Typing Patterns for Authentication
Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
A Morse operator's style was referred to as his "fist". This is referenced in Cryptonomicon.
I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.
This will make it possible for a change of mood to deny your access to your own accounts... which will probably not help with the mood thing.
Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"
Yeah, and if you're drunk, you're pretty much screwed. That could be a good thing however... I always remember my root password when I've had a few... even though it takes me a few minutes to login.
And then there are my friends who partake in other drugs and use their computers. My friend Ryan would have a hard time getting in when he's hopped up on benzodiazepines, and David, that amphetamine addict would type just too fast.
... of a guy who could only login successfully while sitting down, but not standing up. It took him some time to figure out why.
Any takers?
No, I'm not going to say you invoked Godwin's Law right at the top of the article...
I immediately thought of WW2 when I read the title. A Morse Code operator's style was called their "fist". German operators became quite adept at mimicking the fist of other operators, and using the fist to identify captured operators didn't work well. This is why they had other signals for identifying that an operator was not captured: things that would look like a typographical or crypto error to a third party, but which were known to both the sender and receiver, and the absence of which would indicate capture. Of course, under stress, sometimes these were forgotten.
The book Silk and Cyanide has a great discussion of the fist and other identification techniques and how they failed and succeeded (mostly the former). Highly recommended.
Sean
So, how do they use it to authenticate over the wire?
Isn't everything bulk encrypted (i.e. whole password at once, rather than char by char) and then sent? How would this be useful then?
So now I won't be able to log in to forums and make a fool of myself when I'm drunk :(
Wonder if it can be used to prevent people from editing important documents while you take a quick break (hint: preventing your little brother from posting comments with your account)... "Error: Your Words Per Minute Do Not Match Your Normal Style. Please Try Again."
While I think measuring typing speed as well as the password itself might work, comparing it to morse code speed is ludicrous.
Richards has apparently forgotten that morse code uses 1-key as opposed to passwords which use 47 character keys with the ability for a person to hold down the shift key to enter in an alternate version of any of those.
Which means that, when a person starts using a new password, they type it fairly slowly. However, as they get used to typing it, they gradually get faster at it.
What do you do when your own system locks you out because you've gotten better at typing your own password?
I heard this first discussed in the 1980s.
I read about this semi-recently (as in within the last year) and at that point the recognition based on the actual keystroke timing was pretty poor. With only 2 or 3 people they could tell who it was something like 90% of the time if I remember right. It got considerably worse as there were more people to recognize.
Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identity. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3 attempt lockout policy or the like.
I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".
Here, I see two problems off the cuff:
Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.
Start drinking before you set your password!
The demo that they have for you to try it out shows a person who wrote their password on a piece of paper. I suppose it would help against that sort of password stealing, but it seems trivial to add the key entry timing to a password logger.
This method makes sense for analog movement. The WWII morse code example applies, since it's the rate of the dot/dash signal that matters (it's a pressure or sound wave, essentially the telephone). Also, biometric writing signatures have unique speed and direction.
Keyboards, on the other hand, give mostly discrete signals. Each key is an ASCII (eg.) code. The keystroke speed is secondary, based on the keyboard. I type faster on my work keyboard than a tiny laptop; I have practice typing my password here. If I used a DVORAK keypad, then my password might take much longer to hunt-and-peck.
Besides, log-in is an *authorization* (permission) concern. Biometric is used to *authenticate* who the user is. X509 certificates or keycards are good for this, and have lower rejection rates.
When holding a book or other items, I type one-handed. (joke as required)
I'd think that this system would have the user type their password multiple times looking for consistent spacing.
When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle it when people improve at typing their password?
So I haven't RTFA and am just thinking out loud. Couldn't the problem of your typing speeding up or whatever due to your "comfort" level be solved by using an evolving stream? You've got the algorithm to determine similarity. Let's assume it's tuned to a 99% significance level. This is security right? But instead of comparing to an original, or arbitrary previous time, it compares it to your previous login, or perhaps a composite of the previous 2 logins. This way, your stored "fist" will evolve with you. I like it. It's conceptually easy at least. Any ideas on the CPU hit for this? Proof of concept?
World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor.
It was all netware back then....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Perhaps it is just because I don't think like a marketoid, but it seems to me that it would be much simpler, and more effective (not to mention cause less problems in the long-run) to just use longer passwords.
Rather than recording the timings between keypresses or other such nonsense, just add more keypresses.
Besides, if you are worried about keyloggers on your system, you've already lost.
When I choose passwords, I make them such that they are memorable by pattern vs. memorable by content. This accomplishes two important things: 1.) This makes my password entry VERY fast as it relies on muscle memory to a greater extent than thinking about the words I need to type and then typing them, and 2.) I am able to 'sense' typos without really thinking about it. Adding a system-side authentication scheme that senses my tempo, strike, etc. would be cool in order to defeat impostors. Cool stuff.
What happens if I'm on the laptop keyboard, then the desktop keyboard? As I'm more attuned to the laptop atm, the desktop keyboard will have a different usage pattern. If I go from this keyboard to one on another desktop, it will be even more off.
Wasn't there an attack for SSH challenge-response authentication that used the timing of packets to make it easier to brute-force your password?
According to TFA, incorrectly typing the password a number of times will allow one to log in by spelling the password correctly and answering a second security question. Thus there is absolutely no point to this implementation, as it's the exact functional equivalent of simply having a user enter _two_ passwords. It can still be circumvented as easily.
With a more sophisticated password, there will always be a more sophisticated keylogger to capture all your keystroke information.
Yeah, not only that, but imagine when you've forgotten something important and you call home to talk to your spouse to get it.
What if you just came in from the cold and your fingers are stiff? What if you're using your laptop on your lap... top... and don't type the same way you do at your desk?
This is a stupid idea.
Comment of the year
From the article:
"You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."
Ahh, so really all they've done is increase the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not nearly as tough as the password, especially since no one expects them to be used) or keep making occasional tries at logging in with the correct password until you find their cadence (probably not that hard).
Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags, chances are there will be so many false positives that no one will bother to follow up.
A Morse Code signaler's distinctive style was referred to as their "fist". I thought it was also called their "hand" but couldn't find a reference for this.
Cat-like typing not detected.
What's new here? This was available back in 2005 if I am not wrong.
Or mine for that matter. (I'm spastic...)
We have been offering BioPassword as an additional security feature for our web based application (Doc Mgmt). I have been fairly impressed with its capabilities.
You can configure a number of options such as # of attempts before activation which allows it to 'learn' your typing style.
You can also set the 'Pass/Fail' percentage. For instance 80% match so you don't have to type it in EXACTLY the same way every time.
Additionally you can disable BP for individual users if you wish (broken hand, etc).
Plenty of other configs for it as well. By and large, it has been a fairly hands-free security system once configured.
You must be new here. Welcome to /.
"Tu fui, ego eris" - Virgil
Someone listening to my typing could match my timing well enough to get in if they also knew the password.
Seriously. Does anyone else feel like they are taking a lot more Turing Tests than are really necessary? I feel like I'm trying not to be a computer an awful lot lately. By the way, the neural networks that are capable of cracking the little picture puzzles they give us to get new accounts could probably be trained to learn a person's typing habits.
Does anybody else get the feeling that biometric features like this are going to make it more difficult to service users' PCs without already having a maintenance account on them?
I first ran into this when trying to forge consent forms.
... So yeah, nevermind. I probably don't even want to know.
Why would this work any better than just having two distinct passwords, a regular one and a "distress" one?
I've often thought that they should do something like this for ATMs. You should have another PIN code that you can enter, which will work just like your regular one, but will also trigger an immediate silent alarm and mark the machine's video record that something was amiss.
Or on a computer, you have two passwords, one that's the real login, and another that causes the computer to open to a fake main screen, display dummy data, and silently start deleting the real stuff every time it has an opportunity to access the disk. It could also try to transmit some sort of a distress message, although that's harder to do on a computer where you have to assume that it can be disconnected from the outside world pretty trivially.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
while you were drunk, I intercepted the email you wrote to
- the girl from the office
would you like to read it again before it is sent? [No] [Ignore] [Cancel]
So hopefully they don't go applying for patents or I'll go prior art on their ass.
When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle it when people improve at typing their password?
Also, by the time it learns to understand the pattern, the SysAd forces you to change the password. I know a lot of people mentioned web-based things. How would this work with browsers (would they then have to memorize exactly how you entered the password?) As another, probably more relevant issue, does it need to have 90% accuracy or any such measure? Suppose it only has 50% accuracy; isn't this still an improvement (provided it allows the true user in 99-100% of the time)? It is after all in addition to a password, and so adds another level of complexity, similar to adding a new character or possible characters. It also should completely deny programs which guess passwords, or slow them down significantly, as they need to wait at least 1-2 seconds between each password attempt.
I am not an expert. If I am misled in something, please correct me.
I used to do that, but lately I just make a prototype password that's a real word or pair of words, and figure out what changes would let me type it faster. Then I change it, making it both a stronger password (not a word any more) and easier to type. And it's memorable because of the process of deciding what would be the best way to change it.
Anyway, I like the idea of letting the password evolve a little.
Sustain a hand injury of whatever sort, and you could be locked out big time.
I hope this won't spread too far, as it will render macro-style form-fillers unusable!
Set your password for things only when you are incredibly frustrated or bitter. Then after your computer ruins your mood because it won't let you log on, at least you'll be able to finally get in. It might make you hate everything though.
Keystroke patterns are a well-established method for intrusion detection. In fact it predates computers, as in the old days of Morse code an operator would typically have a recognizable signature.
The proposal will reduce the vulnerability to shoulder surfing (a problem in lab and public environments). However, it is still susceptible to keystroke logging (the more common problem in a home or office environment). Cadence is just another factor that needs to be recorded.
Cadence measurement is still susceptible to replay attacks, which is one of the biggest problems in authentication. To protect against replay attacks, the authentication needs to be different each time. Examples are one-time-passwords and challenge-response authentication mechanisms. I have never seen a biometric authentication factor which addresses the issue of replay attacks.
I used this method in around 1990 when I was a kid to ensure that my little brother could not use my computer even if he knew the password. The password was stored as combinations of (letter, hit time). Of course they were not ciphered, but the principle was there. And I can say it's really effective. Nobody can type your password like you.
Willy
Hmmm... so will this pass for two factor authentication for PCI and other security standards?
This is dumb.
1) it will have too many false errors due to the inconsistent way people type. Things change as we age, as we trim our nails, how rushed we are, etc.
2) a decently sophisticated keylogger can record and play back key strokes as if the original typist was doing the typing. People who want in badly enough WILL have that sort of tool so don't laugh it off.
3) The in thing is computing anywhere. One login from any computer gets you to your particular desktop or set of apps. This is becoming the norm where I work. But not all the computers are the same. Some Dell, some HP, some Mac, some IBM. Most of the keyboards are different so it stands to reason the *exact* timing on keystrokes will differ from one to the next. The margin of error may be enough to cause trouble. We don't know. Nothing has ever looked into keypresses so deeply before.
4) No matter how many key-press passwords and other biometric junk (easily bypassed + woefully oversold) you attach to a computer, it's still easy to steal the entire computer or at least the hard drive and do all sorts of evil to it as much as you want. Sure, encrypt the drive but how many people actually DO that?
PS: for everybody chattering about how morse operators "used to" have a "fist" or style, please note that morse code users STILL exist along with all those terms and techniques and whatever. So maybe it might seem like something from 1935, but it is still in use in amateur radio. So drop the "used to" stuff OK?
PPS: I think morse is long past its date with destiny. Bring on NO CODE baby! But I have to stand up for my fellow CW users. They are out there, tapping away even now. It's very bandwidth efficient and it's rather easy to use for SMS too. Mobile phones should have it as an option instead of T-9 or alpha-numeric.
This simply reduces the existing security. We spent years enciphering passwords, salting them, shadowing them so that it would be difficult to guess the password.
Now, patterns would have to be kept in plaintext? Today no administrator can know the password of the user (though he can change it or set it to null, he can't know the actual password)
Even if the complete password is not stored in a straightforward way, and only triplets or tetralets are stored, the brute force method now requires very few permutations and combinations.
This technology has been out for years now, and has never been reliable enough to count on. The patent was purchased for six digits (100 or 750 k, I forget which) years ago, and since then they've been trying to make this dog bark.
(In disclosure, I'm working on a similar, competing product, but for legal/business/my-boss-kicking-my-ass reasons am not going into it).
I'll just mention the opposite idea, which I've never got around to bothering with.
If you voip a lot, this idea might come to your attention.
Pattern analysis of your typing, and then decoding that typing to extract passphrases.
Known plaintext correlated with typing audio, [imagine the scenario], could be helpful.
As they say, "Working code trumps all theories."
If you need text styles to communicate then you don't have a message.
... is people using Ctrl (Apple) Enter to enter passwords, are pretty much screwed. :)
This is the worst news I've had for months. You see, this was MY idea. I had it for a few years. I was planning to do my masters on it. I have recently written a paper on it. See, here is the introduction: "The currently predominant system for user identification is obsolete, and has been broken in the past numerous times. It relies on a secret password that in theory only the user and the secure server know, which means that there are tons of ways to wrongfully obtain access to the system. Worse, users often forget the passwords, making them go through a usually painful password recovery procedure, and they often mishandle the password. The idea behind my proposal is to identify users based on their typing habits, therefore eliminating all these problems." That company is now my enemy #1!!!
Every Monday, I type slower and make more mistakes, mostly because my hands are still sore / stiff from climbing or packing canopies on the weekend. By Friday I'm back up to my normal speed.
Will I ever be allowed to login again ?
This is not a new technology. Take a look at Psylock, it is a similar mechanism developed by a group in a German university.
I know in person a guy who is working on it, and I've tried it myself in October 2006 at the Systems expo in Munich. I guess they've had a working version of it long before that.
What makes you think I won't be denied login when my cable internet is being flaky and dropping packets in a manner that makes it seem like someone else is typing? :(
This is the second commercialized BioPassword product to hit the market recently behind Deepnet Technologies.
http://www.deepnettechnologies.com/products/type.
I wonder who if anyone has the patents yet
Well, it has been done before. I graduated from the Academy of Arts in Rotterdam in 1996 with some fonts that changed their shape depending on how you typed. Inspiration for these fonts was exactly this technique, which I had heard about, on some big IT show, at least 5 years before.
A JAVA version of one of the fonts (Typschrift-B, a rather crude version but my JAVA-knowledge is kind of non-existent) is the only thing that is still on line of the whole project.
I happen to be doing my Master's thesis on exactly this subject. The problem currently with the technology is that there's not enough data for scientists to work on and extract the best metrics. Plus, it's dominated by corporations. My idea was to gather enough data and make them available for future researchers as well as set up an open-source program implementing the best algorithms I'll come up with. Analysis of the data will be done with R and the actual program written in Python. It'd be nice if you could take a minute to send in a sample of your writing on this page: http://www.malti.org/
My thesis proposal is publicly available here: http://www.malti.org/paper.odt.
Thanks in advance,
... might be a problem here. So: no more sports, please ;)
On all laptop macintoshes there are now always webcams on the screens, and go figure there are already maybe 5 or 6 such utilities, taking regular snapshots of the mugger and sending them silently back somewhere... :-(
I agree this still sounds stupid, but just because there is a LED aside the cam
see for instance: http://www.macupdate.com/info.php/id/20425/underc
The icon itself says it all...
Herve S.
What about when you copy paste your password? Or when you use a password vault? Oh... now the system will tell you ALERT ALERT hacker robot detected typing too fast :P
This is being seriously looked at by some financial institutions in the UK as a further way of protecting themselves: some institutions have got it into their head that two factor authentication (2FA) is the be all and end all of security. The press hasn't helped this misunderstanding.
I'm in talks with a bank to use this as part of their security strategy. If this fails for whatever reason, authentication will be moved to a separate channel, such as a challenge/response via SMS on your mobile phone. Shifting out of band drastically reduces risk and doesn't completely piss off the end user. It also doesn't mandate rolling out a token/reader/whatever to the end user as we're trying to authenticate who they are rather than what they have.
Combined with fingerprinting their usual access mechanisms and other bits of behavioural data, banks/FIs can get very cute, get high security and get wide acceptance from their userbase. 2FA is not, IMHO, the way of doing this, as ABN Amro have found out despite the warnings that 2FA does not stop MITM attacks...
As a lot of other posters have pointed out, there might be serious problems when one is in another mood or if something happens (even if only you bought a new keyboard) which deviates enough from the pattern to be refused access. Now, in TFA they say they solved that by asking you additional questions if you don't get it right a few times. But, if that's the case, it isn't any better than a security system with additional passwords.
However, I do see an important possibility where the *speed* of the pattern is used as an integral part of the password protection. Say, for instance, it needed at least a one second interval between each character typed, or otherwise it would refuse the password. Now, that is easy to do, even (or maybe even easier ;-) if you are drunk or what not.
But what would that accomplish, you ask? Well, it would leave all brute force attacks useless (even quantum-mechanical ones), because those systems rely on crunching huge amounts of numbers (well, characters) superfast. Thus, if all passwords are rejected that don't take at least one second, and this is an integral part of getting access, then this means a computer can at most try out one password each second, instead of, say, a billion.
This in turn means that such a system, when the code is long enough, can't be beaten by a brute-force attack (well, not in the lifetime of the universe) because such an attack would intrinsically need huge amounts of time to decipher it. While a human, knowing the password, would have no trouble at all. His 'slowness' compared to a computer using a decryption algorithm would be exactly his strong point.
--- "To pee or not to pee, that is the question." ---
The only reason that detecting such patterns is so hard and will in most cases need to be represented by some kind of mathematical model captured by some clever analytical engine, is because you have to examine a wide range of exemplars. My behaviour will be off every now and then and the software will need to cater for that. It's like automated trading, where you still need human input and various checks to make sure that you're not bankrupted by your software.
What happens when I come back to work with a hangover, or after my dog's gone in for surgery, or when my hands are tired from holding too many coffee cups, or my fingers unfunctional from playing too many video games or something. The day back after the holiday, when you just can't remember your password. The day after you've changed your password. In fact with every new password.
I certainly don't want to be locked out of my accounts, simply because today is a crap day and I'm feeling rather odd and out of the ordinary - as are my fingers.
I wonder whether stealing someone's typing profile with trojans will be called Phisting :)
Yes, very clever especially if you're using the browser's password manager.
Besides the obvious mood changes, etc. There's also the issue of injury.
I fell and hurt my hand while in Germany. When I got back, I sat down to work and tried to type, and I found that my pinkie was hovering over the CapsLock key?! Despite having no broken bones (according to the doc) I somehow managed to mess up my hand such that I can't hold my last two fingers close together anymore. As a result my 'natural' typing stance now puts the pinkie over the shift/Lock/Tab column instead of ZAQ; and if I pull that finger in to hit the correct key, then my ring finger is pushed slightly out of alignment with *its* column, etc. Needless to say, my typing pattern has changed. I'm actually back up to speed, but I'm certain there's a delay in hitting the A key vs. how I typed before.
Any biometric system should have a fallback, just in case something like this happens. And you'd better be darn sure that you can remember the answers to those "security questions", even several years after you set them up.
1977, Rome:
G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).
1980, Rand:
R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corporation (1980).
1990, Gupta:
R. Joyce and G. Gupta, "Identity Authentication Based on Keystroke Latencies," Communications of the ACM 33:2 (1990), 168-176.
1995, IBM:
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/
1999, ATT:
http://avirubin.com/fgcs.pdf
2005, MIMOS:
http://digital.ni.com/worldwide/singapore.nsf/web
New authentication scheme? This technique has been around for awhile--and not just in Morse code. I wrote working code that did this about 7 or 8 years ago. It was only 300 lines of C code. So, having first-hand experience, I am able to address some of the issues brought up here.
Typing patterns can change slightly over time or different keyboards, but some (if not most) of that variation can be accounted for statistically. Every time the user is correctly authenticated, you just add that pattern to the database. This won't handle drastic changes (like a broken hand), but it does pretty well for most cases. My system was originally trained on 10 training runs of typing the user's first name, last name, user name, and password. The login sequence required all of these, so it was a little bit longer than the standard username-password sequence.
Now, you probably can't tell your wife your password and have her log in for you, but the system could still be useful in government systems where per-user traceability is mandatory. The assumption here would be that the recognized failure modes would be acceptable, and sysadmins would be willing to handle them individually.
The system I wrote did not just measure typing speed. It actually looked at the latency patterns between each keystroke. By tweaking the similarity threshold, I could get it so that it would accept most of my attempts, but reject a lot of other people trying to log in as me. I type faster than 100 WPM, so just matching my speed was impossible for most people. I had a friend who was also a fast typist try to impersonate me. It took him a long time, but he was finally able to get in after many tries. His primary problem was typing my user name correctly and fast enough. This was difficult since it's a one-handed finger-twister. My impression after this test was that accomplished typists are consistent enough that there is minimal variation and that the recognition essentially degenerates to a speed measurement (although I don't have quantitative results to prove this). I did not do any testing on poor typists. I would have concerns about whether hunt-and-peckers would be recognized. The system did take into account the user's volatility, but it's possible that the keystroke latencies of poor typists are not normally distributed. This would pose a problem, but it might be ameliorated by using a dynamic threshold based on the users' consistency.
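The post above describes per-keystroke latency matching with a tunable similarity threshold that accounts for the user's own volatility, and an earlier comment proposed letting the stored "fist" evolve by comparing against a composite of recent logins; another thread worried that timing templates would have to be kept alongside a plaintext password. The following Python is an added illustration of all three points, written for this page; it is not the poster's 300-line C program, not BioPassword's code, and not Psylock's. The password is stored only as a salted PBKDF2 hash, the timing template stores inter-key latencies by position (no characters), each position is scored as a z-score against a sliding window of accepted samples with a floor on the standard deviation, and the window is updated only after a fully successful login. The thresholds, the sample password and every latency value are constructed for the demo.

```python
"""Added example: keystroke-latency check layered on a hashed password.
Constructed demo for illustration; thresholds and timings are made up."""
import hashlib
import hmac
import os
import statistics
from typing import Dict, List, Tuple

WINDOW = 10                 # accepted samples kept per user (the "evolving fist")
STD_FLOOR = 0.02            # seconds; keeps a very consistent typist's band usable
Z_THRESHOLD = 2.5           # per-interval tolerance in standard deviations
MAX_OUTLIER_FRACTION = 0.2  # reject if more than 20% of intervals fall outside the band


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the record never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password: str, training_samples: List[List[float]]) -> Dict:
    """Create a user record from enrolment runs. Only the password hash and
    per-position inter-key latencies are stored; no characters sit next to the timings."""
    n = len(password) - 1
    if any(len(s) != n for s in training_samples):
        raise ValueError("each sample needs one latency per key transition")
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "latencies": [list(s) for s in training_samples[-WINDOW:]],
    }


def timing_score(window: List[List[float]], sample: List[float]) -> float:
    """Fraction of intervals in `sample` lying more than Z_THRESHOLD standard
    deviations from the stored mean at that position (the user's own volatility)."""
    outliers = 0
    for pos, value in enumerate(sample):
        column = [s[pos] for s in window]
        mean = statistics.fmean(column)
        std = max(statistics.stdev(column) if len(column) > 1 else 0.0, STD_FLOOR)
        if abs(value - mean) / std > Z_THRESHOLD:
            outliers += 1
    return outliers / len(sample)


def authenticate(record: Dict, password: str, sample: List[float]) -> Tuple[bool, bool]:
    """Return (password_ok, timing_ok). The template is only extended after a
    fully successful login, so it drifts with the genuine user over time."""
    password_ok = hmac.compare_digest(record["pw_hash"], hash_password(password, record["salt"]))
    if not password_ok:
        return False, False  # a wrong password never gets a timing verdict
    if len(sample) != len(record["latencies"][0]):
        return True, False
    timing_ok = timing_score(record["latencies"], sample) <= MAX_OUTLIER_FRACTION
    if timing_ok:
        record["latencies"].append(list(sample))
        del record["latencies"][:-WINDOW]  # keep only the most recent WINDOW samples
    return password_ok, timing_ok


# ---- constructed demo data (not measurements from any real user) ----------
PASSWORD = "correct horse"                      # 13 characters -> 12 intervals
BASE = [0.12, 0.15, 0.10, 0.18, 0.14, 0.22, 0.11, 0.13, 0.16, 0.12, 0.19, 0.14]
# nine enrolment runs with +/-10 ms jitter spread evenly over the positions
TRAINING = [[b + 0.01 * ((i + j) % 3 - 1) for j, b in enumerate(BASE)] for i in range(9)]
GENUINE = [b + 0.02 for b in BASE]              # same person, a little tired
PRACTISED = [b * 0.85 for b in BASE]            # same person, faster after weeks of use
HUNT_AND_PECK = [0.30] * 12                     # knows the password, types it slowly


def demo() -> Dict[str, Tuple[bool, bool]]:
    record = enroll(PASSWORD, TRAINING)
    return {
        "genuine": authenticate(record, PASSWORD, GENUINE),
        "practised": authenticate(record, PASSWORD, PRACTISED),
        "impostor": authenticate(record, PASSWORD, HUNT_AND_PECK),
        "wrong_password": authenticate(record, "correct horsf", GENUINE),
    }


if __name__ == "__main__":
    for name, (pw_ok, t_ok) in demo().items():
        print(f"{name:15} password_ok={pw_ok} timing_ok={t_ok}")
```

Because the window only admits samples from successful logins, the gradual speed-up of a practised user is absorbed while a very different cadence is still rejected; a sudden change such as an injured hand would still fail, which is why the poster above notes that admins must be prepared to handle those cases individually. The server also cannot verify that reported latencies were measured honestly, so this check is a supplement to, not a replacement for, the password hash and ordinary lockout policy.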
"whether a message was sent by an ally or an impostor..."
...or a cat.
--Rob
Towards the Singularity.
What's gonna happen when I get drunk? I think my typing patterns change dramatically when I get stoned.
Early mornings tend to blur my senses a bit. An average 8AM sends me from "PASSRDD" to "PASSWROD" and eventually the 1 second per key "P A S S W O R D" to make sure I'm not locked out. The JOY that this will bring to sys admins across the globe when unlocking accounts!
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
If you're interested in this topic, have a look at http://www.ece.cmu.edu/~reiter/papers/2002/IJIS.pdf
It explains the learning process, and will tell you more specifically how it modifies the password file to match the progress of the user.
When I was in the biometrics industry over ten years ago, this method of biometric identification was well-known and researched. There's nothing "new" about it at all.
As a network admin, I was on the phone to a remote site talking with a guy who used to be a military morse operator. With quite surprising accuracy he could discern what keys I was typing on the keyboard.
It would seem the human brain, and now software, has a base reference for how long it takes your finger to travel from one key to another. Each just has to be customized per user based on quirks in their typing pattern.
I wrote an application many years ago that would do authentication based on keyboard input and mouse movement and daily practices. I even filed for a patent for the idea but never followed through on it. My system would record time between keyboard strokes for the password as well as watch the user's actions over a given period of time to determine if it really was the authenticated user, so even if somebody knew your password and could replicate your timing they could still be caught when they tried to do abnormal tasks and the keyboard/mouse input didn't match with the authenticated user.
I touch type, and am very used to my own particular keyboard. The moment I sit down at a different keyboard (my wife's laptop, a public station, a horrendous split-ergonomic keyboard), I revert to hunt-and-peck mode. I'll also type differently if I don't have my ergonomic puffy wrist pad for my hands.
Simply a horrid idea.
----- And all that the Lorax left here in this mess was a small pile of rocks, with one word...UNLESS.
If the program has a proper "slop" allowance you shouldn't have any problem. That's a big if and how hung over are you planning to be? Bagels are bad for your teeth anyway so have a doughnut instead. :)
Speak for yourself!
One of the greatest joys I get each week is coming home and seeing a package on the doorstep that I can not - for the life of me - recall ordering.
What I've learned is that I order some pretty cool shit when I'm wasted. And it's kind of cool to have a Christmas every week.
How useful is this method going to be when it can't be used with web-based applications?
For one, how's the web browser going to obtain that keystroke timing info and pass it on to the host? A Javascript implementation would be trivial to circumvent. And an ActiveX-like implementation would be a security risk.
For another, what about stored passwords? I may use an identifiable cadence when typing in a new password for the first time, but if I choose to let my browser store that password, it's going to subsequently get pasted in at the speed of . How many false negatives will this cause?
There was an interesting (to me at least) short story written at least 10 years ago that used this as a major plot point. The story had two guys writing security packages for a system. In the story, the "pattern of typing" security was secretly layered over the strong password system, and when the bad/compromised developer tried to use someone else's password to get it, he was logged into a similar system that contained fake data instead. I'm only including details in case someone else read it and can remember the author and/or title... My gray matter is failing me on those points.
Biometrics will ultimately be a dead-end because their entire premise is based on the fallacy that the identity of the individual you want to allow access to your system is tied to a unique physical body. It's strange that in this computer-based age, people who obviously /use/ computers keep trying to allow people to authenticate with computers based on the assumption that only a single inalterable and non-transferable meat-being is involved.
"lolz! We'll worry about that when we have the ability to transfer consciousnesses!"
=> That's not what I'm talking about, but you raise a valid point about how this system will be even more flawed five minutes from now.
-- 'The' Lord and Master Bitman On High, Master Of All
Author David Gerold described such a system back in 1972 in his SF novel, "When Harlie Was One." I'd call that prior art.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I didn't know that. I've also heard that Morse code operators used this technique to identify the operator at the other side of the line.
Also, it's been used before by Morse code operators.
Slagborr
For the record, Marketplace is not a National Public Radio program. Though it is carried on many stations that identify themselves as being an NPR affiliate, Marketplace is actually distributed by American Public Media.
End of Line.
No thanks, some of us deal very well with the id/password scheme. But so far all of the 2-level authentication routines are a failure. The more layers of authentication you put on users, the more likely they're going to be to write stuff down and lose it.
This is even worse, because users are going to open notepad, type their password in clear text, then paste it into the password field, and hopefully they will remember to exit notepad without saving.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
Will it let your other personality access the account?
Not an employee, but we've tried BP. Maybe I can shed some light on these questions since the article was so light.
You don't actually have to go through a forced enrollment. There is an option to "silently" learn a user's profile. I also believe in the newer versions the learning is continual, so say you change your password and at first you stumble with it for a few days. No big deal really, BP (under silent enrollment) won't engage strict enforcement until it's seen a pattern enough times that it can qualify against it. Note that even under strict enrollment, if a user types their password 9 different ways it will fail the process and they'll have to try again later.
Also configurable is how strict it is when comparing input to your profile. I believe the default rating is 30 (out of 100, but I am told it doesn't mean 30% accuracy) and you can adjust this for all users or on an individual basis. From our testing, once that rating was much over 60 it was starting to throw failed attempts for good typists. The good side to this is there is also a log you can use that will help show how often it kicks out a login attempt so you can help control your organization and feel out what a proper setting would be. Even with a default setting though we didn't see many failed attempts but not once was someone able to mimic another.
BP does protect a lot more than what the article suggests. I believe it actually also grades your username, not just the password. It also forces Windows to clear out any username/password boxes that originate from Explorer and other parts of the OS. If you have an intranet site that uses basic authentication (prompting a normal Windows password box) that will be BP protected. Anyone that invokes RunAs through Explorer or the CLI will also get BP-protected input fields. Though most of this stuff is configurable.
For all those saying "oh no I hurt my hands and now I can't login!" I suppose that's true, but it only takes a few clicks in the ADU&G and your profile is cleared out and will start learning your new one-handed sequences. Personally I like the idea that someone too inebriated to type their password normally gets locked out for a while. I'm sure some CxOs and HR Admins agree.
Hopefully that clears up at least a little air.
What if I don't even type my password? I keep some of my more difficult to remember passwords stored in Password Safe. This allows me to simply copy and paste those annoying passwords that are impossible to remember.
No one cares what your captcha was
Houston TX, USA
This looks like it's harder to crack than Vidoop. I watched their demo on Tuesday, and I realized how easy it is to watch someone's mouse pointer click on different pictures. I think after 2-3 tries I can figure out that someone chose boats over cars.
No, I will not work for your startup
Invalid Pattern.
BioPassword is not the only company with authentication by typing rhythms. Imagic Software http://www.imagicsoftware.com/ has been in the business for 5 years and has just been issued a patent for keystroke recognition. Their product, Trustable Passwords, is in use by some big companies. Lots of information on the website. Some of the questions posed here are addressed in the FAQ http://www.imagicsoftware.com/FAQ.htm. This technology is real.