Slashdot Mirror


Authenticating With Your Mouse?

degauss asks: "I am looking into various authentication schemes for my home machine, and one that I thought would be interesting would be to have a dummy login screen up with a user/pass prompt, but instead of entering a user/pass, you click at certain points on the screen in certain rhythmic patterns (all of this is of course unknown to any unauthorized users, who will pound at the password for years). I was wondering if there is any such software or interface currently being developed, as it provides an interesting [semi-]biometric security solution without dumping a ton of cash on new hardware."


  1. tinfoil hat by Hubert_Shrump · · Score: 3, Funny

    tinfoil hat linux does this, to some degree. IIRC, the login screen is called "arcade mode" for good reason.

    --
    Keep your packets off my GNU/Girlfriend!
  2. Don't count on obscurity by bkhl · · Score: 5, Insightful

    I don't know if this would work. I guess it would really give you less variation in possible passphrases than a normal password.

    Maybe if you were to 'draw' the password on the screen and the computer would both use the password and analyze the writing it could give you an extra level of security. That would probably work better with a stylus or a touch screen than with a mouse, though.

    As for hoping for people to try to type in passwords instead of using the mouse, that is only security by obscurity. Don't trust that.

    1. Re:Don't count on obscurity by ShmuelP · · Score: 4, Insightful

      As for hoping for people to try to type in passwords instead of using the mouse, that is only security by obscurity. Don't trust that.

      By the way, relying on people to not type in your password is security through obscurity. Don't trust that. :-P

      Seriously though, if you are going to use clicking as a password, you need to treat it the same way. Since anyone who watches you could easily see where the mouse is moving, this would be similar to letting other people watch the keyboard as you slowly typed your password: not a good idea. Even worse, a tempest-like system would allow someone to watch your "password", without your even seeing a person there!

      Instead, I would suggest drawing as an extra layer of security before the password. Meaning, you have to draw the "password" before typing the real password. If you don't draw the correct "password" first, then even the real password isn't accepted.

      --
      Solution to blink tags: wrap them in another blink tag, with a javascript delay loop, so they cancel each other out
  3. Along the same lines... by thecampbeln · · Score: 5, Interesting

    How about using both of these ideas together? Have it to where even the correct username/password is not accepted unless the user clicks on the right section of the screen, or right sequence of sections of the screen in place of simply clicking "Ok"!? So in essence the "Ok" button would be a dummy and the correct "button" would be another portion of the screen entirely?

    --
    "1984" was ment to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
    1. Re:Along the same lines... by Motherfucking+Shit · · Score: 5, Funny
      So in essence the "Ok" button would be a dummy and the correct "button" would be another portion of the screen entirely?
      Good idea. I propose that we give the real button the appearance of the Pi symbol, and place it in the far lower right-hand corner of the screen... ;)
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  4. How about.... by orthogonal · · Score: 3, Funny

    How about logging in by executing some steps on your Dance Dance Revolution pad?

  5. Something Similar by one9nine · · Score: 2, Interesting

    I did something similar (in terms of security) when I was developing a client/server app. What I did was trap for the backspace key after entering the first and last letter of a password, for instance if your password was "monkeyfeces", you would have to type "m(backspace)monkeyfeces(backspace)s". That way, if someone knew your password, watched you type it in or even had some rogue program monitoring your keystrokes they would still have a tough time figuring out why your password doesn't work. I am not saying this is foolproof but it's better than the man with the rubber glove who isn't surprisingly gentle.

  6. Mouse based authentication by Radical+Rad · · Score: 2, Interesting

    IIRC there was a Slashdot article (or a quickie) not long ago related to this. I think the password was actually a sequence of symbols which appeared on the screen and they had to be clicked on in the proper order and the order that they appeared in a grid with other abstract symbols would change at each login. Hope I explained that right.

    I have also heard about a bio auth method that takes into account your typing rhythm. As a simple example, if you type your password in to the beat of 'Shave and a haircut... two bits' it would only accept that valid password if it were typed with this rhythm.

    But since the timer resolution on a computer is so small it can detect minute differences between you and an imposter. A neural network can be trained to learn your pattern of typing. Each successful login becomes a sample in its training set. That way it learns your natural variations and you don't have to perform perfectly each time or risk being rejected. Again no expensive biometric hardware required.

  7. Motive explanation? by Ayanami+Rei · · Score: 2, Insightful

    Degauss:

    Here is my thinking. This is your HOME machine. But you make it sound like this will be in a place where it will be exposed to a lot of people who have no business using it, or are desperate to break in.
    I mean, are your siblings or spouse wanting to use your PC that badly? Are they after your porn stash? :-) Just kidding.
    Or is your password that easily guessable... that is something you can fix without resorting to clever software that only belabors the authentication via obfuscation.

    Even if it wasn't under attack, obfuscating the login screen is not really a good idea. All the malicious user would need to do to discover the secret is casually observe a legitimate user bypassing said fake login screen.

    Moreover, your login program should not allow someone to sit at the computer all day and attempt passwords. It should lock unprivileged accounts out after a few wrong tries (5, preferably 3). If it does unlock itself, the cool off period should be at least an hour. Also, each attempt should take progressively longer to check after each failure. This is especially important for Administrator / root accounts which should not lock themselves out.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
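
Added example, not part of any comment in the thread: a sketch of the throttling policy described in comment 7 (lockout after a few failures, a one-hour cool-off, a delay that grows with each failure, and no lockout for root/Administrator). The class and function names, the doubling schedule, the delay cap and the demo credentials are assumptions made for the illustration.

```python
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3     # comment 7: at most 5, preferably 3
COOL_OFF = 3600.0    # seconds; "at least an hour"
BASE_DELAY = 1.0     # assumed: wait after the first failure, doubled each time
MAX_DELAY = 300.0    # assumed cap on the progressive delay
NO_LOCKOUT = {"root", "Administrator"}  # delayed, but never locked out

@dataclass
class State:
    failures: int = 0
    next_allowed: float = 0.0
    locked_until: float = 0.0

class LoginThrottle:
    def __init__(self, check_password):
        self.check = check_password  # callable(user, password) -> bool
        self.state = {}

    def attempt(self, user, password, now):
        """Return 'ok', 'denied', 'wait' or 'locked' for an attempt at time now."""
        st = self.state.setdefault(user, State())
        if now < st.locked_until:
            return "locked"          # the password is not even evaluated
        if now < st.next_allowed:
            return "wait"            # too soon after the previous failure
        if self.check(user, password):
            self.state[user] = State()
            return "ok"
        st.failures += 1
        delay = min(BASE_DELAY * 2 ** min(st.failures - 1, 16), MAX_DELAY)
        st.next_allowed = now + delay
        if user not in NO_LOCKOUT and st.failures >= MAX_FAILURES:
            st.locked_until = now + COOL_OFF
        return "denied"

# Constructed demo credentials; a real verifier compares password hashes.
DEMO = {"alice": b"correct horse", "root": b"tr0ub4dor"}

def demo_check(user, password):
    return hmac.compare_digest(DEMO.get(user, b""), password.encode())

def replay(user, attempts):
    """attempts: list of (time, password); returns the outcome of each one."""
    throttle = LoginThrottle(demo_check)
    return [throttle.attempt(user, pw, t) for t, pw in attempts]
```

Passing the clock in as `now` keeps the policy testable; a real login program would supply a monotonic clock and persist the per-account state.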
  8. Nah.... by bpb213 · · Score: 2, Insightful

    First, there is the question of how many clickable subdivisions that you divide the screen in. Second, it will take a lot longer, especially as the subdivisions get smaller, as it will require more precise mousing.

    I think Gesture recognition would be a better method, personally.

    --

    This .sig looking for creative and witty saying.
  9. Re:drawing and puzzles by bpb213 · · Score: 3, Funny

    "Creating a drawing would be a great way to authenticate for some people"

    Want to take a bet on how many stick people you get as passwords? :)

    --

    This .sig looking for creative and witty saying.
  10. Re:Stupid. by Erebus · · Score: 2, Interesting

    Why can't you remotely log in? Why can't you click a sequence of coordinates on an imagemap on a web page? The images, and their reactions to being clicked, need not reflect their occult nature.

    Giving someone the password would be akin to the Second Trial getting to the Grail in 'Indiana Jones and the Last Crusade', where they spell the name of God by jumping on stones; clicketh upon said obscureth spots, in this order, etc. Timed pauses between events should be easy to implement, like 'click here, count to three, then click there'.

    Sounds like fun.

  11. Non-typing passwords... by Crash+Gordon · · Score: 4, Interesting

    Many years ago, I needed to secure my work PC (a spanking-new IBM XT-286) from the night shift; since I was doing CAD I had an EGA and a fast machine so my office became the midnight game room.

    I wrote a routine which put a login prompt on the screen, and then waited for a particular cadence on the DTR line of COM2. I patched this code into some blank space on the EGA's BIOS extension ROM, and executed it before the keyboard was even enabled during POST :-) COM2 had a plotter attached & I would turn the plotter on and off appropriately to boot the system. I never booted when there was somebody else in the room.

    Then came a change in company ownership, with its attendant politics... I was canned on a Friday afternoon with no notice whatsoever. Nobody asked about my password. Of course the vultures descended on my office, and among the first things to go was the plotter. No plotter, no password.

    Apparently after several frustrating weeks in Software Engineering the PC was returned to IBM for an expensive "repair" -- if someone had asked I'd have told them to swap the original EGA ROM from my desk drawer back into the EGA. Nobody asked.

    1. Re:Non-typing passwords... by karnal · · Score: 3, Interesting

      Sort of offtopic:

      I was perusing various car sites a while ago, looking for fix-it information on my car. I found an interesting thing that someone had done for a kill switch: they integrated a push of the passenger's window "up" button (on the driver's side only) to allow the passlock 2 (GM) signal to the ECM.

      Kind of a neat hack, seeing as if you didn't tell anyone, and no one paid close attention as you started the car, they probably wouldn't pick up on the trick. However, one of the dumber things you can do in that situation is post it on the internet for all to see..... Guess that's why you didn't announce your "lock out" until well after you were finished with that type of security.

      Kudos as well to you, though -- that was a neat trick. Almost makes me wish I was more into hardware (like I was as a teenager)....

      --
      Karnal
  12. Watch the clickityckick by lsommerer · · Score: 2, Interesting

    I've always thought that it would be interesting to watch the way that someone types in the password as well as what they type in. If your cadence isn't within your normal parameters, then you don't get in even if you have the right password.

    It would have to be auto adjusting, or subtle changes in the way you type in general could throw it off, and heaven help you if you break your hand, but an interesting idea anyway.

    There are other reasons why it would be problematic as well. You'd probably be out of luck if you needed to log in on a keyboard that was different in some substantial way from your own.

    Anyone know if anything like this has been done?
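
Added example, not part of any comment in the thread: a sketch of the typing-cadence check discussed in comments 6 and 12, including the auto-adjusting behaviour where each accepted login becomes a new training sample. It uses a per-gap running mean and variance in place of the neural network mentioned in comment 6; the names, the threshold, the variance floor and the timestamps are all constructed for the illustration.

```python
import math

class CadenceProfile:
    """Running mean/variance (Welford) of each gap between keystrokes."""
    def __init__(self, n_gaps, min_std=0.015):
        self.n = 0
        self.mean = [0.0] * n_gaps
        self.m2 = [0.0] * n_gaps
        self.min_std = min_std  # assumed floor (seconds) so steady typists still pass

    def update(self, gaps):
        self.n += 1
        for i, x in enumerate(gaps):
            d = x - self.mean[i]
            self.mean[i] += d / self.n
            self.m2[i] += d * (x - self.mean[i])

    def score(self, gaps):
        """Mean absolute z-score of an attempt against the profile."""
        z = 0.0
        for i, x in enumerate(gaps):
            std = math.sqrt(self.m2[i] / max(self.n - 1, 1))
            z += abs(x - self.mean[i]) / max(std, self.min_std)
        return z / len(gaps)

def gaps_from(key_times):
    return [b - a for a, b in zip(key_times, key_times[1:])]

def verify(profile, key_times, threshold=2.5, min_samples=5):
    """Call only after the typed password itself has matched."""
    gaps = gaps_from(key_times)
    known = profile.n >= min_samples and len(gaps) == len(profile.mean)
    if not known or profile.score(gaps) > threshold:
        return False
    profile.update(gaps)  # each accepted login becomes a new training sample
    return True

# Constructed key-press timestamps (seconds) for a five-character password.
ENROLLMENT = [[0, 0.20, 0.30, 0.40, 0.80], [0, 0.22, 0.33, 0.42, 0.80],
              [0, 0.19, 0.29, 0.40, 0.82], [0, 0.21, 0.30, 0.40, 0.81],
              [0, 0.20, 0.32, 0.42, 0.81]]
GENUINE = [0, 0.21, 0.31, 0.42, 0.82]
EVEN_TYPIST = [0, 0.15, 0.30, 0.45, 0.60]  # right keys, wrong rhythm

def enrolled_profile():
    profile = CadenceProfile(n_gaps=4)
    for sample in ENROLLMENT:
        profile.update(gaps_from(sample))
    return profile
```

Because the profile averages over every accepted login, it adapts more slowly as history accumulates; the different-keyboard and injured-hand cases raised in comment 12 would still need a fallback path.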