AdmitOne Security finds way to track web account sharing

When users try to share an online subscription that only one person is paying for, there’s usually no way to detect such cheating. That costs companies a lot of money in lost revenue. But three-year old startup AdmitOne Security has a way to verify just how many people are using a single account.

The company is launching an analytics solution today dubbed AdmitOne Security Scout. The technology can tell users apart based on patterns in the way people type keystrokes on a keyboard when logging into an account. AdmitOne identifies a user based on the speed of the keystrokes and how hard the person hits the keys.

Since April, customers have been paying AdmitOne to determine whether someone signing into an account is really the user they claim to be.

The service launched in April is meant to verify the identity of a user and to check whether someone else has stolen that user’s password. For this service, AdmitOne charges its customers about $25,000 a year. In turn, AdmitOne tells the companies whether or not everyone logging into a site is really who they say they are.

But the same technology can be used for the new service in determining just how big a problem a company has with account sharing, said Matt Shanahan, the company’s senior vice president of marketing and strategy. This new service will give a company a kind of dashboard for seeing how many people are logging into each account.

The only way most companies can detect account sharing now is if multiple people try to log into one account at the same time from different locations. But AdmitOne uses a combination of the keystroke identification, the digital fingerprints of the computer used, and the Internet Protocol (IP) address of the Internet connection used to access the account.

A lot of companies could benefit from this service. There are, for instance, market research companies that charge thousands of dollars for reports that aren’t meant to be shared. Many people also share passwords when accessing the paid online version of the Wall Street Journal. And quite often there are multiple real estate agents who share one account for a Multiple Listing Service for home sales data. AdmitOne estimates there are 800 MLS companies it could target as customers in the U.S. alone.

Honest users often pay for the costs of the cheaters, since the subscription companies have to compensate for the cheaters by charging higher fees or creating more elaborate security mechanisms.

AdmitOne has been using the technology for several months with a handful of customers. Those customers have found that 10 percent to 20 percent of online accounts are being shared. Among the customers is the Greater Fairfield County CMLS, which heartily endorses the technology.

Companies can use the tool to assess their accounts for three months. Then they have the option to pay AdmitOne. The company hasn’t yet set its fee for the service.

The Security Scout software needs 12 keystrokes to recognize a user. On those keystrokes, the software records 47 different measurements. Among the important measurements are “dwell time,” or the amount of time someone holds down a key and “flight time,” or the time between keystrokes.  Security Scout then presents the data on the account sharing in a graphical way.

The original research was done at SRI. That keystroke recognition technology by itself wasn’t good enough to catch everything. But used in combination with other authentication means, it’s pretty effective, Shanahan said. The company was founded in 2005 under the name BioPassword. The firm tried to pitch its technology to small businesses at first, but it was unsuccessful there and shifted strategy to focus on the enterprise market. As a result of that change, it was rebranded as Admit One in April.

The company has 32 employees. It has raised three rounds of funding for a total of $33 million to date. Investors include Benaroya Capital, Ignition Partners, OVP Venture Partners, Citrix Systems, and RRE Ventures.

Competitors include ID Control BV, which also says it has a keystroke recognition technology. Earlier competitors have used biometric identification, which employs special hardware to recognize someone’s fingerprint or retina. And still other solutions include RSA SecureID, which requires someone to type in a code from a radio-connected hardware token with ever-changing codes. But such solutions often cost more than keystroke recognition, which doesn’t require any special hardware.