Typing Patterns for Authentication
Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
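A minimal verifier for the scheme the summary describes, as an added example that is not part of the submission and is not BioPassword's code: it enrolls key hold times, gaps between keystrokes and overall duration, then lets a login through only when both the password and the timing match. The page does not say how BioPassword compares patterns, so the scaled Manhattan distance, the 5 ms deviation floor, the 2.0 threshold, all function names and the sample timings are assumptions constructed for illustration.

```python
import hmac
from statistics import mean, pstdev

def features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order."""
    dwell = [rel - prs for _, prs, rel in events]      # how long each key is held
    flight = [events[i + 1][1] - events[i][2]          # time between keystrokes
              for i in range(len(events) - 1)]
    total = events[-1][2] - events[0][1]               # overall speed
    return dwell + flight + [total]

def enroll(samples, min_dev=5.0):
    """Build the pattern 'on file': per-feature (mean, deviation) over the samples."""
    columns = zip(*(features(s) for s in samples))
    # Floor the deviation (assumed 5 ms) so a very consistent feature cannot divide by ~0.
    return [(mean(c), max(pstdev(c), min_dev)) for c in columns]

def distance(template, events):
    """Mean scaled Manhattan distance of one attempt from the enrolled template."""
    vec = features(events)
    return sum(abs(x - m) / d for x, (m, d) in zip(vec, template)) / len(vec)

def login(password, template, events, threshold=2.0):
    """Allow in only if both the password and the pattern match (threshold is assumed)."""
    typed = "".join(key for key, _, _ in events)
    # Plaintext comparison keeps the demo short; a real system checks a password hash.
    if not hmac.compare_digest(typed.encode(), password.encode()):
        return False
    return distance(template, events) <= threshold

def make_events(keys, dwells, flights):
    """Constructed sample data: turn dwell/flight lists into timestamped key events."""
    t, out = 0, []
    for i, key in enumerate(keys):
        out.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

PASSWORD = "s3cret"  # constructed
TEMPLATE = enroll([make_events(PASSWORD, d, f) for d, f in [
    ([90, 110, 85, 95, 100, 92], [120, 200, 80, 70, 95]),
    ([95, 105, 88, 90, 104, 96], [115, 210, 85, 75, 90]),
    ([88, 112, 82, 98, 98, 90], [125, 195, 78, 68, 100]),
]])
OWNER = make_events(PASSWORD, [92, 108, 86, 94, 101, 93], [118, 205, 82, 72, 94])
OTHER = make_events(PASSWORD, [60, 70, 65, 60, 75, 62], [250, 90, 180, 160, 40])
WRONG = make_events("s3cr3t", [92, 108, 86, 94, 101, 93], [118, 205, 82, 72, 94])

if __name__ == "__main__":
    for name, ev in [("owner", OWNER), ("other typist", OTHER), ("wrong password", WRONG)]:
        print(name, login(PASSWORD, TEMPLATE, ev))
```

The threshold trades false rejects of the account owner against false accepts of another typist, so it has to be tuned on real enrollment data rather than taken from these constructed numbers.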
From the article:
"You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."
Ahh, so really all they've really done is increase the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not nearly as tough as the password, especially since no one expects it to be used) or they keep making occasional tries at logging in with the correct password until you find their cadence (probably not that hard).
Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags; chances are there will be so many false positives that no one will bother to follow up.
I stole this Sig
Sometime in the early 90s a company sent me a neural network demo that did typist identification. Users trained it by typing a paragraph, and you could enter several typists into the system. Then an unknown user typed some new text, and the system tried to identify the user.
Once trained, it was extremely hard to fool the thing, even by deliberately and extremely altering your typing habits. Of course, this was a multiple choice test and that's easier than the authentication situation, but it shows that the method can be more robust than would first appear.