Using Password "Keyprints" as Another Form of Authentication?
Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched are the user using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"
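Added example, not Adam's code and not either of his programs: the scheme he describes, reduced to working Python. Per-key dwell (keydown to keyup) and inter-key flight (keyup to next keydown) form the feature vector; 20 enrollment entries give a per-feature mean and tolerance; an attempt is scored by the fraction of features that land inside tolerance. All timings, the password "secret", the 2-sigma rule with a 10 ms floor, and the 85% accept threshold are constructed assumptions for illustration.

```python
from statistics import mean, pstdev

# One typing of a password as key events: (key, keydown_ms, keyup_ms),
# with timestamps in milliseconds relative to the first keydown.

def features(events):
    """Dwell time for each key (keyup - keydown) followed by the flight
    time between consecutive keys (next keydown - previous keyup).
    Flight can be negative when the typist rolls over keys."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, k_sigma=2.0, floor_ms=10.0):
    """Profile = per-feature (mean, tolerance) over the enrollment samples.
    Tolerance is k_sigma standard deviations but never below floor_ms, so an
    unusually consistent enrollment does not lock the user out over a few ms."""
    vectors = [features(s) for s in samples]
    profile = []
    for column in zip(*vectors):
        profile.append((mean(column), max(k_sigma * pstdev(column), floor_ms)))
    return profile

def match_rate(profile, sample):
    """Fraction of features that fall inside the enrolled tolerance."""
    f = features(sample)
    hits = sum(1 for x, (m, tol) in zip(f, profile) if abs(x - m) <= tol)
    return hits / len(f)

def authenticate(profile, sample, threshold=0.85):
    return match_rate(profile, sample) >= threshold

def make_sample(password, dwells, flights):
    """Build an event list from per-key dwell times and inter-key flight times."""
    events, t = [], 0
    for i, key in enumerate(password):
        down, up = t, t + dwells[i]
        events.append((key, down, up))
        if i < len(flights):
            t = up + flights[i]
    return events

# Constructed data: the owner's usual rhythm for a six-letter password.
PASSWORD = "secret"
BASE_DWELL = [90, 110, 85, 100, 95, 120]
BASE_FLIGHT = [80, 120, 70, 150, 90]

def enrollment_samples(n=20):
    # Each of the n entries is the base rhythm shifted by -2..+2 ms.
    return [make_sample(PASSWORD, [d + (i % 5) - 2 for d in BASE_DWELL],
                        [f + (i % 5) - 2 for f in BASE_FLIGHT]) for i in range(n)]

def genuine_attempt():
    # The owner again, 3 ms slower everywhere, but with the third and
    # fourth letters typed too close together (flight 30 ms instead of 70).
    flights = [f + 3 for f in BASE_FLIGHT]
    flights[2] = 30
    return make_sample(PASSWORD, [d + 3 for d in BASE_DWELL], flights)

def impostor_attempt():
    # Someone who was given the password but not the rhythm.
    return make_sample(PASSWORD, [140, 150, 85, 160, 145, 170],
                       [200, 250, 180, 300, 220])

if __name__ == "__main__":
    profile = enroll(enrollment_samples())
    print(match_rate(profile, genuine_attempt()))   # 10 of 11 features match
    print(match_rate(profile, impostor_attempt()))  # 1 of 11
```

The genuine attempt scores 10/11 (one flight time off), the impostor 1/11; with the 85% threshold the first passes and the second fails. Note that the tolerance floor, not the statistics, decides most borderline cases once the enrollment is tight, so the floor is the parameter that trades lockouts against impostor acceptance.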
Give me your password and I'll prove it. :)
While this adds an extra level of protection, how about a case where the user password is picked up by a keypress logger? In that case, the timings can be logged too, and it would be a simple matter of repeating those timings with a program to log in.
Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence.
http://216.239.53.100/search?q=cache:Dmq6W8su71gC:www.cs.columbia.edu/~angelos/teaching/COMS4180/lecture10.ps+Biometrics+Password+Timing&hl=en&ie=UTF-8
http://ctl.ncsc.dni.us/biomet%20web/BMKeystroke.html
http://www.giac.org/practical/GSEC/Patricia_Wittich_GSEC.pdf
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci801112,00.html
91% of the time you enter the password my values captured matched each letter entry and the time between letters entered.
I don't want to have to retype my password one time out of ten just because I typed the third and fourth letters too close together. It's a good idea, but I think it needs a higher success rate (without compromising security, of course). I think a pattern-recognizer (like a neural network) might come in handy, though that may be slightly overkill for your Windows login screen.
This guy has no patents. He's just trying to scare us off from stealing his idea. Why else jump to mention his patents at the first available opportunity, on a website which hates patents no less?
The goatse guy for president. Win one for the gaper!
This does add another layer of protection, but it has some drawbnacks.
I'm typing this on my Zaurus; the nnnnn key is hypersennnsitive, as you may have noticed by now.
I can switch to another input method, like the on-screen software keyboard, as I am now, but the timings are completely different. If I switch to the "handwriting", as now, you'd have to clock penstrokes, again totally different.
What about logging in remotely over a buffered or burst-y connection? You might be able to (roughly) time keystrokes, bnut not key-ups or key-downs (I'm nnback to the keyboard, see the extra "n"s?)
Even worse, what if I innnjure my finger or hand (yeah, it's /., I know the njokes I've set myself up for)? Will I nbe able to log in at all?
With a password, as long as one finger works well enough to nhunt and peck, I can log in. With your method, I've got to nbe in the same physical shape, possibly as awake, as relaxed, etc. as when I recorded the password. Not to mention it's a pain to record a password 20 times.
However, I think your method does have a use; its drawbacks as a general password system make it perhaps useful for other purposes: it is an innexpensive (i.e. software only) way to deternmine that the user is in substantially the same state of health and mind as when the password was recorded.
This might make it a decent way to deny access to users under duress. I should note that users under duress might well be harmed when they cannnot make the password work, so it probnably should only be used to protect access the user considers more valuable than his own life.
Opinions on the Twiddler2 hand-held keyboard?
What you are describing sounds like one of the most basic techniques for biometric authentication. I remember being assigned to write programs to do what you describe for a class several years ago. It was one of the easier assignments we had.
If you are researching the subject, I strongly suggest Biometrics: Personal Identification in Networked Society, and anything else on the subject written or edited by Anil Jain.
(His webpage is here, the webpage of his lab is here).
Dr. Jain is (IMHO) the current leader in biometric research worldwide.
Please, open your source and throw your patents in the public domain. As soon as you do that I'll be more than happy to evaluate your system. Right now, my only inclination is to look for prior art (which I'm pretty sure exists).
Instead of denying access when someone's keypresses don't match, which is a perfectly possible thing that could happen in a number of situations, just use the keypress score to alter how the system audits the user's actions. If he's under the threshold, you can send a page to your beeper, just notifying you that it happened; if he's way off, then grant him only basic privileges, no root; but if he's only a little off then let him have normal access, but turn the logging on for every action he does. Most of the time he won't be an intruder, just someone who was a little sleepy that morning, but when it is an intruder, you'll be able to watch more closely and roll back any changes he makes.
... not for joe l. user! try to imagine explaining grandma why she can't log in to her windows me - box with the same password she used yesterday...
;)
or was it last week?
mortimer! how did you type 'depression' again? with a coffee break between the 'p' and the 'r'??
the computer is online
i am not at it
what a waste of resources
And maybe you don't want to use this for authentication, but it could set off bells and whistles so that an admin could look into the security violations. You could find out exactly when someone decided to share their password. Then you could walk up to their desk in a black suite and sun glasses, and remind them that they are not supposed to share their password, and that it's been changed.
This would also be a good measurement for hacker detection. If you keep a history of the password keystroke timing, and all of a sudden a separate set of timings starts to appear, you can start to look for other differences in the login patterns. Finally, you could use this to see who is logging into root directly. Bad! Bad! Bad Boy!
This isn't the sig you are looking for... Carry on...
Why derive your key from the first 20 inputs? Why not continually re-derive the key from the last 20 inputs, to allow for typestyle drift over time?
-C
The ______ Agenda
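Added example covering both suggestions above, the graded response (audit harder or drop root rather than deny) and the template re-derived from the last 20 inputs. This is not code from the post or from any of the commenters; it works on already-extracted timing vectors (dwell and flight times in ms), and the 0.85/0.60 tiers, the 2-sigma-with-10-ms-floor tolerance, the base rhythm and the "1 ms faster per day" drift are constructed assumptions.

```python
from collections import deque
from statistics import mean, pstdev

WINDOW = 20         # the "last 20 inputs" suggested above
K_SIGMA = 2.0
FLOOR_MS = 10.0

def build_profile(vectors):
    """Per-feature (mean, tolerance) over equal-length timing vectors."""
    return [(mean(col), max(K_SIGMA * pstdev(col), FLOOR_MS))
            for col in zip(*vectors)]

def score(profile, vec):
    """Fraction of features inside the enrolled tolerance."""
    hits = sum(1 for x, (m, tol) in zip(vec, profile) if abs(x - m) <= tol)
    return hits / len(vec)

def decide(s):
    """Graded response instead of a hard deny."""
    if s >= 0.85:
        return "normal"
    if s >= 0.60:
        return "normal+audit"      # full access, but log every action
    return "restricted+page"       # no root, and page the admin

class RollingTemplate:
    """Template re-derived from the last WINDOW fully trusted logins."""
    def __init__(self, enrollment):
        self.window = deque(enrollment, maxlen=WINDOW)
        self.profile = build_profile(self.window)

    def login(self, vec):
        verdict = decide(score(self.profile, vec))
        # Only logins that passed at full trust may move the template;
        # otherwise an impostor admitted at a lower tier could walk the
        # template toward his own rhythm a few milliseconds at a time.
        if verdict == "normal":
            self.window.append(vec)
            self.profile = build_profile(self.window)
        return verdict

# Constructed scenario: the user's rhythm at enrollment (6 dwell + 5 flight
# times), then 40 daily logins during which every timing gets 1 ms faster.
BASE = [90, 110, 85, 100, 95, 120, 80, 120, 70, 150, 90]

def enrollment():
    return [[x + (i % 5) - 2 for x in BASE] for i in range(WINDOW)]

def simulate_drift(days=40, ms_per_day=1.0, rolling=True):
    """Number of the `days` logins that get the "normal" verdict."""
    fixed = build_profile(enrollment())
    tmpl = RollingTemplate(enrollment())
    accepted = 0
    for day in range(days):
        vec = [x - ms_per_day * day for x in BASE]
        verdict = tmpl.login(vec) if rolling else decide(score(fixed, vec))
        if verdict == "normal":
            accepted += 1
    return accepted

if __name__ == "__main__":
    print(simulate_drift(rolling=False))  # 11: locked out from day 11 on
    print(simulate_drift(rolling=True))   # 40: the template followed the drift
```

With a fixed template the user is locked out once the drift exceeds the 10 ms floor (day 11 of 40); the rolling template follows the drift and accepts all 40. The flip side is that a rolling template will also follow anyone it keeps accepting, which is why only full-trust logins feed the window here.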
I have arthritis. Some days are good. Some days are bad. Mostly it's in my knees and elbows. Lately it's been creeping into my knuckles. Now before I start yelling at the clouds like Grampa Simpson let me get to the point. The typing I can do today is probably not going to be the typing I do tomorrow. I see this as nothing but a bad idea. I don't want to be locked out because I've run out of Motrin.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
> Personally, I am really used to punching in my password(s) and I
> would not be surprised if others could imitate me simply by trying
> to input it very efficiently.
Me too, _except_ that I use a modified keyboard layout, which makes certain things take different amounts of time than usual. (For example, switching between upper and lower case is faster, because shift is under a home position on my layout. OTOH, k is rather out of the way and generates an extra pause before or after.)
I still prefer the long-nasty-password approach. Use a password like cEveNaughtDiVulge-canceroussGRANDpapy;rot14impreSSionismmxi (not my real password, of course), type it fast, and nothing but a sniffer is going to compromise it. Yet something like that is only barely more difficult to memorise than something traditional like Rx7QvGOc0b. (You remember, "seven naught divulge cancerous grandpappy rot14 impressionism xi", eight words (except rot14, which is easy to remember because it's one more than Caesar), but then you make minor tweaks such as elided and doubled letters and case shifts, which your muscle memory will do for you automatically after a dozen times typing it.)
Cut that out, or I will ship you to Norilsk in a box.
Telnet will "work", for example. Open up an instance of tcpdump or some other real-time packet sniffer and telnet into your local machine. Type in your password. For every character you type in a telnet session, a packet is sent. This is one reason it is such a poor protocol for restricted or secure access. Add the fact that it's a plain text protocol, and someone could mimic your biometric quite easily.
SSH, on the other hand, has lots of little enhancements to combat the network sniffer. Firstly, the traffic is encrypted. Secondly, ssh doesn't send your password one character at a time. It varies the packet sizes and timings "randomly", and well, it's just plain cool. So, unless you add a biometric test to password timing for the local ssh client used to connect to the server, you couldn't gather the information at all.
Use with HTTP would also depend upon the cooperation of the remote client, but if there's anything a knowledgeable programmer has learned over the years, it's that you NEVER trust client information fully. (Just as people don't fully trust closed-source software, but that's way off topic.) Always validate your input.
So, although such biometric validation can be useful under certain circumstances, it's not reliable enough to be depended upon. I do like the idea that one poster presented for auditing user behavior, such as violating a system policy of sharing passwords for a single account, but once again, it's a very limited biometric.
assert(expired(knowledge));
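Added example for the telnet point above, not code from the commenter: one character per packet means the press-to-press timing is readable straight off a capture, so anyone sniffing the plaintext password also gets the rhythm to replay. The parser below works on constructed tcpdump-style lines (the hosts, port and timestamps are made up for the example) and keeps only 1-byte client-to-server segments, dropping the server's echoes and bare ACKs. Only keydown-to-keydown latency is recoverable this way; key-up times never leave the host.

```python
import re

# Constructed tcpdump-style lines for an interactive telnet session,
# client 10.0.0.5 -> server 10.0.0.9 port 23. Every typed character
# leaves as its own 1-byte PUSH; the server echoes each one back, and
# pure ACKs carry no payload.
CAPTURE = """\
10:15:31.990000 IP 10.0.0.5.51234 > 10.0.0.9.23: Flags [S], seq 0, win 65535, length 0
10:15:32.004512 IP 10.0.0.5.51234 > 10.0.0.9.23: Flags [P.], seq 1:2, ack 1, win 512, length 1
10:15:32.010112 IP 10.0.0.9.23 > 10.0.0.5.51234: Flags [P.], seq 1:2, ack 2, win 512, length 1
10:15:32.094512 IP 10.0.0.5.51234 > 10.0.0.9.23: Flags [P.], seq 2:3, ack 2, win 512, length 1
10:15:32.100300 IP 10.0.0.9.23 > 10.0.0.5.51234: Flags [P.], seq 2:3, ack 3, win 512, length 1
10:15:32.224512 IP 10.0.0.5.51234 > 10.0.0.9.23: Flags [P.], seq 3:4, ack 3, win 512, length 1
10:15:32.230000 IP 10.0.0.5.51234 > 10.0.0.9.23: Flags [.], ack 4, win 512, length 0
10:15:32.304512 IP 10.0.0.5.51234 > 10.0.0.9.23: Flags [P.], seq 4:5, ack 4, win 512, length 1
"""

LINE = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d{6}) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): .* length (\d+)$")

def parse(line):
    """Return (time_us, src, sport, dst, dport, length) or None for junk."""
    m = LINE.match(line)
    if not m:
        return None
    h, mi, s, us, src, sport, dst, dport, length = m.groups()
    t_us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
    return t_us, src, int(sport), dst, int(dport), int(length)

def keystroke_intervals(capture, server, port=23):
    """Milliseconds between successive client keystrokes, recovered from
    the 1-byte client->server segments. Integer microsecond arithmetic
    keeps the differences exact."""
    times = []
    for line in capture.splitlines():
        p = parse(line)
        if p is None:
            continue
        t_us, src, sport, dst, dport, length = p
        if dst == server and dport == port and length == 1:
            times.append(t_us)
    return [(b - a) / 1000 for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    print(keystroke_intervals(CAPTURE, server="10.0.0.9"))  # [90.0, 130.0, 80.0]
```

Against an ssh session the same parser finds nothing useful: the password travels inside one encrypted exchange rather than as a stream of single-byte segments, which is the difference the comment above is pointing at.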
This is very typical of very bright, but narrow-minded people. What about people who don't touch type (gasp)? What about if you cut your finger and put a bandage over the end? What about people who don't always type the same way? I'm often eating or doing something else while I'm on the computer, and use [Backspace] more than any other key. I might have a burrito in my hand, and thus be typing with my pinkies.
And for those of you reading this comment, it's not just stuff like this, but any time you make something for more than just yourself you can't use your "ultimate" idea because it is only ultimate for you. For example, my mom organizes our pots & pans by when she bought them - she can find anything blindfolded, but none of the rest of us can find anything.
Remember, that if you're designing something for others, you're designing it for those that have trouble driving cars (how many of those people do you see every day?) and need to be told that food will be hot after microwaving.
Kurdt
I'm not anti-social. Just pro-technology.
Then you could walk up to their desk in a black suite...
I read this and had a strange image of a sofa and 2 chairs turning up at my desk... Maybe that's the lack of coffee this morning.
-- You ain't seen me, right?
I did a summer research project implementing this kind of a system using a neural network. The professor with whom I worked had patents on the system he had developed with one of his Masters students back in 1990/91. They are published. But, of course, the patent is for the *implementation* of the idea, not the idea itself. The idea has, as many have thankfully testified, been around since keyboards.
My work was to improve the results using a different neural network. I later used this work as the basis for my thesis. I didn't quite achieve the results I was hoping for, but my test samples were small. I am also published.
My research was purely academic. I distributed the source code to my implementation. I used an open-source implementation of an ART2 neural network. So, my entire project can be picked up where I left off and continued.
Your affinity for patents is rather silly at this stage of the game and you probably wasted a lot of money on those patents. Your implementation sounds rather simplistic, as well. In my extensive literature survey, statistical methods *always* lagged neural networks in their results. If you want to see my literature survey, it is in the IJCIA:
http://www.worldscinet.com/157/02/0202/S146902680200052X.html
(I know, you would have to pay. Use this info to find it at a library.)
Oh yeah, I also implemented it in Java for my senior project and got lousy results because you can't get millisecond timing accuracy from that technology. The other implementation is in Tcl/Tk.
Finally, to address all the brilliant observations like "what if you hurt your hand?" or "what about logging/network attacks?". Yes, obviously this has limited application. In fact, my senior project combined this approach with Java iButtons. And yes, there will always have to be a backup authentication method, with a human involved, OR this is stealth authentication, allowing any typing style to get through, but triggering a warning if it doesn't match.
Jason