Users Identified Through Typing, Mouse Movements
mask.of.sanity writes "Users can be identified with a half percent margin of error based on the way they type. The research work has been spun into an application that could continuously authenticate users (PDF), rather than just relying on passwords, and could lock accounts if another person jumped on the computer. Researchers are now integrating mouse movements and clicks, and mobile touch patterns into the work."
So that means no more posting on Slashdot while drunk?
Not sure If this post is funny or insightful ;-)
...your hand gets caught in the car door and your cash/food/alcohol supply shuts down for 3 weeks.
I see no possible downside to this technology. *rolls eyes*
Would my typing and mouse movements change when the perp puts a gun to my head and tells me to log into my bank account?
May apply more to the usage of mobile smartphones to prevent being fraped these days.
- This sig deliberately left blank. Nothing to see, move along.
7|-|3Y \/\/||_|_ |\|3\/3|2 (/\7(|-| /\/\3 /\|_|\/3
There. Identify me now, bastards.
That's a pretty large margin of error, considering how often people type.
Our university campus has been using typing patterns as an optional way of user authentication for years. They are currently phasing this out as it seems to be too insecure.
How exactly is that new? https://www.keytrac.net/ http://www.intensityanalytics.com/ http://www.idcontrol.com/keystrokeid And there is like half a dozen more.
This is one of those topics which pops up about once a year in Slashdot.
What does that half-percent mean? It's not like our identity can be expressed as a number. Does it mean that it thinks the user is someone else one time in 200, or that for any person in their 2000 user sample set, they matched with 10 of them (both of which would be useful as long as not the only factor we rely on)? Or something else entirely?
The only thing I'd worry about is different ways of typing. My typing slows when I'm tired, for example. :P
Am I going to get locked out just because I'm tired?
It has limited use, and especially almost no use on the important stuff: bank websites.
You don't type much / mouse move much on those websites. At least not enough to trigger a proper authentication.
And with all kinds of biometrics, you can't change the password if it is tampered.
Glad I'm just using fountain pens...
N/A
Downside... Injure your hand and get locked out.
Upside... No more sending embarrassing emails when you get black-out drunk.
I bet it works even better than fingerprint recognition.
In the end, all of this becomes silly.
My typing has to match a certain pattern to authenticate me.
Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
That's why I don't type on the internet, I just lurk.
Oh, shit.
Suddenly, you're logged out of every service as soon as you begin browsing with one hand.
My computer gets my password authentication in a couple of seconds. It sounds like these typing tests took 90 minutes and it didn't evaluate whether the person's typing patterns remain stable over longer times. In that time the program learns to identify a person, but how long does it take to recognize a known person?
Do I type the same way when I'm tired? I don't know. Do I type the same way if I'm using a different computer and keyboard? When I'm thinking about what I'm writing carefully, as opposed to when I'm typing stream of consciousness thoughts or when I'm copying from a handwritten original? Maybe not. How will it handle people who are learning to type? Their patterns would not be stable, nor would mouse movements be stable for people who are learning to use an unfamiliar program.
To deal with all these potential problems, I think the period over which it must evaluate and the tolerance of variance would have to be set pretty wide. Otherwise it's going to be continually asking you to verify your identity which would be very disruptive of your work.
I sign on through remote desktop? Then an additional layer of security?
This is an Iowa State University (student?) prototype/proof of concept stage idea. Also note:
> Results from a large scale experiment demonstrated that the Cognitive Typing Rhythm had a 0.7% false rejection rate and a 5.5% false acceptance rate
As everyone has been quick to point out, the concept is so flawed that there is zero chance of successful implementation. This is just a Slashvertisement for a study grant or startup wannabe.
I don't think this will work for me as sometimes I go from two hands to operating my computer with just one hand.
This has been done by a Swedish Company - http://www.behaviosec.com/
They have a continuous monitoring system and also a product which can be integrated into a Web Page Post Form for a 2nd Factor of Authentication. I have played around with their Web Product - it's very good to be used as a secondary mechanism.
They are also working with DARPA - http://www.behaviosec.com/darpa-and-behaviosec-go-beyond-passwords/
So I am wondering if the Iowa University project is an extension on this?
The original Behaviosec product came out of a research project in a Swedish University and the people running the company include students who did the original project.
Works great. Until you have a little accident, and end up with a broken arm, or sprained wrist. Then you can't use your computer.
Proverbs 21:19
An algorithm that recognizes users based on their masturbation movements. Even those with Parkinson.
No one slams their mouse and spews slightly racist incoherent obscenities in their favorite forums quite like I do.
I'd love to see an authentication method, which could probably be implemented with a kinect, where the computer starts playing some music and demands that you perform a sexy dance. It makes about equally as much sense, but would make work MUCH more funny!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Meow
So your solution to security is to put a key logger on every computer in our building? I don't see that going over well with my security team.
I'd be really worried about getting locked out while tipsy.
Different devices really aren't a problem. It's a lot like recognizing your family members while they are wearing different outfits. A twenty-something black lady, pregnant, with medium length braids sitting in my couch is probably my wife. Without my glasses my vision is 20/100 but I could almost always distinguish an intruder vs. my wife. Most likely, an intruder would look nothing at all like my wife.
That's a good analogy for how we use this type of technology in Strongbox. We start with the fact that they claim to be John or whoever the account holder is. We don't have to identify who they are, just whether or not they look like John. Certain characteristics of his typing style are pretty consistent across different keyboards. We combine that with location, browser choice, etc. to see if the person claiming to be John probably is actually John or not.
Is this person 'John Doe'.
[ X ] Yes
[ ] No
See what you did there.
Until John is sick or injured, and then you compound his woes by locking him out.
But my typing pattern is surely very different if I am typing on an IBM Model M keyboard, or on the on-screen keyboard on my iPad, just like your wife's walking pattern is probably very different if she is walking in 6" stilettos, or in a pair of trainers.
You're confusing him with Glenn Beck.
I got here through a series of tubes
The point being that there will still be identifying characteristics that will span all walking styles regardless of shoe type. Meaning someone that always types hte instead of the will do it no matter which keyboard they are typing on. A person that uses the hunt and peck will do it no matter which keyboard they are using.
I got here through a series of tubes
If you hadn't tried it, you'd think that might be a problem. In fact, it's not.
I've been sick, I've been injured. My COO has been sick a lot. We log in to systems using Strongbox maybe four times per day.
Four times per day times about 400 days = 1600 logins for each of us. We haven't been locked out based on keyboard and mouse yet. Looking at millions of user logins, the keyboard and mouse indicators closely track the other indicators we use. By that, I mean if the real user scores 41-52-07 and they are in the US, when we see a login attempt with a score of 24-92-18 that attempt will come from China.
From the site tech support guy, or a colleague who needs to show me something at my terminal - it locks up as soon as it fails to see me typing?
The big missed point is that it's not always a bad thing for someone else to be typing on my computer/phone/etc
I am not so sure about consistency of typing style across every keyboard. Some keyboards' buttons bounce nicely, and that makes me feel like typing faster. Some aren't that great and frustrate me, which in turn slows me down or causes a stop-and-go effect on my typing style. Also, a different keyboard layout affects the way I type because I need to adjust my fingers (especially my right pinky) to reach certain buttons/characters. I also like to use the num-pad to enter numbers rather than the number buttons on the top row (and most laptops don't have the num-pad). Recently, I bought a new keyboard and the 'Enter' button shape is different from the old one, plus the backslash button is moved 1 row down (right in front of the 'Enter' button). As a result, I kept hitting the backslash button instead of 'Enter' even though I am trying to be more careful.
Even though one could have similar typing style, I doubt that it is always the same on every keyboard. If this authentication system can detect that, it is great; otherwise, it could be a big failure instead.
What if I'm eating my lunch and only typing with one hand?
We may type very differently throughout the day, especially at night, or close to a deadline. It would appear that you would need to do a significant amount of characterization to have any meaningful results. There are times when we can be really tired, but need to finish something. The last thing anyone needs is to fight your computer in addition to fighting a clock. I would refuse to work or quit any place that would consider using this kind of authentication. This kind of model can never be perfect.
> What if I'm eating my lunch and only typing with one hand?
Then this is probably something you do regularly.
The thing that gets me though is, how does this deal with network lag? If you're doing remote login, it'll add all sorts of interference based on how responsive the connection is. Thus, if I went on a business trip to China and attempted to log in, would the system still recognize me as me?
Mouse use really is a very personal thing though; people tend to do very different things with their mice while typing.
Think of this not as a way of identifying an individual, but of screening out those who are obviously NOT that individual. This problem is _much_ easier to solve.
I don't want any applications with this implemented because I don't want to be locked out of the document repeatedly while typing.
Most of the stuff I've read about this suggests that the typing recognition is based on timing ratios (how long it takes to get from key a to key b compared to how long it takes to get from key b to key c, and how long key a is held down compared to key c). Using the information to determine length of fingers seems possible. It also seems likely that models could be used to determine the user's position in relation to the keyboard. The keyboard seems easier to beat than the mouse (I have about four ways to beat the keyboard). I'm not sure how I would beat the mouse.
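The timing-ratio idea described in the comment above, as an added example that is not part of the original thread and not the algorithm of any product named in it. The sample keystrokes, the 0.05 threshold and all function names are assumptions made for illustration; it also contrasts ratios with raw millisecond timings for a uniformly slower (tired) typist.

```python
# Added illustration: keystroke timing *ratios* versus raw timings.
# Events are (key, press_ms, release_ms). All samples are constructed.
ENROLLED = [("p", 0, 90), ("a", 140, 210), ("s", 300, 395), ("s", 520, 600)]
GENUINE_NOISY = [("p", 0, 95), ("a", 150, 215), ("s", 305, 405), ("s", 530, 605)]
IMPOSTOR = [("p", 0, 60), ("a", 250, 370), ("s", 420, 470), ("s", 500, 640)]

THRESHOLD = 0.05  # assumed cut-off; a real system would fit this per user


def slowed(events, factor):
    """Same rhythm typed uniformly slower, e.g. a tired user."""
    return [(k, d * factor, u * factor) for k, d, u in events]


def raw_features(events):
    """Hold time per key, then press-to-press latency per key pair (ms)."""
    if len(events) < 3:
        raise ValueError("need at least three keystrokes")
    dwell = [u - d for _, d, u in events]
    latency = [events[i + 1][1] - events[i][1] for i in range(len(events) - 1)]
    if min(dwell) <= 0 or min(latency) <= 0:
        raise ValueError("timestamps must be strictly increasing")
    return dwell, latency


def ratio_features(events):
    """Each hold time and each latency as a share of its total.

    Dividing by the total removes overall speed, so only the relative
    rhythm remains (key a held vs key c, a->b vs b->c).
    """
    dwell, latency = raw_features(events)
    return ([x / sum(dwell) for x in dwell]
            + [x / sum(latency) for x in latency])


def distance(a, b):
    """Mean absolute difference between two equal-length feature vectors."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def raw_distance(profile, attempt):
    """Distance in milliseconds, with no normalisation."""
    pd, pl = raw_features(profile)
    ad, al = raw_features(attempt)
    return distance(pd + pl, ad + al)


def plausibly_same_typist(profile, attempt, threshold=THRESHOLD):
    """Screen an attempt against the claimed user's enrolled sample.

    This only screens out clear mismatches; it does not identify anyone.
    """
    if [k for k, _, _ in profile] != [k for k, _, _ in attempt]:
        return False  # different text typed, features are not comparable
    return distance(ratio_features(profile), ratio_features(attempt)) <= threshold


if __name__ == "__main__":
    tired = slowed(ENROLLED, 2)
    for name, sample in [("tired", tired), ("noisy", GENUINE_NOISY),
                         ("impostor", IMPOSTOR)]:
        print(name,
              "raw_ms=%.1f" % raw_distance(ENROLLED, sample),
              "ratio=%.3f" % distance(ratio_features(ENROLLED),
                                      ratio_features(sample)),
              "pass=%s" % plausibly_same_typist(ENROLLED, sample))
```

The invariance only covers a uniform slowdown; one-handed typing or a different keyboard layout changes the ratios themselves, which is the concern raised elsewhere in the thread.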
> I am not so sure about consistency of typing style across every keyboard.
Perhaps we could perform experiments and gather data on the subject.
Nah, that's way too science-y for Slashdot. Better to just proclaim that it will never work and earn some karma.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
> Even though one could have similar typing style, I doubt that it is always the same on every keyboard.
Several numbers can be used to describe "typing style". Some of those numbers are remarkably consistent.
In other respects, you end up with two profiles, i.e. "John on his iPad" and "John at his desk".
Those match up with other parameters like OS patch level, browser version, plugins, etc. You, on your iPad, type in a certain way, on a certain version of the device, using a certain browser with certain plugins, etc.
Most likely, the identity thief is in a different country, using a different browser on a different patch level, and types differently.
So we can say "John should be either type at about interval 52 iPhone 2 in Idaho on AT&T, or type about 78 on a HP desktop connecting with Comcast, again in Idaho."
> If this authentication system can detect that, it is great; otherwise, it could be a big failure instead.
For Strongbox, this aspect is neither perfect nor a failure, but is one parameter that's considered. Very much like considering someone's height and weight when trying to recognize your spouse. You can see someone from far away and if the height and weight don't match, that's not your spouse. If the height matches, the weight matches, the skin tone matches, the clothing style matches, the hair length matches, the hair color matches, the hair style (curly, straight, etc.) matches, and she says "hey baby", that's probably your spouse.
> I've been sick, I've been injured. My COO has been sick a lot. We log in to systems using Strongbox maybe four times per day. Four times per day times about 400 days = 1600 logins for each of us.
Your sample size is only two people. Just because two people login to a system for 400 days straight, 4 times a day, does not give you a larger sample size; It gives you a larger sample count.
> Looking at millions of user logins, the keyboard and mouse indicators closely track the other indicators we use.
By your own admission, you only know two people; About 3,200 logins total. Assuming "millions" equals the minimum of "2 million" to make this second statement true, you've only sampled 2 people out of 1,250 (minimum).
Does "not a problem" seem like a statistically valid conclusion for you to be drawing here, given the exceptionally limited data set you're basing this on?
#fuckbeta #iamslashdot #dicemustdie
> Think of this not as a way of identifying an individual, but of screening out those who are obviously NOT that individual.
> This problem is _much_ easier to solve.
Absolutely. What we do with Strongbox, anyway, is start with "this person is claiming to be _____". Then we can start checking various parameters. Rather than list our exact parameters and algorithm, I'll stick with the analogy:
Does the height match?
Does the weight match?
Does the age range match?
Does the race match?
Does the clothing style match (skater vs. biker vs banker)?
Does the hair length match?
Does the hair style (curly, straight, etc.) match?
Does the hair color match?
etc. or about 12-15 parameters.
Note that none of the parameters listed above is extremely selective. But let's say each parameter can reject 75% of imposters. Here's the result after each test:
Test 1: 25.00% of imposters remain.
Test 2: 6.25% of imposters remain.
Test 3: 1.563% of imposters remain.
Test 4: 0.391% of imposters remain.
Test 5: 0.098% of imposters remain.
Test 6: 0.024% of imposters remain.
Test 7: 0.006% of imposters remain.
Test 8: 0.001% of imposters remain.
Test 9: 0.0004% of imposters remain.
Test 10: 0.0001% of imposters remain.
Test 11: 0.00002% of imposters remain.
Test 12: 0.00000% of imposters remain.
After 12 tests, 99.99999% of imposters have been caught by one of the broad tests, none of which are all that specific.
> Nah, that's way too science-y for Slashdot. Better to just proclaim that it will never work and earn some karma.
Yes, the talk is easy but the practice is not. I did not say it will never work, but I implied it unlikely works or is effective due to different style of typing regarding different 'hard ware'. Besides the point, you are sick if you think that other people posting here are looking to earn karma or whatever. Maybe it is you who reply and look for it instead.
We have data on millions of logins. I gave you two examples, then explained we have data on millions.
We ran this in "logging only" mode on a major network of web sites for two years before we started including it in the "accept or decline" decision, so we have millions of records in the database. Here's what those millions of records say:
For attempts that would have tripped this parameter, had it been switched active, those same attempts normally tripped other time-tested parameters. The other parameters have been tested for sixteen years on tens of thousands of sites - we know they work. The newer keyboard and mouse parameters give results that agree with the results from the known-good parameters.
Since you're asking about sample size, the sample size of our known good parameters is on the order of 2-3% of all web logins.
I understand that you are talking about certain different range of typing style. I accept that thought. The problem for me is not the idea, but it is the threshold of the range they are looking for. I don't know the criteria they used in identifying style. Also, their sample size of 2000 is extremely small compared to a population in a country. I don't believe it effectively works as they claim, but they put this news out just to get attention from public. I guess they want to test the public reaction, and then may go forward with their plan (which could be money making or fund raising).
> this aspect is neither perfect nor a failure, but is one parameter that's considered.
Your reply is fair enough for me. Though, your example is not what I would say obvious. I mean when you are talking about someone walking toward you from far away. It is not the appearance you would use to identify the person but rather the way/style of walk you see from afar. :)
> What if I'm eating my lunch and only typing with one hand?
Yeah, right. "eating my lunch"...
If the system detects you are "eating your lunch" and typing with one hand, it will automatically direct you to your favorite porn sites.
- For the complete works of Shakespeare: cat
> Also, their sample size of 2000 is extremely small compared to a population in a country. I don't believe it effectively works as they claim, but they put this news out just to get attention from public.
Oh certainly. This is about the fourth Slashdot article on it and we've been doing it for years, so it's in no way new. Three years from now they'll announce their chickcaptcha idea, which we launched on 5,000 production sites 18 months ago.
In Soviet Russia, Keyboard Identify You! ... oh, wait.
when software runs on your computer in javascript
So we'll need a program that scrambles all the monitored characteristics, and perhaps inserts some random phrase translations so that you can't be recognized by your vocabulary. Why I would ever want a system to recognize me by these sorts of biometrics (or any sort) is beyond me. On the other hand, I could see why others would want to do so, Facebook, Google, the NSA, Doubleclick, etc. But that doesn't mean at all that I would want this, quite the contrary. When I'm on the computer, it's nobody's business who I am, who I'm talking with, what I'm buying, etc., except mine. I've even set up my account on Amazon as a group-purchase account where my purchases are intermixed with my friends' purchases so they can't tell whose is whose. If you can't keep them from getting your information the solution is to add erroneous information.
I'm surprised nobody has commented on this. If a server can confirm your keyboard/mouse activity profile, what's to stop advertisers from doing so via javascript on the web? This is scary. Even if you log in to site A as John Smith with Firefox, and site B as Jane Doe with Opera, and with Flash supercookies disabled, they might still be able to match your profiles. This would solve the advertising dilemma, of what ads to show on a shared computer used by multiple family members. This would be worse than Facebook.
Law enforcement would love this too. Let's say you're a "meek mild-mannered reporter" (or whatever) by day and "super-hacktivist" by night. It wouldn't matter if you're using multiple layers of TOR/ONION or working via a compromised machine in China, a LEA would still be able to match your daytime work profile to your nighttime alter-ego.
This might start an arms race. Given websites that analyse user keystrokes, would a random delay inserter work? Also, I assume that doing stuff like typing this comment into a separate text editor, then copy-pasting into the posting submission form might help cover your tracks.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
If a site does not let you browse with basic HTML then you can't trust it to respect your privacy.
What "remote login" sends data for every character typed in a field instead of sending all at once when the field is completed and the login/whatever it is called button/link is pressed?
50% is low. People noted it would deny access to a drunk user, which may be good. Sleepy user may be denied as well, so could unusually stressed persons. The latter case could be a real problem if stress is because you need to find something in your computer.
why google of course
"If the height matches, the weight matches, the skin tone matches, the clothing style matches, the hair length matches, the hair color matches, the hair style (curly, straight, etc.) matches, and she says "hey baby", that's probably your spouse."
Or one heckuva stunt double or stand-in. Or one of twins, triplets, etc. Once in motion, tho, I can see that as being quite a bit more distinctive, and a clincher, all else being equal. From what I gather, from the article and what you've said, it's the full combination sieved by walking the parameters.
There's a decidedly creepy aspect to this - the capability of being tracked everywhere and everywhen - but I can see the utility when fairly used. Being able to put a severe crimp in identify theft alone would be golden.
"Hello, Flynn"
VNC, RDP, NX and other similar systems.
What about users like myself who switch between mouse and graphic tablet use on a particular day depending on workflow? When I have lots of illustration or retouch work that day I tend to do a lot with graphic pen but prefer switching to mouse for other tasks such as mail and web browsing, gaming whatever. Also with graphic pen in hand I type differently too as I don't put the pen down so do more with left hand and single finger stabs on the right unlike mouse use where I use more fingers on the right.
Many around me do similar things, not just graphic tablet/mouse but stuff like switching up pointing stick/touch pad on thinkpad, mouse/trackball, mouse/touchpad and so on and some I know use more than one mouse since they prefer different button actuation force/ergonomics/weight between different stuff such as gaming and other stuff on one machine.
Seems a silly way of locking machines to me. Sure I've seen the code fob in keyboard thing you have to pull when leave terminal fall down as people can't be arsed removing it when leaving it unattended near members of public for under 1min but plenty of other existing ways which are efficient with less room for error and more flexible than this idea yet require just as little input if any when user walks away for a moment to lock it.
Yeah I bet you're "eating" when you only have 1 hand available at your computer.
I got here through a series of tubes