Slashdot Mirror


RSA: An Unusual Approach to User Authentication: Behavioral Biometrics (Video)

In the north of Sweden, in Lappland, there is a university spinoff company named BehavioSec that decides you are you (or that a person using your computer is not you) by the way you type. Not the speed, but rhythm and style quirks, are what they detect and use for authentication. BehavioSec CEO/CTO Neil Costigan obviously knows far more about this than we do, which is why Tim Lord met with him at the 2013 RSA Conference and had him tell us exactly how BehavioSec's system works. As usual, we've provided both a video and a transcript (there's a small "Show/Hide Transcript" link immediately below the video) so you can either watch or read, whichever you prefer.

3 of 69 comments

  1. Smells like an academic spinoff by c0d3g33k · Score: 4, Insightful

    I've encountered lots of projects over the years that sound neat on paper and have enough meat to flesh out a thesis-sized research project, but don't quite have the universal applicability that translates to widespread practical (and financial) success in the real world.

    Two problems jump right out at me:

    1. Instead of having to remember a sequence of characters, a user now has to remember and replicate a set of obscure behavioral quirks. Or actually they don't, because it's supposed to be innate. But just as a signature isn't identical every time, the quirky typing won't be either, leading to possible authentication failures, unless the authentication method is forgiving enough to take this into account. ... which leads us to

    2. It's open to mimicry, particularly if it's forgiving enough to account for natural variability. Authenticate enough times around an observant person with a knack for forgery and they can pick up on the patterns. A little bit of practice, and those rhythm and style quirks can be copied. Even easier if they can record video and/or audio with a mobile device.

    If the mimicry is successful, it's a lot harder to learn a new set of unconscious quirks than to just memorize a new password.

    Overall, the method seems academically interesting but not feasible in practice, except perhaps in a limited set of circumstances.

  2. Re:It will never be reliable enough... by mmelson · Score: 4, Insightful

    I posted this before, but I'll summarize here:

    If this matches, it's likely that you are who you say you are. If this doesn't match, it just asks for additional factors of authentication (security questions, smartcards, etc). It is not a replacement for any other form of authentication.

  3. Re:Assuming you will always type the same way. by kangsterizer · Score: 3, Insightful

    "Hopefully, there would be alternate authentication methods built in"

    And then, I would question the security improvement of behavioral authentication. If I'm going to log in and I'm an attacker, I'll just use the alternate authentication then.

    Reminds me of https://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp
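
The tolerance trade-off raised in comment 1 and the step-up behaviour described in comment 2, worked through as an added example that is not part of the original thread and is not BehavioSec's algorithm. The timing values are constructed, and the scoring rule (mean absolute z-score over inter-key intervals) and all function names are assumptions chosen for illustration.

```python
from statistics import mean, stdev

# Constructed enrollment data (not real measurements): inter-key intervals in
# milliseconds for one fixed phrase, typed five times by the account owner.
ENROLLMENT = [
    [110, 95, 180, 130, 90, 210],
    [118, 90, 172, 138, 96, 198],
    [105, 99, 188, 125, 88, 215],
    [114, 93, 176, 134, 92, 205],
    [108, 97, 184, 128, 94, 202],
]

# Constructed login attempts scored against that profile.
ATTEMPTS = {
    "owner_typical": [112, 94, 178, 132, 91, 207],
    "owner_off_day": [125, 104, 196, 145, 101, 224],
    "close_imitation": [120, 100, 190, 140, 98, 218],
    "unrelated_typist": [160, 140, 120, 200, 150, 150],
}

def build_profile(samples):
    """Per-position (mean, standard deviation) of the enrolled timing vectors."""
    return [(mean(col), stdev(col)) for col in zip(*samples)]

def distance(profile, attempt):
    """Mean absolute z-score of an attempt; lower means closer to the profile."""
    if len(attempt) != len(profile):
        raise ValueError("attempt length does not match the enrolled phrase")
    # Floor the spread at 1 ms so a very consistent position cannot divide by ~0.
    return mean(abs(x - m) / max(s, 1.0) for (m, s), x in zip(profile, attempt))

def decide(profile, attempt, tolerance):
    """'accept' on a match, otherwise 'step_up' to another factor (no hard deny)."""
    return "accept" if distance(profile, attempt) <= tolerance else "step_up"

def compare_tolerances(strict=1.0, lenient=3.0):
    """(strict decision, lenient decision) for every constructed attempt."""
    profile = build_profile(ENROLLMENT)
    return {name: (decide(profile, a, strict), decide(profile, a, lenient))
            for name, a in ATTEMPTS.items()}

if __name__ == "__main__":
    for name, (strict, lenient) in compare_tolerances().items():
        print(f"{name:17} strict={strict:8} lenient={lenient}")
```

With these constructed numbers the imitation scores closer to the profile than the owner's own off day, so no single tolerance admits the one and sends the other to step-up.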