Using Password "Keyprints" as Another Form of Authentication?
Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched is users using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"
http://216.239.53.100/search?q=cache:Dmq6W8su71gC:www.cs.columbia.edu/~angelos/teaching/COMS4180/lecture10.ps+Biometrics+Password+Timing&hl=en&ie=UTF-8
http://ctl.ncsc.dni.us/biomet%20web/BMKeystroke.html
http://www.giac.org/practical/GSEC/Patricia_Wittich_GSEC.pdf
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci801112,00.html
What you are describing sounds like one of the most basic techniques for biometric authentication. I remember being assigned to write programs to do what you describe for a class several years ago. It was one of the easier assignments we had.
If you are researching the subject, I strongly suggest Biometrics: Personal Identification in Networked Society, and anything else on the subject written or edited by Anil Jain.
(His webpage is here, the webpage of his lab is here).
Dr. Jain is (IMHO) the current leader in biometric research worldwide.
Why derive your key from the first 20 inputs? Why not continually re-derive the key from the last 20 inputs, to allow for typestyle drift over time?
-C
The ______ Agenda
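The enroll-then-match loop the question describes (dwell time per key, flight time between keys, a profile built from 20 entries), combined with -C's suggestion of re-deriving the profile from the last 20 accepted entries, as an added Python sketch. This is not Adam Kiger's patented code or anything posted in the thread; the tolerance, match ratio and the synthetic timings are constructed assumptions for illustration.

```python
import random
from collections import deque
from statistics import mean, pstdev

WINDOW = 20          # entries the keyprint is derived from (the question's 20)
TOLERANCE_MS = 40    # constructed floor on per-feature tolerance; tune it from real data
MATCH_RATIO = 0.9    # fraction of features that must land inside tolerance
def features(down_ms, up_ms):
    """Dwell per key (keyup - keydown), then flight per gap (next keydown - previous keyup)."""
    dwell = [u - d for d, u in zip(down_ms, up_ms)]
    flight = [down_ms[i + 1] - up_ms[i] for i in range(len(down_ms) - 1)]
    return dwell + flight

class Keyprint:
    def __init__(self, window=WINDOW):
        self.samples = deque(maxlen=window)  # rolling window of accepted entries
        self.profile = None                  # (means, stdevs) per feature, once full
    def enroll(self, vec):
        self.samples.append(vec)
        if len(self.samples) == self.samples.maxlen:
            cols = list(zip(*self.samples))
            self.profile = ([mean(c) for c in cols], [pstdev(c) for c in cols])
    def score(self, vec):
        """Fraction of features inside tolerance of the profile; None until enrollment completes."""
        if self.profile is None:
            return None
        means, stdevs = self.profile
        tol = [max(TOLERANCE_MS, 2 * s) for s in stdevs]
        return sum(abs(v - m) <= t for v, m, t in zip(vec, means, tol)) / len(vec)
    def verify(self, vec):
        s = self.score(vec)
        ok = s is not None and s >= MATCH_RATIO
        if ok:
            self.enroll(vec)  # re-derive from the last WINDOW entries so the profile follows drift
        return ok

def synth_entry(rng, dwell, flight, jitter, n=8):
    """Constructed keydown/keyup timestamps (ms) for an n-character password."""
    down, up, t = [], [], 0.0
    for _ in range(n):
        down.append(t); t += dwell + rng.uniform(-jitter, jitter)
        up.append(t);   t += flight + rng.uniform(-jitter, jitter)
    return down, up

def demo():
    rng, kp = random.Random(7), Keyprint()
    for _ in range(WINDOW):
        kp.enroll(features(*synth_entry(rng, 95, 140, 12)))
    owner = kp.verify(features(*synth_entry(rng, 95, 140, 12)))
    other = kp.verify(features(*synth_entry(rng, 170, 260, 12)))  # same password, different rhythm
    return owner, other
```

Because the profile is only updated from entries that already passed, a rolling window tracks gradual drift without letting a single mismatched entry pull the profile toward a different typist.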
Telnet will "work", for example. Open up an instance of tcpdump or some other real-time packet sniffer and telnet into your local machine. Type in your password. For every character you type in a telnet session, a packet is sent. This is one reason it is such a poor protocol for restricted or secure access. Add the fact that it's a plain text protocol, and someone could mimic your biometric quite easily.
SSH, on the other hand, has lots of little enhancements to combat the network sniffer. Firstly, the traffic is encrypted. Secondly, ssh doesn't send your password one character at a time. It varies the packet sizes and timings "randomly", and well, it's just plain cool. So, unless you add a biometric test to password timing for the local ssh client used to connect to the server, you couldn't gather the information at all.
Use with HTTP would also depend upon the cooperation of the remote client, but if there's anything a knowledgeable programmer has learned over the years, it's that you NEVER trust client information fully. (Just as people don't fully trust closed-source software, but that's way off topic.) Always validate your input.
So, although such biometric validation can be useful under certain circumstances, it's not reliable enough to be depended upon. I do like the idea that one poster presented for auditing user behavior, such as violating a system policy of sharing passwords for a single account, but once again, it's a very limited biometric.
assert(expired(knowledge));
I did a summer research project implementing this kind of a system using a neural network. The professor with whom I worked had patents on the system he had developed with one of his Masters students back in 1990/91. They are published. But, of course, the patent is for the *implementation* of the idea, not the idea itself. The idea has, as many have thankfully testified, been around since keyboards.
My work was to improve the results using a different neural network. I later used this work as the basis for my thesis. I didn't quite achieve the results I was hoping for, but my test samples were small. I am also published.
My research was purely academic. I distributed the source code to my implementation. I used an open-source implementation of an ART2 neural network. So, my entire project can be picked up where I left off and continued.
Your affinity for patents is rather silly at this stage of the game and you probably wasted a lot of money on those patents. Your implementation sounds rather simplistic, as well. In my extensive literature survey, statistical methods *always* lagged neural networks in their results. If you want to see my literature survey, it is in the IJCIA:
http://www.worldscinet.com/157/02/0202/S1469026
(I know, you would have to pay. Use this info to find it at a library.)
Oh yeah, I also implemented it in Java for my senior project and got lousy results because you can't get millisecond timing accuracy from that technology. The other implementation is in Tcl/Tk.
Finally, to address all the brilliant observations like "what if you hurt your hand?" or "what about logging/network attacks?": yes, obviously this has limited application. In fact, my senior project combined this approach with Java iButtons. And yes, there will always have to be a backup authentication method, with a human involved, OR this is stealth authentication, allowing any typing style to get through, but triggering a warning if it doesn't match.
Jason