Sign Your Name Online With A Mouse

icke writes "Soon, the way you use your mouse could help prove who you are. According to a BBC News article, scientists have found a way for people to sign their name online using a mouse instead of a pen. The technology, based on the research from Queen Mary College, University of London by Peter McOwan, 'uses a neural network to pick out the unique features of the way that someone uses a mouse.'"

How hard do you have to squeeze

[egg+troll]

To get ink from a mouse? Yeesh.

Re:How hard do you have to squeeze

I keep trying to write with a mouse, but the ink seems to keep coming out in little pellets... maybe it's time to replace the mouse balls?

Re:How hard do you have to squeeze

[EmbeddedJanitor]

I tried and the fscking thing bit me!

This would be easy to fake

[Megor1]

You could just record the mouse movements with some macro software and then play it back whenever it asks for their signature.

Re:This would be easy to fake

[swtaarrs]

If the software is smart, it will look for perfect reproductions which no human would be capable of and give an error if it detects one.

Re:This would be easy to fake

[krymsin01]

Well, I suppose it'd be trivial to check an see if one of the last couple hundred times you signed your name is am exact match (something I think only a macro, and not a human, could do), and if so, reject it.

Re:This would be easy to fake

[Andrewkov]

If you've ever tried drawing anything with a mouse, you probably agree that it's not easy .. I probably couldn't even write my name and have it be recognizable as being written by the same person, let alone be an exact digital match. Maybe I'm a spaz on the mouse, but I know for a fact I'm *much* better than the average Joe-Sixpack type I see at work. So I have a hard time believing this concept will work. Stylus tablets is another story, though.. If only everyone owned one of those! :-)

Re:This would be easy to fake

[localghost]

And pens won't work either, because you can easily photocopy a signature and trace over it. Oh well, back to the drawing board...

Re:This would be easy to fake

[G4from128k]

Obviously if someonce can log the mouse motions with an accurate timestamp, then they can replicate the signature. But then EVERY computer-connected biometric ID system is potentially susceptable to interception/replay of the biometric key signal.

In the case of this system, an arms race between the forger/loggers and the ID systems company would then ensue. The first countermeasure to mouse-loggers would be rejection of identical traces (as others have suggested). To this forgers would add statistical noise to the trace. The ID company would then need to create a more sophisticated statistical test that rejects traces that did not vary enough while staying within the statistical bounds of the 20 training samples that the systems asks for. An SVD on some transform of the sample signatures would help uncover both the strongest and weakest modes of variation. Signatures that did not match on the main pattern and did not vary sufficiently in expected way would be rejected. This would prevent either direct play-back or a simplistic addition of noise to the mouse trace.

The presence of both a predicable static pattern (the "average" signature) and modes of variation (because people don't actually sign their name identically to the nanometer/nanosecond) makes this biometric key better than other more invariant biometric features that can be copied.

Re:This would be easy to fake

[s88]

" If the software is smart, it will look for perfect reproductions which no human would be capable of and give an error if it detects one."

Why do you not assume that the macro software could be "smart" and simply add some white noise to the playback?

Re:This would be easy to fake

[c0dedude]

And if the human is smart, it will design software that embeds flaws.

Re:This would be easy to fake

[jackb_guppy]

Which then leads:

Why do people sign electronic pads at stores when they use credit cards?

You have just placed your last protection of who you are in a computer system that you have no control over.

Real dumb.

Re:This would be easy to fake

[E_elven]

Because we all know that *actual* signatures cannot be forged and the clerks at stores are really hawk-eyed when it comes to making sure the customer is who they say they are.

Re:This would be easy to fake

[quinkin]

"...EVERY computer-connected biometric ID system is potentially susceptable to interception/replay of the biometric key signal."

Well, a Challenge-Response mechanism that uses some sort of biometric feedback mechanism would seem to be the standard crypto authentication approach to this problem.

For example: use a subset of the bio-key to sign a packet, returned packet counter signed by authenticating service including a challenge mechanism (ie. pseudo-random light fluctuations to emitter in retinal scanner, measure and return eye muscle contraction patterns). This concept could possibly be implemented in the current system of 'mouse signatures' by the authenticator specifying a glyph or pattern for the user to input, rather than an (relatively) invariant pattern.

This does not exclude the possibility of compromise (even a 'statistically perfect' crypto algorithm can be extremely poorly implemented) but it would raise the bar - both in terms of complexity and time dependency.

The only perfect cryptographic solution is to not record anything, anytime, anywhere, ever...

Q.

Question

[AnimeFreak]

Would a signature created with a mouse be legally-binding?

Re:Question

[chill]

Would a signature created with a mouse be legally-binding?

Many of laws now on the books in the U.S. allow a digitial signature to be binding if all parties agree on the digital method used.

So, if you can all agree on wiggling the mouse for a sig, then it can be legally binding.

Warning:

[Exiler]

Vertical motions detected. Credit authorization failed.

Thank you for shopping at Victoria Secret.

How About...

[Suhas]

...I know all the kbd shortcuts and rarely use my mouse....err... ...You Insensitive CLOD!

Your John Handcock is not secure

[Dancin_Santa]

While it may be a huge flourish that impresses the ladies, your signature is not as secure as it would seem. Forgeries are easy to make by skilled criminals.

Use a cryptographic key to sign. You'll be glad you did.

Re:Your John Handcock is not secure

[OmnipotentEntity]

The added fact that most skilled forgeries are identified by the depth of the pit in the paper (ie how hard you press down at certain points, you can imitate a shape but if you imitate it you're not doing it naturally and that shows in the patterns of heavy vs. light inking), and not by the shape of the writing, that makes the mouse signature doubly insecure. Any idiot can trace a pattern of pixels if they see it a few times.

___________

Move to a new mouse?

[jpsowin]

And what happens when you change to a different type of mouse? My change to wireless optical was quite a change which took some getting used to, and I'm sure it didn't "sign" the way I used to. Or whatever. :)

Works great

[Gay+Nigger]

Until you get a wireless mouse. I've got one of those expensive Logitech mice, and even then, it moves erratically without warning. Not exactly good for predictable signatures, if you ask me.

... even easier with a pen mouse.

[OzPixel]

My girlfriend had a pen-shaped mouse for a while, (wrist problems), and I'd imagine signing would be much more "natural" with one of those. Neat idea, though ...

David.

Great

[Crashmarik]

Just what I need. Computers to tell me I'm not me when I sign my name. At least with people I could make a convincing argument.

Types of mouse

[Cavalkaf]

What about if you change your mouse type to something like a trackball or a laptop mouse? Your signature wouldn't work anymore, and you cannot access anything from other computer!!!

what about the differences between mice?

[strider3700]

Will I have 3 signatures since On this box I have a trackman that I prefer to use. Sitting right beside me I have a standard old mouse and at work I have an optical mouse. All three take time for me to get used to again each time I switch. I have to assume that it's because I'm using them slightly differently, due to the feedback. As well if I change something like the mouse acceleration because things seem to slow one day It takes awhile for me to come back into practice. How Do they deal with these changes?

right....

[hawkbug]

Because I always use a mouse the same way, this will work great.... Not. I have many different computers, all with different types of mice and software. Trackballs, eraser-head laptops, trackpad laptops, and don't even get me started about different operating systems and the software they use. This is not going to work for many reasons, and I hope business realize this sooner than later.

Signatures

[jakek101]

Signatures are useless, there are no good way to check them. Hell, my signature seems to change every time I write it and nothing happens. The mouse signature will be at least slightly secure if there is software to check it. It would really be best if we switched to a differnt system for this kind of stuff. Thumb print or something. I know you can reproduce someone's thumb print, but it's not THAT easy.

Another odd idea that'll never work

[Rosco+P.+Coltrane]

"It's another way of indicating that you as an individual are sitting there on the end of the line."

Easy to fake with a mouse movement recorder.

Oh and what about people who use a trackball? does the smart biometric layer apply to those hand movements?

And the other obvious question : wouldn't it be easier to simply teach people why they should use properly formed passwords that are not "mom", "dad", "john1" or "s00persekrit"?

In short, yet another far-fetched solution to solve a non-problem.

Similar biometrics don't work

[thepacketmaster]

After recently studying for the CISSP, I learned a great deal about biometrics. The most accurate biometrics include things like iris scans, palm scans, retina scans, etc. These are so accurate because they measure characteristics that are totally unique to individuals. Signature dynamics and keystroke dynamics are some of the most ineffective biometrics around. A big problem is they can be faked. While the article states that early trials are 99% accurate, it doesn't detail how many people have actually tried this system. (A test group of 10 wouldn't be very good.) It also doesn't mention if they tried to fake it out. The real world is a harsh place on biometrics.

dudes, they're lying

[bongobongo]

it's just ms paint with a web front end and a bunch of offshore labourers visually verifying each one !!!! ! !!

it's 99% accurate because of carelessness and post-lunchbreak bloat factor

Is this like Cybersign?

[G4from128k]

This looks like a variation on what the folks at Cybersign do. Their technology is based on matching the dynamical pattern of motion, not just the X-Y coordinate trace. A forger would have a hard time copying the variations in speed that the actual person uses even if the forger traces the same path or tries to "get good" at the signature.

pretty darn useless...

[Lumpy]

So the "signature" is tied to a specific pointing device...

so your signature is invalid if you use a laptop with a trackpoint,touchpad, or use a track ball or a tablet and a pen, etc.....

Neat idea, 100% useless in the real world.

Now if you can get a reliable identifier (How about something as simple as a ibutton ring (www.ibutton.com) and quit trying to invent the unique personal identifier that so far is only out DNA (no, no dna testers on our computers than you.)

Identification has always been tied to a unique card, number, whatever given out by a group or agency. Why not stick with the same thing just update it with current off the shelf technology that already works?

www.ibutton.com I use it to log into my computers at home, unlock my doors and even start my harley....

Bullshit alert

[exp(pi*sqrt(163))]

+5, uses neural network technology
+2, academic researcher
+2, academic researcher studying biologically inspired hardware and software
+1, biometrics
+1, researcher teaches multimedia
+2, researcher teaches computers in society
+2, no history of employment in real world
-1, degree in physics
------------------
+14, almost certainly bullshit

Now I'm Confused

[the_mad_poster]

Christ... first thing I did when I read that was stop moving my mouse.. then the thought crossed my mind that by doing that, I was just setting up a new signature, so I started moving the mouse. Then, I started to think that maybe I was moving the mouse in my own special way, so I tried to make something up.

Then it occurred to me that I'm using lynx.

And the problem we're solving was ??

[richg74]

It's not clear to me that this is any more "secure" (in quotes because the context hasn't been defined) than a conventional signature (for example, made with a stylus on a touch-sensitive pad -- these are used by some places here in the US for credit card transactions).

It does, though, raise a related issue which troubles me: is it a good idea to use technology to remove the transaction from the realm of ordinary human experience?

If you use a conventional signature, the person on the other side of the transaction can at least make a gross check that the signatures (as written, and as on the credit card, for example) match. But, if I am understanding this proposal correctly, all the matching occurs "inside the machine". I worry a bit about the unintended side effects of this: "the machine is always right!"

(BTW, I think one has a very similar problem with some of the proposed electronic voting systems. Traditional ballot papers are not perfect, but I think that at least a normally intelligent person can understand the security model.)

Rich
SCO delenda est.

I've done something like this

[n0nsensical]

When I bought a ticket online from GrooveTickets, I had to sign this Flash applet, although I'm not sure how that alone is going to prevent theft because if someone was trying to use a stolen credit card, I'm sure they wouldn't have much trouble forging a signature on a Flash form with a reset button.

John Handcock

[shigelojoe]

He was probably talking about the pornstar. And if there isn't a pornstar named John Handcock, there damn well needs to be one.

A lack of John Handcock is un-American(TM), dammit.

the EULA of the future?

[Low2000]

There has been a lot of talk about how the EULAs of computer software are pretty much void. That simply clicking ?I Agree? means nothing and that the EULA of today wouldn?t stand up in court.

What about the EULA of tomorrow? If, instead of an ?I Agree? button we are presented with a ?Sign Here? white space, and the EULA states that by signing, both people agree that it is a binding contract?

See where I?m going?

This is similar to Morse Code

[sQuEeDeN]

One of the legends of the early radio intelligence (and other classified military radio work) was that each coder (morse that is) had a very specific tapping style that was discernible by a trained professional. Such uniqueness was noticable even if the coder switched hands.

While this uniqueness didn't provide a surefire form of authentication, professionals who feared having a broadcast recognized would sometimes retire a coder after sending a particularly sensitive message.
Seems kinda like mouse analasys. You can't prove it's them, but it's another suggestion. Can't see how it'll be useful. The mouse is easy enough to hook into in the software side--it's by no means a secure device.

Re:That's the point though..

[whereiswaldo]

Interesting, but there's a big problem with using a mouse to write a signature: moving from machine to machine. The ergonomics are totally different between machines, for one thing. Plus, different brands of mouse. What about mice with the thumb-rollerball? Or notebook touchpads? Or optical mice vs. crappy old mice with crud stuck in the rollers?