Users Identified Through Typing, Mouse Movements
mask.of.sanity writes "Users can be identified with a half percent margin of error based on the way they type. The research work has been spun into an application that could continuously authenticate users (PDF), rather than just relying on passwords, and could lock accounts if another person jumped on the computer. Researchers are now integrating mouse movements and clicks, and mobile touch patterns into the work."
So that means no more posting on Slashdot while drunk?
Not sure If this post is funny or insightful ;-)
...your hand gets caught in the car door and your cash/food/alcohol supply shuts down for 3 weeks.
How exactly is that new? https://www.keytrac.net/ http://www.intensityanalytics.com/ http://www.idcontrol.com/keystrokeid And there is like half a dozen more.
"OK, now what account do you want me to transfer that money to?"
There's a reason criminals prefer cash.
You shouldn't roll your eyes if you want to remain anonymous. Research shows that eye rolling is highly individual and we can use your webcam to track your eye movements and identify you.
Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
Dave's not here man.
systemd is Roko's Basilisk.
I dunno, let's try it! Imagine I'm putting a gun to your head, then transfer all your money to my bank account.
My typing has to match a certain pattern to authenticate me.
I'm guessing THEY WILL (/\7(|-| YOU ALIVE!
Ha!
And some others:
2000: Identification By Typing
2007: Typing Patterns for Authentication
2008: Identify and Verify Users Based on How They Type
2011: Verifying Passwords By the Way They're Typed
2013: RSA: An Unusual Approach to User Authentication: Behavioral Biometrics
I don't really get the hate for this stuff. If you experience an unusual situation where it locks you out, I'm assuming there would be a way to type in your password, and possibly disable the system for the rest of the day.
I think it sounds like a pretty cool feature for very security conscious users/businesses. I tend to lock my machine manually when I leave my desk, but sometimes I forget. I do have a screensaver which locks the screen, but there is an exploitable window there. Since I'm an admin, anyone with access to my machine can access anything they want on our network. Even if I used an unprivileged network account by default, what if I had a privileged remote desktop window open and suddenly got called away from my desk on an urgent matter?
To be fair if someone has physical access to your office, and really wants access to your machine, they will find a way - but this system stops opportunists at least.
which is totally what she said
This has been done by a Swedish Company - http://www.behaviosec.com/
They have a continuous monitoring system and also a product which can be integrated into a Web Page Post Form for a 2nd Factor of Authentication. I have played around with their Web Product - it's very good to be used as a secondary mechanism.
They are also working with DARPA - http://www.behaviosec.com/darpa-and-behaviosec-go-beyond-passwords/
So I am wondering if the Iowa University project is an extension on this?
The original Behaviosec product came out of a research project in a Swedish University and the people running the company include students who did the original project.
Different devices really aren't a problem. It's a lot like recognizing your family members while they are wearing different outfits. A twenty-something black lady, pregnant, with medium length braids sitting in my couch is probably my wife. Without my glasses my vision is 20/100 but I could almost always distinguish an intruder vs. my wife. Most likely, an intruder would look nothing at all like my wife.
That's a good analogy for how we use this type of technology in Strongbox. We start with the fact that they claim to be John or whoever the account holder is. We don't have to identify who they are, just whether or not they look like John. Certain characteristics of his typing style are pretty consistent across different keyboards. We combine that with location, browser choice, etc. to see if the person claiming to be John probably is actually John or not.
If you hadn't tried it, you'd think that might be a problem. In fact, it's not.
I've been sick, I've been injured. My COO has been sick a lot. We log in to systems using Strongbox maybe four times per day.
Four times per day times about 400 days = 1600 logins for each of us. We haven't been locked out based on keyboard and mouse yet. Looking at millions of user logins, the keyboard and mouse indicators closely track the other indicators we use. By that, I mean if the real user scores 41-52-07 and they are in the US, when we see a login attempt with a score of 24-92-18 that attempt will come from China.
Duplicate article detected: Slashdot editor authenticated.
Have gnu, will travel.
> Even though one could have similar typing style, I doubt that it is always the same on every keyboard.
Several numbers can be used to describe "typing style". Some of those numbers are remarkably consistent.
In other respects, you end up with two profiles, i.e. "John on his iPad" and "John at his desk".
Those match up with other parameters like OS patch level, browser version, plugins, etc. You, on your iPad,
type in a certain way, on a certain version of the device, using a certain browser with certain plugins, etc.
Most likely, the identity thief is in a different country, using a different browser on a different patch level, and types differently.
So we can say "John should either type at about interval 52 on an iPhone 2 in Idaho on AT&T, or type at about 78 on an HP desktop connecting with Comcast, again in Idaho."
> If this authentication system can detect that, it is great; otherwise, it could be a big failure instead.
For Strongbox, this aspect is neither perfect nor a failure, but is one parameter that's considered. Very much like considering someone's height and weight when trying to recognize your spouse. You can see someone from far away and if the height and weight don't match, that's not your spouse. If the height matches, the weight matches, the skin tone matches, the clothing style matches, the hair length matches, the hair color matches, the hair style (curly, straight, etc.) matches, and she says "hey baby", that's probably your spouse.
> Think of this not as a way of identifying an individual, but of screening out those who are obviously NOT that individual.
> This problem is _much_ easier to solve.
Absolutely. What we do with Strongbox, anyway, is start with "this person is claiming to be _____". Then we can start checking various parameters. Rather than list our exact parameters and algorithm, I'll stick with the analogy:
Does the height match?
Does the weight match?
Does the age range match?
Does the race match?
Does the clothing style match (skater vs. biker vs banker)?
Does the hair length match?
Does the hair style (curly, straight, etc.) match?
Does the hair color match?
etc. or about 12-15 parameters.
Note that none of the parameters listed above is extremely selective. But let's say each parameter can reject 75% of imposters. Here's the result after each test:
Test 1: 25.00% of imposters remain.
Test 2: 6.25 % of imposters remain.
Test 3: 1.563% of imposters remain.
Test 4: 0.391% of imposters remain.
Test 5: 0.098% of imposters remain.
Test 6: 0.024% of imposters remain.
Test 7: 0.006% of imposters remain.
Test 8: 0.001% of imposters remain.
Test 9: 0.0004% of imposters remain.
Test 10: 0.0001% of imposters remain.
Test 11: 0.00002% of imposters remain.
Test 12: 0.00000% of imposters remain.
After 12 tests, 99.99999% of imposters have been caught by one of the broad tests, none of which are all that specific.
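A small Python sketch of the screening approach this thread describes: a keystroke dwell/flight profile scored against a claimed identity, combined with coarse checks (country, browser) where the first failing check rejects the attempt, plus the compounding arithmetic behind the "75% per test" table. This is an added example, not code from the research paper, Strongbox or BehavioSec; the key-event format, the z-score threshold, the check list and all typing data are assumptions constructed here.

```python
"""Toy continuous-authentication check built on keystroke timing.

Added example, not code from the research paper, Strongbox or BehavioSec.
The event format, thresholds and check list are assumptions made here.
"""
import random
from statistics import mean, pstdev

# One key event is (key, press_ms, release_ms). All sessions below are
# constructed with a seeded generator so the example is reproducible offline.
def make_session(rng, n_keys, dwell_ms, flight_ms, jitter_ms):
    """Constructed key events for a typist with the given rhythm."""
    events, t = [], 0.0
    for i in range(n_keys):
        press = t
        release = press + max(1.0, rng.gauss(dwell_ms, jitter_ms))
        events.append((chr(97 + i % 26), press, release))
        t = release + max(1.0, rng.gauss(flight_ms, 2 * jitter_ms))
    return events

def features(events):
    """Dwell (press->release) and flight (release->next press) times in ms."""
    dwell = [rel - press for _, press, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight

def enroll(sessions):
    """Profile: (mean, std-dev) of dwell and flight times over enrolment sessions."""
    dwell_all, flight_all = [], []
    for s in sessions:
        d, f = features(s)
        dwell_all += d
        flight_all += f
    return {"dwell": (mean(dwell_all), pstdev(dwell_all) or 1.0),
            "flight": (mean(flight_all), pstdev(flight_all) or 1.0)}

def typing_score(profile, session):
    """Mean absolute z-score of a session against the profile; lower is closer."""
    d, f = features(session)
    mu_d, sd_d = profile["dwell"]
    mu_f, sd_f = profile["flight"]
    zs = [abs((x - mu_d) / sd_d) for x in d] + [abs((x - mu_f) / sd_f) for x in f]
    return mean(zs)

def typing_matches(profile, session, threshold=2.0):
    """Assumed threshold: the enrolled user typically scores near 0.8."""
    return typing_score(profile, session) < threshold

# Screening in the thread's sense: each check only asks "does this look like
# the claimed user?", and the first failing check rejects the attempt.
CHECKS = [
    ("country", lambda claimed, a: a["country"] == claimed["country"]),
    ("browser", lambda claimed, a: a["browser"] == claimed["browser"]),
    ("typing", lambda claimed, a: typing_matches(claimed["profile"], a["session"])),
]

def screen(checks, claimed, attempt):
    """Return (accepted, failed_check_name_or_None)."""
    for name, check in checks:
        if not check(claimed, attempt):
            return False, name
    return True, None

def impostors_remaining(reject_rates):
    """Fraction of impostors surviving every check, assuming the checks are
    independent; the thread's 12 tests at 75% each give 0.25 ** 12."""
    remaining = 1.0
    for r in reject_rates:
        remaining *= 1.0 - r
    return remaining

# Constructed data: enrol "John" from three sessions of his own rhythm.
_rng = random.Random(7)
ENROL_SESSIONS = [make_session(_rng, 30, 90, 120, 8) for _ in range(3)]
JOHN = {"country": "US", "browser": "Firefox", "profile": enroll(ENROL_SESSIONS)}
GENUINE = {"country": "US", "browser": "Firefox",
           "session": make_session(_rng, 25, 90, 120, 8)}
# Same location and browser as John, but a slower, heavier-handed typist.
IMPOSTOR_LOCAL = {"country": "US", "browser": "Firefox",
                  "session": make_session(_rng, 25, 140, 250, 8)}
# Fails the coarse checks before typing is even consulted.
IMPOSTOR_REMOTE = {"country": "CN", "browser": "Chrome",
                   "session": make_session(_rng, 25, 140, 250, 8)}

if __name__ == "__main__":
    for label, attempt in [("genuine", GENUINE), ("impostor (local)", IMPOSTOR_LOCAL),
                           ("impostor (remote)", IMPOSTOR_REMOTE)]:
        print(label, round(typing_score(JOHN["profile"], attempt["session"]), 2),
              screen(CHECKS, JOHN, attempt))
    for n in (1, 2, 12):
        print(n, "tests:", f"{100 * impostors_remaining([0.75] * n):.5f}% remain")
```

The typing check is deliberately crude (two pooled timing distributions, one threshold); a real deployment would key features on specific digraphs and keep a separate profile per device, as the post above describes with "John on his iPad" versus "John at his desk". The compounding helper makes the independence assumption explicit: checks that are correlated (browser and OS patch level often are) reject fewer impostors together than the multiplied rates suggest.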
We have data on millions of logins. I gave you two examples, then explained we have data on millions.
We ran this in "logging only" mode on a major network of web sites for two years before we started including it in the "accept or decline" decision, so we have millions of records in the database. Here's what those millions of records say:
For attempts that would have tripped this parameter, had it been switched active, those same attempts normally tripped other time-tested parameters. The other parameters have been tested for sixteen years on tens of thousands of sites - we know they work. The newer keyboard and mouse parameters give results that agree with the results from the known-good parameters.
Since you're asking about sample size, the sample size of our known good parameters is on the order of 2-3% of all web logins.
I'm surprised nobody has commented on this. If a server can confirm your keyboard/mouse activity profile, what's to stop advertisers from doing so via javascript on the web? This is scary. Even if you log in to site A as John Smith with Firefox, and site B as Jane Doe with Opera, and with Flash supercookies disabled, they might still be able to match your profiles. This would solve the advertising dilemma, of what ads to show on a shared computer used by multiple family members. This would be worse than Facebook.
Law enforcement would love this too. Let's say you're a "meek mild-mannered reporter" (or whatever) by day and "super-hacktivist" by night. It wouldn't matter if you're using multiple layers of TOR/ONION or working via a compromised machine in China, a LEA would still be able to match your daytime work profile to your nighttime alter-ego.
This might start an arms race. Given websites that analyse user keystrokes, would a random delay inserter work? Also, I assume that doing stuff like typing this comment into a separate text editor, then copy-pasting into the posting submission form might help cover your tracks.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user