Typing Patterns for Authentication
Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.
I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.
Hail Eris, full of mischief...
E pluribus sanguinem
This will make it possible for a change of mood to deny you access to your own accounts... which will probably not help with the mood thing.
Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"
No, I'm not going to say you invoked Godwin's Law right at the top of the article...
I immediately thought of WW2 when I read the title. A Morse Code operator's style was called their "fist". German operators became quite adept at mimicking the fist of other operators, and using the fist to identify captured operators didn't work well. This is why they had other signals for identifying that an operator was not captured. Things that would look like a typographical or crypto error to a third party, but which were known to both the sender and receiver, and the absence of them would indicate capture. Of course, under stress, sometimes these were forgotten.
The book Silk and Cyanide has a great discussion of the fist and other identification techniques and how they failed and succeeded (mostly the former). Highly recommended.
Sean
So now I won't be able to log in to forums and make a fool of myself when I'm drunk :(
Wonder if it can be used to prevent people from editing important documents while you take a quick break (hint: preventing your little brother from posting comments with your account)... "Error: Your Words Per Minute Do Not Match Your Normal Style. Please Try Again."
Give Kashyyyk back to the Wookies
While I think measuring typing speed as well as the password itself might work, comparing it to Morse code speed is ludicrous.
Richards has apparently forgotten that Morse code uses 1 key, as opposed to passwords, which use 47 character keys with the ability for a person to hold down the shift key to enter an alternate version of any of those.
Which means that, when a person starts using a new password, they type it fairly slowly. However, as they get used to typing it, they gradually get faster at it.
What do you do when your own system locks you out because you've gotten better at typing your own password?
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Short arms?
Long penis.
The higher the technology, the sharper that two-edged sword.
I read about this semi-recently (as in within the last year) and at that point the recognition based on the actual keystroke timing was pretty poor. With only 2 or 3 people they could tell who it was something like 90% of the time if I remember right. It got considerably worse as there were more people to recognize.
Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identity. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3-attempt lockout policy or the like.
I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".
Here, I see two problems off the cuff:
Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.
The Busy Coder's Guide to Android Development
Start drinking before you set your password!
Turning coffee into code.
When holding a book or other items, I type one-handed. (joke as required)
I'd think that this system would have the user type their password multiple times looking for consistent spacing.
When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle it when people improve at typing their password?
So I haven't RTFA and am just thinking out loud. Couldn't the problem of your typing speeding up or whatever due to your "comfort" level be solved by using an evolving stream? You've got the algorithm to determine similarity. Let's assume it's tuned to a 99% significance level. This is security, right? But instead of comparing to an original, or arbitrary previous time, it compares it to your previous login, or perhaps a composite of the previous 2 logins. This way, your stored "fist" will evolve with you. I like it. It's conceptually easy at least. Any ideas on the CPU hit for this? Proof of concept?
World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor.
It was all netware back then....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Yeah, not only that, but imagine when you've forgotten something important and you call home to talk to your spouse to get it.
Kent M Pitman
Philosopher, Technologist, Writer
From the article:
"You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."
Ahh, so really all they've done is increased the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not nearly as tough as the password, especially since no one expects it to be used) or keep making occasional tries at logging in with the correct password until you find their cadence (probably not that hard).
Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags; chances are there will be so many false positives that no one will bother to follow up.
I stole this Sig
We have been offering BioPassword as an additional security feature for our web-based application (Doc Mgmt). I have been fairly impressed with its capabilities.
You can configure a number of options such as # of attempts before activation, which allows it to 'learn' your typing style.
You can also set the 'Pass/Fail' percentage. For instance, an 80% match, so you don't have to type it in EXACTLY the same way every time.
Additionally you can disable BP for individual users if you wish (broken hand, etc).
Plenty of other configs for it as well. By and large, it has been a fairly hands-free security system once configured.
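As an added example, not BioPassword's code or anything from the article, here is the scheme the thread has been describing end to end: dwell and flight times extracted from raw press/release timestamps (the summary's three features), a per-feature tolerance band with a pass/fail fraction like the 80% setting mentioned above, and the earlier comment's "evolving fist", where the template is rebuilt from a short window of recent accepted logins so that it follows a user who gets faster at typing the password. All timings are constructed, and the 20 ms tolerance floor and window of 3 are assumptions chosen for the illustration.

```python
import statistics

def keystrokes(dwells, flights, t0=0):
    """Turn dwell/flight lists into (press_ms, release_ms) pairs, the raw form
    a client would actually report for each key of the password."""
    events, t = [], t0
    for i, d in enumerate(dwells):
        events.append((t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell (hold) times followed by flight (release-to-next-press) times."""
    dwell = [r - p for p, r in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def build_template(samples):
    """Per-feature mean and tolerance (2 sigma, floored at 20 ms) over samples."""
    cols = zip(*(features(s) for s in samples))
    return [(statistics.mean(c), max(2 * statistics.pstdev(c), 20.0)) for c in cols]

def match_score(template, attempt):
    """Fraction of features that fall inside the template's tolerance band."""
    hits = sum(abs(x - m) <= tol for (m, tol), x in zip(template, features(attempt)))
    return hits / len(template)

def simulate(enrolment, attempts, threshold=0.8, adaptive=True, window=3):
    """Run successive logins; with adaptive=True each accepted attempt replaces
    the oldest sample, so the template drifts along with the user's cadence."""
    samples, results = list(enrolment), []
    template = build_template(samples)
    for attempt in attempts:
        ok = match_score(template, attempt) >= threshold
        results.append(ok)
        if ok and adaptive:
            samples = (samples + [attempt])[-window:]
            template = build_template(samples)
    return results

# Constructed timings (ms) for a four-key password: three enrolment samples,
# three later owner logins that get steadily faster, and one impostor attempt.
ENROL = [keystrokes([90, 80, 100, 85], [120, 60, 150]),
         keystrokes([95, 78, 104, 88], [130, 55, 160]),
         keystrokes([88, 84, 97, 82], [115, 65, 145])]
OWNER_LOGINS = [keystrokes([88, 78, 96, 82], [112, 55, 142]),
                keystrokes([84, 74, 92, 78], [104, 50, 134]),
                keystrokes([80, 70, 88, 74], [96, 45, 126])]
IMPOSTOR = keystrokes([140, 150, 130, 160], [300, 250, 400])

if __name__ == "__main__":
    print("static  :", simulate(ENROL, OWNER_LOGINS, adaptive=False))  # [True, True, False]
    print("adaptive:", simulate(ENROL, OWNER_LOGINS))                   # [True, True, True]
    print("impostor:", simulate(ENROL, [IMPOSTOR]))                      # [False]
```

The static template rejects the owner's third, faster login while the adaptive one keeps accepting, and the impostor scores 0.0 against either. The flip side of adapting only on accepted logins is that anyone accepted once starts pulling the template toward their own cadence, which is why the window stays short and the threshold high.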
Right! Because that's an easy thing for the 90% of users who use their pet or spouse or birthday for their password. (Yes, I did pull 90% out of my ass, but it's probably true in spite of that.)
while you were drunk, I intercepted the email you wrote to
- the girl from the office
would you like to read it again before it is sent?[No] [Ignore] [Cancel]
You can't take the sky from me...
Well, it has been done before. I graduated from the Academy of Arts in Rotterdam in 1996 with some fonts that changed their shape depending on how you typed. Inspiration for these fonts was exactly this technique, which I had heard about, on some big IT show, at least 5 years before.
A JAVA version of one of the fonts (Typschrift-B, a rather crude version, but my JAVA knowledge is kind of non-existent) is the only thing that is still online of the whole project.
Well, it is not new at all, even in the IT field, and Biopassword is not the only company publishing this kind of software. Take a look also at all the patents already registered, and if that is not enough to convince you, here is a list of freely available pdf documents I have collected about keystroke dynamics:
1993-10 Pattern classification and scene analysis.pdf
1997-00 Keystroke Dynamics as a Biometric for Authentication.pdf
1997-04 User Recognition by Keystroke Latency Pattern Analysis.pdf
2001-10 Password hardening based on keystroke dynamics.pdf
2001-11 User authentication using keystroke dynamics.pdf
2002-06 Keystroke Biometrics.pdf
2002-10 typing dynamics biometric authentication.pdf
2003-00 Identity verification through dynamic keytroke analysis.pdf
2003-11 Keystroke dynamics.pdf
2004-00 dealing with different languages and old profiles in keystroke analysis of free text.pdf
2004-03 Identity Verification using Keyboard Statistics.pdf
2004-04 An analysis of keystroke dynamics use in user authentifcation.pdf
2004-05 Keystroke Dynamics Verification Using a Spontaneously Generated password thesis.pdf
2004-12 keystroke dynamics based authentication.pdf
2005-00 Username and Password Verification through Keystroke Dynamics thesis.pdf
2005-00 the potential for analysing free-text.pdf
2005-07 Biometric Authenticatio using Random Distributions(BioART).pdf
2006-00 Keystrok Dynamics and Corporate Security.pdf
2006-00 Keystroke Dynamics Verification Using a Spontaneously Generated password.pdf
2006-09 Keystroke dynamics- Low Impact Biometric Verification.pdf
1977, Rome:
G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).
1980, Rand:
R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corporation (1980).
1990, Gupta:
R. Joyce and G. Gupta, "Identity Authentication Based on Keystroke Latencies," Communications of the ACM 33:2 (1990), 168-176.
1995, IBM:
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/
1999, ATT:
http://avirubin.com/fgcs.pdf
2005, MIMOS:
http://digital.ni.com/worldwide/singapore.nsf/web
"whether a message was sent by an ally or an impostor..."
...or a cat.
--Rob
Towards the Singularity.
I touch type, and am very used to my own particular keyboard. The moment I sit down at a different keyboard (my wife's laptop, a public station, a horrendous split-ergonomic keyboard), I revert to hunt-and-peck mode. I'll also type differently if I don't have my ergonomic puffy wrist pad for my hands.
Simply a horrid idea.
----- And all that the Lorax left here in this mess was a small pile of rocks, with one word...UNLESS.
How useful is this method going to be when it can't be used with web-based applications?
For one, how's the web browser going to obtain that keystroke timing info and pass it on to the host? A JavaScript implementation would be trivial to circumvent. And an ActiveX-like implementation would be a security risk.
For another, what about stored passwords? I may use an identifiable cadence when typing in a new password for the first time, but if I choose to let my browser store that password, it's going to subsequently get pasted in at the speed of . How many false negatives will this cause?
Je fume. Tu fumes. Nous fûmes!