Slashdot Mirror


Identify and Verify Users Based on How They Type

LinucksGirl writes to share an IBM DeveloperWorks article that shows how to support user verification through keystroke-dynamics processing by modifying the GNOME Display Manager (GDM). You can create and store a one-way encrypted hash of your keystroke patterns when entering your user name. The article shows how to add code to GDM to read current keystroke patterns and permit a user to log in when the characteristics are a match. An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.


  1. not gonna work by superwiz · · Score: 5, Insightful

    Well, it might work if they allow for a rather broad variation in the frequency of mistakes. But personally, I make many more typos depending on how tired I am and how much caffeine I've had lately. I would assume that others do too. So when I am well-rested I might appear to be a completely different person from when I am even slightly tired.

    --
    Any guest worker system is indistinguishable from indentured servitude.
    1. Re:not gonna work by RobBebop · · Score: 3, Insightful

      Given the repetition required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.

      I can type my typical "lastname/firstinitial" login name in about a third of a second. I can type my "firstname.lastname" in about half a second.

      Given 5 minutes of practice with my name, you would probably be able to impersonate me - but as long as this system doesn't lock me out from my own account, this is a successful barrier that will make it harder for you to get into my system.

      Then again... having a password that is hard to hack and running an operating system that is not easily hackable are stronger barriers that protect me from your infiltrations...

      --
      Support the 30 Hour Work Week!!!
    2. Re:not gonna work by moderatorrater · · Score: 5, Interesting

      plus for me, this will only work if they test it against another login with the same username and password. The rhythm and speed of my typing in a username depends on which one it is, and the same goes for the password.

      However, within the bounds of an identical username/password combination, I would imagine that it would work well for me. The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand? I imagine the usefulness of this technology is in merely logging the "signature" pattern rather than locking someone else based on it. Bruce Schneier has the basic arguments and a much better analysis than I could produce.

    3. Re:not gonna work by TubeSteak · · Score: 3, Interesting

      Given the repetition required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.

      Never IM'ed or IRC'ed with a drunk person, have you?

      On the upside, no more embarrassing drunken e-mails to come back and bite you!
      --
      [Fuck Beta]
      o0t!
    4. Re:not gonna work by SharpFang · · Score: 2, Interesting

      I wouldn't be surprised if it produced fewer false negatives than standard login/password pair. By false negatives I mean typos in username/password.

      I mean, I don't know about you but I make typing mistakes at my login and password about as often as not, though I type them always in a consistent rhythm. The system could very neatly ignore the typos resulting from pressing a neighbor key or even typing with your hand a whole line of keys away, meaning you got half of what you typed wrong. "Timing is right, he pressed 'o' instead of 'p', we can accept it."

      It should not replace password-based authentication but it can neatly supplement it - you either type your password 100% correctly (say, with one hand, holding earphone in the other so the "rhythm" is none), or you type it fast, you make a mistake, but the way you type it, and the kind of mistake says it's you and the password gets accepted.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    5. Re:not gonna work by Jurily · · Score: 2, Interesting

      You get that with a well-formed password too. I can't type mine drunk, ever.

      BTW, there's really nothing more easy/secure than a password. You even get to choose which end of a spectrum you want.
      I never cease to be amazed at the lengths people go to make something better...

      The big question is, would you trust a GNOME developer to distinguish you from your sister if you can't be bothered to make up a password she can't guess? Never mind more serious issues.

    6. Re:not gonna work by WaltBusterkeys · · Score: 2, Insightful

      Or first thing in the morning after getting into work on a cold wintery day. Frozen fingers do not type well.

    7. Re:not gonna work by Z34107 · · Score: 4, Interesting

      There are characteristics in common with everything "normal" you type - for example, Mavis Beacon Teaches Typing(tm) back in the Glory Days of Windows 3.11 could tell me that my 4th finger on my left hand is weak - making a lot of typos on the "w", you see. It was nifty looking at the profiles of every user in that program for little tidbits like that, and logging onto my brother's profile and laughing as it commented how much he had "improved."

      But... do those things apply when typing a password? The whole consistent rhythm and speed thing? Or maybe that makes it easier.

      Perhaps a better solution would be to emulate voice recognition - train the security software to recognize your typing, and have it watch you as you're logged in. Just as you can train voice recognition to work with multiple speakers, you could train the security software to recognize "sober me", "drunk me", "caffeinated me", etc. (And not let "drunk me" send e-mail, and maybe schedule my development IDE processes at a higher priority for "caffeinated me", etc.)

      --
      DATABASE WOW WOW
    8. Re:not gonna work by pcgc1xn · · Score: 4, Insightful

      One thing which will kill it for sure is using a different keyboard.

      Desktop to laptop - *slightly* different keyboard layout.
      Different laptops - possibly different
      US keyboard to English keyboard - hope your passphrase doesn't have any special characters or punctuation.
      Any other language keyboard - those things are bad enough to type on at all, but trying to get your timing right? Forget it. If you have never had the joy of meeting one, as well as many of the punctuation keys being in different places, a few of the letters are as well. Just a few mind you, just enough so you fall back into touch typing and look back and find that all of your w's are actually z's.

      Some of these problems are probably not too bad for logging into Gnome, but the idea is basically limited to anything where you are physically in front of the machine you are logging into, and the input device is the same every time. If you are going to limit it to that, then requiring a webcam and doing image recognition is probably easier on both sides.

      And all you need is a slightly cleverer key logger to defeat it - instead of recording the keystrokes in order, you need to record the keystrokes and time.

      Good to see people thinking about how to improve on passwords though.

  2. Oww I broke a finger... by LighterShadeOfBlack · · Score: 4, Interesting

    ...And now I can't log in.

    Pass.

    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
    1. Re:Oww I broke a finger... by ShieldW0lf · · Score: 2, Funny

      Biometric authentication is a far, far stupider idea than this is. Yes, not being able to log in when you're drunk is bad, but having to exchange your finger and your eyeball for a new one because someone posted a high-resolution photo of them online is much, much worse.

      --
      -1 Uncomfortable Truth
    2. Re:Oww I broke a finger... by denmarkw00t · · Score: 2, Interesting

      To the broken finger crowd and the "few too manys": you should also note that it didn't appear to me that this feature would lock you out, to me it seemed more like it might speed up the login process while making it slightly more secure - no clicking "Login" because it "knows" it's you, and if it's someone pecking at the keyboard it could send you an alert via /var/log/yourlogofchoice for later review (or mail sms whathaveyou). Of course, I'm sure you could change the level of aggressiveness to not allow someone to login unless the differences in stroke pattern are within a small error tolerance.

    3. Re:Oww I broke a finger... by shawn(at)fsu · · Score: 2, Informative

      3 alone doesn't protect from shoulder surfing. While someone can look at my eye all day it's going to be difficult for most people to get my retina scan. 1, while it is a subset of 2, is supposed to be something you can't accidentally misplace, or more importantly it's supposed to be something some nefarious person can't take from you. I agree with GP you need all three.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    4. Re:Oww I broke a finger... by SpydeZ · · Score: 2, Interesting

      Same thing would happen to a dvorak-layout typist when confronted by a qwerty keyboard.

      The Windows installs at work default to qwerty on start up but will stay in dvorak if all I do is just lock the screen. When I reboot, I usually botch my password a few times before I realize what's wrong and switch to hunt 'n' pecking...

      My qwerty-induced typing is way different from my normal touch typing...

  3. Obvious issue by Gat0r30y · · Score: 2, Funny

    How am I supposed to log in after a few too many? Wait, maybe that's not an issue after all, maybe it's a feature.

    --
    Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
    1. Re:Obvious issue by baudilus · · Score: 4, Funny

      I'd be much happier if Blackberries had Breathalyzers before they allow people to email me at 2 AM. Good grief!

  4. That's OK by treeves · · Score: 4, Insightful

    My guess is that your inconsistency is part of what distinguishes you from other typists and the software uses that information to its advantage. Other people are more consistent, less consistent, inconsistent in different ways. I know I type with about four fingers: my left index finger, my right index and middle fingers, and my right thumb, and I also know I tend to make certain typos more often than others. I suspect that those things contribute to the distinct pattern in my typing that could be identified. Still, I'm sure I would not want to use such a scheme for identity verification.

    --
    ...the future crusty old bastards are already drinking the Kool-Aid.
  5. inconsistent by flynt · · Score: 3, Informative

    An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.

    That's precisely what some statistical methods are designed to do, find patterns about the inconsistencies. I haven't read this proposal, so can't comment more, but 'learning' in the presence of variation is basically what modern statistics is all about.

  6. This concept is about 3 years old if IIRC by DRAGONWEEZEL · · Score: 2, Insightful

    Maybe not w/ gnome, but I remember a Slashdot article about this a few years back. One thing to note, while some people might be irregular, almost anyone who keys in a UID every day will have some sort of "pattern" to the time between keystrokes.

    Typematic rate lol....

    It's really interesting to see what the differences are between key presses when recording a macro w/ a G15. (if you have this awesome keyboard, and don't know what I am talking about try it out!) I have done this cause I am weird... but you could try too!

    If you record a significant count of you typing in a UID and PW on a given site (that you use frequently) you will find a unique structure to the timing of the keystrokes. While the G15 doesn't go to the # of digits needed for secure authorization, it can show you that there is little variance over a large number of true trials.

    --
    How much is your data worth? Back it up now.
    1. Re:This concept is about 3 years old if IIRC by jellomizer · · Score: 2, Interesting

      Older than that...
      I thought about it when I was a kid running my own BBS. The old BBS software had a realtime display of what the person is typing so I could normally tell if it is someone who is the original user or someone using someone else's account. I thought about making a program that checks the time between keystrokes and gives them a level of error, as extra security... but I decided not to do it, for the main reasons. Someone may have something in their hands that day, or be a bit tired or hyper; also a lot of people had the passwords as key macros, so it was just kinda not worth the work and any frustration on the users' part.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
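
The check the two comments above describe (time between keystrokes, compared with a level of error), written out as an added example; it is not code from the IBM article or from GDM. It uses a scaled Manhattan distance as the comparison, and the threshold, deviation floor and all timing samples are constructed assumptions.

```python
from statistics import mean

MIN_DEV_MS = 2.0   # assumed floor on per-gap spread, so a steady typist is not over-fitted
THRESHOLD = 3.0    # assumed cut-off, in units of the user's own spread

def intervals(key_times_ms):
    """Gaps (ms) between consecutive key-down timestamps."""
    return [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]

def enroll(samples):
    """Template of (mean, mean absolute deviation) per gap from repeated recordings."""
    gaps = [intervals(s) for s in samples]
    if len({len(g) for g in gaps}) != 1:
        raise ValueError("enrollment samples must all have the same key count")
    template = []
    for column in zip(*gaps):
        mu = mean(column)
        dev = mean(abs(x - mu) for x in column)
        template.append((mu, max(dev, MIN_DEV_MS)))
    return template

def score(template, key_times_ms):
    """Scaled Manhattan distance: mean deviation measured in the user's own spread."""
    gaps = intervals(key_times_ms)
    if len(gaps) != len(template):
        return float("inf")  # different key count (typo, backspace): timing not comparable
    return mean(abs(g - mu) / dev for g, (mu, dev) in zip(gaps, template))

def decide(template, key_times_ms, threshold=THRESHOLD):
    """'match' or 'flag'; a flag is meant to be logged for review, not to lock the account."""
    return "match" if score(template, key_times_ms) <= threshold else "flag"

# Constructed sample data: key-down times (ms) for a six-character login name.
ENROLLED = [
    [0, 110, 205, 330, 420, 560],
    [0, 120, 210, 345, 430, 575],
    [0, 105, 200, 320, 415, 550],
    [0, 115, 215, 340, 435, 570],
]
SAME_USER_TIRED = [0, 118, 212, 342, 436, 580]     # slightly slower, same rhythm
HUNT_AND_PECK = [0, 260, 420, 750, 930, 1300]      # different rhythm entirely
TEMPLATE = enroll(ENROLLED)

if __name__ == "__main__":
    for name, attempt in [("same user", SAME_USER_TIRED), ("other typist", HUNT_AND_PECK)]:
        print(name, round(score(TEMPLATE, attempt), 2), decide(TEMPLATE, attempt))
```

Because the distance is scaled by each gap's own spread, a uniformly slower but rhythmically similar attempt stays close to the template, while the threshold sets how much variation is tolerated before an attempt is flagged.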
  7. Insensitive Clods!!! by explosivejared · · Score: 2, Funny

    I don't know HOW to type!!

    --
    I got a catholic block.
  8. CTRL-ALT-DEL by c0d3r · · Score: 2, Funny

    Dang, I still find it hard to press the C-T-R-L-A-L-T-D-E-L keys at the same time before entering my password on Windows.

  9. Would be nice as a supplement, however by Thought1 · · Score: 2, Insightful

    It wouldn't be good as a primary means of validation (for the reasons listed in prior comments), but it would be good as a supplemental validation, giving a "higher likelihood" that the person is who they say they are.

  10. Re:Really? by ArcherB · · Score: 2, Interesting

    Something like a password that you've typed hundreds of times probably has a more regular pattern than you think, unless you regularly get interrupted in the half second it takes for you to type it... Muscle memory, etc.

    That's all fine and dandy until you break a finger, or get a hangnail or try to log in while holding a cup of coffee or any of the limitless things that can happen to slow, speed up, or change the rhythm of your typing.
    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
  11. It'll never work by amplt1337 · · Score: 4, Funny

    How on God's green earth am I going to write down my keystroke patterns on a sticky note on my monitor???

    --
    Freedom isn't free; its price is the well-being of others.
  12. All Cell phones , Not just the BBs by DRAGONWEEZEL · · Score: 3, Funny

    Please, drunk dialing should be a civil infraction penalized in this manner

    for each # called...

    1st offense:
            A stern warning.
    2nd offense:
            $250 restitution to the victim, 1 months probation
    3rd offense:
            Death.

    --
    How much is your data worth? Back it up now.
  13. Accidents? by blueboy31 · · Score: 3, Funny

    This works great until you lose a finger, thumb, hand, etc in that freak accident. Talk about adding insult to injury -- your own computer won't even accept you with your newfound handicap!

    --
    Christmas is the opposite of theft. See?
  14. Useful after the fact, perhaps by 6Yankee · · Score: 2, Insightful

    I don't fancy using this as a replacement for login/password, but if you haul Joe User down to HR for surfing pr0n, he pulls the "Naughty Bob stole my password" trick, and you can demonstrate that the usage pattern looks a hell of a lot more like Joe User's other sessions than Naughty Bob's... ...or vice versa, and have some idea who really did steal Joe's password.

  15. Might make a good alarm, but poor authorization. by Vellmont · · Score: 2, Insightful

    I just have to believe this is going to produce a lot of rejected authorizations that shouldn't have been rejected. Also as someone pointed out, what about the legitimate times when someone else is using your username/password? (your boss needs something while you're away on vacation, etc).

    This might work out well for some kind of intrusion detection system though. Look for cases where there's two people consistently typing in the password two different ways. Then set off an alert to the administrator. There's legit cases for that of course (root/admin password comes to mind), but you just exclude those cases.

    --
    AccountKiller
  16. Large enough sample set? by 192939495969798999 · · Score: 3, Interesting

    I don't think a username is enough of a sample set to determine a typing pattern. Wouldn't you need to copy down a paragraph of text to have any chance of determining patterns in typing style? I.e. at the very least, "the quick brown fox jumped over the lazy sleeping dog" type stuff to hit all the characters?

    --
    stuff |
  17. Oblig Bash quote by xtracto · · Score: 3, Funny

    From bash.org

      HOW THE FUCK CAN YOU TELL THAT I'M 13 BY LOOKING AT WHAT I'M WRITEING??????????????????????

    stupid lameness filterstupid lameness filterstupid lameness filterstupid lameness filter stupid lameness filter Filter error: Please use fewer 'junk' characters. Filter error: Please use fewer 'junk' characters.

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  18. Tin-Foil Story by chord.wav · · Score: 2, Funny

    ...and when this hashing algorithm was implemented in Javascript, it meant the end for anonymous cowards...

  19. That solves the drinking and commenting problem! by instantgames · · Score: 2, Funny

    Since presumably this would also be a kind of keyboard sobriety test.

  20. Cat-like typing detected? by Lilith's+Heart-shape · · Score: 2, Funny

    I'll settle for getting GDM to distinguish between my typing and my cat's.