Slashdot Mirror


Typing Patterns for Authentication

Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
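The comparison the summary describes, sketched as an added example (not part of the original story, and not BioPassword's own algorithm, which the page does not describe): key hold ("dwell") and between-key ("flight") times are scored against an enrolled template with a scaled Manhattan distance, a common keystroke-dynamics baseline. The password "soup", all timings, the 5 ms floor and the 2.0 threshold are constructed assumptions.

```python
import hmac
from statistics import mean, stdev

def make_events(word, dwells, gaps):
    """Constructed-sample helper: (key, press_ms, release_ms) per keystroke."""
    t, out = 0, []
    for i, ch in enumerate(word):
        out.append((ch, t, t + dwells[i]))
        t += dwells[i] + (gaps[i] if i < len(gaps) else 0)
    return out

def features(events):
    """Dwell time of each key, then flight time between consecutive keys."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature (mean, std); std floored at 5 ms (assumed value)."""
    cols = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), 5.0)) for c in cols]

def score(template, events):
    """Scaled Manhattan distance: mean absolute z-score, lower is closer."""
    f = features(events)
    if len(f) != len(template):
        return float("inf")
    return mean(abs(x - m) / s for x, (m, s) in zip(f, template))

def verify(template, password, events, threshold=2.0):  # threshold is assumed
    """Admit only if both the password and the typing pattern match."""
    typed = "".join(k for k, _, _ in events)
    same = hmac.compare_digest(typed.encode(), password.encode())
    return same and score(template, events) <= threshold

# Constructed timings (ms) for the made-up password "soup".
ENROLLED = [make_events("soup", d, g) for d, g in [
    ([90, 85, 100, 95], [120, 110, 130]),
    ([95, 80, 105, 90], [125, 105, 135]),
    ([85, 90, 95, 100], [115, 115, 125]),
]]
TEMPLATE = enroll(ENROLLED)
USUAL = make_events("soup", [92, 83, 102, 93], [118, 113, 128])
# Same person on an unfamiliar keyboard or with a sore hand: slower throughout.
SLOWER = make_events("soup", [130, 125, 140, 150], [200, 180, 220])
WRONG = make_events("soap", [92, 83, 102, 93], [118, 113, 128])

if __name__ == "__main__":
    for name, ev in [("usual", USUAL), ("slower", SLOWER), ("wrong", WRONG)]:
        print(name, round(score(TEMPLATE, ev), 2), verify(TEMPLATE, "soup", ev))
```

With these constructed numbers the legitimate user's slower attempt is rejected even though the password is correct, which is the false-reject case several of the comments below raise.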

7 of 259 comments

  1. Bad Idea by dynamo · · Score: 4, Insightful

    This will make it possible for a change of mood to deny your access to your own accounts. ...which will probably not help with the mood thing.

  2. No Soup For ... me? by mindlessLemming · · Score: 4, Insightful

    Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"

  3. Re:Fist by OECD · · Score: 5, Insightful

    Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.

    --
    One man's -1 Flamebait is another man's +5 Funny.
  4. Nothing To See Here, Move Along by mmurphy000 · · Score: 4, Insightful

    I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".

    Here, I see two problems off the cuff:

    1. If it thinks you're not typing the password the same way, "it will ask some additional security questions". Hence, this is not significantly different than the cookie-based or IP-address based solutions used by some banks, where you need only a password if you're coming from a familiar PC and need to answer more questions if you're not. Phishers can just let the password-typing fail and fall back to collecting the answers to the security questions and break in that way.
    2. It'll only be reliable for people who use the same keyboard all the time. I know I type differently when I'm on my home PC (natural keyboard) vs. an office PC (flat keyboard) vs. my PDA (thumbboard). Particularly the way I type with two thumbs bears little resemblance to the way I touch-type. Now, it's possible they'll track different typing profiles, but eventually the profiles will grow to cover just about any typing pattern...

    Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.

    1. Re:Nothing To See Here, Move Along by Michael Woodhams · · Score: 4, Insightful

      Furthermore, if the software can detect the password cadence, so can an appropriately programmed keylogger.

      Almost all security is a tradeoff against usability. This one looks like a bad trade - you lose lots of usability for only a small increase in security.

      --
      Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
  5. Seems like it would not work as I learn my passwd by rminsk · · Score: 5, Insightful

    When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle when people improve typing their password?

  6. Re:Sharing Secrets by Anonymous Coward · · Score: 4, Insightful

    Never, EVER, give your wife your password! What the heck are you smoking?!?!