Got news for you: the client being able to "fake" the password is exactly the attack that this measure is purportedly defending against.
I.e. somehow the attacker has already obtained your password, via reading it from your sticky note, shoulder surfing, using a keystroke logger, or phishing. The attacker uses his client to authenticate to the server using your password. This technology jumps in and says "Ha ha! You didn't type the password with the right cadence, no biscuit for you!"
So the attacker now has to capture both password and cadence. With a keystroke logger this will be easy. For shoulder surfing, he could use a tape recorder. Reading the password from a sticky note obviously doesn't give him any way to capture the cadence, so this method protects against that threat scenario... but we don't really care much about that scenario.
The big deal is phishing attacks. A phisher could easily defeat this defense by putting a keystroke logger on the fake site along with a note saying "please click here to download and install our security software, which is required to access your bank account." Since the user has already been told to do something very much like this by the bank, and since the user is stupid enough to fall for a phishing attack in the first place, they'll happily install a keystroke logger that captures both their password and their cadence. The phisher then uses his own client to, as the grandparent mentioned, fake the biometrics, encrypt them, and send them to the authentication server.
With any biometric scheme, you are entrusting the client to only present biometric data to the authentication server that it has collected from an actual person using the client. I.e. you trust the fingerprint reader only to send the fingerprint data of a person that has just now put their finger on the reader. This trust is impossible unless the client can authenticate itself to the server as well, i.e. the fingerprint reader has a crypto key in its hardware. For software this is impossible (except maybe with Trusted Computing, assuming it isn't broken, but TC is really a hardware solution anyway). Without a trusted client, biometric data becomes nothing more than another password, vulnerable to many of the same kinds of issues that text passwords have. They can be stolen from a database, they can be intercepted at entry or in transmission, they can be read directly (your fingerprint data is posted on a sticky note that you carry around with you and leave behind on everything you touch).
Using keystroke cadence doesn't provide much improvement in security over just using a password.
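The trusted-client point above, as an added example that is not part of the original comment: a server that accepts bare cadence numbers from a software client, next to one that requires each sample to be bound to a fresh challenge by a device-held key. The names (`Server`, `attest`, `cadence_ok`), the timing values, and the use of an HMAC key as a stand-in for a key sealed in sensor hardware are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

TEMPLATE = [112, 95, 180, 140, 101]   # constructed inter-key gaps (ms) enrolled for the user
TOLERANCE_MS = 40

def cadence_ok(sample):
    return len(sample) == len(TEMPLATE) and all(
        abs(s - t) <= TOLERANCE_MS for s, t in zip(sample, TEMPLATE))

def attest(device_key, nonce, sample):
    """Tag computed inside the trusted sensor: binds the sample to one challenge."""
    msg = nonce + json.dumps(sample).encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()

class Server:
    def __init__(self, device_key):
        self.device_key = device_key
        self.pending = set()          # challenges issued and not yet used

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def verify_untrusted(self, sample):
        # Software-only client: the server sees numbers and nothing else,
        # so the cadence is just a second password.
        return cadence_ok(sample)

    def verify_attested(self, nonce, sample, tag):
        if nonce not in self.pending:
            return False              # unknown or already-used challenge
        self.pending.discard(nonce)
        if not hmac.compare_digest(attest(self.device_key, nonce, sample), tag):
            return False              # sample did not come from the enrolled device
        return cadence_ok(sample)

def demo():
    key = os.urandom(32)              # constructed stand-in for a key sealed in hardware
    server = Server(key)
    logged = [110, 99, 176, 143, 98]  # constructed: timings as a logger would record them
    n1 = server.challenge()
    genuine = (n1, logged, attest(key, n1, logged))
    n2 = server.challenge()
    wrong_key_tag = attest(os.urandom(32), n2, logged)
    return {
        "untrusted_copy_of_timings": server.verify_untrusted(logged),
        "genuine_device": server.verify_attested(*genuine),
        "same_message_sent_again": server.verify_attested(*genuine),
        "timings_without_device_key": server.verify_attested(n2, logged, wrong_key_tag),
    }
```

The attested path only helps while the key stays inside hardware the user's machine cannot read; a key stored in software is as copyable as the timings themselves.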