Slashdot Mirror

← Back to Stories (view on slashdot.org)

Using Password "Keyprints" as Another Form of Authentication?

Posted by Cliff on from the constructive-criticism-for-an-interesting-idea dept.

Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representaion. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched are the user using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"

5 of 100 comments (clear)

  1. May be defeated if password is keylogged by Vendekkai · · Score: 3, Insightful

    While this adds an extra level of protection, how about a case where the user password is picked up by a keypress logger? In that case, the timings can be logged too, and it would be a simple matter of repeating those timings with a program to log in.

    Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence.

    1. Re:May be defeated if password is keylogged by Surye · · Score: 3, Insightful

      Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence. This will be a huge problem for you, as when you "learn" your password better, you type it out faster. You'd have to apply this at "critical level of ...remeberance(I know, not a word =P), and that would cause implimentation to be horrible.

  2. 91% success means 9% failure by porksodas · · Score: 3, Insightful

    91% of the time you enter the password my values captured matched each letter entry and the time between letters entered.

    I don't want to have to retype my password one time out of ten just because I typed the third and fourth letter to close together. It's a good idea, but I think it needs a higher success rate (without compromising security, of course). I think a pattern-recognizer (like a neural network) might come in handy, though that may be slightly overkill for your Windows login screen.

  3. Re:Sorry to burst your bubble by WasterDave · · Score: 3, Insightful

    Sure, but it is relevant for enforcing them. Presumably that's the point?

    Dave

    --
    I write a blog now, you should be afraid.
  4. No free consultation for you. by Chilles · · Score: 4, Insightful

    Please, open your source and throw your patents in the public domain. As soon as you do that I'll be more than happy to evaluate your system. Right now, my only incline is to look for prior art. (which I'm pretty sure exists).