Slashdot Mirror
RSA: An Unusual Approach to User Authentication: Behavorial Biometrics (Video)
In the North of Sweden, in Lappland, there is a university spinoff company named BehavioSec that decides you are you (or that a person using your computer is not you) by the way you type. Not the speed, but rhythm and style quirks, are what they detect and use for authentication. BehavioSec CEO/CTO Neil Costigan obviously knows far more about this than we do, which is why Tim Lord met with him at the 2013 RSA Conference and had him tell us exactly how BehavioSec's system works. As usual, we've provided both a video and a transcript (There's a small "Show/Hide Transcript" link immediately below the video) so you can either watch or read, whichever you prefer.
---If you ever get a sprained wrist, you'll be locked out of your computer. Hopefully, there would be alternate authentication methods built in. And what happens if you don't log into your computer for an extended period of time? After I learned to type (taking lots of notes does that to you), my typing ability and methods (and patterns/rhythms) had completely changed. That was in the course of a month. At the end of that time, I would have been locked out of my computer.
Measure a user's reaction to pictures from 4chan.
I have experienced Behavior Biometric Denial of Services. Humans are just too erratic, imagine this.
Your front door is locked using this method. All of a sudden you are outside and a thug walks by making obvious threats and you start running inside to get away or get your gun and the door now locks your ass out.
You are using email services and you start looking for a job and with the sudden increase in email traffic and/or login presence causes your service to block your account temporarily because of behavioral changes. (this actually happened to me for a short time)
I was in the middle of waiting for an actual offer letter when this occurred... very frustrating!
1) SHA1 password
2) Enterprise LDAPS
3) Tourrets
Join the Slashcott! Feb 10 thru Feb 17!
I've encountered lots of projects over the years that sound neat on paper and have enough meat to flesh out a thesis-sized research project, but don't quite have the universal applicability that translates to widespread practical (and financial) success in the real world.
Two problems jump right out at me:
1. Instead of having to remember a sequence of characters, a user now has to remember and replicate a set of obscure behavioral quirks. Or actually they don't, because it's supposed to be innate. But just as a signature isn't identical everytime, the quirky typing won't be either, leading to possible authentication failures, unless the authentication method is forgiving enough to take this into account. ... which leads us to
2. It's open to mimicry, particularly if it's forgiving enough to account for natural variability. Authenticate enough times around an observant person with a knack for forgery and they can pick up on the patterns. A little bit of practices, and those rhythm and style quirks can be copied. Even easier if they can record video and/or audio with a mobile device.
If the mimicry is successful, it's a lot harder to learn a new set of unconscious quirks than to just memorize a new password.
Overall, the method seems academically interesting but not feasible in practice, except perhaps in a limited set of circumstances.
What happens if I am sick? My mental acuity is not the same when my head is pounding with a headache... My reactions are slowed. Even if you can account for the difference in attentiveness between the start of the work day and the end, will you be able to recognize me when someone wakes me at 3am to troubleshoot?
Even without sickness and sleepiness, anything that can affect my mood can bring some minor changes to my typing habits. Even if they use cameras to measure eye movement, mood will be a factor. Think of how well you type (or how you would expect to) during major life changing events such as marriage/divorce/birth of children/death of parents. Can the even account for differences between days that you get promoted (or at least praised) compared to the day when your boss chews you out.
Then there are physical changes... Anything from a paper cut to carpal tunnel syndrome, or breaking a bone and getting a cast will seriously impact your typing.
Finally, what happens when your keyboard (or mouse) breaks and you need to get a new one. Even if it is the same model, a new one will generally have stiffer keys and buttons. You would be screwed if it had a different layout of keys or if it was a model of a different size. As for smart phones and tablets, what happens when you buy a new phone?
I'm sorry, I do not believe that this can be reliable enough. Even though I am somewhat impressed with Analytic software's ability to determine people's behaviour, that works on the masses with a margin of error; there will always be a few fringe cases that do not fit the mold; for authentication you need to be right, all the time, and I do not see that possibility.
Looking for a job?
Want your resume written professionally?
DON'T USE TUNAREZ!!!
Bryan & Harter (1899) noticed telegraph operators could identify one another through rhythm and style, nice to see someone finally apply that! :-)
http://psycnet.apa.org/journals/rev/6/4/345/
Rick Joyce and Gopal Gupta - Identity Authentication Based on Keystroke Latencies, 1990
F Monrose, A Rubin - Authentication via Keystroke Dynamics, 1997
Arkady G. Zilberman - US Patent 6442692: Security method and apparatus employing authentication by keystroke dynamics, 1998 (I think some of the claims in this patent could be invalidated because of previous disclosure in the 1990 and 1997 papers)
Back in the morse code days, people used to ID senders through their keying style. This was fairly routinely used (and abused) in the military - for example, when the Japanese Navy went to attack Pearl Harbor, the normal radio operators were kept behind and sent messages from (IIRC) the Kuril Islands, in case the US was tracking them as belonging to the carriers (which I don't believe we were).
My Laptop: "Yep, that's him..."
I swear to God...I swear to God! That is NOT how you treat your human!
With enough analysis, military intelligence could tell exactly which enemy radio operator was banging out Morse code into their radio, based on things like rhythm, speed, and how hard the key was struck. They call this metric the R/T operator's "fist".
Hail Eris, full of mischief...
E pluribus sanguinem
This method had been on the market at least since 2007: https://de.wikipedia.org/wiki/Psylock (German Wikipedia; there's apparently no English version of that page)
The Tao of math: The numbers you can count are not the real numbers.
In the video, he mentioned his hope to have a centralized authentication service that third parties access. As someone who works in the online ad industry, I really hope that some regulatory body will layout some legal framework to prevent abuse.
As always, Slashdot is a decade behind in technology and still tries to use Flash to display video.
What do I do now?
What if you don't know you are sick and this detects it? An interesting way for Microsoft or Apple to monetize this would be to patent an alzheimer's detection algorithm...quickly.
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
This technique is quite old, but it's not the typing you should be focusing on, but more general computer usage. Think like an Intrusion Detection System, anything that would constitute abnormal behavior. Example:
Mar 1 18:05:57 localhost - User started web browser application
Mar 1 18:06:12 localhost - User opened 17 tabs to various porn sites
Mar 1 18:08:20 localhost - User closed browser
Mar 1 18:08:24 localhost - Microphone picking up sobbing noises
Mar 1 18:08:26 localhost - User identity verified.
Future security awareness advice: "If you type without rhythm, then you won't attract a worm..."
You have a mini stroke. Tada!
Sorry folks, it's in Norbotten.
Also Strongbox, the security system used by sites like GirlsGoneWIld, has had this for years.
In that implementation, at least, the keyboard rhythm is one of SEVERAL factors that are considered. A sprained finger probably wouldn't keep you out, unless you were also a) far from home and b) using a different computer than you normally do. All three factors combined would make it seem likely that it was someone else trying to access your account. Just one factor alone wouldn't trigger anything.
We've been tracking keystroke rhythm on Girls Gone Wild and some other popular sites for several years. Based on analysis of several million login attempts, it does work.
In that implementation, at least, the keyboard rhythm is one of SEVERAL factors that are considered. A sprained finger probably wouldn't keep you out, unless you were also a) far from home and b) using a different computer than you normally do. All three factors combined would make it seem likely that it was someone else trying to access your account. Just one factor alone wouldn't trigger anything.
It's actually a lot like how you recognize people in your offline life everyday. For people you know, there are a dozen or so factors which let you quickly recognize one of your family members even from behind, and from a block away. For people you don't know, you can recognize suspicious people because your brain considers a few dozen factors, such facial expression, body language, dress, anything they have in their hands, etc. You then respond to the combination of all of those factors. Most of the time, you can instantly distinguish between a robber entering a store and a normal customer. That's roughly how these systems can work, how Strongbox works - by considering keying rhythm as one of several factors, just as you can use hair style as one factor in recognizing your boss or your wife from across the room.
Of course a) and b) are strongly correlated. If I'm at home, I usually use my desktop computer; if I'm far away from home, I'll certainly not use that; I'll typically use my laptop. Now if I type differently on my laptop than on my desktop (not unlikely, since the keyboard is noticeably different), that means I would not be able to get into a Strongbox site when abroad.
The Tao of math: The numbers you can count are not the real numbers.
I went through this at Forum credit union when I signed up for and activated my online account there. I had to go through a "training" exercise by entering my password 5 times until the system was satisfied it found my "pattern" of cadence & rhythm of typing.
It has only failed to log me in a couple times over the years and all it does is make you answer your security q's when it fails.
Now if I type differently on my laptop than on my desktop (not unlikely, since the keyboard is noticeably different)
That was one of the very first things I wanted to test, in the proof-of-concept stage. I asked someone who normally uses a laptop to instead use MY desktop keyboard. So they were going from their familiar laptop to an unfamiliar desktop keyboard. I was glad to see that with the elements we were measuring, it still looked like the same person - even on a totally different type of keyboard.
Understand this is similar to using hair (style and color) as factors in recognizing someone you know. If you see someone from the back who SAYS they are your wife, and their hair is the same COLOR as your wife's, and the same LENGTH as your wife's, and the same STYLE as your wife, and they are the same HEIGHT as your wife, and the same BODY TYPE, and have the same pitch VOICE, you can recognize that's probably your wife. A stranger is not likely to fool you.
Going the other way, when your wife gets a hair cut, you still recognize her versus an imposter. You may even still be able to detect an intruder even by the hair still, as their hair is likely a different length and more or less curly, etc. A different keyboard, int he worst case, is like a new haircut - it only changes part of the rhythm, and the keying rhythm is only part of the recognition.
To record the time between keystrokes. Thanks guys!
Exactly. Even if you're not very good at sending or receiving Morse, you will have a distinctive "fist" - just as distinctive as your handwriting or the sound of your voice. As you get better, your speed and accuracy will improve but your fist will sound just the same.
Machine-sent Morse is as weirdly unintelligible as synthesized speech, and for much the same reason - the inflections are missing or wrong.
What about different keyboard layouts (e.g. someone normally using Dvorak using a Qwerty keyboard on another computer)?
The Tao of math: The numbers you can count are not the real numbers.
At work last month, the programmers were forced to get rid of our das keyboards because of complaints from the noise. The company bought us the new Dell model KB212 keyboards. If you type fast, it drops about 20% of the key presses. Our Dell salesrep told use the keyboard was designed to require a "firm and deliberate" key press. Most of the reviews on dell.com of the keyboard mentioned the dropped key presses. The sounds I hear now from my coworkers are much slower typing with pauses to read what is on the screen to check for dropped key presses. With this sort of system, going from a decent keyboard to a Dell one would break authentication.
This is decades old technology, and there's a reason it hasn't caught on: it has potentially high false negatives and high false positives.
Behavioral measures are useful for forensics, but they are not useful for authentication.
Biometrics are good for surveillance but not for authentication. A good authentication method supports revocation of an identification key, such as would be needed in the event of its compromise. It should not be trusted as a factor in authentication either, for the same reason. Great for theater though I suppose. Article about it here growingliberty.com/thumbs-down-for-fingerprint-identification
That's a good question and one I'll have to test. Based on other tests, I'm fairly sure that a Dvorak user who is on a qwerty would be recognized - everyone is familiar enough with qwerty, so their fingers would still tap keys in a similar way. On the other hand, a trained qwerty TYPIST suddenly using dvorak would have that indicator show up as "possible difference". That's because they'd have to switch from typing to hunt-and-peck. Still, that's analogous to your wife getting a totally new hairstyle - you'd notice the difference, but probably not mistake her for an intruder.
I devised a JavaScript kitten doing just this using mouse and key events perturbing a feedback loop just on the cusp of chaos and with at least three attractor patterns. You then sample a fingerprint from the loop state. It's great when reliability isn't required. But non human recognisers are unfortunately prone to making silly errors.
John_Chalisque
I've never heard of Lappland, but I have heard of Lapland.
Fata viam invenient.
People do not behave consistently in all situations, all occasions, all times of the day, and so on and so forth. I've seen works like typing and whatever-biometric+behavior based authentication attempts at conferences before, problem is, the false alarm rate is always unacceptably high. You're sitting in front of the machine, an e-mail arrives that makes you frustrated or angry and boom, most of your typing patterns will change. You're tired, or playing, or IMing different people, or coding or just browsing, your kid comes around for a bit, your cat jumps in your lap, and if you take a bit of care you'll notice almost all these activities come with at least a slightly different typing and/or behavioral style. And there's no way you can reliably learn to associate those very varying styles to the same person, since in the end, if you look long enough, everyone will just look the same. Well, I wish them good luck with this, but I'm fairly sure I'm never going to use such a thing, since I'm simply not into masochism that much.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
A "short" story that sort of takes this is into account. (also, it was only published 23 years ago).
http://books.google.com/books?id=FLNCovxKl7IC&pg=PA160&lpg=PA160&dq=orson+scott+card+dogwalker&source=bl&ots=a2pcvnSmFx&sig=xIKvpnSdJ01xoxMt2SbkG7XKphM&hl=en&sa=X&ei=OB8yUb-bCuLbyQHW24HAAQ&ved=0CDgQ6AEwAQ#v=onepage&q=orson%20scott%20card%20dogwalker&f=false
There are 10 types of people in the world. Those that understand this sig, and those that beat up people who do.
Hook this system into a Raspberry Pi and ... you can wave your arm to authenticate yourself to deactivate the screen saver and keep the automatic lights from turning off at the same time!