've been uh working very late, have had a lot of coffee, or even uh logging on late Saturday night after going out to a a bar, so-called uh, you know, drunk emailing. Um, you know, is is that going to become a problem with their computer system uh shutting them off?

Patrick Audley

It's actually a an issue with all behavioral biometrics. Where behavioral biometrics are looking at unique behaviors in people, rather than unique physical properties of the person. So a fingerprint is not a behavioral biometric, because a fingerprint is your fingerprint, regardless of how you're behaving. If you're stressed out, it's your fingerprint, if you're angry, it's still your fingerprint. So in behavioral biometrics, we have to be very, very careful to look at things which don't uh don't suffer from conscious modification. Um, things like uh, you know, measuring uh someone's facial expression is a great example. It's a very, very bad thing to look at, because, you know, people have very conscious control over whether they're smiling or not. Um, you you want to look at things that are that are deeper than than the conscious level in people. And we generally find that the more subconscious the the item is that we're that we're tracking, the the more uniform it is across their states. So we try and look at things which don't change first thing in the morning before you've had your cup of coffee or after you've been out drinking, although I I should say the after you've been out drinking, almost all authentication systems suffer from that one. If you if you can imagine fumbling with a password after you've had, you know, four or five beers, it's it's just as tricky.

Alex Howard

Right. Well, ideally you don't have users logging onto the server room or anything else, uh, you know, in that spot. But, you know, I I have to ask in terms of just looking at altered consciousness or sickness, which does strike me as being much more realistic in terms of looking what, you know, network admins work on a more or less a 365-day-a-year basis these days. So, you know, if you're sick, you might still have to try to log in, and I can imagine in a um, you know, bleary state with a bad flu or cold, um, certainly voice recognition wouldn't go over well.

Patrick Audley

No, that's that's true. I mean, a lot of these uh a lot of these techniques have have serious flaws. Uh, one of the reasons that that we identify ourselves more as a as a risk-adaptive authentication solution is because we we firmly believe that you cannot look at any individual measure of someone and be 100% accurate all the time. We don't think it's possible. Um, you can't even look at someone's fingerprint and be 100% accurate all the time. Um, you know, people get cuts, they they might have injured that hand. I mean, there's there's no guarantees in this world. So the approach that we take is to look at a a whole series of smaller measures, and then we attempt to look at them the way a human would in terms of consensus. So, you know, if you think about meeting someone on the street, you know, you don't look at at somebody who might be your friend and say, well, I know that's Joe, but he's not wearing a red shirt, and Joe always wears a red shirt, so I'm not going to talk to him. And that type of assessment wouldn't make sense, but we we do that all the time in the computer world. So we try to step back and and say, we know these methods are going to be fallible, so we're going to use a lot of them and compare all the answers.

Alex Howard

Interesting. Now, and I understand that's actually how uh Unomi, which is your risk management software uh product uh actually does its cognitive authentication. It it evaluates user behavior during the process by looking at um your responses on input devices to various questions. Uh, can you describe a little bit more about how Unomi works and whether it's gone live yet?

Patrick Audley

Yep. Um, Unomi at its at its core is an attempt to bring human security back to the digital world. We we take all of our inspiration from classical security. We look at uh, you know, old problems of, you know, in the in the days of city-states in ancient Sumeria, you know, how did people how did people know whether, you know, the the person approaching was the vanguard of an enemy soldier or whether he was a friend? We we try and figure out how people themselves make those authentication decisions, and we try and map that logic back into the into the digital world. So for people, we look at uh a lot of the things that a teller would look at in banking. Um, you know, if you come into the bank and you present the correct ID and you say I'd like $2,000, um, the teller will verify your identity and probably give it to you. But if you come in and you're dead drunk, um, or you bang on the door of the bank at 2:00 a.m. and demand your money, you'll probably get a very different response. We do a very, very similar thing. We look at uh measures of the person which are biometric, um in terms of uh their kinematics, how they move their their input device, um, or cognometrics, how they respond to data that's displayed. But we also look at a lot of other behavioral characteristics. We look at things like, is this a normal time of day for this person to be using the system? Is this normally the computer they use it from? Uh, is this normally the city? We do a lot of the same analysis that Visa does for fraud correlation between different locations. We do travel time calculations and the rest. And then we look a little bit deeper and we we ask more vague questions, things like, is today a risky day to be doing business online? Not for you specifically, but in general. Has there been a lot of phishing activities today? A lot of Trojan activity? Because all those things actually make it riskier. In the same way that if a bank gets robbed, the next day all the banks around them put on extra security guards, because statistically, if someone gets away with a bank robbery, they're likely to commit another robbery in the same area. We allow banks and all of our customers to make those similar human assessments online. And Unomi is really the the platform that allows us to plug in all of those all of those methods into a a consensus model. Um, this has actually been uh the focus of a lot of uh research in the industry recently. Uh, most of it's being driven originally by uh NSA projects in the States. But as is usually the case, this stuff trickles out of out of military and eventually gets its way into finance and then after it's in finance for a while, it trickles down to corporate. So we're sort of in that in that nascent phase of of risk-adaptive security in the market right now. And our entrance into it coincides very, very closely with the requirements for banks to have second-factor authentication. We feel that um, you know, now is a great time for banks to be looking at, or actually for anybody to be looking at, where is security going in the next five years. You know, instead of instead of asking questions like what have people been using to secure sites for the last five years, we really encourage people to look a little bit further ahead. Don't secure against yesterday's threat, try and try and secure against tomorrow's.

Alex Howard

Well, it's interesting, the the two things that come to mind um in hearing you talk about this, uh you know me, uh first is is that I'd love to hear more uh about some of the academic research on cognitive psychology and behavioral biometrics and online behavior that has gone into the risk analysis. And the other actually goes to what the very old style and effective style of of security is, and this goes to online and offline behavior. The Israelis have had an enormous success in preventing any kind of terrorism or other issues on El Al uh by actually interviewing people at the gates. And they they actually use a lot of the same behavioral analysis that you're describing. Is Unomi in a way a way of taking that and actually codifying it into algorithms and into a software product such that more complex and and more subconscious behaviors are analyzed and and uh you can actually, in a way, throw back to the future with a software?

Patrick Audley

It's exactly true. Uh, in fact, you've you've hit it right on the head. Uh, Israeli security was one of the models that we looked at when we were developing our consensus method. And we were attempting to to see, you know, how do people who do security well, do security? It's it's a question that no one ever asks. Everybody always asks, how are the criminals going to get in? But the problem is that's a historical question. That's asking, you know, how did people do this in the past? Um, we we like to look at at models that have been very, very successful in prevention, and there aren't a lot of them, to be honest. The Israeli airport security model for El Al is is absolutely beautiful. I mean, it relies on no technology. It relies on on observational security. The the same techniques that police use in in questioning suspects in crimes and have used since, you know, the dawn of humanity. You sit someone down in a chair, and you ask them questions. You actually don't care what the answers are in most cases, you know, whether you you travel to the West Bank or not probably isn't as relevant. What's more relevant is your body language, your your your cadence, your tone of voice. Are you nervous? Are you sweating? You know, as the questions become more intense, do you get more nervous? We do a similar thing, although of course, you can imagine if we asked a consumer to go through an El Al style interview as they logged into their bank, they might be kind of cranky. So a lot of our research has been focused on how do you take these techniques and security that have been that have been very effective and how do you make them something that's actually usable, that that you can you can subject people to on a regular basis, and it's not going to annoy them. That's actually really, really tricky, and it's the bulk of where our research time in our company has has been going into. We we really want to bring security to the point where it's fun and enjoyable, because at the point that it becomes fun and enjoyable, users stop seeing it as something to avoid. And to that end, we we tried to look at what in El Al was was actually driving the success. Was it was it the way they were asking the questions, was it was it the fact that it was very stressful? And in the end, the conclusion that we've come to is that it's the distraction element that seems to be most useful in those interviews. The person is thinking very, very, very hard about the answers to those questions. And the act of thinking very, very hard about something, they're they're rifling through their past memories, they're trying to figure out if they've done anything wrong, the very act of doing that allows the observer to see things that the person might not want them to see, right? It's uh in many ways we're looking for the poker player's tell. And we found that you can do that with good memories as well, which is nice, because, you know, it'd be awful if it was just bad ones.

Alex Howard

So is your next market after banking uh Vegas?

Patrick Audley

Actually, it's funny you should say that. We just brought the entire company back from a big trade show in Vegas. The the gambling industry is is an interesting one, but uh one that, you know, for the moment we've uh we've set aside. It's uh it's a touchy industry right now. And uh yeah, it's it's not something we'd like to be involved in. But unfortunately, it's a very applicable industry for our technology.

Alex Howard

Well uh, speaking to an earlier question, uh can you describe a little bit of the academic research that uh again, in cognitive psychology, behavioral biometrics, and online behavior, that has gone into uh the cognitive biometrics that you've actually created?

Patrick Audley

Sure. I mean, we build on a about 20 or 30 years of research in cognitive psychology to do to do what we do that looks mainly at uh how people remember. How people recognize data. Um, it it turns out that the the act of recognizing data is something that's that's deeply ingrained in the human mind. And there's a very, very large difference in the way that we process information with things that we've personally experienced and things that we've been told. So our goal was to design a system that you could sit down at, and if it was an event from your life, you could authenticate. But if you wrote down the answers for someone else, and sat them down, they shouldn't be able to do it. So the the bulk of our research has been focused on the areas that specifically differ between synthetic memories or memories that you're attempting to create or that you're attempting to learn, and recognition where you're actually recognizing data from your own past.

Alex Howard

And is that recognition what makes up a pass thought? A pass thought is certainly one of the most memorable phrases I've seen come out of uh the authentication industry in a while. And uh I re- everybody thought on that. Yeah, I you should be. You know, I I'm going to be describing uh what a pass thought is to many people over Christmas dinner, I'm sure. Um, but it it immediately makes me think of um other more sinister words. Um, you know, when you when you think about pass thoughts, it certainly brings to mind uh privacy or people scanning your mind, or other, you know, moral questions. You know, um, how do you see users uh accepting or adjusting to that level of cognitive profiling, and uh what kind of balance do you see the, you know, need to be uh struck between violating privacy and also actually, you know, compliance, making sure that there's genuine, solid authentication?

Patrick Audley

Right. This is a very tricky issue. And it's a tricky industry issue across the entire industry. I mean, the fact that we're collecting novel data about how people process information isn't really new in the industry. You see a lot of products out there which track people's trends over a long period of time. Uh, business signatures, for instance, has a banking product which looks at how people make transactions normally in their account. They're effectively looking at how you normally spend money. Um, Visa does this all the time. Those are all very sensitive areas, and some of those companies have done very well regarding that data, and some have not. We've taken the moral high ground on this issue. We don't collect anything which is uniquely identifying to individuals. Um, everything that we look at is uh is filtered through one-way functions. So for the for the unenlightened, a one-way function is essentially a a mathematical function that you can only work one direction. So if you have the answer, you can't work back to what the question was or vice versa. And we use we use a lot of this this type of math to protect the user's data. Our end goal was that if someone managed to steal all the data that we had on a user, that it actually wouldn't help them at all. And we feel that's often the best way to guarantee privacy is just to make sure that you're not collecting anything that's inherently private.

Alex Howard

Well, that makes sense. The only way to ensure your computer will be secure from being hacked is to make sure that no one ever gets access to it.

Patrick Audley

It's true. And to to speak to the the issue of of pass thoughts being sinister. Uh, the the data that we're actually looking at is amazingly non-descript in terms of events about people's lives. When we when we ask them something, it's like a a good example is uh, one time you went traveling. Um, it could be any time. It could be a trip that you did when you were a kid, it could be a trip that you you you did when you were an adult. We try and make our our pass thoughts uh very, very generic. And vague. This actually serves two purposes. Not only does it protect the user because they're not giving out very specific information like the name of their dog or their mother's maiden name, but it actually also enhances our system quite a bit. Because the events are very, very vague, people naturally pick the strongest associations from their past. So for an outsider attempting to to get into their account, even if they knew the answers that the person had given, it really doesn't tell them which event the person went in their past. You know, they might know that you went by plane. That really doesn't tell you which trip it was, does it?

Alex Howard

Not at all. And let me just make sure that, uh, just for our listeners' sake, that you uh give them a definition for a pass thought, just so they can take it uh to the office cooler as well.

Patrick Audley

Sure. So uh a pass thought is a a vivid life memory that you have that you can use to authenticate online. It's not the actual data about the memory itself that's important. The important part about a pass thought is the fact that it's your vivid life memory.

Alex Howard

Interesting. So it's not necessarily that my first dog's name was Skip, it's that I first remember my dog Skip when he killed a groundhog in the backyard.

Patrick Audley

Exactly. Okay. So it's a specific association with whatever the keyword is.

Alex Howard

How do you see the science and practice and use of cognitive biometrics um changing in 2007?

Patrick Audley

It's a good question. The the field is really in its infancy. And we're one of the major drivers in the field at the moment. Uh, we we don't feel that we'll hold that position forever, obviously. Um, there will be other people in this industry uh very shortly. The uptake that we've seen from uh potential customers and partners in the industry has been obscene. I mean, everybody everybody likes the idea and the underlying technology. So that's that's great for us in the short term, and it also means that the industry um is probably going to grow quite a bit over the next couple of years. The other component to to that is the idea of risk-adaptive security, which we feel is going to grow very, very strongly over 2007 and 2008. And a lot of technologies like cognitive biometrics are going to be major drivers into that.

Alex Howard

And again, risk-adaptive security or risk-adaptive authentication uh is essentially where whatever the gatekeeper mechanism is, it actually adjusts based upon exterior security environment.

Patrick Audley

It that's that's certainly a part of it. We we take a little bit of a broader view of it as well. We expect the entire banking experience to adapt to the amount of risk that a user is presenting. So for instance, if I'm in Vancouver, and I normally bank from home, and I'm logging in with my pass thought and I get a very, very low risk rating because I'm a low risk person, I can do any transaction that I want with my account. Any transaction that the bank would normally let me do. But assume that I pack up my little laptop and I head off to Russia, and I log in in the middle of the night from some Russian hotel. And my laptop didn't work, so I'm downstairs in the lobby using one of their computers. In that in that instance, I'm presenting a huge amount more risk. Even though I might be the correct person, that's actually not relevant to the bank. The bank doesn't care whether you're the correct person or not as much as they care how risky your behavior is. Because really, if you were a thief, and you managed to get into my account, and all you did was view my balances, you really haven't done any damage. So we feel that the the bank experience, everything that the person is allowed to do, should be inherently shaped by how risky they are. For instance, if you're in Russia, you know what, maybe you don't allow international money wires. Because that's a very risky activity coming out of that part of the world.

Alex Howard

So essentially, if we use the gap analysis, say, from uh Pentagon defense theory, you know, which is to say that there are dark zones of the globe, is it theoretically possible that in a not-so-distant future, say five years, you know, maybe even 10 years down the road, that if you're traveling and your banking system is actually certified under risk-adaptive authentication, that you might actually not be able to do much or or even any banking from certain parts of the world?

Patrick Audley

In fact, that actually happens right now, it's just you're not aware of it. Um, we we tend to we tend to think that technology like that is very futuristic, but most of the banks right now employ blacklists um for various different locations and networks. Just as part of normal security. What we propose is making those a little bit more dynamic. We we don't think that any one measure of of risk is good enough. So having the Pentagon say this is a risky country, well, it might be a risky country, but if you yourself are presenting very, very little risk, and that country is only marginally risky, the system should really be able to adapt to that. We don't we don't think you can make black and white decisions. And so really our goal for the next couple of years is to to stop people from trying to make those hard-and-fast rules about security because they don't work in real life, and even worse, they don't change to new threats.

Alex Howard

Interesting. Well, Patrick, thanks so much for talking with us about what cognitive biometrics is.

Patrick Audley

Not a problem at all. Thank you for having me.

Alex Howard

To learn more about authentication, online security, and biometrics, make sure to visit whatis.com or our sister sites, searchsecurity.com or searchappsecurity.com. And while you're there, don't forget to sign up for the Word of the Day and Buzzword newsletters. Thanks again to Patrick Audley for taking the time, and to you, our listener. If you have comments, questions, or other feedback, please email us at editor@whatis.com. Thank you.