Slashdot Mirror
Authenticating With Your Mouse?
degauss asks: "I am looking into various authentication schemes form my home machine, and one that I thought would be interesting would to be having a dummy login screen up with a user/pass prompt, but instead of entering a user/pass, you click at certain points on the screen in certain rytmhmic patterns (all of this is of course unknown to any unauthorized users, who will pound at the password for years). I was wondering if there it any such software or interface currently being developed, as it provides an interesting [semi-]biometric security solution without dumping a ton of cash on new hardware."
How about using both of these ideas together? Have it to where even the correct username/password is not accepted unless the user clicks on the right section of the screen, or right sequence of sections of the screen in place of simply clicking "Ok"!? So in essence the "Ok" button would be a dummy and the correct "button" would be another portion of the screen entirely?
"1984" was ment to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
This would certainly foil those hardware keylogger devices that nip between your keyboard and computer to grab passwords and the like. As far as I know, nothing comparable has been done for the mouse as the relative movements of the mouse aren't particularly useful, both because they don't always map to the relative position of the mouse, and because you don't know what the user is clicking on without a screen grab too.
Hmm, now that could be useful - a program that sits in the background doing a screen grab everytime the user clicks the mouse. Saves having to capture every change in the screen to figure out what they are doing with the mouse.
I did something similiar (in terms of security) when I was developing a client/server app. What I did was trap for the backspace key after entering the first and last letter of a password, for instance if your password was "monkeyfeces", you would have to type "m(backspace)monkeyfeces(backspace)s". That way, if someone knew your password, watched you type it in or even had some rouge program monitoring your keystrokes they would still have a tough time figuring out why your password doesn't work. I am not saying this is foolproof but it's better than the man with the rubber glove who isn't suprisingly gentle.
IIRC there was a Slashdot article (or a quickie) not long ago related to this. I think the password was actually a sequence of symbols which appeared on the screen and they had to be clicked on in the proper order and the order that they appeared in a grid with other abstract symbols would change at each login. Hope I explained that right.
I have also heard about a bio auth method that takes into account your typing rythym. As a simple example, if you type your password in to the beat of 'Shave and a haircut... two bits' it would only accept that valid password if it were typed with this rythym.
But since the timer resolution on a computer is so small it can detect minute differences between you and an imposter. A neural network can be trained to learn your pattern of typing. Each successful login becomes a sample in its training set. That way it learns your natural variations and you don't have to perform perfectly each time or risk being rejected. Again no expensive biometric hardware required.
Why can't you remotely log in? Why can't you click a sequence of coordinates on an imagemap on a web page? The images, and their reactions to being clicked, need not reflect their occult nature.
Giving someone the password would be akin to the Second Trial getting to the Grail in 'Indiana Jones and the Last Crusade', where they spell the name of God by jumping on stones; clicketh upon said obscureth spots, in this order, etc. Timed pauses between events should be easy to implement, like 'click here, count to three, then click there'.
Sounds like fun.
Many years ago, I needed to secure my work PC (a spanking-new IBM XT-286) from the night shift; since I was doing CAD I had an EGA and a fast machine so my office became the midnight game room.
:-) COM2 had a plotter attached & I would turn the plotter on and off appropriately to boot the system. I never booted when there was somebody else in the room.
I wrote a routine which put a login prompt on the screen, and then waited for a particular cadence on the DTR line of COM2. I patched this code into some blank space on the EGA's BIOS extension ROM, and executed it before the keyboard was even enabled during POST
Then came a change in company ownership, with its attendant politics... I was canned on a Friday afternoon with no notice whatsoever. Nobody asked about my password. Of course the vultures descended on my office, and among the first things to go was the plotter. No plotter, no password.
Apparently after several frustrating weeks in Software Engineering the PC was returned to IBM for an expensive "repair" -- if someone had asked I'd have told them to swap the original EGA ROM from my desk drawer back into the EGA. Nobody asked.
I've always thought that it would be interesting to watch the way that someone types in the password as well as what they type in. If your cadence isn't within your normal parameters, then you don't get in even if you have the right password.
It would have to be auto adjusting, or subtle changes in they way you type in general could throw it off, and heaven help you if you break your hand, but an interesting idea anyway.
There are other reasons why it would be problematic as well. You'd probably bet out of luck if you needed to log in on a keyboard that was different in some substantial way from your own.
Anyone know if anything like this has been done?