Slashdot Mirror


RSA: An Unusual Approach to User Authentication: Behavioral Biometrics (Video)

In the North of Sweden, in Lappland, there is a university spinoff company named BehavioSec that decides you are you (or that a person using your computer is not you) by the way you type. Not the speed, but rhythm and style quirks, are what they detect and use for authentication. BehavioSec CEO/CTO Neil Costigan obviously knows far more about this than we do, which is why Tim Lord met with him at the 2013 RSA Conference and had him tell us exactly how BehavioSec's system works. As usual, we've provided both a video and a transcript (There's a small "Show/Hide Transcript" link immediately below the video) so you can either watch or read, whichever you prefer.

18 of 69 comments

  1. Assuming you will always type the same way. by Colan · · Score: 5, Interesting

    If you ever get a sprained wrist, you'll be locked out of your computer. Hopefully, there would be alternate authentication methods built in. And what happens if you don't log into your computer for an extended period of time? After I learned to type (taking lots of notes does that to you), my typing ability and methods (and patterns/rhythms) had completely changed. That was in the course of a month. At the end of that time, I would have been locked out of my computer.

    1. Re:Assuming you will always type the same way. by Anonymous Coward · · Score: 5, Funny

      On the plus side, however, this will lock you out if you try to write a drunken Facebook wall post to one of your exes...

    2. Re:Assuming you will always type the same way. by K. S. Kyosuke · · Score: 3, Funny

      Alternatively, if you create your log-in profile while drunk, you'll have to use your computer in that state forever!

      --
      Ezekiel 23:20
    3. Re:Assuming you will always type the same way. by kangsterizer · · Score: 3, Insightful

      "Hopefully, there would be alternate authentication methods built in"

      And then, I would question the security improvement of behavioral authentication. If I'm going to log in and I'm an attacker, I'll just use the alternate authentication then.

      Reminds me of https://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp

  2. Fail out the gate! by SirAstral · · Score: 5, Interesting

    I have experienced Behavior Biometric Denial of Services. Humans are just too erratic, imagine this.

    Your front door is locked using this method. All of a sudden you are outside and a thug walks by making obvious threats and you start running inside to get away or get your gun and the door now locks your ass out.

    You are using email services and you start looking for a job, and the sudden increase in email traffic and/or login presence causes your service to block your account temporarily because of behavioral changes. (This actually happened to me for a short time.)

    I was in the middle of waiting for an actual offer letter when this occurred... very frustrating!

  3. New authentication options by sl4shd0rk · · Score: 4, Funny

    1) SHA1 password
    2) Enterprise LDAPS
    3) Tourette's

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  4. Smells like an academic spinoff by c0d3g33k · · Score: 4, Insightful

    I've encountered lots of projects over the years that sound neat on paper and have enough meat to flesh out a thesis-sized research project, but don't quite have the universal applicability that translates to widespread practical (and financial) success in the real world.

    Two problems jump right out at me:

    1. Instead of having to remember a sequence of characters, a user now has to remember and replicate a set of obscure behavioral quirks. Or actually they don't, because it's supposed to be innate. But just as a signature isn't identical every time, the quirky typing won't be either, leading to possible authentication failures, unless the authentication method is forgiving enough to take this into account. ... which leads us to

    2. It's open to mimicry, particularly if it's forgiving enough to account for natural variability. Authenticate enough times around an observant person with a knack for forgery and they can pick up on the patterns. A little bit of practice, and those rhythm and style quirks can be copied. Even easier if they can record video and/or audio with a mobile device.

    If the mimicry is successful, it's a lot harder to learn a new set of unconscious quirks than to just memorize a new password.

    Overall, the method seems academically interesting but not feasible in practice, except perhaps in a limited set of circumstances.

    1. Re:Smells like an academic spinoff by mmelson · · Score: 5, Interesting

      This is not so much an authentication method as a heuristic used to decide whether or not to ask for additional credentials. It's exactly analogous to the way security questions work for online banking. If it recognizes you, there's a good chance you are who you say you are and your password is considered sufficient. But, if it doesn't recognize you, that isn't necessarily indicative of an impostor, just that it needs to ask for more information (in the form of a token, smartcard, security question, etc) before it can be confident you are who you say you are.

      A "yes" from this is acceptance, but a "no" is not a complete rejection. It just makes you jump through an extra hoop or two.

  5. It will never be reliable enough... by stretch0611 · · Score: 3, Interesting

    What happens if I am sick? My mental acuity is not the same when my head is pounding with a headache... My reactions are slowed. Even if you can account for the difference in attentiveness between the start of the work day and the end, will you be able to recognize me when someone wakes me at 3am to troubleshoot?

    Even without sickness and sleepiness, anything that can affect my mood can bring some minor changes to my typing habits. Even if they use cameras to measure eye movement, mood will be a factor. Think of how well you type (or how you would expect to) during major life changing events such as marriage/divorce/birth of children/death of parents. Can they even account for differences between days that you get promoted (or at least praised) compared to the day when your boss chews you out?

    Then there are physical changes... Anything from a paper cut to carpal tunnel syndrome, or breaking a bone and getting a cast will seriously impact your typing.

    Finally, what happens when your keyboard (or mouse) breaks and you need to get a new one. Even if it is the same model, a new one will generally have stiffer keys and buttons. You would be screwed if it had a different layout of keys or if it was a model of a different size. As for smart phones and tablets, what happens when you buy a new phone?

    I'm sorry, I do not believe that this can be reliable enough. Even though I am somewhat impressed with Analytic software's ability to determine people's behaviour, that works on the masses with a margin of error; there will always be a few fringe cases that do not fit the mold; for authentication you need to be right, all the time, and I do not see that possibility.

    --
    Looking for a job?
    Want your resume written professionally?
    DON'T USE TUNAREZ!!!
    1. Re:It will never be reliable enough... by mmelson · · Score: 4, Insightful

      I posted this before, but I'll summarize here:

      If this matches, it's likely that you are who you say you are. If this doesn't match, it just asks for additional factors of authentication (security questions, smartcards, etc). It is not a replacement for any other form of authentication.

  6. About time by edcheevy · · Score: 4, Informative

    Bryan & Harter (1899) noticed telegraph operators could identify one another through rhythm and style, nice to see someone finally apply that! :-)

    http://psycnet.apa.org/journals/rev/6/4/345/

    1. Re:About time by lurker1997 · · Score: 2

      This is what I came here to see or post. I like to read spy novels from the 60s-80s. Within the last year I read one (no idea now which one, maybe something by Frederick Forsyth) with this used as a plot device. Something about operators trained to purposefully change from their usual rhythm to indicate duress I think.

  7. Prior art by sanchom · · Score: 2

    Rick Joyce and Gopal Gupta - Identity Authentication Based on Keystroke Latencies, 1990

    F Monrose, A Rubin - Authentication via Keystroke Dynamics, 1997

    Arkady G. Zilberman - US Patent 6442692: Security method and apparatus employing authentication by keystroke dynamics, 1998 (I think some of the claims in this patent could be invalidated because of previous disclosure in the 1990 and 1997 papers)

  8. An old idea by mbone · · Score: 2

    Back in the Morse code days, people used to ID senders through their keying style. This was fairly routinely used (and abused) in the military - for example, when the Japanese Navy went to attack Pearl Harbor, the normal radio operators were kept behind and sent messages from (IIRC) the Kuril Islands, in case the US was tracking them as belonging to the carriers (which I don't believe we were).

    1. Re:An old idea by DutchUncle · · Score: 2

      The idea of ID by keyboard style was used in science fiction in the '60s and '70s by multiple authors. Heinlein, "The Moon is a Harsh Mistress"? When I tried googling, though, I found descriptions from 2012, 2010, 2009, 2003, and 1989.

      See also the important pause between spoken words in Rudyard Kipling's "The Great Game".

  9. [Detects one-handed lingerie browsing] by GodfatherofSoul · · Score: 3, Funny

    My Laptop: "Yep, that's him..."

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  10. Tracking by RenHoek · · Score: 2

    This technique is quite old, but it's not the typing you should be focusing on, but more general computer usage. Think like an Intrusion Detection System, anything that would constitute abnormal behavior. Example:

    Mar 1 18:05:57 localhost - User started web browser application
    Mar 1 18:06:12 localhost - User opened 17 tabs to various porn sites
    Mar 1 18:08:20 localhost - User closed browser
    Mar 1 18:08:24 localhost - Microphone picking up sobbing noises
    Mar 1 18:08:26 localhost - User identity verified.

  11. Worked for us for millions of logins already by raymorris · · Score: 2

    We've been tracking keystroke rhythm on Girls Gone Wild and some other popular sites for several years. Based on analysis of several million login attempts, it does work.

    In that implementation, at least, the keyboard rhythm is one of SEVERAL factors that are considered. A sprained finger probably wouldn't keep you out, unless you were also a) far from home and b) using a different computer than you normally do. All three factors combined would make it seem likely that it was someone else trying to access your account. Just one factor alone wouldn't trigger anything.

    It's actually a lot like how you recognize people in your offline life every day. For people you know, there are a dozen or so factors which let you quickly recognize one of your family members even from behind, and from a block away. For people you don't know, you can recognize suspicious people because your brain considers a few dozen factors, such as facial expression, body language, dress, anything they have in their hands, etc. You then respond to the combination of all of those factors. Most of the time, you can instantly distinguish between a robber entering a store and a normal customer. That's roughly how these systems can work, how Strongbox works - by considering keying rhythm as one of several factors, just as you can use hair style as one factor in recognizing your boss or your wife from across the room.
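
The following sketch is an added illustration, not part of the thread and not BehavioSec's or Strongbox's actual algorithm. It shows the policy mmelson and raymorris describe: keystroke rhythm is scored against an enrolled profile, combined with device and location signals, and a mismatch only triggers a request for another factor. The latency values, the z-score metric, the thresholds and all function names are assumptions.

```python
from statistics import mean, stdev

# Constructed enrollment data: inter-key latencies in ms for one passphrase,
# one row per enrollment attempt (values invented for this example).
ENROLLMENT = [
    [110, 95, 180, 130, 90, 210],
    [120, 90, 170, 140, 85, 200],
    [105, 100, 190, 125, 95, 220],
    [115, 92, 175, 135, 88, 205],
]

def build_profile(samples):
    """Per-position (mean, stdev) of the latencies across enrollment attempts."""
    # The 5 ms floor keeps a very consistent typist from getting a
    # near-zero tolerance at any position.
    return [(mean(col), max(stdev(col), 5.0)) for col in zip(*samples)]

def rhythm_score(profile, attempt):
    """Mean absolute z-score; lower means closer to the enrolled rhythm."""
    if len(attempt) != len(profile):
        return float("inf")  # wrong number of keystrokes: not comparable
    return mean(abs(x - m) / s for x, (m, s) in zip(attempt, profile))

def decide(profile, attempt, known_device, usual_location,
           rhythm_threshold=2.0, min_anomalies=3):
    """Return 'allow' or 'step_up'; a mismatch never hard-denies.

    min_anomalies=3 follows the 'all three factors combined' policy;
    min_anomalies=1 asks for an extra factor on any single mismatch.
    """
    anomalies = [
        rhythm_score(profile, attempt) > rhythm_threshold,
        not known_device,
        not usual_location,
    ]
    return "step_up" if sum(anomalies) >= min_anomalies else "allow"

PROFILE = build_profile(ENROLLMENT)
GENUINE = [112, 93, 182, 128, 91, 207]    # constructed: close to enrollment
INJURED = [160, 140, 250, 190, 130, 290]  # constructed: same user, slowed down

if __name__ == "__main__":
    print(decide(PROFILE, GENUINE, True, True))
    print(decide(PROFILE, INJURED, True, True))
    print(decide(PROFILE, INJURED, False, False))
```

Lowering `min_anomalies` trades fewer missed impostors for more step-up prompts on legitimate users whose rhythm has drifted, which is the tension most of the comments above are arguing about.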