Slashdot Mirror


Identify and Verify Users Based on How They Type

LinucksGirl writes to share an IBM DeveloperWorks article that shows how to support user verification through keystroke-dynamics processing by modifying the GNOME Display Manager (GDM). You can create and store a one-way encrypted hash of your keystroke patterns when entering your user name. The article shows how to add code to GDM to read current keystroke patterns and permit a user to log in when the characteristics are a match. An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.

196 comments

  1. not gonna work by superwiz · · Score: 5, Insightful

    Well, it might work if they allow for a rather broad variation in the frequency of mistakes. But personally, I make many more typos depending on how tired I am and how much caffeine I've had lately. I would assume that others do too. So when I am well-rested I might appear to be a completely different person from when I am even slightly tired.

    --
    Any guest worker system is indistinguishable from indentured servitude.
    1. Re:not gonna work by RobBebop · · Score: 3, Insightful

      Given the repetition required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.

      I can type my typical "lastname/firstinitial" login name in about a third of a second. I can type my "firstname.lastname" in about half a second.

      Given 5 minutes of practice with my name, you would probably be able to impersonate me - but as long as this system doesn't lock me out from my own account, this is a successful barrier that will make it harder for you to get into my system.

      Then again... having a password that is hard to hack and running an operating system that is not easily hackable are stronger barriers that protect me from your infiltrations...

      --
      Support the 30 Hour Work Week!!!
    2. Re:not gonna work by moderatorrater · · Score: 5, Interesting

      Plus, for me, this will only work if they test it against another login with the same username and password. The rhythm and speed of my typing in a username depends on which one it is, and the same goes for the password.

      However, within the bounds of an identical username/password combination, I would imagine that it would work well for me. The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand? I imagine the usefulness of this technology is in merely logging the "signature" pattern rather than locking someone else based on it. Bruce Schneier has the basic arguments and a much better analysis than I could produce.

    3. Re:not gonna work by OneTweezyStyle · · Score: 1

      I feel that the idea has some merit. It has occurred to me on a few separate occasions that the pattern of my keystrokes when entering passwords is highly consistent after a brief period of acclimation to the new password. I could easily see the pattern of keystrokes being used as an additional verification factor. Much as with other forms of verification having a biological basis, I can foresee a few potential issues (e.g. the voice recognition system at my firm doesn't recognize me when I have a "cowde"). For example, what happens when I get a new keyboard, or log in from a terminal with a different keyboard?

    4. Re:not gonna work by TubeSteak · · Score: 3, Interesting

      Given the repetition required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.

      Never IM'ed or IRC'ed with a drunk person, have you?

      On the upside, no more embarrassing drunken e-mails to come back and bite you!
      --
      [Fuck Beta]
      o0t!
    5. Re:not gonna work by TubeSteak · · Score: 1

      The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand?

      Treat your user account like it has a hidden volume.

      Your 'signature' password gives you full access to the account. Your password gives you basic access to the account, with the option of another password to unlock full access to your files and settings.
      --
      [Fuck Beta]
      o0t!
    6. Re:not gonna work by SharpFang · · Score: 2, Interesting

      I wouldn't be surprised if it produced fewer false negatives than a standard login/password pair. By false negatives I mean typos in username/password.

      I mean, I don't know about you but I make typing mistakes at my login and password about as often as not, though I type them always in a consistent rhythm. The system could very neatly ignore the typos resulting from pressing a neighbor key or even typing with your hand a whole line of keys away, meaning you got half of what you typed wrong. "Timing is right, he pressed 'o' instead of 'p', we can accept it."

      It should not replace password-based authentication but it can neatly supplement it - you either type your password 100% correctly (say, with one hand, holding earphone in the other so the "rhythm" is none), or you type it fast, you make a mistake, but the way you type it, and the kind of mistake says it's you and the password gets accepted.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    7. Re:not gonna work by denmarkw00t · · Score: 1

      The rhythm and speed of my typing in a username depends on which one it is, and the same goes for the password.

      I would think the system had some kind of "learning" ability, where it would authenticate you normally via your user:pass pair, and collect data about your typing habits. Once it had x data or was in a "trained" state, it should be able to recognize your rhythm and know which user you're logging in as based on the letters you start typing.

    8. Re:not gonna work by Jurily · · Score: 2, Interesting

      You get that with a well-formed password too. I can't type mine drunk, ever.

      BTW, there's really nothing more easy/secure than a password. You even get to choose which end of a spectrum you want.
      I never cease to be amazed at the lengths people go to make something better...

      The big question is, would you trust a GNOME developer to distinguish you from your sister if you can't be bothered to make up a password she can't guess? Never mind more serious issues.

    9. Re:not gonna work by linRicky · · Score: 0

      And how would you factor in people improving on their typing skill over time?

    10. Re:not gonna work by WaltBusterkeys · · Score: 2, Insightful

      Or first thing in the morning after getting into work on a cold wintery day. Frozen fingers do not type well.

    11. Re:not gonna work by djdbass · · Score: 1

      My bank has had this for a few months now.
      You're right. It doesn't work.
      Ultimately the false negative rate is so high [leads to] so many people get their password revoked [leads to] so they make resetting your password a "self service" feature with "Choose your own questions..." authentication.

      Then the users make their questions along the lines of: "What color is blue?"

    12. Re:not gonna work by cheesedog · · Score: 1

      It works better than you'd imagine. See, for example, http://alenpeacock.flud.org/2/personal/CourseWork/cs572

    13. Re:not gonna work by Z34107 · · Score: 4, Interesting

      There are characteristics in common with everything "normal" you type - for example, Mavis Beacon Teaches Typing(tm) back in the Glory Days of Windows 3.11 could tell me that my 4th finger on my left hand is weak - making a lot of typos on the "w", you see. It was nifty looking at the profiles of every user in that program for little tidbits like that, and logging onto my brother's profile and laughing as it commented how much he had "improved."

      But... do those things apply when typing a password? The whole consistent rhythm and speed thing? Or maybe that makes it easier.

      Perhaps a better solution would be to emulate voice recognition - train the security software to recognize your typing, and have it watch you as you're logged in. Just as you can train voice recognition to work with multiple speakers, you could train the security software to recognize "sober me", "drunk me", "caffeinated me", etc. (And not let "drunk me" send e-mail, and maybe schedule my development IDE processes at a higher priority for "caffeinated me", etc.)

      --
      DATABASE WOW WOW
    14. Re:not gonna work by Anonymous Coward · · Score: 0

      Judging by the comments, it sounds like most people don't have their passwords set to expire.
      So does anyone actually remember what happens after your grace period and you're forced to change a password? Yes - you spend a minute figuring out something you'll remember that complies with your password requisites, then you have to key it in.

      The first time you learn any phrase (like a new password), entry is always different than it will be a week down the track once you've had a chance to get the repetition into your system.

      That's why I couldn't see this working in a corporate environment - we get enough phone calls as it is saying "I've forgot my password", let alone "I've forgotten the keystroke pattern that was used when I set up my password".
      Although - credit where it's worth - it is a pretty cool idea.

    15. Re:not gonna work by SatanicPuppy · · Score: 1

      That doesn't even apply to "conscious" differences. If I'm talking on the phone and typing in my password with my left hand (which will take a bit because I'll have to do the pinky-thumb shift dance to do the special characters), it's going to lock me out because I don't type like me?

      The only use I see for this is for an amusing/ironic plot twist in a Hollywood movie, where someone gets killed because he can't type in the password like he would normally type it in due to some contrived stress situation.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    16. Re:not gonna work by hedwards · · Score: 1

      Quite so, and this sort of thing would make it quite difficult for those with arthritis or other joint problems to log in.

      And it would require that the keyboard be placed in a consistent manner, that the box not be under considerable load as well as for the person to touch type their log in information.

    17. Re:not gonna work by hvm2hvm · · Score: 1

      i think it's completely useless because the patterns won't match all the time. that's the whole idea of user+pass: to verify your identity based on something that is in your head not on something physical. on the other hand it could be useful to tell you if someone else logged on and didn't have the same writing pattern you do. i would use that but i don't think it's reliable for authentication (except for those that want to brag to others about how linux is so great and all).

      --
      ics
    18. Re:not gonna work by pcgc1xn · · Score: 4, Insightful

      One thing which will kill it for sure is using a different keyboard.

      Desktop to laptop - *slightly* different keyboard layout.
      Different laptops - possibly different
      US keyboard to English keyboard - hope your passphrase doesn't have any special characters or punctuation.
      Any other language keyboard - those things are bad enough to type on at all, but trying to get your timing right? Forget it. If you have never had the joy of meeting one, as well as many of the punctuation keys being in different places, a few of the letters are as well. Just a few mind you, just enough so you fall back into touch typing and look back and find that all of your w's are actually z's.

      Some of these problems are probably not too bad for logging into Gnome, but the idea is basically limited to anything where you are physically in front of the machine you are logging into, and the input device is the same every time. If you are going to limit it to that, then requiring a webcam and doing image recognition is probably easier on both sides.

      And all you need is a slightly cleverer key logger to defeat it - instead of recording the keystrokes in order, you need to record the keystrokes and time.

      Good to see people thinking about how to improve on passwords though.

    19. Re:not gonna work by Anonymous Coward · · Score: 0

      I have multiple personality disorder you insensitive clod!

    20. Re:not gonna work by sochdot · · Score: 1

      I think this could work if the idea is exaggerated out to recognize deliberate rhythms. So your username or password are not just checked for characters but also for the time gaps between entering them. So even if my password was a weak dictionary string, it would also have to be entered to the rhythm and pace of Für Elise, as played by me.

      --
      If at first you don't succeed, destroy all evidence that you tried.
    21. Re:not gonna work by Anonymous Coward · · Score: 0

      Then you have that many more accounts to try before you are locked out. The rest of us should be so lucky.

    22. Re:not gonna work by dookiesan · · Score: 1

      If you type in a password very often for years you might forget what it is. Especially if it's some gibberish "strong" password. Something like this happened to me with an AIM account. One day I just lost it and if I thought about what the password was I must have consistently gotten the capitalization wrong--I couldn't log in anymore.

      I used to type my PIN in very fast at the grocery store. I would click the keys based on their position on the digit pad rather than consciously looking at the numbers. After I got stuck one day I realized that I had nearly forgotten the numbers themselves.

    23. Re:not gonna work by xx_toran_xx · · Score: 1

      Send this email, HAL.
      I don't think you want to do that, Dave.

      --
      Arrrrrrr
    24. Re:not gonna work by DKlineburg · · Score: 1

      I know what you mean, try typing a pin number in if the keypad is upside down. i.e. a phone keypad versus a computer one. For logging into things online, I'm used to the computer version. But for my voicemail, I use the phone. I have a hard time remembering my voicemail on a computer keypad. I can't remember what I was doing that I noticed the difference (it wasn't voicemail) but it was based on a phone versus a keyboard.

      --
      Memory is deceptive because it is colored by today's events. - Albert Einstein
    25. Re:not gonna work by DKlineburg · · Score: 1

      I'm not sure, I find that I type my password with same "speed up in sections" that you find when you type regularly. Now, that is based that I never look at the keyboard, and I type from touch. My password is also strong IMHO, it is over 6 chars long, has upper lower case, numbers, and symbols. I have been using it close to 3 months, so am about to change. But I find after the first week or so, I will start typing it in rhythm. If you are typing something that requires you to switch back and forth on the keyboard (s.w..i..t..c..h) you will probably hit the keys on the same side faster. Small words also come out faster for most people who use touch typing. Double letters will be hit fast, and there are numerous other things that happen if you really think about it.

      This would be terrible for people like my father. He uses two fingers (refuses to change) and can't spell to save his life. There is no way a hunt and peck person could use this and be ok. I guess the end result, if you're a security freak like me who makes sure his password is longer than 6 chars, numbers, symbols, and letters using touch typing it might be fun. If you're like my dad who uses two fingers and (I hate to admit, cause I don't know) probably has his password taped to the bottom of his keyboard it wouldn't work. Just my 2cp.

      --
      Memory is deceptive because it is colored by today's events. - Albert Einstein
    26. Re:not gonna work by instarx · · Score: 1

      Well, it might work if they allow for a rather broad variation in the frequency of mistakes. But personally, I make many more typos depending on how tired I am and how much caffeine I've had lately. I would assume that others do too. So when I am well-rested I might appear to be a completely different person from when I am even slightly tired.
      Just as friends can recognize you no matter what clothes you have on, caffeine isn't going to change your basic key-stroke patterns in ways that will lock you out.

      This is old stuff. During WWII the keystrokes of operatives sending Morse were often analyzed to determine if the person sending was the right person. It was essentially impossible to fake it. That is why security agencies on both sides put so much effort into "turning" agents - no one could impersonate the agent's key-touch so the real person had to be coerced into sending false information. Even telegraphers in the 1800's could tell who was on the other end of the line by their style. Even though analyzing computer keystrokes in a short phrase by key-timing alone might increase the difficulty (Morse code has the additional characteristic of force), so too have analytical capabilities increased.
    27. Re:not gonna work by Anonymous Coward · · Score: 0

      I can type my "firstname.lastname" in about half a second.


      Unless your name is something like Foo Bar, you can't type your entire name in about 500 ms. No way.
    28. Re:not gonna work by crazed+gremlin · · Score: 1

      Recently I cut my left index finger with a linoleum cutter. This severely changed my typing patterns; I had to learn how to type without that finger. Now it's all better, but I wouldn't have been able to log in for a month if this was configured on my computer.

    29. Re:not gonna work by Bozzio · · Score: 1

      Personally, I'm happy with the 100% accurate or nothing system.
      Do you really want somebody to video tape your typing and then easily get in to your account?
      I know with a video tape, even though some keys might be hidden, they'll eventually get in... but the system you're suggesting would let them in immediately.

      --
      I just pooped your party.
    30. Re:not gonna work by SharpFang · · Score: 1

      Oh, no, not at all.

      With videotape they could write down the key sequence, they might even write down the typing rhythm, but then they'd either need a pretty difficult to make device to plug in instead of the keyboard and replay the sequence (at least quite a bit more difficult than a plain keylogger plug which they could use instead), or hours of training to get the human to replay the keys at exactly the same rhythm as I did.

      The idea is not 'ignore typos'. The idea is 'ignore typos if timing is perfect'. The camera may record the timing but replaying it will NOT be easy.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    31. Re:not gonna work by Bozzio · · Score: 1

      bogus.

      There are already hardware keyloggers that you plug in between the keyboard and computer. Why not a keytyper?
      If you have a video tape of a 10 character password, it would take any human less than 10 minutes to get the exact rhythm of the typing (down to the resolution of the camera's frame rate).
      After that, it's just a matter of writing a simple script. You could even have fun making it 'accidentally' hit the wrong keys.

      yes, these are optimal conditions for the hacker, but not unrealistic. Think of university labs.

      --
      I just pooped your party.
    32. Re:not gonna work by SharpFang · · Score: 1

      The keyloggers would then just log the correct password and be done with it, rhythm be damned. As I said - type the -right- password at the right rhythm and you're in.

      If you can't assure physical security of the machine, you don't have -any- security.

      As for repeating the rhythm - you can train it, and it might take 10-15 minutes maybe, unless you're locked out for 5 minutes after each 3 wrong attempts. That's a pretty standard feature.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    33. Re:not gonna work by Hoi+Polloi · · Score: 1

      Will it lock me out for those times when I mash the keyboard after writing "lust" instead of "list" for the umpteenth time? Don't get me started on Freudian slips either.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  2. Really? by Anonymous Coward · · Score: 0

    An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.

    Something like a password that you've typed hundreds of times probably has a more regular pattern than you think, unless you regularly get interrupted in the half second it takes for you to type it... Muscle memory, etc

    1. Re:Really? by LiquidCoooled · · Score: 1

      How do you log into your computer the day after you sprain your wrist or get a new keyboard or are laid back or have a drink in hand or are scratching your chin or .....

      --
      liqbase :: faster than paper
    2. Re:Really? by ArcherB · · Score: 2, Interesting

      Something like a password that you've typed hundreds of times probably has a more regular pattern than you think, unless you regularly get interrupted in the half second it takes for you to type it... Muscle memory, etc

      That's all fine and dandy until you break a finger, or get a hangnail or try to log in while holding a cup of coffee or any of the limitless things that can happen to slow, speed up, or change the rhythm of your typing.
      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    3. Re:Really? by farker+haiku · · Score: 1

      Or after you change your password like most of us are required to do every few months. Somehow I don't think I'll be as fast at typing in my new password for the first few weeks after I change it.

      --
      Your sig(k) has been stolen. There is a puff of smoke!
    4. Re:Really? by Anonymous Coward · · Score: 0

      Like when you one-hand login while switching from TV porn to Computer porn? Yeah. That would suck. But in that situation I wouldn't like the computer to recognize me through the webcam.

    5. Re:Really? by DKlineburg · · Score: 1

      What? You still hold a coffee cup? Get with the future, get your own personal "Coffee IV Bag". Now sold at starbucks with a subscription to their "Coffee in an IV" plan. They guarantee to have a case delivered as needed. Just pop it into the microwave for 30 seconds and strap on your arm. You'll be good to go for up to 4 hours.

      [font size=".000000009"]Rate of consumption not guaranteed. Overdose is at the user's own risk. Starbucks does not support this ad, or this idea and in no way is liable if you choose to try this at home. Batteries not included, but it does come with the kitchen sink.[/font]

      --
      Memory is deceptive because it is colored by today's events. - Albert Einstein
  3. Oww I broke a finger... by LighterShadeOfBlack · · Score: 4, Interesting

    ...And now I can't log in.

    Pass.

    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
    1. Re:Oww I broke a finger... by baudilus · · Score: 1

      Did they say the same thing about biometric authentication (e.g. fingerprints)? Besides, if you're checking /. right after you break your finger, you might want to get out of the basement more often. :P

    2. Re:Oww I broke a finger... by neumayr · · Score: 1

      So you can't imagine that breaking a finger might have some effect on your typing pattern?

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    3. Re:Oww I broke a finger... by ShieldW0lf · · Score: 2, Funny

      Biometric authentication is a far, far stupider idea than this is. Yes, not being able to log in when you're drunk is bad, but having to exchange your finger and your eyeball for a new one because someone posted a high-resolution photo of them online is much, much worse.

      --
      -1 Uncomfortable Truth
    4. Re:Oww I broke a finger... by mweather · · Score: 1

      Did they say the same thing about biometric authentication (e.g. fingerprints)?

      Do fingerprint Ids work after I accidentally buff my fingerprints off with a belt sander? No. Do retina ids work after I poke my eye out? No. Are either of these things likely? No. But an injury that would affect your typing? Very likely.
    5. Re:Oww I broke a finger... by Anonymous Coward · · Score: 0

      Yes, the security of the world has been put in major peril by all those high resolution photos of irises and fingertip that have been circulating around the Internet. Eye porn will be the death of us all!

    6. Re:Oww I broke a finger... by Haeleth · · Score: 1

      Did they say the same thing about biometric authentication (e.g. fingerprints)?
      They did indeed. Which is just one of many reasons why hardly anyone actually uses biometric authentication for anything serious...
    7. Re:Oww I broke a finger... by denmarkw00t · · Score: 2, Interesting

      To the broken finger crowd and the "few too manys": you should also note that it didn't appear to me that this feature would lock you out, to me it seemed more like it might speed up the login process while making it slightly more secure - no clicking "Login" because it "knows" it's you, and if it's someone pecking at the keyboard it could send you an alert via /var/log/yourlogofchoice for later review (or mail sms whathaveyou). Of course, I'm sure you could change the level of aggressiveness to not allow someone to login unless the differences in stroke pattern are within a small error tolerance.

    8. Re:Oww I broke a finger... by ArsonSmith · · Score: 1

      That'd be really bad if the security mechanism only relied on one of the three main identifiers. Luckily most will use at least 2.

      Hint:
      3 main security identifiers:
      1. something you are (biometric, finger print, retina scan)
      2. something you have (id card)
      3. something you know (pin or password)

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    9. Re:Oww I broke a finger... by LighterShadeOfBlack · · Score: 1

      Well breaking a finger wouldn't stop you getting the fingerprint generally speaking. Even if it did you'd have up to nine others to pick from with any decent system.

      If you manage to incapacitate all ten fingers in such a way that you can't get a print scan off any of them maybe that's a good warning to your boss that you need a competency review. Or at least a holiday until something heals.

      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
    10. Re:Oww I broke a finger... by drspliff · · Score: 1

      Yeah, anything serious - like the UK national ID scheme they're trying to push through which apparently will rely heavily on "biometric data" in future.

    11. Re:Oww I broke a finger... by ShieldW0lf · · Score: 1

      Yes, the security of the world has been put in major peril by all those high resolution photos of irises and fingertip that have been circulating around the Internet. Eye porn will be the death of us all!

      http://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated/

      He sure seemed to think it was a big deal. Wonder how anxious he will be to create pervasive biometric requirements now.

      --
      -1 Uncomfortable Truth
    12. Re:Oww I broke a finger... by mweather · · Score: 1

      Biometric data /= biometric authentication. If you're horribly disfigured in an accident, they can still access your data and change it. Not so if the only way to access it was with biometric data.

    13. Re:Oww I broke a finger... by Thuktun · · Score: 1

      This is one of those +1 Funny ones that really should be +1 Insightful.

    14. Re:Oww I broke a finger... by Anonymous Coward · · Score: 0

      Fortunately, after all the recent data losses by the UK government, they're NEVER going to get biometric IDs past the voters. Even the really stupid ones who have been utterly sucked into the terrorism hype are against them now.

    15. Re:Oww I broke a finger... by zippthorne · · Score: 1

      (1) is really a subset of (2)

      A subset with one limitation: changing it is very difficult.

      Security is very simple in its needs (though it can certainly get complicated in implementation).

      All you need is (3) "something you know". period. If it's not secure enough, you can make it longer.

      Now, if you're talking about a multi-user environment, you need to segregate people's areas of access, or at the very least log their activity so if the nutrient rich plant feed hits the fan, you at least know who to blame. That's where (1/2) "Something you are" (user name) comes in handy.

      But you don't actually need a separate user name: your password hash could be your user name. It's just convenient to have plaintext names because it's easier to grant and remove access to at least vaguely pronounceable, easy-to-remember names.

      --
      Can you be Even More Awesome?!
    16. Re:Oww I broke a finger... by shawn(at)fsu · · Score: 2, Informative

      3 alone doesn't protect from shoulder surfing. While someone can look at my eye all day it's going to be difficult for most people to get my retina scan. 1, while it is a subset of 2, is supposed to be something you can't accidentally misplace, or more importantly it's supposed to be something some nefarious person can't take from you. I agree with GP you need all three.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    17. Re:Oww I broke a finger... by SpydeZ · · Score: 2, Interesting

      Same thing would happen to a dvorak-layout typist when confronted by a qwerty keyboard.

      The Windows installs at work default to qwerty on start up but will stay in dvorak if all I do is just lock the screen. When I reboot, I usually botch my password a few times before I realize what's wrong and switch to hunt 'n' pecking...

      My qwerty-induced typing is way different from my normal touch typing...

    18. Re:Oww I broke a finger... by tech_guru5182 · · Score: 1

      I'm in NDMS. When we were going through our latest round of security checks, there was an interesting story from a surgeon on one of the other teams. It seems he had scrubbed in so many times that he didn't have any fingerprints to take that would pass the requirements.

      --
      BAN BPL! Keep the radio spectrum free fro
    19. Re:Oww I broke a finger... by tech_guru5182 · · Score: 1

      I know what you mean. I leave the IME in the wrong mode all the time. (most sites reject full width ascii passwords when the original was half width)

      --
      BAN BPL! Keep the radio spectrum free fro
    20. Re:Oww I broke a finger... by zippthorne · · Score: 1

      If you learn to touch type, you pretty much eliminate the threat of shoulder surfing (except from well-positioned cameras, but your company should be worrying about that, not you).

      More importantly, it is absurd to think that someone can't take your biometric bits from you. In fact, there's no bit of you that can't be removed with a sharp enough knife.* If you were in such a situation, wouldn't it be better to be able to just tell them your password (or your "distress code" password), rather than force them to cut things you'd rather not have cut?

      *ok, it would probably be difficult to remove dental impressions in a way that would be portable with just a sharp knife. But would you really want to have to bite into an authenticator every time you walked away from your computer for five minutes?

      --
      Can you be Even More Awesome?!
  4. Obvious issue by Gat0r30y · · Score: 2, Funny

    How am I supposed to log in after a few too many? Wait, maybe that's not an issue after all, maybe it's a feature.

    --
    Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
    1. Re:Obvious issue by Anonymous Coward · · Score: 0

      May I humbly suggest that "Hell hath no fury like the vast robot armIES of a woman scornED?"

    2. Re:Obvious issue by baudilus · · Score: 4, Funny

      I'd be much happier if Blackberries had Breathalyzers before they allow people to email me at 2 AM. Good grief!

    3. Re:Obvious issue by healyp · · Score: 1

      Perhaps breathalyzer authentication would be a better idea.

  5. That's OK by treeves · · Score: 4, Insightful

    My guess is that your inconsistency is part of what distinguishes you from other typists and the software uses that information to its advantage. Other people are more consistent, less consistent, inconsistent in different ways. I know I type with about four fingers: my left index finger, my right index and middle fingers, and my right thumb, and I also know I tend to make certain typos more often than others. I suspect that those things contribute to the distinct pattern in my typing that could be identified. Still, I'm sure I would not want to use such a scheme for identity verification.

    --
    ...the future crusty old bastards are already drinking the Kool-Aid.
    1. Re:That's OK by Anonymous Coward · · Score: 0

      What??? You mean you surf /. and can't touch type! Next you'll be telling us you have one of these "girlfriend" things.

    2. Re:That's OK by Hrodvitnir · · Score: 1

      The school district I work for uses similar technology to verify all staff members. The software gathers up typing method from 9 entries of username and password, and allows for a percentage match - which we currently have set at the recommended 37%. We have a small percentage of users that have trouble logging in due to inconsistencies. For these users we recommend they slow down and consciously pick a rhythm for typing their username and password. For those with medical issues, we have a system in place to adjust the match percentage or turn it off altogether.

      Once in awhile we have an issue with new fingernails, though...

      --
      "There are more important things than stopping terrorism. Upholding the Constitution is one of them." - Ars Forumer.
    3. Re:That's OK by Anonymous Coward · · Score: 0

      This could be useful as a shortcut for password based authentication. If the software detects that it's "you" typing your username, you're automatically logged in, otherwise you have to enter your password as usual to log in.

      Of course, if an attacker can determine your unique typing pattern, they could log in without your password. You could do this by, for example, secretly making an audio recording as the user types their username and using the inter-keystroke timing information to recreate their typing signature. Or, more cleverly, if you're on a multiuser system you could poll /proc/interrupts, monitoring the keyboard interrupt to determine when someone has pressed a key, and then quite easily reproduce their typing pattern.

    4. Re:That's OK by Friday · · Score: 1

      My guess is that your inconsistency is part of what distinguishes you from other typists

      So in other words, as long as I'm consistent in my inconsistency I'm good to go.
    5. Re:That's OK by Just+Some+Guy · · Score: 1

      I know I type with about four fingers: my left index finger, my right index and middle fingers, and my right thumb, and I also know I tend to make certain typos more often than others.

      So, Vim. Right?

      --
      Dewey, what part of this looks like authorities should be involved?
  6. Check more often? by baudilus · · Score: 1

    While they're at it, they should have the software periodically verify that whoever is typing on the system is (or could be) the same person that is logged in.

    But then again, how would I prank people at work when they leave their systems unlocked?

  7. inconsistent by flynt · · Score: 3, Informative

    An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.

    That's precisely what some statistical methods are designed to do, find patterns about the inconsistencies. I haven't read this proposal, so can't comment more, but 'learning' in the presence of variation is basically what modern statistics is all about.

    1. Re:inconsistent by Anonymous Coward · · Score: 1, Interesting

      I used to work as a developer at Netnanny Software, who produced Biopassword (Now Biopassword, LLC).

      I worked on a port from the windows system, using the MS GINA, to develop a plain input-agnostic library that you could plug X/GNOME/KDE/whatever into using Linux, with the aim of making it portable across all platforms.

      Believe me when I say that keystroke dynamics really does work. The first iterations of the BioPassword product were "OK", but really were limited in the sense that when a user enrolled, their typing template was based on a static number of entries (normally 15), so the data set was limited by the fact that those 15 entries can vary quite significantly. It also did not learn over time about how the user entered their username/password combo. (the reason this is important is that after a couple of weeks, you no longer think about your password, it is a physical "memory" that your fingers type for you).

      Later iterations created several "buckets" (low/med/high) that an enrollment sample went into, and you kept entering the u/p combo until enough of a particular bucket had been filled enough, compared to the other buckets. This made it much more reliable, and although I was able to "break" the first iteration about 1 out of every 20 times after listening to the person enroll, I never once was able to break it after the new categorization system.

      The real beauty of it is that it works for "hunt and peckers", as well as touch/speed typers. Each person has a unique way of typing a particular username and password combination, and the concept is very simple, really, with at its core, is the timing of the "flight time" (time between keypresses) and "landing time" (time that a key is held for), in microseconds.

      As with any biometric, there needs to be an "override" or backdoor that can be overridden by an administrator or even yourself. That's why even the fingerprint readers don't completely commit to being biometric only (although some you can set it to only use fingerprints). Actually, the IBM fingerprint software I'm using basically ends up typing in your username/password FOR YOU to the MS GINA.

      The override is useful in times when you've broken your hand, fingers, are drunk, or whatnot. For a local user on your own home PC the latter would be nice to override, but at work, it might actually be a useful "mental state" indicator. Speaking of which, we often found that typing rhythms changed throughout the day. Monday mornings were slower than Thursday afternoons, for example, and could trip a false negative.

      Which also reminds me that the threshold for accuracy was adjustable as well by the administrator, so there was some measure of control over how mean you wanted to be.

      It was really fun and interesting work. I have often thought of developing a FOSS version for the world to use, but I fear repercussions from litigation for the fact that I was so intimately involved with the innards of it.

      I would definitely recommend downloading a demo (they used to have one available, don't know if that's still the case now), and trying it out - it's fascinating, since it's one of those things you need to see to believe.

      -Matt

  8. This concept is about 3 years old if IIRC by DRAGONWEEZEL · · Score: 2, Insightful

    Maybe not w/ gnome, but I remember a Slashdot article about this a few years back. One thing to note, while some people might be irregular, almost anyone who keys in a UID every day will have some sort of "pattern" to the time between keystrokes.

    Typematic rate lol....

    It's really interesting to see what the differences are between key presses when recording a macro w/ a G15. (if you have this awesome keyboard, and don't know what I am talking about try it out!) I have done this cause I am weird... but you could try too!

    If you record a significant count of you typing in a UID and PW on a given site (that you use frequently) you will find a unique structure to the timing of the keystrokes. While the G15 doesn't go to the # of digits needed for secure authorization, it can show you that there is little variance over a large number of true trials.

    --
    How much is your data worth? Back it up now.
    1. Re:This concept is about 3 years old if IIRC by jellomizer · · Score: 2, Interesting

      Older than that...
      I thought about it when I was a kid running my own BBS. The old BBS software had a realtime display of what the person is typing so I could normally tell if it is someone who is the original user or someone using someone else's account. I thought about making a program that checks the time between keystrokes and gives them a level of error, as extra security... but I decided not to do it, for the main reasons: someone may have something in their hands that day, or be a bit tired or hyper. Also a lot of people had the passwords as key macros, so it was just kinda not worth the work and any frustration on the users' part.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:This concept is about 3 years old if IIRC by Kelson · · Score: 1

      Yeah, I submitted a similar story to Slashdot about a year ago, and as others have pointed out it goes back at least as far as WW2 and morse code operators.

    3. Re:This concept is about 3 years old if IIRC by Veinor · · Score: 1

      It's about 3 years old if if you recall correctly?

    4. Re:This concept is about 3 years old if IIRC by DKlineburg · · Score: 1

      This concept is about 3 years old if IIRC
      "If IIRC" am I missing something or did you say "if" twice?
      --
      Memory is deceptive because it is colored by today's events. - Albert Einstein
    5. Re:This concept is about 3 years old if IIRC by Anonymous Coward · · Score: 0

      There's a company called BioPassword that has a similar commercial product, and Slashdot covered it a while ago. Might be what you're thinking of.

    6. Re:This concept is about 3 years old if IIRC by DRAGONWEEZEL · · Score: 1

      You're missing that it was supposed to be an exclusive if.

      j/k.

      ty for the correction, I never preview.

      --
      How much is your data worth? Back it up now.
  9. Insensitive Clods!!! by explosivejared · · Score: 2, Funny

    I don't know HOW to type!!

    --
    I got a catholic block.
    1. Re:Insensitive Clods!!! by CaptainPatent · · Score: 1

      I don't know HOW to type!!

      But that's the great part, it recognizes that pattern too...

      Just stare at your keyboard and BAM! you're logged on!
      --
      Well, back to rejecting software patent applications.
  10. Whoa! by Anonymous Coward · · Score: 0

    I stopped reading at LinucksGirl. Be still my heart!

  11. CTRL-ALT-DEL by c0d3r · · Score: 2, Funny

    Dang, I still find it hard to press the C-T-R-L-A-L-T-D-E-L keys at the same time before entering my password on windows.

    1. Re:CTRL-ALT-DEL by DRAGONWEEZEL · · Score: 0

      That's why it's called the 3 finger salute!

      My friend has a song sung to the tune of camptown races.

      Ctrl-Alt-Delete format reinstall do dah do dah

      Throw your data out the door do dah do dah

      I don't remember the rest but it's pretty funny.

      --
      How much is your data worth? Back it up now.
    2. Re:CTRL-ALT-DEL by wattrlz · · Score: 1
      Luckily TFA only mentions implementation in gnome, then.

      Ever thought about getting one of these?

    3. Re:CTRL-ALT-DEL by wiremind · · Score: 1

      hahaha.

      For those not getting this joke, it's in reference to an article on The Daily WTF:
      The Sage - http://thedailywtf.com/Articles/The-Sage.aspx

    4. Re:CTRL-ALT-DEL by pavon · · Score: 1

      If you think it's hard now, just imagine what we had to do before USB keyboards. How the heck am I supposed to press three L keys and two T keys with a single PS2 port? Thank Hubbard for network terminals.

  12. Dvorak + Qwerty users?! by Anonymous Coward · · Score: 0

    What happens if we don't even type on the same keyboard layout all the time? I'd love to see what that software would do!

    1. Re:Dvorak + Qwerty users?! by Homer's+Donuts · · Score: 1

      Dvorak? What happens when I replace this $3.99 Inland keyboard I'm using. You have to hammer the left shift to get caps and the '2' you have to hit twice to make one '2'. Here watch... 11222@@@@@@@22233### @@ asDF Hey this cable is loo

  13. I think this may have been the paper /. discussed by DRAGONWEEZEL · · Score: 1
    --
    How much is your data worth? Back it up now.
  14. Prevent those mistakes by Beavertank · · Score: 1

    If you set it to verify loosely enough that it'll ignore subtle variations it could work, but think of the applications to preventing embarrassment... no more drunk IMs or emails that you really shouldn't send since it won't even let you log in.

  15. sure, this can work... by zappepcs · · Score: 1

    Why not add a signature verification pad to the pc as well? If you can type the right way and reasonably falsify a signature you can login and go to /. to read all about it....

  16. already works by Anonymous Coward · · Score: 0
  17. Would be nice as a supplement, however by Thought1 · · Score: 2, Insightful

    It wouldn't be good as a primary means of validation (for the reasons listed in prior comments), but it would be good as a supplemental validation, giving a "higher likelihood" that the person is who they say they are.

    1. Re:Would be nice as a supplement, however by wattrlz · · Score: 1

      It would certainly be better than answering all those stupid questions when trying to view your checking account balance online.

  18. Privacy implications by megaditto · · Score: 1

    What would this program think if it detected you periodically typing with just one hand?

    --
    Obama likes poor people so much, he wants to make more of them.
    1. Re:Privacy implications by baudilus · · Score: 1

      Then Clippy pops up.

      Hi! It looks like your finger is broken! Would you like help filling out your insurance claim?

      |Yes| |No|

    2. Re:Privacy implications by Anonymous Coward · · Score: 0

      /    It looks like you are surfing porn     \
      | sites. Would you like help  getting laid? |
      \ (Yes) (No)          (Maybe later)         /
           \
            \
             \     ____
              \   / __ \
               \  O|  |O|
                  ||  | |
                  ||  | |
                  ||    |
                   |___/
      --
      cpu0: Microsoft Clippium ("GenuineClippy" ChromedMetal-Class). Paperbinding, lockpicking, fish-hook-hack support. Template lifted from http://slashdot.org/~ClippySay

    3. Re:Privacy implications by thePowerOfGrayskull · · Score: 1

      Then Clippy pops up. Hi! It looks like your finger is broken! Would you like help filling out your insurance claim? |Yes| |No|

      I think you have it wrong. After a minute or two of such typing:

      "Hi! It looks like this is becoming detrimental to your performance. Would you like me to order you some Vaseline to help speed up the process next time?"
  19. Don't prank gnome users by megaditto · · Score: 1

    Having smelly feet all over their desktop is punishment enough...

    --
    Obama likes poor people so much, he wants to make more of them.
  20. It'll never work by amplt1337 · · Score: 4, Funny

    How on God's green earth am I going to write down my keystroke patterns on a sticky note on my monitor???

    --
    Freedom isn't free; its price is the well-being of others.
    1. Re:It'll never work by Anonymous Coward · · Score: 0

      Ask the researchers in the other story about recording the finger movements of a clarinet player as a method of storing the music. Brilliant!

    2. Re:It'll never work by skybrian · · Score: 1

      No, the real question is: how do you propose we keep our keystroke patterns a secret from someone who wants to record them? Do we have to refuse to use keyboards in public terminals now?

      Your penalty is to type this fifty times:

      Biometrics are unique identifiers, but they are not secrets.

  21. All Cell phones , Not just the BBs by DRAGONWEEZEL · · Score: 3, Funny

    Please, drunk dialing should be a civil infraction penalized in this manner

    for each # called...

    1st offense:
            A stern warning.
    2nd offense:
            $250 restitution to the victim, 1 months probation
    3rd offense:
            Death.

    --
    How much is your data worth? Back it up now.
    1. Re:All Cell phones , Not just the BBs by Actually,+I+do+RTFA · · Score: 1

      Please, drunk dialing should be a civil infraction penalized in this manner

      99% of the time, the drunk call (and its social aftermath) is punishment enough. I want to protect myself, not the people in my speed dial.

      --
      Your ad here. Ask me how!
  22. I bet someone has this patented by Anonymous Coward · · Score: 0

    .. but yeah.. there are so many issues.. What about signing in via a mobile device or a keyboard you're not used to? What about copy/pasting your password? (I do that sometimes..) It's a neat idea but it will fail.

  23. You might think, but... by denmarkw00t · · Score: 1

    "An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work."

    I think this could be along the lines of identifying someone's signature, granted there is more detail in handwriting. However, we all have a very specific expectation of how the keys are going to type, we have our rhythm of how we're going to type it in time with the way we mentally chunk out login information. I would think that any habitual computer user can type their username/password in their sleep exactly the same as they would at a terminal, and all of that timing information should vary from person-to-person. Don't forget about pressure and keypress duration (quick taps versus "deeper" presses on keys).

  24. Flashbacks... by DRAGONWEEZEL · · Score: 1

    Ahh you made me remember sweet violet, and BRE, and the Tacoma Area BBS listing (TABBS) that was printed in the paper. I met and ran into a few sysops in my day but never had the resources at that time to start one up. I often think the BBS format may rise again over tcp/ip if P2P gets destroyed. It'd be so easy to hide them on open networks across the country.

    But that is offtopic, and I am probably flagged as a terrorist after that last sentence...
    Oh well.

    --
    How much is your data worth? Back it up now.
    1. Re:Flashbacks... by jellomizer · · Score: 1

      ATDT 5551234
      [click...buzz...Beep.Beep.Beep.Bop.Bee.Bu.baa...Dedededeeeeee....Kcshrrrrrrrrrrrrrrrr]
      Connected 2400 bps
      Login: jellomizer
      User not found

      Login: jelomizer
      User not found

      Login: +++ath0

      No Carrier

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  25. What if... by mishan · · Score: 1

    What if you happened to have fractured your wrist like I did recently? My typing is much different with my left hand in a short-arm cast now I can say for sure.

    There are all sorts of hand injuries that could change your typing style.

    Also is it just me or do people make more typos in the morning?

  26. lock out injured users? by drfireman · · Score: 1

    A quick skim, and I didn't see any details on the false alarm rate of this method, or any detail on how a user could log in with a broken (or severely papercut!) finger. Or when breaking in a new keyboard. It would certainly be a fatal problem for this method if it would lock out users who for whatever reason have their timings temporarily altered. It would also be a pretty fatal flaw if it turns out there's a substantial false alarm rate.

  27. Accidents? by blueboy31 · · Score: 3, Funny

    This works great until you lose a finger, thumb, hand, etc in that freak accident. Talk about adding insult to injury -- your own computer won't even accept you with your newfound handicap!

    --
    Christmas is the opposite of theft. See?
    1. Re:Accidents? by budgenator · · Score: 1

      You have no idea how much, back on 11 May 2006 I caught on fire. If you have seen the Taco Bell commercial where the guy's hand bursts into flames from holding the burrito that's what it was like except no one was there with a fire extinguisher. I ended up with second degree burn over the 3% that was the back of my right hand and it was just short of needing skin grafts, things have healed up pretty good and most people don't even notice the scars but the skin is stiffer and it throws off the timing of my typing even on my left hand. If I had that system on my computer, I'd be locked out for sure.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  28. Useful after the fact, perhaps by 6Yankee · · Score: 2, Insightful

    I don't fancy using this as a replacement for login/password, but if you haul Joe User down to HR for surfing pr0n, he pulls the "Naughty Bob stole my password" trick, and you can demonstrate that the usage pattern looks a hell of a lot more like Joe User's other sessions than Naughty Bob's... ...or vice versa, and have some idea who really did steal Joe's password.

  29. They exist by PlatyPaul · · Score: 1

    Actually, such technology exists. Here's C|Net's shorter-nicer writeup. LG doesn't have any info on their US pages yet, but it's coming.

    --
    Misery loves company. Online misery loves unsuspecting random strangers.
  30. Bank does this by RandoX · · Score: 1

    My bank does this with my login info. You can know my username and password, but if you don't type it like I do, you don't get in.

    1. Re:Bank does this by cleatsupkeep · · Score: 1

      My bank does this with my login info. You can know my username and password, but if you don't type it like I do, you don't get in.

      What are they? I'll see if I can break it :-).
  31. Concept is actually much older by Anonymous Coward · · Score: 0

    This dates back to the days of Telegraph when individual telegraph operators could be identified by the way they type. They used to use it as a means of identification during WWII to see if they could find impostors. This book talks about it a little bit. I highly recommend it even otherwise - it's a very good read.

    Also check out Keystroke Dynamics on Wikipedia.

  32. Might make a good alarm, but poor authorization. by Vellmont · · Score: 2, Insightful

    I just have to believe this is going to produce a lot of rejected authorizations that shouldn't have been rejected. Also as someone pointed out, what about the legitimate times when someone else is using your username/password? (your boss needs something while you're away on vacation, etc).

    This might work out well for some kind of intrusion detection system though. Look for cases where there's two people consistently typing in the password two different ways. Then set off an alert to the administrator. There's legit cases for that of course (root/admin password comes to mind), but you just exclude those cases.

    --
    AccountKiller
  33. Pro and con by kaynaan · · Score: 1

    This does not seem like a bright idea at all. I was eating lunch at my desk (yeah I know, I know...) and I logged into /. by typing with one hand, which is not how I usually type... there are just too many scenarios that go against this approach

  34. Large enough sample set? by 192939495969798999 · · Score: 3, Interesting

    I don't think a username is enough of a sample set to determine a typing pattern. Wouldn't you need to copy down a paragraph of text to have any chance of determining patterns in typing style? I.e. at the very least, "the quick brown fox jumped over the lazy sleeping dog" type stuff to hit all the characters?

    --
    stuff |
    1. Re:Large enough sample set? by SuseLover · · Score: 1

      My credit union (Telco) has a login system like this. I had to type my login/password 10 times for it to learn and let me proceed with registration. I was not able to login on my first 3-4 tries, but it eventually let me in. I am a veeeerrry inconsistent typer (I am a hunter/pecker), so the fact I got access at all surprised me.

    2. Re:Large enough sample set? by Not_Wiggins · · Score: 1

      I don't think a username is enough of a sample set to determine a typing pattern. Wouldn't you need to copy down a paragraph of text to have any chance of determining patterns in typing style?

      The answer is: "Yes, you're right. It isn't enough by itself."

      But I think the conclusion most are jumping to is that this would be used as a black-n-white type of authentication; if I don't type at the correct cadence I'll get locked out.

      More likely, it would have value in terms of being a first step in a stronger authentication scheme. So, if you don't type with the correct cadence, it has to ask for additional authentication even if you get the password correct.

      This stronger auth is being done on many banking sites (although, they're using machine signature, IP address, etc. to identify you as coming from the same location as "last time").

      In this respect... maybe.

      Even with that said, I think that using stronger pieces of information, like you're always logging in from the same IP, would be better for this use than "how you type."

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    3. Re:Large enough sample set? by regular_gonzalez · · Score: 1

      Who has time to type all that? Use 'Jackdaws love my big sphinx of quartz' instead.

      --
      Due to circumstances beyond my control, I am master of my fate and captain of my soul.
    4. Re:Large enough sample set? by JonathanR · · Score: 1

      Do you really have to repeat all those vowels?

    5. Re:Large enough sample set? by eimsand · · Score: 1

      Actually, most keystroke dynamics products use only your user name and password. Typically you have to go through a learning period where it observes you typing the same phrase (i.e. your username) some statistically significant number of times.

      Studies have shown that the latencies between any two random letters that you might type are too variable to use to accurately validate people. That's why they focus on strings that are typed frequently.

  35. Oblig Bash quote by xtracto · · Score: 3, Funny

    From bash.org

      HOW THE FUCK CAN YOU TELL THAT I'M 13 BY LOOKING AT WHAT I'M WRITEING??????????????????????

    stupid lameness filterstupid lameness filterstupid lameness filterstupid lameness filter stupid lameness filter Filter error: Please use fewer 'junk' characters. Filter error: Please use fewer 'junk' characters.

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
    1. Re:Oblig Bash quote by Anonymous Coward · · Score: 0

      from your spelling, perhaps?

  36. small sample size by kaynaan · · Score: 1

    Can any of the more experienced developers comment on this approach from an application design point of view? The whole idea of a username/password is a combination of information that is unique. Everybody on /. may have the same password but cannot have the same surname/password combo. The sample size we are talking about here (speed of typing) seems very small; there has to be X number of users that type with the same speed, unless there is another factor involved that is used in combination?

    1. Re:small sample size by Anonymous Coward · · Score: 0

      I know nothing about this system, but have worked on keystroke dynamics before.

      Typically, it isn't typing speed exactly that's being measured. It's the pauses between keystrokes and how long you keep each key down for. Another poster complained about a lack of data points for his user name "tom" - actually that gives us 5 - time T is pressed, time nothing is pressed, time O is pressed, time nothing is pressed, and time M is pressed. The system also used keystroke dynamics as an additional layer on top of regular user name and password, and used standard security rules like the password had to be 6+ characters long. All in all, plenty of data points from the username and password.

      If your username and password match, a bunch of math is done on the timings to characterize your typing rhythm. This is compared to previous entries you made of your username and password to determine a match. The system could be set up to adapt slowly as your typing style changes over time.

      The thing to remember about this system is that it doesn't need to be perfect, it just needs to raise the bar over username/password alone.
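
The dwell-time and flight-time matching described in the comment above and in the earlier BioPassword developer's comment, as an added Python example that is not part of the thread or of any product named in it. The millisecond units, the mean-absolute-deviation scoring, both thresholds and every sample timing are assumptions constructed for illustration.

```python
from statistics import mean

MIN_SPREAD_MS = 1.0  # assumed floor so a perfectly steady feature never divides by zero


def make_sample(text, dwells, flights, start=0):
    """Build constructed (key, down_ms, up_ms) events from dwell and flight lists."""
    events, t = [], start
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        if i < len(flights):
            t = t + dwells[i] + flights[i]  # next key goes down after the gap
    return events


def keys(events):
    return "".join(key for key, _down, _up in events)


def features(events):
    """Dwell (key held) per key, then flight (nothing held) between consecutive keys.
    "tom" therefore yields 3 + 2 = 5 values. Flight is negative on key rollover."""
    dwell = [up - down for _key, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enrol(samples):
    """Build a template (per-feature centre and spread) from repeated entries."""
    if len(samples) < 2:
        raise ValueError("need at least two enrolment samples")
    text = keys(samples[0])
    if any(keys(s) != text for s in samples):
        raise ValueError("all enrolment samples must be the same string")
    columns = list(zip(*[features(s) for s in samples]))
    centre = [mean(col) for col in columns]
    spread = [max(mean([abs(x - m) for x in col]), MIN_SPREAD_MS)
              for col, m in zip(columns, centre)]
    return {"text": text, "centre": centre, "spread": spread}


def score(template, attempt):
    """Scaled Manhattan distance: average number of 'spreads' each feature is off.
    Timing is only an extra layer, so a wrong string fails outright."""
    if keys(attempt) != template["text"]:
        return float("inf")
    values = features(attempt)
    return mean([abs(x - m) / s for x, m, s in
                 zip(values, template["centre"], template["spread"])])


def verify(template, attempt, threshold=2.0):
    """Administrator-adjustable threshold: lower is stricter, higher is more lenient."""
    return score(template, attempt) <= threshold


# Constructed enrolment data: five entries of "tom" by the same (imaginary) user.
ENROLMENT = [
    make_sample("tom", [95, 80, 110], [120, 150]),
    make_sample("tom", [100, 85, 105], [130, 140]),
    make_sample("tom", [90, 78, 115], [125, 160]),
    make_sample("tom", [105, 82, 108], [115, 145]),
    make_sample("tom", [98, 88, 112], [128, 155]),
]
TEMPLATE = enrol(ENROLMENT)

GENUINE = make_sample("tom", [97, 84, 109], [126, 148])    # same rhythm, small jitter
TIRED = make_sample("tom", [112, 95, 127], [142, 172])     # same user, about 15% slower
IMPOSTOR = make_sample("tom", [60, 140, 70], [250, 60])    # right string, other rhythm

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("tired", TIRED), ("impostor", IMPOSTOR)]:
        s = score(TEMPLATE, attempt)
        print(f"{name:9s} score={s:6.2f} strict={verify(TEMPLATE, attempt)} "
              f"lenient={verify(TEMPLATE, attempt, threshold=5.0)}")
```

The slower attempt by the same user fails at the strict threshold and passes at the lenient one, which is the false-reject trade-off several commenters raise.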

  37. Now I'll need 2 logins... by maciarc · · Score: 1

    Great. Now I'll need a second login for typing left handed when my wife is gone.

  38. Works for me by PhilipPeake · · Score: 1

    My bank uses this as the biometric factor required to access online services. When they announced this change I expected to be having to respond to my additional ID challenges almost every time I logged in. That hasn't turned out to be the case, I have only tripped up on it once. I suspect that it is not a strong enough test in itself to rely upon, but when combined with having to know the password it probably does add an extra layer of security.

  39. CTRL-ALT-F4 by Anonymous Coward · · Score: 0

    Or one of the other virtual TTYs.

    As for security, this would be nothing more than a silly, ineffective gimmick.

  40. pointless by BigJClark · · Score: 1


    uh yeah, so there is software out there, that logs how you type your password, to be used as a method of user identification.

    Oh, I dunno, how about your.. PASSWORD

    This must have come from the Department of Redundancy Department.

    --

    Hi, I Boris. Hear fix bear, yes?
    1. Re:pointless by Mryll · · Score: 1

      I'm not quite sure. It is an interesting additional piece of information required. It seems to be a combination of something you know (albeit not on a conscious level in full detail), and something you are. It cannot really be conveyed from one user to another without elaborate workarounds. Nor casually observed. At least it might help avoid account borrowing.

  41. Faster over time? by DeadboltX · · Score: 1

    Whenever I select a new password for myself I am always a little bit slower at typing it because I am not used to it. Weeks go by and I find myself getting faster and faster at typing my password until finally I am able to type out a 20 character password in under a second.

    To this system I will be two completely different people from the time I changed my password to the time I mastered it and presumably at notable milestones in between.

    Obviously this is a problem.

  42. Old as morse code? by grassy_knoll · · Score: 1
    From the description, it sounds like identifying a morse code operator by their "fist"

    from the all knowing wikipedia:

    All telegraphists unconsciously develop personal quirks, or characteristics, which collectively are called one's "fist." While it is easy to send a jerky or "choppy" code with any type of keyer, as well as to make inconsistently longer or shorter dits or dahs overall or in certain characters, the type of key in use may greatly influence one's sending as it sounds to the receiving operator. A common fault with using a semi-automatic key is to make the dits too fast as compared with the dahs. Sideswipers tend to encourage to some very oddly timed characters and inconsistent formations.
    1. Re:Old as morse code? by DRAGONWEEZEL · · Score: 1

      true... the same concept, a key is a key no matter how you hit it, or what it's attached to.

      --
      How much is your data worth? Back it up now.
  43. Damaged hand? by Ungrounded+Lightning · · Score: 1

    I typed a LOT different when I broke my finger and had the hand in a brace. B-(

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  44. Only works sometimes by EmbeddedJanitor · · Score: 1

    I'm typing this lying in bed. My typing dynamics are completely different than when I'm sitting at a desk. The keyboard makes a difference too.

    --
    Engineering is the art of compromise.
  45. OWA has this, it sucks! by RManning · · Score: 0

    At my office we have Outlook Web Access. It has a keystroke sensing thing. It's awful! I have a laptop that's connected to an ergonomic keyboard at work. When I'm on the road I use the built-in keyboard. I'm not sure which one I used to "register", but I can't get in now using either.

  46. Tin-Foil Story by chord.wav · · Score: 2, Funny

    ...and when this hashing algorithm was implemented in Javascript, it meant the end for anonymous cowards...

    1. Re:Tin-Foil Story by IdeaMan · · Score: 1

      I don't think that's funny at all, that's downright scary.
      This kind of privacy attack would get past even proxies. It would fail to NoScript, however they could just intentionally break enough of their site to require scripting.

      --
      They ARE out to get you simply because They are in it for themselves and they don't care about you.
  47. That solves the drinking and commenting problem! by instantgames · · Score: 2, Funny

    Since presumably this would also be a kind of keyboard sobriety test.

  48. Hardly new or unproven. by uhlume · · Score: 1

    I'm responsible for maintenance and development of the online banking software for a mid-sized credit union. I'm currently in the midst of a project to integrate BioPassword's implementation of this technology as a second authentication factor in our online banking product, and while I initially had some skepticism of their claims, I can assure you that the technique is actually surprisingly effective, even for relatively inconsistent typists like myself.

    Don't just take my word for it, though — BioPassword has an online demo that offers a good explanation of the technology, and a chance to try it out yourself: http://stage1.biopassword.com/democlient/

    --
    SIERRA TANGO FOXTROT UNIFORM
    1. Re:Hardly new or unproven. by dat+cwazy+wabbit · · Score: 1

      Sorry I don't have a reference, but this idea is (at least) 20 years old. I remember a co-worker talking about it that long ago...

  49. David Gerrold had the idea in 1972 by Anonymous Coward · · Score: 1, Interesting

    The concept appears in "When Harlie Was One" by David Gerrold (1972). The main (human) character sits down at a random typewriter, and on a whim types "Harlie". The typewriter immediately responds "Yes, Auberson?" Harlie, an intelligent machine, had infiltrated all of the network devices, and had recognized Auberson by the rhythm of his keystrokes.

  50. Additional unauthorized use monitoring by Anonymous Coward · · Score: 0

    This would be actually quite useful for monitoring unauthorized use. Username / password can be easily stolen (yellow stickers...) but the system should quietly inform IT staff/security for possible misuse. After that it would be trivial to send in the lobby guard to nicely say hi to Liz the secretary and see if she has broken her arm or is it someone else using her workstation.

  51. Cat-like typing detected? by Lilith's+Heart-shape · · Score: 2, Funny

    I'll settle for getting GDM to distinguish between my typing and my cat's.

  52. Additional Input required by spruce · · Score: 1

    Whatabout askingtheuser howmany cupsofcoffee they'vehad aspartof thelogin process,cuz I knowmytyping getsmuch betterafter2pots. Iloveallofyou.

    /shoutout totheguy whoposted likethisrecently.

    1. Re:Additional Input required by tech_guru5182 · · Score: 1

      I've found my spacebar gets used less if I don't have a high enough BCL.

      --
      BAN BPL! Keep the radio spectrum free fro
  53. I disagree by IdeaMan · · Score: 1

    It should be used for primary validation because it is hardened against keylogging. The trick to this is that you don't have to type in the same phrase every time, in fact repeating the same phrase should be disallowed.
    Password login should be secondary and have it be algorithmic or challenge/response based.

    --
    They ARE out to get you simply because They are in it for themselves and they don't care about you.
  54. Old Idea... by Giant+Electronic+Bra · · Score: 1

    I remember someone figured this out 10 or 15 years ago. It does work, and surprisingly well. But it isn't exactly news. Though it is cute that GDM can support it.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  55. I did something similar. by SanityInAnarchy · · Score: 1

    I agree it's probably not going to work as full-blown analysis, especially as typing patterns change...

    But I did have a very simple variant of this: I imposed a timeout. I had a 20-character (roughly) password that I could type in about two seconds, so I set the screensaver password timeout to five seconds. That, and it was in dvorak. So someone had to know my password and be able to type dvorak as fast as I can to login, but there was little chance that a change in typing patterns would lock me out, unless my typing speed suddenly slowed for some reason.

    --
    Don't thank God, thank a doctor!
  56. Audible Feedback by transami · · Score: 1

    If they added audible cues eg. music tones corresponding to the stroke frequencies that would be a pretty good way to get feedback to help avoid mistakes. They could also provide a text reproduction of those tones if you needed to tell someone your password.

    Just a thought.

    --
    :T:R:A:N:S:
  57. NickDanger3deye by NickDanger3deye · · Score: 1

    There was a 1960s sci fi book, Colossus, about a computer that joined with its Soviet counterpart in taking over the world. The book was made into a movie The Forbin Project. In the book, the computer knew who was logging in by measuring the keystroke timing of the person typing. Life imitates obscure art.

    1. Re:NickDanger3deye by macs4all · · Score: 0

      What's with the Firesign Theatre reference? I love TFT, but I don't get what that has to do with the topic...

      Also, I don't know if Colossus: The Forbin Project (The movie's full name) used that method; but HARLIE, in the David Gerrold Book "When HARLIE was one", most certainly did.

  58. My credit union is already doing this by doktor-hladnjak · · Score: 1

    The login / password input is done through a Flash object. If the rhythm is correct, you're logged in just like you used to be with the old system. If the rhythm is not correct, you're presented with some additional security questions before being allowed to proceed.

  59. Miss Wyoming by Anonymous Coward · · Score: 0

    There was something like this in the novel "Miss Wyoming" by Douglas Coupland.

  60. Patented? by Ambiguous+Puzuma · · Score: 1

    At a glance the patent "Method and apparatus for identifying unique client users from user behavioral data" seems to apply: http://www.patentstorm.us/patents/7092926-description.html

  61. and drincking iss legal but illegal now by Banarak · · Score: 1

    Sho wheen I'm tis dwunk, I'm totawlly screweded. Fickig asweome! Signe me up!

  62. User changes by RiotingPacifist · · Score: 1

    Wouldn't this be much better for picking up if somebody else is using the computer, e.g. tell if another person is using my laptop and hide the porn stash.
    I'd leave username/pass for login but, if your computer doesn't think it's you it could lock the keychain preventing access to anything that you've chosen to lock down.

    --
    IranAir Flight 655 never forget!
  63. Practicality: prevent people from doing dumb shit by r_jensen11 · · Score: 1

    This would be great if it could sense when people are drunk; kind of like a breathalyzer, but triggered by lack of muscle control.

    Another practical use would be if there were pressure-sensitive keyboards and it could tell when you're pissed off by analyzing how hard you press down on the keys. That might actually postpone a few people's employment termination dates.

  64. Old by sexconker · · Score: 1

    This is a very old concept, and it's a dumb one.

    People do not type very consistently.
    If you are old/injured you're screwed.
    If you need to access an account for someone you can't.
    If you get a new keyboard, you're screwed.
    If someone listens in while you type, you're screwed. (Rhythms are very easy to remember).

    What - will people turn their backs AND cover their ears while you log in now?
    I know there was research to predict typing based on sounds (saying each key makes a different sound when pressed), but really, that's totally unreliable and hinges on dictionary matching anyway.

    The data is not a very useful thing to track, either.
    Anyone on the inside could just alter their typing a bit and later say "See? My account was hacked. That's not my typing pattern!"

  65. The HIGs! The HIGs! by nlightnmnt · · Score: 1

    Wait a minute! You mean they're actually adding a feature to GNOME? The developer responsible for that is so fired!

  66. It has been done... by mark99 · · Score: 1

    Saw this at some German university years ago, forgot the name, they wrote a custom GINA and implemented it for some flavor of Windows.

    I don't think they thought it was reliable or secure enough in the end. Was an interesting bit of research and code though.

    1. Re:It has been done... by usrbinperl-w · · Score: 1

      This has been done many times. It gets "discovered" and makes a splash every 5 years or so. I did it at Sydney university in 1985. With the university we looked into patenting it, and found prior art even then. There was a CACM article on it in 1994 or so, if I remember right. And there was a company doing the same thing a bit later on. Terry

    2. Re:It has been done... by mark99 · · Score: 1

      Your dates don't match.

      You mean you did it in 1995? Or you found prior art from 1984?

      1985 would be rather early.

  67. A keylogger for security? by Roy+Hobbs · · Score: 1

    I don't want this information stored.

  68. a password? by sl33p3r · · Score: 1

    "to read current keystroke patterns and permit a user to log in when the characteristics are a match."
    You mean, like a password?

  69. Other language keyboards by pjt33 · · Score: 1

    You can tell that a few people have never had the joy of meeting a non-English keyboard. For example, the person who made ~~~~ the markup for signing a Wikia edit clearly doesn't have to type Alt-Gr-4 Space to type a single tilde. And I struggled for ages with placing a mark in nano, because Ctrl-^ is a bit hard to type when ^ is Shift-` Space. I only just found out that Alt-A is an alternative.

  70. Size matters! by Anonymous Coward · · Score: 0

    My username is a single character....where the fsck is the pattern in that?

  71. oh, not again by nguy · · Score: 1

    Like a bad flu, this comes up every few years. It still isn't a good idea for oh-so-many reasons.

  72. Nice technology for once. by Plekto · · Score: 1

    Another thing that this does, obviously, is nerf all hackers and automated programs.

    In my case, I'd go one step further and enter my password with a one second pause between characters. Anything automated or even if it has built-in random delays is instant failure.

  73. Short usernames? by ThinkingInBinary · · Score: 1

    What about those of us with horribly short usernames? I'm "tom" on my personal box, so I can't imagine two samples (time between T and O, and between O and M) is enough to tell if it's me or not. Plus, like many posters said, that doesn't work if I'm logging in one-handed. (But that could be recorded as a separate pattern, as I always do it the same way.)

  74. keyboard hand by chloroquine · · Score: 1

    I wonder how much your typing differs from keyboard to keyboard. I'd love to figure out which differences are due solely to the muscles and remain static whatever you use to input and which are variable based on using the laptop keyboard/desktop keyboard or the work computer/home computer.

  75. We tried this in 1996 by wizardofodd · · Score: 1

    I used to work for Zenith back in '96 and we tried to recognize logins by the way people typed. It successfully recognized when I logged in with just my left, right or both hands. There was a problem though. Good typists type fast. Because of that, good typists filled the keyboard buffer and the software saw all good typists as typing at the same speed. Looks like keyboard buffers are faster now. We were using a lightning fast 16MHz 386 at the time. Ah, the memories of starting a compile overnight and it not being finished when you come in the next morning.
    --
    Some times I sit and think and sometimes I just sit.

  76. GPG keys! by Anonymous Coward · · Score: 0

    GPG keys rather than passwords, finger/penis print, etc.

    Why the fuck not? Encrypted logins for everyone!

  77. already in commercial use by Anonymous Coward · · Score: 0

    My online banking account has used keystroke rhythm for about 8 months as the second factor (besides user-chosen account name and password which meets minimum standards [length, variation, etc.]) for login authentication.

  78. It was implemented in or before 1997.. by Organic+Brain+Damage · · Score: 1

    I saw this in practice in 1997. I don't know how old it was at the time.

    1. Re:It was implemented in or before 1997.. by tech_guru5182 · · Score: 1

      I HEAR this in practice at Field day, and every CW contest I listen to. I mostly use a computerized decoder though when working code.

      --
      BAN BPL! Keep the radio spectrum free fro
  79. Already a pain in the ass by anjrober · · Score: 1

    So my brother's bank is using this already. He needed me (don't ask why) to login to his acct the other day. He gave me his username/password and the damn system wouldn't let me in as my cadence/speed of entry was wrong. This should be a second level of authentication, not the primary. I had the right u/p.

    1. Re:Already a pain in the ass by Actually,+I+do+RTFA · · Score: 1

      This should be a second level of authentication, not the primary. I had the right u/p.

      It is the second level of authentication. You have to pass both. See two-factor authentication.

      --
      Your ad here. Ask me how!
  80. It will work... by SETIGuy · · Score: 1
    If you make a mistake you just start over. It's just your username and password. I used keystroke timing measurements of password entry on an Apple II+ as additional verification of user identity (ca. 1983).

    Given it was an Apple II, there were plenty of other ways in, unless you had padlocks on the floppy drives and you replaced the ROMS.

    In other words this isn't a new idea. It's been around for at least 25 years.

  81. Even more than 3 years old! by wtarreau · · Score: 1

    The concept is even older than that. I did something like this on my 8088 about 18 years ago, and since I was a kid, I think that many other people might have done this earlier.

    It was pretty simple under DOS because you could easily read one char at a time and check the elapsed time between each.

    It worked very well for words that I was used to typing a lot (eg: password). You don't imagine how accurate you are when you type common words. Far more reliable than voice recognition IMHO.

    However, one poster reported a risk of not being able to log in after a broken finger. Maybe a complex passphrase should be used as an alternative for such situations.

    Willy
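
An added example (not part of the thread, and not the GDM code from the IBM article) of the approach discussed in the comments above: time the gap between consecutive key presses, as in the DOS experiment, and on a rhythm mismatch ask for extra proof instead of refusing the login, as in the credit-union comment. The function names, thresholds and timing data are assumptions constructed for illustration.

```python
from statistics import mean, stdev

MIN_INTERVALS = 4     # assumed floor: fewer gaps than this carry too little signal
STD_FLOOR_MS = 15.0   # assumed floor so normal jitter does not fail a consistent typist
THRESHOLD = 2.0       # assumed mean |z| above which the rhythm counts as a mismatch

# Constructed sample data: key-down times in ms for an 8-character string.
ENROLLMENT = [
    [0, 110, 205, 340, 430, 560, 650, 760],
    [0, 120, 210, 330, 425, 570, 655, 770],
    [0, 105, 200, 345, 440, 565, 660, 765],
]
SAME_USER = [0, 115, 212, 338, 432, 566, 652, 768]
OTHER_USER = [0, 220, 300, 610, 700, 1010, 1100, 1400]


def intervals(key_times_ms):
    """Turn key-down timestamps (ms) into the gaps between consecutive keys."""
    return [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]


def enroll(samples):
    """Build a profile (per-gap mean and spread) from several typings of one string."""
    gaps = [intervals(s) for s in samples]
    if len(gaps) < 2 or len({len(g) for g in gaps}) != 1:
        raise ValueError("need at least two samples of the same length")
    return [(mean(col), max(stdev(col), STD_FLOOR_MS)) for col in zip(*gaps)]


def score(profile, key_times_ms):
    """Mean absolute z-score of an attempt's gaps against the profile."""
    gaps = intervals(key_times_ms)
    if len(gaps) != len(profile):
        return float("inf")
    return mean(abs(g - mu) / sd for g, (mu, sd) in zip(gaps, profile))


def verify(profile, key_times_ms, password_ok):
    """Decide what the login flow does next.

    The rhythm is a second factor only: a wrong password is always rejected,
    and a rhythm mismatch asks for more proof rather than locking the user out.
    """
    if not password_ok:
        return "reject"
    if len(profile) < MIN_INTERVALS:
        return "step_up"  # e.g. a 3-letter user name yields only 2 gaps
    return "accept" if score(profile, key_times_ms) <= THRESHOLD else "step_up"


if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for label, attempt in (("same user", SAME_USER), ("other user", OTHER_USER)):
        print(label, round(score(profile, attempt), 2), verify(profile, attempt, True))
```

The spread floor and the step-up path are what keep a tired typist or a different keyboard from turning into a lockout; the rhythm check only decides whether extra proof is requested.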

  82. Switch to Dvorak by Dillon2112 · · Score: 1

    This would have sucked when I switched from Qwerty to Dvorak last August.

  83. Re:Might make a good alarm, but poor authorization by DKlineburg · · Score: 1

    Do you really give your passwords out? I guess I have never been in a mission critical place, but??? I won't give my password out, EVER! OK, I lied, I used to. Having been burned in the past though, makes me not interested in doing it anymore. If you needed it that bad you should have told me when I was around, and if it is work related, ask the admin to access it.

    --
    Memory is deceptive because it is colored by today's events. - Albert Einstein
  84. Don't switch keyboards by Edgester · · Score: 1

    Maybe each company would ban non-standard keyboards. I mean your typing rhythm is definitely off if you're using a keyboard that is very different from what you're used to. (ergonomic split keyboards vs standard)

  85. IT ALL DEPENDS ON by Rockin'Robert · · Score: 0

    A. How much sleep you've not had, and/or

    B. Which drug(s) you're on.

    RR

  86. Re:Might make a good alarm, but poor authorization by Vellmont · · Score: 1


    Do you really give your passwords out?

    Generally no, but if there were a good reason to do so, of course. I've also seen over the years it's very common for people to give passwords to trusted colleagues. It's how they get work done, and nobody really thinks much of it.

    --
    AccountKiller
  87. Old idea... by KlausBreuer · · Score: 1

    ...positively ancient.

    I actually programmed something like this on my Olivetti M24 (8086 CPU, 256K RAM, top of the line for the time) in the late 80s (yes, I'm an Old Fart).
    No, no, I'm no genius - I got the code from the grand magazine "Creative Computing". I believe the program (in BASIC, natch) can also be found in their wonderful "101 Basic Computer Games I/II" books.

    --
    Free PC version of ChipWits at http://www.breueronline.de/klaus/chipwits/