Using Password "Keyprints" as Another Form of Authentication?
Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched are the user using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"
Give me your password and I'll prove it. :)
While this adds an extra level of protection, how about a case where the user password is picked up by a keypress logger? In that case, the timings can be logged too, and it would be a simple matter of repeating those timings with a program to log in.
Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence.
http://216.239.53.100/search?q=cache:Dmq6W8su71gC:www.cs.columbia.edu/~angelos/teaching/COMS4180/lecture10.ps+Biometrics+Password+Timing&hl=en&ie=UTF-8
http://ctl.ncsc.dni.us/biomet%20web/BMKeystroke.html
http://www.giac.org/practical/GSEC/Patricia_Wittich_GSEC.pdf
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci801112,00.html
91% of the time you enter the password my values captured matched each letter entry and the time between letters entered.
I don't want to have to retype my password one time out of ten just because I typed the third and fourth letter too close together. It's a good idea, but I think it needs a higher success rate (without compromising security, of course). I think a pattern-recognizer (like a neural network) might come in handy, though that may be slightly overkill for your Windows login screen.
This guy has no patents. He's just trying to scare us off from stealing his idea. Why else jump to mention his patents at the first available opportunity, on a website which hates patents no less?
The goatse guy for president. Win one for the gaper!
This does add another layer of protection, but it has some drawbnacks.
I'm typing this on my Zaurus; the nnnnn key is hypersennnsitive, as you may have noticed by now.
I can switch to another input method, like the on-screen software keyboard, as I am now, but the timings are completely different. If I switch to the "handwriting", as now, you'd have to clock penstrokes, again totally different.
What about logging in remotely over a buffered or burst-y connection? You might be able to (roughly) time keystrokes, bnut not key-ups or key-downs (I'm nnback to the keyboard, see the extra "n"s?)
Even worse, what if I innnjure my finger or hand (yeah, it's /., I know the njokes I've set myself up for)? Will I nbe able to log in at all?
With a password, as long as one finger works well enough to nhunt and peck, I can log in. With your method, I've got to nbe in the same physical shape, possibly as awake, as relaxed, etc. as when I recorded the password. Not to mention it's a pain to record a password 20 times.
However, I think your method does have a use; its drawbacks as a general password system makes it perhaps useful for other purposes: it is an innexpensive (i.e software only) way to deternmine that the user is in substantially the same state of health and mind as when the password was recorded.
This might make it a decent way to deny access to users under duress. I should note that users under duress might well be harmed when they cannnot make the password work, so it probnably should only be used to protect access the user considers more valuable than his own life.
Opinions on the Twiddler2 hand-held keyboard?
What you are describing sounds like one of the most basic techniques for biometric authentication. I remember being assigned to write programs to do what you describe for a class several years ago. It was one of the easier assignments we had.
If you are researching the subject, I strongly suggest Biometrics: Personal Identification in Networked Society, and anything else on the subject written or edited by Anil Jain.
(His webpage is here, the webpage of his lab is here).
Dr. Jain is (IMHO) the current leader in biometric research worldwide.
Please, open your source and throw your patents in the public domain. As soon as you do that I'll be more than happy to evaluate your system. Right now, my only incline is to look for prior art. (which I'm pretty sure exists).
And maybe you don't want to use this for authentication, but it could set off bells and whistles so that an admin could look into the security violations. You could find out exactly when someone decided to share their password. Then you could walk up to their desk in a black suit and sunglasses, and remind them that they are not supposed to share their password, and that it's been changed.
This would also be a good measurement for hacker detection. If you keep a history of the password key stroke timing, and all of a sudden a separate set of timings start to appear, you can start to look for other differences in the login patterns. Finally, you could use this to see who is logging into root directly. Bad! Bad! Bad Boy!
This isn't the sig you are looking for... Carry on...
Why derive your key from the first 20 inputs? Why not continually re-derive the key from the last 20 inputs, to allow for typestyle drift over time?
-C
The ______ Agenda
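The rolling re-derivation suggested in the comment above, applied to the per-letter and between-letter timings the question describes, as an added example that is not code from the thread or from the submitter's programs. The z-score match, the 5 ms jitter floor, the one-outlier allowance, the sample password and the `typed` generator are all assumptions made for illustration.

```python
from collections import deque
from statistics import mean, stdev

class Keyprint:
    """Keystroke-timing profile for one password, built from the last `window` entries."""

    def __init__(self, window=20, z_limit=3.0, max_outliers=1, adapt=True):
        self.samples = deque(maxlen=window)        # rolling window of feature vectors
        self.z_limit, self.max_outliers, self.adapt = z_limit, max_outliers, adapt

    @staticmethod
    def features(events):
        """events: [(key, down_ms, up_ms), ...] in typing order."""
        dwell = [up - down for _, down, up in events]       # hold time per letter
        flight = [events[i + 1][2] - events[i][1]           # keydown of one letter to
                  for i in range(len(events) - 1)]          # keyup of the next
        return dwell + flight

    def enroll(self, events):
        self.samples.append(self.features(events))

    def outliers(self, events):
        """Count features more than z_limit deviations from the profile mean."""
        count = 0
        for i, x in enumerate(self.features(events)):
            col = [s[i] for s in self.samples]
            sd = max(stdev(col), 5.0)              # assumed 5 ms floor for timer jitter
            count += abs(x - mean(col)) / sd > self.z_limit
        return count

    def verify(self, events):
        if len(self.samples) < self.samples.maxlen:
            raise ValueError("profile not fully enrolled")
        ok = self.outliers(events) <= self.max_outliers
        if ok and self.adapt:                      # only accepted entries update the profile
            self.samples.append(self.features(events))
        return ok

def typed(password, dwell, gap, jitter=0):
    """Constructed sample input: evenly spaced keystrokes, all times in ms."""
    return [(ch, i * gap, i * gap + dwell + jitter) for i, ch in enumerate(password)]

def drift_demo(adapt):
    """Enroll 20 entries, then let the owner's hold time creep up 1 ms per login."""
    kp = Keyprint(adapt=adapt)
    for n in range(20):
        kp.enroll(typed("hunter2!", 90, 150, jitter=n % 5 - 2))   # constructed password
    return [kp.verify(typed("hunter2!", 90 + k, 150)) for k in range(1, 41)]
```

`drift_demo(True)` accepts all 40 drifting logins, while `drift_demo(False)` freezes the profile at the first 20 entries and rejects the same owner from the 16th login onward.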
I have arthritis. Some days are good. Some days are bad. Mostly it's in my knees and elbows. Lately it's been creeping into my knuckles. Now before I start yelling at the clouds like Grampa Simpson let me get to the point. The typing I can do today is probably not going to be the typing I do tomorrow. I see this as nothing but a bad idea. I don't want to be locked out because I've run out of Motrin.
I've hit Karma 50 and gotten a Score:5, Troll... I win!