Slashdot Mirror

← Back to Stories (view on slashdot.org)

RSA: An Unusual Approach to User Authentication: Behavorial Biometrics (Video)

Posted by Roblimo on from the watching-every-keystroke dept.

In the North of Sweden, in Lappland, there is a university spinoff company named BehavioSec that decides you are you (or that a person using your computer is not you) by the way you type. Not the speed, but rhythm and style quirks, are what they detect and use for authentication. BehavioSec CEO/CTO Neil Costigan obviously knows far more about this than we do, which is why Tim Lord met with him at the 2013 RSA Conference and had him tell us exactly how BehavioSec's system works. As usual, we've provided both a video and a transcript (There's a small "Show/Hide Transcript" link immediately below the video) so you can either watch or read, whichever you prefer.

8 of 69 comments (clear)

  1. Assuming you will always type the same way. by Colan · · Score: 5, Interesting

    ---If you ever get a sprained wrist, you'll be locked out of your computer. Hopefully, there would be alternate authentication methods built in. And what happens if you don't log into your computer for an extended period of time? After I learned to type (taking lots of notes does that to you), my typing ability and methods (and patterns/rhythms) had completely changed. That was in the course of a month. At the end of that time, I would have been locked out of my computer.

    1. Re:Assuming you will always type the same way. by Anonymous Coward · · Score: 5, Funny

      On the plus side, however, this will lock you out if you try to write a drunken facebook wall post to one of your exes...

  2. Fail out the gate! by SirAstral · · Score: 5, Interesting

    I have experienced Behavior Biometric Denial of Services. Humans are just too erratic, imagine this.

    Your front door is locked using this method. All of a sudden you are outside and a thug walks by making obvious threats and you start running inside to get away or get your gun and the door now locks your ass out.

    You are using email services and you start looking for a job and with the sudden increase in email traffic and/or login presence causes your service to block your account temporarily because of behavioral changes. (this actually happened to me for a short time)

    I was in the middle of waiting for an actual offer letter when this occurred... very frustrating!

  3. New authentication options by sl4shd0rk · · Score: 4, Funny

    1) SHA1 password
    2) Enterprise LDAPS
    3) Tourrets

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  4. Smells like an academic spinoff by c0d3g33k · · Score: 4, Insightful

    I've encountered lots of projects over the years that sound neat on paper and have enough meat to flesh out a thesis-sized research project, but don't quite have the universal applicability that translates to widespread practical (and financial) success in the real world.

    Two problems jump right out at me:

    1. Instead of having to remember a sequence of characters, a user now has to remember and replicate a set of obscure behavioral quirks. Or actually they don't, because it's supposed to be innate. But just as a signature isn't identical everytime, the quirky typing won't be either, leading to possible authentication failures, unless the authentication method is forgiving enough to take this into account. ... which leads us to

    2. It's open to mimicry, particularly if it's forgiving enough to account for natural variability. Authenticate enough times around an observant person with a knack for forgery and they can pick up on the patterns. A little bit of practices, and those rhythm and style quirks can be copied. Even easier if they can record video and/or audio with a mobile device.

    If the mimicry is successful, it's a lot harder to learn a new set of unconscious quirks than to just memorize a new password.

    Overall, the method seems academically interesting but not feasible in practice, except perhaps in a limited set of circumstances.

    1. Re:Smells like an academic spinoff by mmelson · · Score: 5, Interesting

      This is not so much an authentication method as a heuristic used to decide whether or not to ask for additional credentials. It's exactly analogous to the way security questions work for online banking. If it recognizes you, there's a good chance you are who you say you are and your password is considered sufficient. But, if it doesn't recognize you, that isn't necessarily indicative of an impostor, just that it needs to ask for more information (in the form of a token, smartcard, security question, etc) before it can be confident you are who you say you are.

      A "yes' from this this is acceptance, but a "no" is not a complete rejection. It just makes you jump through an extra hoop or two.

  5. About time by edcheevy · · Score: 4, Informative

    Bryan & Harter (1899) noticed telegraph operators could identify one another through rhythm and style, nice to see someone finally apply that! :-)

    http://psycnet.apa.org/journals/rev/6/4/345/

  6. Re:It will never be reliable enough... by mmelson · · Score: 4, Insightful

    I posted this before, but I'll summarize here:

    If this matches, it's likely that you are who you say you are. If this doesn't match, it just asks for additional factors of authentication (security questions, smartcards, etc). It is not a replacement for any other form of authentication.