Slashdot Mirror


Authenticating With Your Mouse?

degauss asks: "I am looking into various authentication schemes for my home machine, and one that I thought would be interesting would be to have a dummy login screen up with a user/pass prompt, but instead of entering a user/pass, you click at certain points on the screen in certain rhythmic patterns (all of this is of course unknown to any unauthorized users, who will pound at the password for years). I was wondering if there is any such software or interface currently being developed, as it provides an interesting [semi-]biometric security solution without dumping a ton of cash on new hardware."

4 of 58 comments

  1. Don't count on obscurity by bkhl · · Score: 5, Insightful

    I don't know if this would work. I guess it would really give you less variation in possible passphrases than a normal password.

    Maybe if you were to 'draw' the password on the screen and the computer would both use the password and analyze the writing it could give you an extra level of security. That would probably work better with a stylus or a touch screen than with a mouse, though.

    As for hoping for people to try to type in passwords instead of using the mouse, that is only security by obscurity. Don't trust that.

    1. Re:Don't count on obscurity by ShmuelP · · Score: 4, Insightful

      As for hoping for people to try to type in passwords instead of using the mouse, that is only security by obscurity. Don't trust that.

      By the way, relying on people to not type in your password is security through obscurity. Don't trust that. :-P

      Seriously though, if you are going to use clicking as a password, you need to treat it the same way. Since anyone who watches you could easily see where the mouse is moving, this would be similar to letting other people watch the keyboard as you slowly typed your password: not a good idea. Even worse, a tempest-like system would allow someone to watch your "password", without your even seeing a person there!

      Instead, I would suggest drawing as an extra layer of security before the password. Meaning, you have to draw the "password" before typing the real password. If you don't draw the correct "password" first, then even the real password isn't accepted.

      --
      Solution to blink tags: wrap them in another blink tag, with a javascript delay loop, so they cancel each other out
  2. Motive explanation? by Ayanami+Rei · · Score: 2, Insightful

    Degauss:

    Here is my thinking. This is your HOME machine. But you make it sound like this will be in a place where it will be exposed to a lot of people who have no business using it, or are desperate to break in.
    I mean, are your siblings or spouse wanting to use your PC that badly? Are they after your porn stash? :-) Just kidding.
    Or is your password that easily guessable... that is something you can fix without resorting to clever software that only belabors the authentication via obfuscation.

    Even if it wasn't under attack, obfuscating the login screen is not really a good idea. All the malicious user would need to do to discover the secret is casually observe a legitimate user bypassing said fake login screen.

    Moreover, your login program should not allow someone to sit at the computer all day and attempt passwords. It should lock unprivileged accounts out after a few wrong tries (5, preferably 3). If it does unlock itself, the cool off period should be at least an hour. Also, each attempt should take progressively longer to check after each failure. This is especially important for Administrator / root accounts which should not lock themselves out.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  3. Nah.... by bpb213 · · Score: 2, Insightful

    First, there is the question of how many clickable subdivisions you divide the screen into. Second, it will take a lot longer, especially as the subdivisions get smaller, as it will require more precise mousing.

    I think Gesture recognition would be a better method, personally.

    --

    This .sig looking for creative and witty saying.
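
The lockout policy described in comment 2 (lock after a few wrong tries, a cool-off of at least an hour, progressively slower checks, no hard lockout for Administrator / root), sketched as an added example that is not part of the original thread. The 1-second doubling delay, its 300-second cap, and the class and function names are assumptions.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 3         # "5, preferably 3" wrong tries before lockout
COOL_OFF = 3600.0        # cool-off of "at least an hour", in seconds
BASE_DELAY = 1.0         # assumption: first failure costs 1 s, then doubles
MAX_DELAY = 300.0        # assumption: cap on the progressive delay
NEVER_LOCK = {"root", "Administrator"}  # delayed, but never locked out


@dataclass
class _State:
    failures: int = 0
    next_allowed: float = 0.0   # progressive delay: no attempt before this time
    locked_until: float = 0.0   # lockout: 0.0 means not locked


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock     # injectable so the policy can be tested
        self._state = {}

    def attempt(self, user, password_ok):
        """Return (status, seconds_to_wait); status is ok/denied/wait/locked.

        password_ok is a zero-argument callable doing the real check; it is
        not called while the account is delayed or locked.
        """
        now = self._clock()
        st = self._state.setdefault(user, _State())
        if now < st.locked_until:
            return "locked", st.locked_until - now
        if st.locked_until:     # cool-off has expired: start counting afresh
            st.failures, st.locked_until = 0, 0.0
        if now < st.next_allowed:
            return "wait", st.next_allowed - now
        if password_ok():
            del self._state[user]
            return "ok", 0.0
        st.failures += 1
        delay = min(BASE_DELAY * 2 ** (st.failures - 1), MAX_DELAY)
        st.next_allowed = now + delay
        if st.failures >= MAX_FAILURES and user not in NEVER_LOCK:
            st.locked_until = now + COOL_OFF
            return "locked", COOL_OFF
        return "denied", delay
```

Because the real check is skipped while an account is delayed or locked, even the correct password is refused during the cool-off, which is what makes guessing at the console all day unproductive.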