Sign Your Name Online With A Mouse

icke writes "Soon, the way you use your mouse could help prove who you are. According to a BBC News article, scientists have found a way for people to sign their name online using a mouse instead of a pen. The technology, based on the research from Queen Mary College, University of London by Peter McOwan, 'uses a neural network to pick out the unique features of the way that someone uses a mouse.'"

How hard do you have to squeeze

[egg+troll]

To get ink from a mouse? Yeesh.

Re:How hard do you have to squeeze

I keep trying to write with a mouse, but the ink seems to keep coming out in little pellets... maybe it's time to replace the mouse balls?

Re:How hard do you have to squeeze

[EmbeddedJanitor]

I tried and the fscking thing bit me!

Re:How hard do you have to squeeze

[Warped-Reality]

It's just like getting baby oil from a baby..

This would be easy to fake

[Megor1]

You could just record the mouse movements with some macro software and then play it back whenever it asks for their signature.

Re:This would be easy to fake

[swtaarrs]

If the software is smart, it will look for perfect reproductions which no human would be capable of and give an error if it detects one.

Re:This would be easy to fake

[krymsin01]

Well, I suppose it'd be trivial to check an see if one of the last couple hundred times you signed your name is am exact match (something I think only a macro, and not a human, could do), and if so, reject it.

Re:This would be easy to fake

Yes, but if the human is smart, they would modify the playback macro just slighty, and in a believable way such that the algorithm determines that it is a valid signature.

Re:This would be easy to fake

[Andrewkov]

If you've ever tried drawing anything with a mouse, you probably agree that it's not easy .. I probably couldn't even write my name and have it be recognizable as being written by the same person, let alone be an exact digital match. Maybe I'm a spaz on the mouse, but I know for a fact I'm *much* better than the average Joe-Sixpack type I see at work. So I have a hard time believing this concept will work. Stylus tablets is another story, though.. If only everyone owned one of those! :-)

Re:This would be easy to fake

[localghost]

And pens won't work either, because you can easily photocopy a signature and trace over it. Oh well, back to the drawing board...

Re:This would be easy to fake

[G4from128k]

Obviously if someonce can log the mouse motions with an accurate timestamp, then they can replicate the signature. But then EVERY computer-connected biometric ID system is potentially susceptable to interception/replay of the biometric key signal.

In the case of this system, an arms race between the forger/loggers and the ID systems company would then ensue. The first countermeasure to mouse-loggers would be rejection of identical traces (as others have suggested). To this forgers would add statistical noise to the trace. The ID company would then need to create a more sophisticated statistical test that rejects traces that did not vary enough while staying within the statistical bounds of the 20 training samples that the systems asks for. An SVD on some transform of the sample signatures would help uncover both the strongest and weakest modes of variation. Signatures that did not match on the main pattern and did not vary sufficiently in expected way would be rejected. This would prevent either direct play-back or a simplistic addition of noise to the mouse trace.

The presence of both a predicable static pattern (the "average" signature) and modes of variation (because people don't actually sign their name identically to the nanometer/nanosecond) makes this biometric key better than other more invariant biometric features that can be copied.

Re:This would be easy to fake

[cpuffer_hammer]

The system could ask the user to also write something, (like the date, the name of the product, or the PO). This would make it hard to have the correct recording including all the connected letters. Of course this also make the training/preperation before the system can be used the first time harder.

Re:This would be easy to fake

[s88]

" If the software is smart, it will look for perfect reproductions which no human would be capable of and give an error if it detects one."

Why do you not assume that the macro software could be "smart" and simply add some white noise to the playback?

Re:This would be easy to fake

[c0dedude]

And if the human is smart, it will design software that embeds flaws.

Re:This would be easy to fake

[jackb_guppy]

Which then leads:

Why do people sign electronic pads at stores when they use credit cards?

You have just placed your last protection of who you are in a computer system that you have no control over.

Real dumb.

Re:This would be easy to fake

[srmalloy]

And pens won't work either, because you can easily photocopy a signature and trace over it.

Actually, the anti-forgery algorithms that have been developed can tell when you're doing that; the better algorithms don't look for the outline of the letters you write (sign your name five times, and there will be differences between them), but instead look for the patterns of movement and speed while you're writing your name; if you're tracing a signature, your pen movements are going to be very different than the original signer's was.

Re:This would be easy to fake

[E_elven]

Because we all know that *actual* signatures cannot be forged and the clerks at stores are really hawk-eyed when it comes to making sure the customer is who they say they are.

Re:This would be easy to fake

[quinkin]

"...EVERY computer-connected biometric ID system is potentially susceptable to interception/replay of the biometric key signal."

Well, a Challenge-Response mechanism that uses some sort of biometric feedback mechanism would seem to be the standard crypto authentication approach to this problem.

For example: use a subset of the bio-key to sign a packet, returned packet counter signed by authenticating service including a challenge mechanism (ie. pseudo-random light fluctuations to emitter in retinal scanner, measure and return eye muscle contraction patterns). This concept could possibly be implemented in the current system of 'mouse signatures' by the authenticator specifying a glyph or pattern for the user to input, rather than an (relatively) invariant pattern.

This does not exclude the possibility of compromise (even a 'statistically perfect' crypto algorithm can be extremely poorly implemented) but it would raise the bar - both in terms of complexity and time dependency.

The only perfect cryptographic solution is to not record anything, anytime, anywhere, ever...

Q.

Re:This would be easy to fake

[gfody]

everytime I sign one of those computer pad things (like at best buy). the sample rate is so slow that my "signature" ends up being five or six lines in different directions and it NEVER looks the same twice. whats the point of signing the thing? for a while now when I sign those things I just put an "X"

Re:This would be easy to fake

[untaken_name]

The signature on my credit card says 'Check Photo ID'. Not one clerk ever has.

I represent the opposite end of that spectrum. I got a Visa check card because I was sick and tired of having to show a photo id (with a photo already on my credit card). The commercials would seem to indicate that Visa check cards require no extra ID. However, I get asked for ID about twice as much now as I did before (with a regular credit card). I mean, my picture is RIGHT ON THE DEBIT CARD. *sigh* Why do you retail idiots ID me, when my picture is on my card, but the soccer mom writing a $2.50 check in front of me gets through with no hassle? I'm all for implanting lcd screens in our foreheads that display info like current bank balance. Think how much easier that'd make shopping, and dating! Now she can check out your salary before she even fake smiles at you.

Re:This would be easy to fake

[paRcat]

I wrote the software for my company's delivery handhelds that captures the signature of the person accepting the merchandise. I came up with a fairly novel way of storing the data so that each sig only uses ~1K... which makes it easy to send over a CDPD wireless connection to my server. At this point I have about 33000 sigs in a database.

The thing is... I really doubt this would be useful for 'stealing' an identity. Sure, when you're talking about credit card sigs, it might be slightly different, but really...

The reason I think technology like this will never be implemented is that everyone, depending on their current state of mind, can sign at two separate times and look like two different people. Once someone is turned away at a sale because they were too sleepy or had a couple beers, the whole point of this would be useless.

Re:This would be easy to fake

[Mr.+Slippery]

The signature on my credit card says 'Check Photo ID'. Not one clerk ever has.

If they did, and if they knew the right thing to do, they'd make you sign it - the card is not valid until signed. But yes, signatures are very rarely checked - and of course there are many instances (gas pumps with card readers, for example) where there're not even a pretext of possible checking.

Question

[AnimeFreak]

Would a signature created with a mouse be legally-binding?

Re:Question

[chill]

Would a signature created with a mouse be legally-binding?

Many of laws now on the books in the U.S. allow a digitial signature to be binding if all parties agree on the digital method used.

So, if you can all agree on wiggling the mouse for a sig, then it can be legally binding.

Warning:

[Exiler]

Vertical motions detected. Credit authorization failed.

Thank you for shopping at Victoria Secret.

How About...

[Suhas]

...I know all the kbd shortcuts and rarely use my mouse....err... ...You Insensitive CLOD!

Your John Handcock is not secure

[Dancin_Santa]

While it may be a huge flourish that impresses the ladies, your signature is not as secure as it would seem. Forgeries are easy to make by skilled criminals.

Use a cryptographic key to sign. You'll be glad you did.

Re:Your John Handcock is not secure

[heli0]

"Your John Handcock"

Honest mistake, or Freudian slip?

Re:Your John Handcock is not secure

[OmnipotentEntity]

The added fact that most skilled forgeries are identified by the depth of the pit in the paper (ie how hard you press down at certain points, you can imitate a shape but if you imitate it you're not doing it naturally and that shows in the patterns of heavy vs. light inking), and not by the shape of the writing, that makes the mouse signature doubly insecure. Any idiot can trace a pattern of pixels if they see it a few times.

___________

Re:Your John Handcock is not secure

[s-orbital]

A freudian slip is where you say one thing, and mean your mother.

Move to a new mouse?

[jpsowin]

And what happens when you change to a different type of mouse? My change to wireless optical was quite a change which took some getting used to, and I'm sure it didn't "sign" the way I used to. Or whatever. :)

Works great

[Gay+Nigger]

Until you get a wireless mouse. I've got one of those expensive Logitech mice, and even then, it moves erratically without warning. Not exactly good for predictable signatures, if you ask me.

... even easier with a pen mouse.

[OzPixel]

My girlfriend had a pen-shaped mouse for a while, (wrist problems), and I'd imagine signing would be much more "natural" with one of those. Neat idea, though ...

David.

Technology

[mao+che+minh]

"The technology, based on the research from Queen Mary College, University of London by Peter McOwan, 'uses a neural network to pick out the unique features of the way that someone uses a mouse..."

...and probably easily replicable, since an actual physical presence is unneeded, and the ability to play back a "mouse stroke" will be a capable feat by any second year CS major.

Great

[Crashmarik]

Just what I need. Computers to tell me I'm not me when I sign my name. At least with people I could make a convincing argument.

Types of mouse

[Cavalkaf]

What about if you change your mouse type to something like a trackball or a laptop mouse? Your signature wouldn't work anymore, and you cannot access anything from other computer!!!

Hmm..

[DroopyStonx]

I don't think this will take off. Ever tried signing your name with your mouse? Reminds me of pictures I'd draw and put my name on when I was 4. When I use my credit card in person, each and every time I sign it differently so it DOESN'T match the signature on the back of my card just to see if anyone says anything. No one says a word. Even got away with signing "Blooooopy!" and no one noticed (no, my name is not Blooooopy!) If existing methods are trivial, how would this method work?

Re:Hmm..

[Greventls]

Yeah. I agree with you. I sometimes alter the spelling of my name when I'm signing and no one says a damn thing. It is pretty noticable if my name is mispelled, since it is very common. Maybe the software will act like the lazy bank tellers and cashiers and just not care.

what about the differences between mice?

[strider3700]

Will I have 3 signatures since On this box I have a trackman that I prefer to use. Sitting right beside me I have a standard old mouse and at work I have an optical mouse. All three take time for me to get used to again each time I switch. I have to assume that it's because I'm using them slightly differently, due to the feedback. As well if I change something like the mouse acceleration because things seem to slow one day It takes awhile for me to come back into practice. How Do they deal with these changes?

right....

[hawkbug]

Because I always use a mouse the same way, this will work great.... Not. I have many different computers, all with different types of mice and software. Trackballs, eraser-head laptops, trackpad laptops, and don't even get me started about different operating systems and the software they use. This is not going to work for many reasons, and I hope business realize this sooner than later.

Re:right....

[oshy]

Not to mention people like my parents. They are starting out in the world of computing in their 'later years'.
Sometimes it dificult enough for them to get the mouse to click on things accuratly. How would they be expected to cope with it.

Oh and how secure is the system? Well I'm right handed, but use the mouse left handed (annoys the hell out of anyone sitting at my desk) so how would I have to sign it. The angle of stroke would vary between real world right hand and virtual world left hand.

Signatures

[jakek101]

Signatures are useless, there are no good way to check them. Hell, my signature seems to change every time I write it and nothing happens. The mouse signature will be at least slightly secure if there is software to check it. It would really be best if we switched to a differnt system for this kind of stuff. Thumb print or something. I know you can reproduce someone's thumb print, but it's not THAT easy.

Another odd idea that'll never work

[Rosco+P.+Coltrane]

"It's another way of indicating that you as an individual are sitting there on the end of the line."

Easy to fake with a mouse movement recorder.

Oh and what about people who use a trackball? does the smart biometric layer apply to those hand movements?

And the other obvious question : wouldn't it be easier to simply teach people why they should use properly formed passwords that are not "mom", "dad", "john1" or "s00persekrit"?

In short, yet another far-fetched solution to solve a non-problem.

Similar biometrics don't work

[thepacketmaster]

After recently studying for the CISSP, I learned a great deal about biometrics. The most accurate biometrics include things like iris scans, palm scans, retina scans, etc. These are so accurate because they measure characteristics that are totally unique to individuals. Signature dynamics and keystroke dynamics are some of the most ineffective biometrics around. A big problem is they can be faked. While the article states that early trials are 99% accurate, it doesn't detail how many people have actually tried this system. (A test group of 10 wouldn't be very good.) It also doesn't mention if they tried to fake it out. The real world is a harsh place on biometrics.

dudes, they're lying

[bongobongo]

it's just ms paint with a web front end and a bunch of offshore labourers visually verifying each one !!!! ! !!

it's 99% accurate because of carelessness and post-lunchbreak bloat factor

mouse only?

[thung226]

I use everything from a mouse to a touchpad to a roller ball.... is my signature the same using all of these things?

How will it know? I'd get really annoyed if I had to plug in a mouse on my laptop to sign for something.

Is this like Cybersign?

[G4from128k]

This looks like a variation on what the folks at Cybersign do. Their technology is based on matching the dynamical pattern of motion, not just the X-Y coordinate trace. A forger would have a hard time copying the variations in speed that the actual person uses even if the forger traces the same path or tries to "get good" at the signature.

pretty darn useless...

[Lumpy]

So the "signature" is tied to a specific pointing device...

so your signature is invalid if you use a laptop with a trackpoint,touchpad, or use a track ball or a tablet and a pen, etc.....

Neat idea, 100% useless in the real world.

Now if you can get a reliable identifier (How about something as simple as a ibutton ring (www.ibutton.com) and quit trying to invent the unique personal identifier that so far is only out DNA (no, no dna testers on our computers than you.)

Identification has always been tied to a unique card, number, whatever given out by a group or agency. Why not stick with the same thing just update it with current off the shelf technology that already works?

www.ibutton.com I use it to log into my computers at home, unlock my doors and even start my harley....

roll ball mouses

[wmaker]

what about the mice that are controlled with your thumb, you know the ball that you move. i doubt it would work well with one of those mice

Bullshit alert

[exp(pi*sqrt(163))]

+5, uses neural network technology
+2, academic researcher
+2, academic researcher studying biologically inspired hardware and software
+1, biometrics
+1, researcher teaches multimedia
+2, researcher teaches computers in society
+2, no history of employment in real world
-1, degree in physics
------------------
+14, almost certainly bullshit

Now I'm Confused

[the_mad_poster]

Christ... first thing I did when I read that was stop moving my mouse.. then the thought crossed my mind that by doing that, I was just setting up a new signature, so I started moving the mouse. Then, I started to think that maybe I was moving the mouse in my own special way, so I tried to make something up.

Then it occurred to me that I'm using lynx.

And the problem we're solving was ??

[richg74]

It's not clear to me that this is any more "secure" (in quotes because the context hasn't been defined) than a conventional signature (for example, made with a stylus on a touch-sensitive pad -- these are used by some places here in the US for credit card transactions).

It does, though, raise a related issue which troubles me: is it a good idea to use technology to remove the transaction from the realm of ordinary human experience?

If you use a conventional signature, the person on the other side of the transaction can at least make a gross check that the signatures (as written, and as on the credit card, for example) match. But, if I am understanding this proposal correctly, all the matching occurs "inside the machine". I worry a bit about the unintended side effects of this: "the machine is always right!"

(BTW, I think one has a very similar problem with some of the proposed electronic voting systems. Traditional ballot papers are not perfect, but I think that at least a normally intelligent person can understand the security model.)

Rich
SCO delenda est.

All I can picture is...

[bob670]

my current PHB who can't wait for anything to open or appear on the screen and just clicks/types/mouses incessantly, no matter how large the program or file. I just have a visual of all his email and Words files plastered in his signature.

paranoia...

[magarity]

uses a neural network to pick out the unique features of the way that someone uses a mouse

Great... as if I didn't have enough to worry about. Now I have to start more erratically using the mouse so I can't be tracked... except that being completely erratic can be a recognizable trait... ARGH!!!

I've done something like this

[n0nsensical]

When I bought a ticket online from GrooveTickets, I had to sign this Flash applet, although I'm not sure how that alone is going to prevent theft because if someone was trying to use a stolen credit card, I'm sure they wouldn't have much trouble forging a signature on a Flash form with a reset button.

John Handcock

[shigelojoe]

He was probably talking about the pornstar. And if there isn't a pornstar named John Handcock, there damn well needs to be one.

A lack of John Handcock is un-American(TM), dammit.

Doesn't sound promising

[jtheory]

A forger would have a hard time copying the variations in speed that the actual person uses even if the forger traces the same path or tries to "get good" at the signature.

The problem is that the actual person may also have a really tough time reproducing the same speeds, patterns, etc. in their signature.

This is why handwriting analysis/comparison is almost always inadmissable in court -- it's too variable.

The reasons for this are especially apparent when you look at the handwriting of people like myself whose fine motor control (like many guys) is not so "fine"... I can type quickly, but my signature varies *widely* each time I sign my name. The slant of the letters in my handwriting, type of loops, etc. also varies depending on my mood, the pen and writing surface, my posture, etc.

My real point here is that there's certainly a future in some kind of online "signature", but I'm guessing we'll end up with a system based more on asynchronous crypto as opposed to some kind of biometrics like this.

Normal hard-copy signatures aren't particularly secure -- no one pretends they are. That's why most of the time the cashier doesn't compare the signatures (in more automated systems like many gas stations, and online, they CAN'T). That's also why we have Notary Publics in the US who will certify that you were the one who marked the paper. The advantage of hard-copy signatures is that they're tough to scam safely, in bulk.

I suspect that most online signature methods *WILL* be comparitively easy to scam in bulk, simply because this is the internet, and it's all just data.

the EULA of the future?

[Low2000]

There has been a lot of talk about how the EULAs of computer software are pretty much void. That simply clicking ?I Agree? means nothing and that the EULA of today wouldn?t stand up in court.

What about the EULA of tomorrow? If, instead of an ?I Agree? button we are presented with a ?Sign Here? white space, and the EULA states that by signing, both people agree that it is a binding contract?

See where I?m going?

This is similar to Morse Code

[sQuEeDeN]

One of the legends of the early radio intelligence (and other classified military radio work) was that each coder (morse that is) had a very specific tapping style that was discernible by a trained professional. Such uniqueness was noticable even if the coder switched hands.

While this uniqueness didn't provide a surefire form of authentication, professionals who feared having a broadcast recognized would sometimes retire a coder after sending a particularly sensitive message.
Seems kinda like mouse analasys. You can't prove it's them, but it's another suggestion. Can't see how it'll be useful. The mouse is easy enough to hook into in the software side--it's by no means a secure device.

Re:That's the point though..

[whereiswaldo]

Interesting, but there's a big problem with using a mouse to write a signature: moving from machine to machine. The ergonomics are totally different between machines, for one thing. Plus, different brands of mouse. What about mice with the thumb-rollerball? Or notebook touchpads? Or optical mice vs. crappy old mice with crud stuck in the rollers?

A better (and fannier) one

[vvdd2]

There is a much fannier one (java required). Try it and you will find a lot about yourself

http://www.sitebits.com/2000/SIG/

It is available since 2000.

...lest we forget the lefties...

[uptownguy]

...let's not forget us lefties out there. We are using the mouse at a totally different angle then the righty -- unless, of course, we are forced to sit at someone else's machine -- in which case we can use the mouse but our dexterity isn't what it could be...

Except for those of us who have broken down and always use the mouse on the right side. Not sure what to say about that.

(My personal opinion is that lefties who switch their mouse buttons are just weak and only add confusion to the mix...but it is 4:45am and I am tired, so that is just a cheap shot at fellow southpaws, sorry!)

To get back on track -- I'd hate to see the system not take into account the unique differences that come from the way lefties use their mice. I know I had trouble with handwriting recognition on my PDA until I could use a program like Jot/TealScript to define my own input. I could make the characters like I was "supposed" to, but because of my input angle, I was still having a problem.

Variations in signatures are OK, even good

[G4from128k]

The problem is that the actual person may also have a really tough time reproducing the same speeds, patterns, etc. in their signature.

That is the entire point of a modal analysis of the signature. It captures not only the central tendency of the signature, but also the characteristic modes of variation. The idea is that everyone's signature varies in amounts and ways that are unique to that person. Some people might vary more on the first letter, the heights of letters, the shapes of loops, slant, the spacing where the hand scoots over, etc. Analyzing a population of samples from the person gives the system a good idea about what parts of the signature vary, how they vary, and how much they vary.

The reasons for this are especially apparent when you look at the handwriting of people like myself whose fine motor control (like many guys) is not so "fine"

Like you, I too was born without an analog plotter interface. A person like myself or jtheory will simply get logged by the system as being more variable than a person like Ms. Ima Caligrapher. If a forger or mouselogger tries to replicate our signature, they will be flagged as being too perfect.

Teaching about passwords is "easier"?

[ianscot]

And the other obvious question : wouldn't it be easier to simply teach people why they should use properly formed passwords that are not "mom", "dad", "john1" or "s00persekrit"?

Hmm. Why don't we ask the couple of generations of IT people who've tried to teach people this very lesson? Maybe they have something to say about that one. I could start with our call center: their number one call every month for the last five years has been "Please reset my password" despite several "education" campaigns.

People don't use "bad" passwords because they're uneducated nitwits, they do it because there are so many dang systems asking for passwords that they'd be driven crazy by the exercise of keeping them all straight otherwise. Either that or they'd have to write 'em all down, which kind of defeats the purpose, yes?

This motion signatures thing probably isn't the solution -- but hey, at least it does try to build on a model users know. Existing ID and authentication methods do sort of suck, so it's not like this is a solution without a problem.

All digital security is just an arms race

[LilJC]

Defense: Check mouse movements
Offense: Record and playback
Defense: Check for exact replica
Offense: Add slight differences
Defense: Check slight differences for consistency with original behavior
Offense: Analyze movement to make differences consistent with recorded macro

This sort of thing goes on and on - reminds me of using a sharpie to circumvent the null data track on copyrighted CD's.

The bottomline is that there is no real security. Even the number of bits in encryption has to be bumped as processors speed up to try to keep them from being crackable in a timely manner. Suppose encrypted credit card transcactions are being logged by someone, with only the last 3 months being kept on file. If there's a huge breakthrough with a diamond superconductor processor, the attacker can assume that most of the credit cards logged in the last few months haven't expired, crack them fairly quickly (even at a day per card), and go on a shopping spree.

The only way to never be behind in an arms race is to never start one, unfortunately this means no steps can be taken for security.

Perhaps a better answer is to start with a system already a few steps ahead of the "offense" from the word go, discouraging attempts to circumvent it. Of course this tends to be costly to develop and (with computers) processor intensive to use.