Slashdot Mirror


Typing Patterns for Authentication

Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."

26 of 259 comments

  1. Fist by Nimey · · Score: 4, Informative

    A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.

    I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:Fist by OECD · · Score: 5, Insightful

      Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.

      --
      One man's -1 Flamebait is another man's +5 Funny.
    2. Re:Fist by justinbach · · Score: 5, Funny

      So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover?


      Man, I don't know about those circumstances, but I would welcome an online financial transaction system that's good enough to recognize whether or not I'm drunkenly typing in my credit card number after a night on the town. The combination of woot.com and a few too many beers has on more than one occasion proved fatal to both my self-respect and my checking account...as if two Roombas isn't enough as it is!
      --
      I left my wallet in El Sigundo!
    3. Re:Fist by Anonymous Coward · · Score: 4, Funny

      man, what an exciting life... getting drunk and buying stuff online! You're giving Keith Richards a run for his money...

    4. Re:Fist by cyphercell · · Score: 4, Funny

      Man if I was you, I would drink more before I stole money from myself. Two Roombas? When you're drunk? What the hell is wrong with renting a hotel room and puking in the pool? Or renting a limo to drive you out, without enough cash to get back? Or, hire a stripper to sneak into bed with your best friend and his wife, so you can buy him a beer the next night, then claim poverty on him. Dude, you need some alcoholism.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
    5. Re:Fist by Ailicec · · Score: 4, Interesting

      Sometime in the early 90s a company sent me a neural network demo that did typist identification. Users trained it by typing a paragraph, and you could enter several typists into the system. Then an unknown user typed some new text, and the system tried to identify the user.
      Once trained, it was extremely hard to fool the thing, even by deliberately and extremely altering your typing habits. Of course, this was a multiple choice test and that's easier than the authentication situation, but it shows that the method can be more robust than would first appear.

    6. Re:Fist by isaac · · Score: 5, Funny

      A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.
      I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

      It won't be long before online fraudsters learn to copy users "fists."

      Yes, I predict the internet will be awash in "fisting" websites within the fortnight.

      -Isaac

      --
      I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
    7. Re:Fist by ajs318 · · Score: 3, Funny

      One morning I woke up surrounded by empty beer cans, an ashtray full of roaches, my wallet out, my debit card out of my wallet, my laptop out of juice ..... and a blinding headache. I was dimly aware of having ordered something online but couldn't for the life of me think either what it was, or where from. Though my browsing history had apparently survived the enforced fsck, there were still many things it could have been.

      A few days later, a Palm Tungsten arrived at my place of work; and when my bank statement arrived, that turned out to have been the only purchase I had made during those lost hours. It could have been worse. A lot worse, judging by the sites in my browser history!

      Lesson: Don't order stuff online while pissed and/or stoned.

      --
      Je fume. Tu fumes. Nous fûmes!
  2. Bad Idea by dynamo · · Score: 4, Insightful

    This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.

    1. Re:Bad Idea by goombah99 · · Score: 4, Funny

      This reminds me of the old joke about the two Russian comrades that read in Pravda how a new city in Siberia needs engineers. The story says the city wants for nothing, the store shelves are stocked, the store clerks courteous, and there are no lines. But they know that sometimes Pravda is not Izvestia (the truth) and it might be a trap. So they agree that one of them will go and write back if the stories are true. But if it's a trap their mail will be searched, so they agree on a code. If it is all lies the writer will write in red ink, and if true then in blue.

      One day the letter arrives. It is in blue ink. It raves about the luxury goods, and the stores of plenty. In fact, says the writer, the only thing in short supply seems to be red ink.

      The modern version would have the comrade unable to log in because all the keyboards were Dvorak.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:Bad Idea by bitt3n · · Score: 4, Funny

      This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.

      That's an easy problem to solve. Simply make sure to type your password the first time when you are in a horrible mood, and thereafter, repeatedly typing in your password will eventually result in a successful login.
  3. No Soup For ... me? by mindlessLemming · · Score: 4, Insightful

    Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"

  4. Interesting you mentioned WW2... by jafo · · Score: 5, Informative

    No, I'm not going to say you invoked Godwin's Law right at the top of the article...

    I immediately thought of WW2 when I read the title. A Morse Code operator's style was called their "fist". German operators became quite adept at mimicking the fist of other operators, and using the fist to identify captured operators didn't work well. This is why they had other signals for identifying that an operator was not captured. Things that would look like a typographical or crypto error to a third party, but which were known to both the sender and receiver, and the absence of them would indicate capture. Of course, under stress, sometimes these were forgotten.

    The book Silk and Cyanide has a great discussion of the fist and other identification techniques and how they failed and succeeded (mostly the former). Highly recommended.

    Sean

  5. No Drunk Internets :( by frup · · Score: 3, Funny

    So now I won't be able to log in to forums and make a fool of myself when I'm drunk :(

  6. Re:Reminds me of a story... by ScrewMaster · · Score: 5, Funny

    Short arms?

    Long penis.

    --
    The higher the technology, the sharper that two-edged sword.
  7. Re:Might come in handy... by mollymoo · · Score: 3, Interesting

    You don't need this technology for that, a regular password will do the job perfectly well. You just need to lock your computer when you're not using it. Every decent OS lets you do this with minimal fuss.

    --
    Chernobyl 'not a wildlife haven' - BBC News
  8. Nothing To See Here, Move Along by mmurphy000 · · Score: 4, Insightful

    I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".

    Here, I see two problems off the cuff:

    1. If it thinks you're not typing the password the same way, "it will ask some additional security questions". Hence, this is not significantly different than the cookie-based or IP-address based solutions used by some banks, where you need only a password if you're coming from a familiar PC and need to answer more questions if you're not. Phishers can just let the password-typing fail and fall back to collecting the answers to the security questions and break in that way.
    2. It'll only be reliable for people who use the same keyboard all the time. I know I type differently when I'm on my home PC (natural keyboard) vs. an office PC (flat keyboard) vs. my PDA (thumbboard). Particularly the way I type with two thumbs bears little resemblance to the way I touch-type. Now, it's possible they'll track different typing profiles, but eventually the profiles will grow to cover just about any typing pattern...

    Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.

    1. Re:Nothing To See Here, Move Along by Michael+Woodhams · · Score: 4, Insightful

      Furthermore, if the software can detect the password cadence, so can an appropriately programmed keylogger.

      Almost all security is a tradeoff against usability. This one looks like a bad trade - you lose lots of usability for only a small increase in security.

      --
      Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
  9. Seems like it would not work as I learn my passwd by rminsk · · Score: 5, Insightful

    When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle when people improve typing their password?

  10. Evolving stream? by fineghal · · Score: 3, Interesting

    So I haven't RTFA and am just thinking out loud. Couldn't the problem of your typing speeding up or whatever due to your "comfort" level be solved by using an evolving stream? You've got the algorithm to determine similarity. Let's assume it's tuned to a 99% significance level. This is security right? But instead of comparing to an original, or arbitrary previous time, it compares it to your previous login, or perhaps a composite of the previous 2 logins. This way, your stored "fist" will evolve with you. I like it. It's conceptually easy at least. Any ideas on the CPU hit for this? Proof of concept?
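An added example, not part of any comment in this thread and not BioPassword's algorithm: a minimal keystroke-dynamics check using the features named in the story summary (key hold time and time between keystrokes), comparing a fixed template with the evolving one proposed in the comment above. The scaled Manhattan distance, the threshold of 3.0, the blend factor `alpha` and all timing data are assumptions constructed for illustration.

```python
from statistics import mean

def features(events):
    """events: (key, press_ms, release_ms) tuples in typing order.
    Returns dwell times (how long each key is held) followed by
    flight times (release of one key to press of the next)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template: per-feature mean and mean absolute deviation (floored at 1 ms)."""
    cols = list(zip(*samples))
    mu = [mean(c) for c in cols]
    mad = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, mu)]
    return {"mu": mu, "mad": mad}

def score(tpl, vec):
    """Scaled Manhattan distance: mean deviation in units of MAD."""
    return mean(abs(x - m) / d for x, m, d in zip(vec, tpl["mu"], tpl["mad"]))

def verify(tpl, vec, threshold=3.0, alpha=0.0):
    """Accept when score <= threshold. With alpha > 0 an accepted sample is
    blended into the template; rejected samples never change it."""
    ok = score(tpl, vec) <= threshold
    if ok and alpha:
        tpl["mu"] = [(1 - alpha) * m + alpha * x for m, x in zip(tpl["mu"], vec)]
    return ok

def sample(scale, jitter=0.0):
    """Constructed keystroke events for a 4-key password (not real captures)."""
    t, events = 0.0, []
    for key, (hold, gap) in enumerate([(100, 150), (90, 130), (110, 170), (95, 0)]):
        hold, gap = hold * scale + jitter, gap * scale + jitter
        events.append((key, t, t + hold))
        t += hold + gap
    return events

def simulate(alpha, logins=30, drift=0.99):
    """User gets 1% faster per login; returns accept/reject for each login."""
    tpl = enroll([features(sample(1.0, j)) for j in (-4.0, 0.0, 4.0)])
    return [verify(tpl, features(sample(drift ** n)), alpha=alpha)
            for n in range(1, logins + 1)]

if __name__ == "__main__":
    print("fixed template:   ", simulate(alpha=0.0).index(False) + 1, "= first rejected login")
    print("evolving template:", all(simulate(alpha=0.2)), "= all 30 accepted")
```

Updating only on accepted samples keeps a rejected attempt from shifting the template, but any accepted sample does move it, so the blend factor bounds how fast the stored profile can drift in either direction.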

  11. Sharing Secrets by NetSettler · · Score: 4, Funny

    So now it makes a difference if...

    Yeah, not only that, but imagine when you've forgotten something important and you call home to talk to your spouse to get it.

    Spouse: What's your password?
    You: It's "My name is my passport."
    Spouse: That whole thing? That's a lot of letters. Ok, I'm typing it.
    You: Are you in?
    Spouse: Nope. It says I'm not typing it right. How do you type it?
    You: Huh? Oh, right. I forgot. Lean heavy on the first n and the two y's. And pause slightly after every other space.
    Spouse: It's still not working.
    You: Did I mention that I'm slow to reach a y and then slow again for whatever character follows? It's quite a reach.
    Spouse: Ok, I'll try. Nope. Not working.
    You: Oh, right. And try to type it at 80 words per minute.
    Spouse: I only type 20.
    You: Never mind. I'll drive home and get the info. It'll be faster.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

    1. Re:Sharing Secrets by Anonymous Coward · · Score: 4, Insightful

      Never, EVER, give your wife your password! What the heck are you smoking?!?!

    2. Re:Sharing Secrets by MrNaz · · Score: 3, Funny

      No, it's being on /. the concept of "wife" is not understood. The only time /. has contact with wives is mail order brides, and believe you me, you do not want to give them your banking details*.

      * No, I'm not speaking from experience.

      --
      I hate printers.
  12. Some added security, but not much by quantaman · · Score: 4, Interesting

    From the article:

    "You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."

    Ahh, so really all they've really done is increased the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not nearly as tough as the password, especially since no one expects it to be used) or they keep making occasional tries at logging in with the correct password until you find their cadence (probably not that hard).

    Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags, chances are there will be so many false positives that no one will bother to follow up.

    --
    I stole this Sig
  13. +1 Clippy of awareness by Scrameustache · · Score: 5, Funny

    Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.

    You appear to have a hangover,
    while you were drunk, I intercepted the email you wrote to
    • the girl from the office
    would you like to read it again before it is sent?

    [No] [Ignore] [Cancel]
    --

    You can't take the sky from me...

  14. It has been done before. by wireloose · · Score: 3, Interesting
    In fact, research and methods have been done for years. There have also been some systems developed as a result. A partial listing of research:


    1977, Rome:
    G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).


    1980, Rand:
    R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corporation (1980).


    1990, Gupta:
    R. Joyce and G. Gupta, "Identity Authentication Based on Keystroke Latencies," Communications of the ACM 33:2 (1990), 168-176.


    1995, IBM:
    http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel3/3531/10615/00491588.pdf?tp=&arnumber=491588&isnumber=10615


    1999, ATT:
    http://avirubin.com/fgcs.pdf


    2005, MIMOS:
    http://digital.ni.com/worldwide/singapore.nsf/web/all/ACCD272C9FEF487D8625703D005562A0