Using Password "Keyprints" as Another Form of Authentication?
Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched is the user using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"
Give me your password and I'll prove it. :)
They'll just record the way you type your password and play it back when necessary.
While this adds an extra level of protection, how about a case where the user password is picked up by a keypress logger? In that case, the timings can be logged too, and it would be a simple matter of repeating those timings with a program to log in.
Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence.
http://216.239.53.100/search?q=cache:Dmq6W8su71gC:www.cs.columbia.edu/~angelos/teaching/COMS4180/lecture10.ps+Biometrics+Password+Timing&hl=en&ie=UTF-8
http://ctl.ncsc.dni.us/biomet%20web/BMKeystroke.html
http://www.giac.org/practical/GSEC/Patricia_Wittich_GSEC.pdf
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci801112,00.html
Will be great for a lone ranger, but sometimes certain passwords need to be shared and this would eliminate it. Unless, at the time the password is shared, you measure timing for that new user as well - but each successive time would weaken the strength of this new layer of security.
Not much of a problem though. Sounds good to me in some ways.
91% of the time you enter the password my values captured matched each letter entry and the time between letters entered.
I don't want to have to retype my password one time out of ten just because I typed the third and fourth letter too close together. It's a good idea, but I think it needs a higher success rate (without compromising security, of course). I think a pattern-recognizer (like a neural network) might come in handy, though that may be slightly overkill for your Windows login screen.
This guy has no patents. He's just trying to scare us off from stealing his idea. Why else jump to mention his patents at the first available opportunity, on a website which hates patents no less?
The goatse guy for president. Win one for the gaper!
This does add another layer of protection, but it has some drawbnacks.
I'm typing this on my Zaurus; the nnnnn key is hypersennnsitive, as you may have noticed by now.
I can switch to another input method, like the on-screen software keyboard, as I am now, but the timings are completely different. If I switch to the "handwriting", as now, you'd have to clock penstrokes, again totally different.
What about logging in remotely over a buffered or burst-y connection? You might be able to (roughly) time keystrokes, bnut not key-ups or key-downs (I'm nnback to the keyboard, see the extra "n"s?)
Even worse, what if I innnjure my finger or hand (yeah, it's /., I know the njokes I've set myself up for)? Will I nbe able to log in at all?
With a password, as long as one finger works well enough to nhunt and peck, I can log in. With your method, I've got to nbe in the same physical shape, possibly as awake, as relaxed, etc. as when I recorded the password. Not to mention it's a pain to record a password 20 times.
However, I think your method does have a use; its drawbacks as a general password system makes it perhaps useful for other purposes: it is an innexpensive (i.e software only) way to deternmine that the user is in substantially the same state of health and mind as when the password was recorded.
This might make it a decent way to deny access to users under duress. I should note that users under duress might well be harmed when they cannnot make the password work, so it probnably should only be used to protect access the user considers more valuable than his own life.
Opinions on the Twiddler2 hand-held keyboard?
What you are describing sounds like one of the most basic techniques for biometric authentication. I remember being assigned to write programs to do what you describe for a class several years ago. It was one of the easier assignments we had.
If you are researching the subject, I strongly suggest Biometrics: Personal Identification in Networked Society, and anything else on the subject written or edited by Anil Jain.
(His webpage is here, the webpage of his lab is here).
Dr. Jain is (IMHO) the current leader in biometric research worldwide.
But it could be used for musical applications.
...
Plenty of prior art in this area though, I'm afraid
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Personally, I am really used to punching in my password(s) and I would not be surprised if others could imitate me simply by trying to input it very efficiently. I guess I would be able to obfuscate my password with some pauses, but I would probably make it more difficult for myself to get it right in the process.
But more research on this would be fun to see.
Reality or nothing.
Hi,
I actually tried to do this in a Java applet for the second year project at Reading University in 1995. But my neural networks teacher said that it had been done years before and we had to do something innovative.
Shame I have no docs to prove it!
Please, open your source and throw your patents in the public domain. As soon as you do that I'll be more than happy to evaluate your system. Right now, my only incline is to look for prior art. (which I'm pretty sure exists).
Instead of denying access when someone's keypresses don't match, which is a perfectly possible thing that could happen in a number of situations, just use the keypress score to alter how the system audits the user's actions. If he's under the threshold, you can send a page to your beeper, just notifying that it happened, if he's way off, then grant him only basic privileges, no root, but if he's only a little off then let him have normal access, but turn the logging on for every action he does. Most of the time he won't be an intruder, just someone who was a little sleepy that morning, but when it is an intruder, you'll be able to watch more closely and roll back any changes he makes.
... not for joe l. user! try to imagine explaining grandma why she can't log in to her windows me - box with the same password she used yesterday...
;)
or was it last week?
mortimer! how did you type 'depression' again? with a coffee break between the 'p' and the 'r'??
the computer is online
i am not at it
what a waste of resources
17:31 21/5/2546
...
TOPIC: security
great idea!
i wish they would put this technology into cars! so if you drunk or drugged or whatever (not fit to drive) you just can't open the car door or start the engine *g*.
oh, and i agreed "patents are evil".
and then there are taperecorders and microphones
Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. (...)"
Droyad is right of course. (Please mod parent up.) Well, Adam, I'm terribly sorry to prove your incompetence, pal, but patents have to be not only innovative (i.e. NO prior art), but also non-trivial for crying out loud! I have written a program doing exactly what your first program does, when I was twelve years old, for God's sake! This program recorded typed messages and later displayed them exactly how they were being written, storing intervals in milliseconds between every typed character and control key. And now, sixteen years later, you are saying this is oh-so-innovative and non-trivial, that you patent it? What the fuck were you smoking, man?! Please take no offence, but I am forced to question your doubtful intelligence. Meanwhile please do try not to overdose crack ever again. Thank you.
Damn, I had thought of this many years ago but discarded it as a novelty. Good job!
On a side note, this will help keep me off my computer while drunk too!!
__________
Love conquers all... except CANCER
..but doesn't work completely as previous posts have pointed out.
I think that it would be better to use a camera and iris authentication but don't let anyone get a closeup picture of you.. ;)
Presumably he has filed with the patent office but no patent has been granted yet.
Presumably he has filed my arse! This guy is a crackpot! Do a little Google search and you'll know for yourself. Excuse me, but does this sound like someone who has got IQ higher than 20?
Adam Kiger asks: "I have written two programs with patents on both. (...) So I've come to ask Slashdot: Is this a viable security function?"
Think, people, THINK! What the hell happened to smart people on /.?
Are we already outnumbered by morons?
I guess it's time to move to k5... *sigh*
This is a BAD THING! I have a keyboard where the 'f' key sometimes sticks, sometimes works slowly, and sometimes is fine. Different keyboards have different rates of key-up/key-down, as well as resistance and just tactile sensations. If you're *that* bloody worried about security, buy a darn fingerprint scanner - they're about 150 euro now, right?
Why derive your key from the first 20 inputs? Why not continually re-derive the key from the last 20 inputs, to allow for typestyle drift over time?
-C
The ______ Agenda
What about when the user sits down at a different type of keyboard; ie normal vs 'natural'?
I don't always type my password at the same speed (i've got good finger memory, so i can type it fast, but i sometimes need to delete a letter or 2)
Try again...
I have arthritis. Some days are good. Some days are bad. Mostly it's in my knees and elbows. Lately it's been creeping into my knuckles. Now before I start yelling at the clouds like Grampa Simpson let me get to the point. The typing I can do today is probably not going to be the typing I do tomorrow. I see this as nothing but a bad idea. I don't want to be locked out because I've run out of Motrin.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
Gee, a patent.
Those in Australia will remember a TV show called 'Towards 2000', later 'Beyond 2000' for obvious reasons.
Anyway, one episode featured just that. I was so inspired I implemented it in Extended Basic (woohoo) on my TI-99/4a.
Hang around and I'll post the source code... or would you like to sue me first?
What about when I'm drunk? Or injure one hand? Or haven't had coffee yet. Or need a co-worker to login as me?
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
...bzzzt, try again. No one will adopt it until you can offer a permanent irrevocable guarantee that you'll grant royalty-free access to the patents.
Otherwise, you're just another schmoe who thinks he's come up with something unique.
Telnet will "work", for example. Open up an instance of tcpdump or some other real-time packet sniffer and telnet into your local machine. Type in your password. For every character you type in a telnet session, a packet is sent. This is one reason it is such a poor protocol for restricted or secure access. Add the fact that it's a plain text protocol, and someone could mimic your biometric quite easily.
SSH, on the other hand, has lots of little enhancements to combat the network sniffer. Firstly, the traffic is encrypted. Secondly, ssh doesn't send your password one character at a time. It varies the packet sizes and timings "randomly", and well, it's just plain cool. So, unless you add a biometric test to password timing for the local ssh client used to connect to the server, you couldn't gather the information at all.
Use with HTTP would also depend upon the cooperation of the remote client, but if there's anything a knowledgeable programmer has learned over the years, it's that you NEVER trust client information fully. (Just as people don't fully trust closed-source software, but that's way off topic.) Always validate your input.
So, although such biometric validation can be useful under certain circumstances, it's not reliable enough to be depended upon. I do like the idea that one poster presented for auditing user behavior, such as violating a system policy of sharing passwords for a single account, but once again, it's a very limited biometric.
assert(expired(knowledge));
I was on one of my super-paranoid thought paths the other day, and ended up trying to think of a way to restrict access.
Passwords are vulnerable to keylogging and snooping; your method would require that the keylogger/snooper timed the keystrokes - definitely in the realm of possibility. Some sort of combined graphical/mouse/keyboard login would be more difficult, but snooping/screen captures/Van Eck phreaking would do the trick. Biological measures would also be difficult, since you can be coerced into accessing the machine.
In the end, probably the best way of doing it that I could come up with was to use a laptop (integrated design makes hardware screen capture/key logging harder, and I'm under the [possibly mistaken] impression that Van Eck phreaking would be harder with an LCD display than a CRT display), use a non-writeable boot CD and keep all data on a USB keydrive, mounted noexec. No network connection, and some sort of combined graphical/keyboard login. Then always carry a method of quickly destroying the USB keydrive. (Thermite would be a dramatic, but quick way of doing it.)
Of course, this is far from perfect, since there is always the possibility of being drugged through food/environment, then being interrogated with the USB drive out of your possession, until they have your password.
As a password ages, finger familiarity increases. You type that sequence faster than the 1st few times. Especially if it is a strong pw, and not a standard word.
At some point, you have to reset the timing. Say every n logons. But at that point, a cracker could reset the timing for you...:)
I found a program that did this in Nibble. It was early 80s. I used it as protection on my disc. It's really annoying to have your password rejected when you've typed it correctly..
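As an added example (not code from the question or any poster), the following sketches how the question's keyprint, per-key dwell plus the key-down-to-next-key-up span enrolled over 20 entries, can drive the graduated audit policy proposed earlier in the thread instead of a hard deny, with the profile re-derived from the last 20 trusted entries so it follows the speed-up of finger memory while refusing to learn from a poorly matched login (the "cracker resets the timing for you" problem). The event generator and every timing are constructed stand-ins, and the 2.5-standard-deviation tolerance and the 0.6/0.9 score thresholds are assumed values, not anything from the question.

```python
# Added example (not the question's or any poster's code); all timings constructed.
import random
from collections import deque
from statistics import mean, stdev

WINDOW = 20      # profile is rebuilt from the 20 most recent trusted entries
TOLERANCE = 2.5  # a timing "matches" if within this many std devs of its mean

def features(events):
    """events: (key_down_ms, key_up_ms) per character, in typing order. Returns
    dwell per key, then key-down of one letter to key-up of the next."""
    dwell = [up - down for down, up in events]
    span = [events[i + 1][1] - events[i][0] for i in range(len(events) - 1)]
    return dwell + span

class Keyprint:
    def __init__(self, window=WINDOW):
        self.samples = deque(maxlen=window)  # oldest entry drops off automatically

    def enroll(self, events):
        self.samples.append(features(events))

    def score(self, events):
        """Fraction of timings within TOLERANCE std devs of the enrolled mean
        (1.0 = every timing matched); 0.0 until two samples exist."""
        f, cols = features(events), list(zip(*self.samples))
        if len(self.samples) < 2 or len(f) != len(cols):
            return 0.0
        hits = sum(abs(x - mean(c)) <= TOLERANCE * max(stdev(c), 1.0)  # 1 ms floor
                   for x, c in zip(f, cols))
        return hits / len(f)

def decide(score):
    """The password is checked separately; the score only sets scrutiny."""
    if score >= 0.9:
        return "normal"
    return "normal, full audit trail" if score >= 0.6 else "restricted, alert"

def login(kp, events):
    """Score one correct-password attempt; only a well-matched entry refreshes
    the profile, so an intruder cannot quietly retrain it."""
    s = kp.score(events)
    if s >= 0.6:
        kp.enroll(events)
    return s, decide(s)

def typed(rng, n_keys, dwell, gap):
    """Constructed events: hold each key ~dwell ms, pause ~gap ms, 10% jitter."""
    events, t = [], 0.0
    for _ in range(n_keys):
        up = t + rng.gauss(dwell, 0.1 * dwell)
        events.append((t, up))
        t = up + rng.gauss(gap, 0.1 * gap)
    return events

def demo(seed=7):
    """Enroll 20 entries; score owner, impostor, then owner after 40 faster logins."""
    rng, kp = random.Random(seed), Keyprint()
    for _ in range(WINDOW):
        kp.enroll(typed(rng, 8, dwell=90, gap=120))
    owner = login(kp, typed(rng, 8, dwell=90, gap=120))
    impostor = login(kp, typed(rng, 8, dwell=50, gap=300))  # knows the password
    for step in range(1, 41):                               # gradual speed-up
        login(kp, typed(rng, 8, dwell=90 - 0.75 * step, gap=120 - 1.5 * step))
    adapted = login(kp, typed(rng, 8, dwell=60, gap=60))
    return owner, impostor, adapted
```

Running `demo()` returns (score, policy) for the three attempts; the impostor lands in the restricted tier while the owner keeps normal access before and after the speed-up.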
You can pay to get two patents but can't spring for a couple of keyboards?
This is very typical of very bright, but narrow-minded people. What about people who don't touch type (gasp). What about if you cut your finger and put a bandage over the end? What about people who don't always type the same way? I'm often eating or doing something else while I'm on the computer, and use [Backspace] more than any other key. I might have a burrito in my hand, and thus be typing with my pinkies.
And for those of you reading this comment, it's not just stuff like this, but any time you make something for more than just yourself you can't use your "ultimate" idea because it is only ultimate for you. For example, my mom organizes our pots & pans by when she bought them - she can find anything blindfolded, but none of the rest of us can find anything.
Remember, that if you're designing something for others, you're designing it for those that have trouble driving cars (how many of those people do you see every day?) and need to be told that food will be hot after microwaving.
Kurdt
I'm not anti-social. Just pro-technology.
That idea is so obvious as to be painful. It isn't novel or original at all. If you really have patents on this then the patent office was smoking crack that day. I read about this being done YEARS ago. Didn't you do some research into prior art? Remember, computing existed LONG before Google. Go look in the library - perhaps look through old ACM Journal - DO SOME HOMEWORK then go work on something really novel.
Just because you can do it, doesn't mean you should get a patent on it.
Jibe!
I did a summer research project implementing this kind of a system using a neural network. The professor with whom I worked had patents on the system he had developed with one of his Masters students back in 1990/91. They are published. But, of course, the patent is for the *implementation* of the idea, not the idea itself. The idea has, as many have thankfully testified, been around since keyboards.
My work was to improve the results using a different neural network. I later used this work as the basis for my thesis. I didn't quite achieve the results I was hoping for, but my test samples were small. I am also published.
My research was purely academic. I distributed the source code to my implementation. I used an open-source implementation of an ART2 neural network. So, my entire project can be picked up where I left off and continued.
Your affinity for patents is rather silly at this stage of the game and you probably wasted a lot of money on those patents. Your implementation sounds rather simplistic, as well. In my extensive literature survey, statistical methods *always* lagged neural networks in their results. If you want to see my literature survey, it is in the IJCIA:
http://www.worldscinet.com/157/02/0202/S1469026802000052X.html
(I know, you would have to pay. Use this info to find it at a library.)
Oh yeah, I also implemented it in Java for my senior project and got lousy results because you can't get millisecond timing accuracy from that technology. The other implementation is in Tcl/Tk.
Finally, to address all the brilliant observations like "what if you hurt your hand?" or "what about logging/network attacks?". Yes, obviously this has limited application. In fact, my senior project combined this approach with Java iButtons. And yes, there will always have to be a backup authentication method, with a human involved, OR this is stealth authentication, allowing any typing style to get through, but triggering a warning if it doesn't match.
Jason
Nope -- not good, for a variety of reasons listed in other posts.
Reminds me of a story by Orson Scott Card called Dogwalker. The protagonist is someone who groks passwords. He ends up caught because he got a password correct on the first try, which the owner never ever did.
In walking, just walk. In sitting, just sit. Above all, don't wobble.
-- Yun-Men
I'm not sure I like the idea that you're not sure about the validity, from a security standpoint, of the concept, but you've already patented it.
So you'll forgive me for briefly commenting, because I have to type very slowly.
Actually, that should answer your question.
Someone named an OS for me.
If we all start Using Password "Keyprints" as Another Form of Authentication, pretty soon someone will catch on, and we'll have to change to something more obscure like "K3ypr1nts".
Doesn't mean it doesn't have other applications though. Sounds like it might be a better measurement of typing speed than what most use. Perhaps it could add complexity to games as well.
Hoist Number One and Number Six.
Well at least I know I'm not the only one who wastes money on worthless ideas...
remembers reading about some ancient l33wt hacker tricks. His hacker buddies stand back in awe as he... Changes the password without typing anything 20 times.
Yeah, I remember that trick. It's called a boot disk.
I'm not sure if boot disks are "l33wt", but I know that if anyone has physical access to your machine, they can access your machine. This keystroke monitoring program is silly.
The theory of relativity doesn't work right in Arkansas.
These people state that their 'patented keystroke dynamics technology, a proprietary algorithm to make biometric measurements of a keyboard user's individual typing rhythm' was originally developed by SRI between 1979 and 1985. 'Today, the company has re-engineered keystroke dynamics into a software only biometric solution for user authentication in modern computers.'
As others have mentioned, morse code users recognized the style of each other's signals a long time ago. Typing patterns have been used in various ways also; one of the less obvious was in decoding typed documents through spy transmitters which provided recorded audio of typing. Of course, Turing test tools have done the reverse when a computer emulated human typing for the purpose of seeming to be a human typist. An obvious extension of the concept were the several writing pattern devices which measure pen pressure, speed, and/or acceleration during a signature. Several of these have also been used in fiction over several decades, but "Seven Days of the Condor" contains the major example of fiction idea searching and I'm not aware of a central source (unless The Encyclopedia Of Science Fiction has relevant index entries).
I will note that acquiring patents and then asking Slashdot to do your prior art search is a novel approach. Have you patented this?