Slashdot Mirror


Using Password "Keyprints" as Another Form of Authentication?

Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched is users using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"

3 of 100 comments

  1. No patents by Roto-Rooter+Man · Score: 5, Interesting

    This guy has no patents. He's just trying to scare us off from stealing his idea. Why else jump to mention his patents at the first available opportunity, on a website which hates patents no less?

    --

    The goatse guy for president. Win one for the gaper!
  2. Ouch! I njust bnanged my finger! by orthogonal · Score: 5, Interesting

    This does add another layer of protection, but it has some drawbnacks.

    I'm typing this on my Zaurus; the nnnnn key is hypersennnsitive, as you may have noticed by now.

    I can switch to another input method, like the on-screen software keyboard, as I am now, but the timings are completely different. If I switch to the "handwriting", as now, you'd have to clock penstrokes, again totally different.

    What about logging in remotely over a buffered or burst-y connection? You might be able to (roughly) time keystrokes, bnut not key-ups or key-downs (I'm nnback to the keyboard, see the extra "n"s?) .

    Even worse, what if I innnjure my finger or hand (yeah, it's /., I know the njokes I've set myself up for)? Will I nbe able to log in at all?

    With a password, as long as one finger works well enough to nhunt and peck, I can log in. With your method, I've got to nbe in the same physical shape, possibly as awake, as relaxed, etc. as when I recorded the password. Not to mention it's a pain to record a password 20 times.

    However, I think your method does have a use; its drawbacks as a general password system makes it perhaps useful for other purposes: it is an innexpensive (i.e software only) way to deternmine that the user is in substantially the same state of health and mind as when the password was recorded.

    This might make it a decent way to deny access to users under duress. I should note that users under duress might well be harmed when they cannnot make the password work, so it probnably should only be used to protect access the user considers more valuable than his own life.
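The mechanism in the original question (per-letter hold time, keydown-of-one-letter to keyup-of-the-next latency, a profile built from 20 entries, a 91% match requirement) and the failure modes orthogonal raises (a different rhythm from someone who knows the password, or the same user typing much slower after an injury) can both be seen in a small keystroke-dynamics model. The code below is an added illustration, not Adam Kiger's patented programs and not anything from the Slashdot thread; all timings are constructed, the band-width constants (`MIN_STDEV_MS`, `BAND_SIGMAS`) are assumptions chosen for the example, and the jitter generator is a deterministic stand-in for real typing variability.

```python
"""Keystroke-dynamics ('keyprint') enrollment and verification on constructed timings.

Added example: the feature definitions follow the question (hold time per letter, and
keydown of one letter to keyup of the next); the profile/band approach and all numbers
are assumptions made for this illustration, not the original author's implementation.
"""
import statistics

ENROLLMENT_SAMPLES = 20   # the question builds the keyprint after 20 entries
MATCH_THRESHOLD = 0.91    # fraction of features that must fall inside the band (the 91% figure)
MIN_STDEV_MS = 5.0        # assumed floor so a very consistent feature never gets a zero-width band
BAND_SIGMAS = 4.0         # assumed tolerance: |observed - mean| <= BAND_SIGMAS * stdev


def typing_sample(hold_ms, gap_ms, jitter):
    """Build absolute (keydown_ms, keyup_ms) timestamps for one entry of a password.

    hold_ms[i] is how long key i is held, gap_ms[i] the pause between keyup i and
    keydown i+1; jitter(i, kind) adds a per-event deviation in ms (constructed variability).
    """
    events = []
    t = 0.0
    for i, hold in enumerate(hold_ms):
        down = t
        up = down + hold + jitter(i, "hold")
        events.append((down, up))
        if i + 1 < len(hold_ms):
            t = up + gap_ms[i] + jitter(i, "gap")
    return events


def features(events):
    """Per-letter hold time, then the question's between-letter measure:
    keydown of one letter to keyup of the next."""
    holds = [up - down for down, up in events]
    digraphs = [events[i + 1][1] - events[i][0] for i in range(len(events) - 1)]
    return holds + digraphs


def enroll(samples):
    """Profile = per-feature mean and (floored) population stdev over enrollment entries."""
    rows = [features(s) for s in samples]
    cols = list(zip(*rows))
    means = [statistics.mean(c) for c in cols]
    stdevs = [max(statistics.pstdev(c), MIN_STDEV_MS) for c in cols]
    return means, stdevs


def match_fraction(profile, events):
    """Fraction of features of one login attempt that land inside the enrolled band."""
    means, stdevs = profile
    observed = features(events)
    hits = sum(1 for x, m, s in zip(observed, means, stdevs) if abs(x - m) <= BAND_SIGMAS * s)
    return hits / len(observed)


def verify(profile, events):
    return match_fraction(profile, events) >= MATCH_THRESHOLD


# Constructed rhythm of the legitimate user, in ms (five-character password).
USER_HOLD = [90, 110, 85, 120, 95]
USER_GAP = [140, 160, 130, 150]


def user_jitter(seed):
    """Deterministic stand-in for typing variability: a value in [-5, 5] ms per event."""
    def j(i, kind):
        k = 0 if kind == "hold" else 1
        return ((seed * 5 + i * 3 + k * 7) % 11) - 5
    return j


def build_profile():
    samples = [typing_sample(USER_HOLD, USER_GAP, user_jitter(s)) for s in range(ENROLLMENT_SAMPLES)]
    return enroll(samples)


def demo():
    """Three login attempts against the enrolled keyprint (all constructed)."""
    profile = build_profile()
    # The enrolled user on an ordinary day.
    genuine = typing_sample(USER_HOLD, USER_GAP, user_jitter(99))
    # Someone who knows the password but types it with their own rhythm.
    impostor = typing_sample([150, 140, 160, 130, 155], [260, 240, 250, 270], user_jitter(3))
    # The same user hunting and pecking with an injured hand: everything about 1.8x slower.
    injured = typing_sample([h * 1.8 for h in USER_HOLD], [g * 1.8 for g in USER_GAP], user_jitter(7))
    return {
        "genuine": verify(profile, genuine),
        "impostor": verify(profile, impostor),
        "injured": verify(profile, injured),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

With nine features and a 91% requirement, every feature has to land in its band, so the impostor (one hold time happens to be close, the rest are far off) and the injured user (everything scaled) are both rejected, which is exactly the strength and the weakness orthogonal describes: the check rejects a different rhythm regardless of who produced it.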