RSA: An Unusual Approach to User Authentication: Behavorial Biometrics (Video)

← Back to Stories (view on slashdot.org)

RSA: An Unusual Approach to User Authentication: Behavorial Biometrics (Video)

Posted by Roblimo on Friday March 1, 2013 @08:14AM from the watching-every-keystroke dept.

In the North of Sweden, in Lappland, there is a university spinoff company named BehavioSec that decides you are you (or that a person using your computer is not you) by the way you type. Not the speed, but rhythm and style quirks, are what they detect and use for authentication. BehavioSec CEO/CTO Neil Costigan obviously knows far more about this than we do, which is why Tim Lord met with him at the 2013 RSA Conference and had him tell us exactly how BehavioSec's system works. As usual, we've provided both a video and a transcript (There's a small "Show/Hide Transcript" link immediately below the video) so you can either watch or read, whichever you prefer.

4 of 69 comments (clear)

Min score:

Reason:

Sort:

Assuming you will always type the same way. by Colan · 2013-03-01 08:18 · Score: 5, Interesting

---If you ever get a sprained wrist, you'll be locked out of your computer. Hopefully, there would be alternate authentication methods built in. And what happens if you don't log into your computer for an extended period of time? After I learned to type (taking lots of notes does that to you), my typing ability and methods (and patterns/rhythms) had completely changed. That was in the course of a month. At the end of that time, I would have been locked out of my computer.
Fail out the gate! by SirAstral · 2013-03-01 08:26 · Score: 5, Interesting

I have experienced Behavior Biometric Denial of Services. Humans are just too erratic, imagine this.
Your front door is locked using this method. All of a sudden you are outside and a thug walks by making obvious threats and you start running inside to get away or get your gun and the door now locks your ass out.
You are using email services and you start looking for a job and with the sudden increase in email traffic and/or login presence causes your service to block your account temporarily because of behavioral changes. (this actually happened to me for a short time)
I was in the middle of waiting for an actual offer letter when this occurred... very frustrating!
It will never be reliable enough... by stretch0611 · 2013-03-01 08:39 · Score: 3, Interesting

What happens if I am sick? My mental acuity is not the same when my head is pounding with a headache... My reactions are slowed. Even if you can account for the difference in attentiveness between the start of the work day and the end, will you be able to recognize me when someone wakes me at 3am to troubleshoot?
Even without sickness and sleepiness, anything that can affect my mood can bring some minor changes to my typing habits. Even if they use cameras to measure eye movement, mood will be a factor. Think of how well you type (or how you would expect to) during major life changing events such as marriage/divorce/birth of children/death of parents. Can the even account for differences between days that you get promoted (or at least praised) compared to the day when your boss chews you out.
Then there are physical changes... Anything from a paper cut to carpal tunnel syndrome, or breaking a bone and getting a cast will seriously impact your typing.
Finally, what happens when your keyboard (or mouse) breaks and you need to get a new one. Even if it is the same model, a new one will generally have stiffer keys and buttons. You would be screwed if it had a different layout of keys or if it was a model of a different size. As for smart phones and tablets, what happens when you buy a new phone?
I'm sorry, I do not believe that this can be reliable enough. Even though I am somewhat impressed with Analytic software's ability to determine people's behaviour, that works on the masses with a margin of error; there will always be a few fringe cases that do not fit the mold; for authentication you need to be right, all the time, and I do not see that possibility.

--
Looking for a job?
Want your resume written professionally?
DON'T USE TUNAREZ!!!
Re:Smells like an academic spinoff by mmelson · 2013-03-01 08:43 · Score: 5, Interesting

This is not so much an authentication method as a heuristic used to decide whether or not to ask for additional credentials. It's exactly analogous to the way security questions work for online banking. If it recognizes you, there's a good chance you are who you say you are and your password is considered sufficient. But, if it doesn't recognize you, that isn't necessarily indicative of an impostor, just that it needs to ask for more information (in the form of a token, smartcard, security question, etc) before it can be confident you are who you say you are.
A "yes' from this this is acceptance, but a "no" is not a complete rejection. It just makes you jump through an extra hoop or two.