Slashdot Mirror

← Back to Stories (view on slashdot.org)

RSA: An Unusual Approach to User Authentication: Behavorial Biometrics (Video)

Posted by Roblimo on from the watching-every-keystroke dept.

In the North of Sweden, in Lappland, there is a university spinoff company named BehavioSec that decides you are you (or that a person using your computer is not you) by the way you type. Not the speed, but rhythm and style quirks, are what they detect and use for authentication. BehavioSec CEO/CTO Neil Costigan obviously knows far more about this than we do, which is why Tim Lord met with him at the 2013 RSA Conference and had him tell us exactly how BehavioSec's system works. As usual, we've provided both a video and a transcript (There's a small "Show/Hide Transcript" link immediately below the video) so you can either watch or read, whichever you prefer.

12 of 69 comments (clear)

  1. Assuming you will always type the same way. by Colan · · Score: 5, Interesting

    ---If you ever get a sprained wrist, you'll be locked out of your computer. Hopefully, there would be alternate authentication methods built in. And what happens if you don't log into your computer for an extended period of time? After I learned to type (taking lots of notes does that to you), my typing ability and methods (and patterns/rhythms) had completely changed. That was in the course of a month. At the end of that time, I would have been locked out of my computer.

    1. Re:Assuming you will always type the same way. by Anonymous Coward · · Score: 5, Funny

      On the plus side, however, this will lock you out if you try to write a drunken facebook wall post to one of your exes...

    2. Re:Assuming you will always type the same way. by K.+S.+Kyosuke · · Score: 3, Funny

      Alternatively, if you create your log-in profile while drunk, you'll have to use your computer in that state forever!

      --
      Ezekiel 23:20
    3. Re:Assuming you will always type the same way. by kangsterizer · · Score: 3, Insightful

      " Hopefully, there would be alternate authentication methods built in"

      And then, I would question the security improvement of behavioral authentication. If I'm going to login and I'm an attacker, I'll just use the alternate authentication then.

      Reminds me of https://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp

  2. Fail out the gate! by SirAstral · · Score: 5, Interesting

    I have experienced Behavior Biometric Denial of Services. Humans are just too erratic, imagine this.

    Your front door is locked using this method. All of a sudden you are outside and a thug walks by making obvious threats and you start running inside to get away or get your gun and the door now locks your ass out.

    You are using email services and you start looking for a job and with the sudden increase in email traffic and/or login presence causes your service to block your account temporarily because of behavioral changes. (this actually happened to me for a short time)

    I was in the middle of waiting for an actual offer letter when this occurred... very frustrating!

  3. New authentication options by sl4shd0rk · · Score: 4, Funny

    1) SHA1 password
    2) Enterprise LDAPS
    3) Tourrets

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  4. Smells like an academic spinoff by c0d3g33k · · Score: 4, Insightful

    I've encountered lots of projects over the years that sound neat on paper and have enough meat to flesh out a thesis-sized research project, but don't quite have the universal applicability that translates to widespread practical (and financial) success in the real world.

    Two problems jump right out at me:

    1. Instead of having to remember a sequence of characters, a user now has to remember and replicate a set of obscure behavioral quirks. Or actually they don't, because it's supposed to be innate. But just as a signature isn't identical everytime, the quirky typing won't be either, leading to possible authentication failures, unless the authentication method is forgiving enough to take this into account. ... which leads us to

    2. It's open to mimicry, particularly if it's forgiving enough to account for natural variability. Authenticate enough times around an observant person with a knack for forgery and they can pick up on the patterns. A little bit of practices, and those rhythm and style quirks can be copied. Even easier if they can record video and/or audio with a mobile device.

    If the mimicry is successful, it's a lot harder to learn a new set of unconscious quirks than to just memorize a new password.

    Overall, the method seems academically interesting but not feasible in practice, except perhaps in a limited set of circumstances.

    1. Re:Smells like an academic spinoff by mmelson · · Score: 5, Interesting

      This is not so much an authentication method as a heuristic used to decide whether or not to ask for additional credentials. It's exactly analogous to the way security questions work for online banking. If it recognizes you, there's a good chance you are who you say you are and your password is considered sufficient. But, if it doesn't recognize you, that isn't necessarily indicative of an impostor, just that it needs to ask for more information (in the form of a token, smartcard, security question, etc) before it can be confident you are who you say you are.

      A "yes' from this this is acceptance, but a "no" is not a complete rejection. It just makes you jump through an extra hoop or two.

  5. It will never be reliable enough... by stretch0611 · · Score: 3, Interesting

    What happens if I am sick? My mental acuity is not the same when my head is pounding with a headache... My reactions are slowed. Even if you can account for the difference in attentiveness between the start of the work day and the end, will you be able to recognize me when someone wakes me at 3am to troubleshoot?

    Even without sickness and sleepiness, anything that can affect my mood can bring some minor changes to my typing habits. Even if they use cameras to measure eye movement, mood will be a factor. Think of how well you type (or how you would expect to) during major life changing events such as marriage/divorce/birth of children/death of parents. Can the even account for differences between days that you get promoted (or at least praised) compared to the day when your boss chews you out.

    Then there are physical changes... Anything from a paper cut to carpal tunnel syndrome, or breaking a bone and getting a cast will seriously impact your typing.

    Finally, what happens when your keyboard (or mouse) breaks and you need to get a new one. Even if it is the same model, a new one will generally have stiffer keys and buttons. You would be screwed if it had a different layout of keys or if it was a model of a different size. As for smart phones and tablets, what happens when you buy a new phone?

    I'm sorry, I do not believe that this can be reliable enough. Even though I am somewhat impressed with Analytic software's ability to determine people's behaviour, that works on the masses with a margin of error; there will always be a few fringe cases that do not fit the mold; for authentication you need to be right, all the time, and I do not see that possibility.

    --
    Looking for a job?
    Want your resume written professionally?
    DON'T USE TUNAREZ!!!
    1. Re:It will never be reliable enough... by mmelson · · Score: 4, Insightful

      I posted this before, but I'll summarize here:

      If this matches, it's likely that you are who you say you are. If this doesn't match, it just asks for additional factors of authentication (security questions, smartcards, etc). It is not a replacement for any other form of authentication.

  6. About time by edcheevy · · Score: 4, Informative

    Bryan & Harter (1899) noticed telegraph operators could identify one another through rhythm and style, nice to see someone finally apply that! :-)

    http://psycnet.apa.org/journals/rev/6/4/345/

  7. [Detects one-handed lingerie browsing] by GodfatherofSoul · · Score: 3, Funny

    My Laptop: "Yep, that's him..."

    --
    I swear to God...I swear to God! That is NOT how you treat your human!