
Typing Patterns for Authentication

CowboyNeal posted about 7 years ago | from the no-one-touches-like-you dept.

Security 259

Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."


259 comments

/. FP Recognition System (-1)

just_another_sean (919159) | about 7 years ago | (#18807093)

I see /. has implemented something similar as well to avoid first posters...
Nothing for you to see here. Please move along.

Fist (4, Informative)

Nimey (114278) | about 7 years ago | (#18807123)

A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.

I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

Re:Fist (5, Insightful)

OECD (639690) | about 7 years ago | (#18807165)

Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.

Re:Fist (5, Funny)

justinbach (1002761) | about 7 years ago | (#18807397)

So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover?


Man, I don't know about those circumstances, but I would welcome an online financial transaction system that's good enough to recognize whether or not I'm drunkenly typing in my credit card number after a night on the town. The combination of woot.com and a few too many beers has on more than one occasion proved fatal to both my self-respect and my checking account...as if two Roombas isn't enough as it is!

Re:Fist (4, Funny)

Anonymous Coward | about 7 years ago | (#18807469)

man, what an exciting life... getting drunk and buying stuff online! You're giving Keith Richards a run for his money...

Re:Fist (4, Funny)

cyphercell (843398) | about 7 years ago | (#18807577)

Man if I was you, I would drink more before I stole money from myself. Two Roombas? When you're drunk? What the hell is wrong with renting a hotel room and puking in the pool? Or renting a limo to drive you out, without enough cash to get back? Or, hire a stripper to sneak into bed with your best friend and his wife, so you can buy him a beer the next night, then claim poverty on him. Dude, you need some alcoholism.

Re:Fist (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#18807399)

If I'm eating a Bagel I can't touch type... Oh, yup, I use a blind keyboard and touch type at 3 digits + wpm ;)

And, no, I can't type using only one-hand on my blind keyboard (I tried, and it's really pathetically slow)

Re:Fist (1)

UbuntuDupe (970646) | about 7 years ago | (#18807411)

I don't know about this typing pattern technique, but there are a thousand variables that affect how you will do your hand-written signature, and yet they're still able to identify something that's distinctly "yours" well enough. (Try signing with someone else's script sometime -- I first ran into this when trying to forge consent forms.)

So, maybe they can identify a range of methods as yours without spanning much of the "typepatternspace".

About that. (1)

Anonymous Coward | about 7 years ago | (#18807923)

I first ran into this when trying to forge consent forms.

So ...

yeah, nevermind. I probably don't even want to know.

Re:Fist (0)

Anonymous Coward | about 7 years ago | (#18807499)

On the other hand, it would prevent me logging on and emailing my ex when I'm drunk. Next stop: breathalyser for mobile phones.

Sharing Secrets (4, Funny)

NetSettler (460623) | about 7 years ago | (#18807511)

So now it makes a difference if...

Yeah, not only that, but imagine when you've forgotten something important and you call home to talk to your spouse to get it.

Spouse: What's your password?
You: It's "My name is my passport."
Spouse: That whole thing? That's a lot of letters. Ok, I'm typing it.
You: Are you in?
Spouse: Nope. It says I'm not typing it right. How do you type it?
You: Huh? Oh, right. I forgot. Lean heavy on the first n and the two y's. And pause slightly after every other space.
Spouse: It's still not working.
You: Did I mention that I'm slow to reach a y and then slow again for whatever character follows? It's quite a reach.
Spouse: Ok, I'll try. Nope. Not working.
You: Oh, right. And try to type it at 80 words per minute.
Spouse: I only type 20.
You: Never mind. I'll drive home and get the info. It'll be faster.

Re:Sharing Secrets (4, Insightful)

Anonymous Coward | about 7 years ago | (#18807753)

Never, EVER, give your wife your password! What the heck are you smoking?!?!

Re:Fist (2, Informative)

Chabil Ha' (875116) | about 7 years ago | (#18807581)

Very astute, but, if you had listened to the report, if such a thing occurred, it would prompt you for other identifying questions to prove your identity.

Re:Fist (1)

FredThompson (183335) | about 7 years ago | (#18807741)

Not only that, now you'll have to enter a password that's similar in length to an encoded Morse code message. You'll have time to eat your bagel, drink a cup of Joe (a little WWII lingo there) and maybe even smoke a Lucky Strike!

+1 Clippy of awareness (5, Funny)

Scrameustache (459504) | about 7 years ago | (#18807955)

Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.
You appear to have a hangover,
while you were drunk, I intercepted the email you wrote to
  • the girl from the office
would you like to read it again before it is sent?

[No] [Ignore] [Cancel]

Re:Fist (1)

Sokak (1090775) | about 7 years ago | (#18807389)

It has, it's just not that effective as per reasons mentioned here. I'd actually written the guts of one that I've used as an optional feature within a product I wrote. It has really good accuracy and effectiveness with touch-typists, but is miserable for "casual"/beginner style users. I'd hate to see it used for something like Windows logins. :D My algorithms included timing, rhythm, and optionally detecting rollovers as identifiers to typing style. It condenses it down into a percentage with results that can even be graphed out and determines whether there is a match based on sensitivity preferences. The more consistent you are, the higher the sensitivity you can use, the more secure the password is. Still when it's used properly it has some really nice perks. A) It lets people use 'meaningful' easy to remember passwords. I absolutely HATE network policies that say "password must be 10-16 characters, contain at least 1 capital letter and 1 number, etc. etc. etc. and then say you need to change it every 4 weeks. B) It makes for a much larger block of data when encrypted/transmitted, even for short passwords. It took 3 days to write, test, and tweak. The real work is integrating it as a security measure.

Re:Fist (1)

afidel (530433) | about 7 years ago | (#18807509)

It's not used because it's mostly useless. Of all of the authentications that my users initiate in a given day probably less than 1% are on the local system where they work. The majority are network resource requests, web apps, application authentication, etc. This method also doesn't work for remote access through Citrix/Nfuse, through thinterms, or on any platform where there isn't a native authentication daemon.

Re:Fist (1)

jwilloug (6402) | about 7 years ago | (#18807815)

BioPassword has some kind of Citrix integration, I saw a brief demo a little over a year ago. I believe they wrote a client plugin that collects the biometrics locally and then passes them across the wire with the password.

Re:Fist (1)

afidel (530433) | about 7 years ago | (#18807909)

Ugh it uses Flash. Most thinterms and many internet terminals do not support Flash. Heck management didn't like the requirement for Java for our Web Interface/Secure Gateway setup but the only alternative was to allow direct RDP connectivity to the Presentation Servers which is WAY less secure for both the clients and the server and it only gains you Windows clients with an RDP client and no Java.

Re:Fist (1)

xquercus (801916) | about 7 years ago | (#18807885)

A Morse-operator's style was referred to as his "fist".

A Morse Code operator's style *is* referred to as his or her "fist". Morse Code is still used, mostly by amateur radio operators. Save a number of digital modes such as PSK31, there is no match to carrier wave modulated Morse Code to cut through noise and periods of poor radio wave propagation.

As an aside, the FCC recently dropped the Morse Code testing requirements from all classes of US amateur radio licenses. Many other countries have done the same as well.

Re:Fist (1)

TheSlashaway (1032228) | about 7 years ago | (#18807895)

There was a programmer at Boston University's Computer Graphics lab in the late 1980s that protected his commercial graphics application using exactly this system. If this company is not run by him, they can't patent it.

Bad Idea (4, Insightful)

dynamo (6127) | about 7 years ago | (#18807131)

This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.

Re:Bad Idea (1)

TubeSteak (669689) | about 7 years ago | (#18807173)

This will make it possible for a change of mood to deny your access to your own accounts.
THOMAS: So what happens when your typing style varies from your profile, like you're sleepy because you just woke up?

RICHARDS: You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions. (Emphasis mine)

Re:Bad Idea (0)

Anonymous Coward | about 7 years ago | (#18807391)

Really secure security questions, like the time honored
  • What is your mother's maiden name? or
  • What is the name of the city you were born in?

Re:Bad Idea (1, Insightful)

arth1 (260657) | about 7 years ago | (#18807409)

If one more brain dead security system asks me my mother's maiden name and my city of birth, I'm going to scream!

--
*Art

Re:Bad Idea (4, Funny)

goombah99 (560566) | about 7 years ago | (#18807245)

This reminds me of the old joke about the two Russian comrades that read in Pravda how a new city in Siberia needs engineers. The story says the city wants for nothing, the store shelves are stocked, the store clerks courteous, and there are no lines. But they know that sometimes pravda is not isvestia (the truth) and it might be a trap. So they agree that one of them will go and write back if the stories are true. But if it's a trap their mail will be searched, so they agree on a code. If it is all lies the writer will write in red ink, and if true then in blue.

One day the letter arrives. It is in blue ink. It raves about the luxury goods, and the stores of plenty. In fact, says the writer, the only thing in short supply seems to be red ink.

The modern version would have the comrade unable to log in because all the keyboards were dvorak.

Re:Bad Idea (0, Troll)

cyphercell (843398) | about 7 years ago | (#18807681)

Good thing he finished the letter. Personally, I cut one of my fingers almost completely off and now there's a missing knuckle (fused) on my right index. I guess that kinda thing could happen to someone, you know that's sitting on launch codes or something, not good.

Re:Bad Idea (4, Funny)

bitt3n (941736) | about 7 years ago | (#18807951)

This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.
That's an easy problem to solve. Simply make sure to type your password the first time when you are in a horrible mood, and thereafter, repeatedly typing in your password will eventually result in a successful login.

No Soup For ... me? (4, Insightful)

mindlessLemming (961508) | about 7 years ago | (#18807133)

Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"

Re:No Soup For ... me? (1)

Ungrounded Lightning (62228) | about 7 years ago | (#18807213)

Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc.

Also if you:
  - change keyboards
  - change your chair
  - drink some coffee
  - use an unusual posture
  - catch the flu
  - lose your palmrest
  - ADD a palmrest
  - get carpal tunnel syndrome or other RSIs
  - lose a limb
  - (I could go on for a LONG time)

I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"

Better be sure you can get a replacement keyboard with the same layout or you'll NEVER get back in. B-)

Re:No Soup For ... me? (0, Redundant)

Zadaz (950521) | about 7 years ago | (#18807525)

That's pretty much the list that I made before I got to your post.

And what happens when you change your password?

Have a drink with dinner?

Are distracted by [child/tv/phone call/pron/cat/meteor shower]?

Are in a hurry because someone has a gun to your head or a hand down your pants?

I'm absolutely sure that my typing changes based on the time of day.

I'm sure this works in controlled experiments, but not worth paying any attention to outside of an academic paper.

Re:No Soup For ... me? (0)

Anonymous Coward | about 7 years ago | (#18807517)

I type well over 90wpm. I'm also susceptible to tension headaches. I often find that my typing speed and accuracy vary hugely, depending on what's going on that day. I can easily blow past 120wpm, while on other days, like after a massive headache, I couldn't type 60wpm without every word having typos.

I also wonder how this will work given that most users don't even remember their passwords, and probably have a master file or similar, so they just copy and paste their passwords in, particularly on not often used accounts.

I also have to wonder how this is going to fly with people with disabilities too. I haven't kept up re cases involving web or internet access compliance with the ADA (American Disabilities Act), but I'm left wondering if extra software like this will turn into legal and implementation combo disaster than something actually helpful.

Alcohol? (0)

Anonymous Coward | about 7 years ago | (#18807135)

Yeah, and if you're drunk, you're pretty much screwed. That could be a good thing however... I always remember my root password when I've had a few... even though it takes me a few minutes to login.

And then there are my friends who partake in other drugs and use their computers. My friend Ryan would have a hard time getting in when he's hopped up on benzodiazepines, and David, that amphetamine addict would type just too fast.

Reminds me of a story... (1)

rumblin'rabbit (711865) | about 7 years ago | (#18807137)

... of a guy who could only login successfully while sitting down, but not standing up. It took him some time to figure out why.

Any takers?

Re:Reminds me of a story... (0)

Anonymous Coward | about 7 years ago | (#18807181)

Short arms?

Re:Reminds me of a story... (1, Insightful)

Anonymous Coward | about 7 years ago | (#18807347)

Some keys on his keyboard had been switched. When he was sitting down, he wasn't looking at his keyboard and thus would type the correct password whereas he needed to look at it when he was standing up, therefore entering the wrong one.

--
Nicolas, who doesn't know if he spends too much time on /., but this story has been posted already. Oh, and I'm sorry for the bad english of this post, too.

Re:Reminds me of a story... (1)

Ai Olor-Wile (997427) | about 7 years ago | (#18807445)

He touch-typed when he sat down, and pecked when he stood up, and didn't know his password as well as his fingers did. (I.e., his memorisation of touch-typing was flawed, or his keys were offset.)

Re:Reminds me of a story... (1)

corvair2k1 (658439) | about 7 years ago | (#18807915)

He was a touch-typist, but only while sitting down. Someone had switched keys on his keyboard, and he had to look at them while typing standing up.

The whole story is pretty funny, how he and others were always arguing about what it could be... Magnetic interference, etc.

Interesting you mentioned WW2... (5, Informative)

jafo (11982) | about 7 years ago | (#18807141)

No, I'm not going to say you invoked Godwin's Law right at the top of the article...

I immediately thought of WW2 when I read the title. A Morse Code operator's style was called their "fist". German operators became quite adept at mimicking the fist of other operators, and using the fist to identify captured operators didn't work well. This is why they had other signals for identifying that an operator was not captured. Things that would look like a typographical or crypto error to a third party, but which were known to both the sender and receiver, and the absence of them would indicate capture. Of course, under stress, sometimes these were forgotten.

The book Silk and Cyanide has a great discussion of the fist and other identification techniques and how they failed and succeeded (mostly the former). Highly recommended.

Sean

Re:Interesting you mentioned WW2... (1)

qzulla (600807) | about 7 years ago | (#18807639)

But what would work well would be the pre-arranged password?

One would type the first few letters then hesitate.

TYPE THE PASSWORD, OLD MAN!

Then they would type the real password. The hesitation would trigger a warning. The real password would trigger he is still alive.

Boom!

We now have a password that was compromised but the enemy would not know it.

What do I win?

Given this is /. not much.

qz

Why not just have two passwords. (1)

Kadin2048 (468275) | about 7 years ago | (#18807949)

Why would this work any better than just having two distinct passwords, a regular one and a "distress" one?

I've often thought that they should do something like this for ATMs. You should have another PIN code that you can enter, which will work just like your regular one, but will also trigger an immediate silent alarm and mark the machine's video record that something was amiss.

Or on a computer, you have two passwords, one that's the real login, and another that causes the computer to open to a fake main screen, display dummy data, and silently start deleting the real stuff every time it has an opportunity to access the disk. It could also try to transmit some sort of a distress message, although that's harder to do on a computer where you have to assume that it can be disconnected from the outside world pretty trivially.

ssh (0)

Anonymous Coward | about 7 years ago | (#18807147)

So, how do they use it to authenticate over the wire?

Isn't everything bulk encrypted (i.e. whole password at once, rather than char by char) and then sent? How would this be useful then?

Re:ssh (1)

tepples (727027) | about 7 years ago | (#18807531)

how do they use it to authenticate over the wire?
Client-side software collects the biometrics, encrypts them, and sends them to the authentication server.

Re:ssh (1)

JasonTik (872158) | about 7 years ago | (#18807645)

Client-side software collects fake the biometrics, encrypts them, and sends them to the authentication server.
There. I fixed that for you.

Never trust the client.

Re:ssh (0)

Anonymous Coward | about 7 years ago | (#18807977)

Please don't encourage them.
We now have several instances (yes, I could google the news and paste the links, but I'm not looking for karma here) where body parts have been severed to authenticate biometrics.

Argl.

Do you know:
In Australian Woolworths supermarkets the clock in/out is your fingerprint?

Come the paranoia.

To answer your next question, Mr Troll, yes.. we did try the gummi bear trick. Worked a treat. I now regularly clock in 15 minutes before I can even get to the store :P (costs a bit in gummis though - but it's worth it. Pays for itself every time, even after the friend tax).

No Drunk Internets :( (3, Funny)

frup (998325) | about 7 years ago | (#18807151)

So now I won't be able to log in to forums and make a fool of myself when I'm drunk :(

Re:No Drunk Internets :( (1)

arth1 (260657) | about 7 years ago | (#18807435)

More likely, people will stay logged on even when they leave their machines and really should log off, because the hassle of logging in again becomes a nuisance.
Human psyche trumps any clever solution.

Might come in handy... (2, Interesting)

Tatisimo (1061320) | about 7 years ago | (#18807171)

Wonder if it can be used to prevent people from editing important documents while you take a quick break (hint: preventing your little brother from posting comments with your account)... "Error: Your Words Per Minute Do Not Match Your Normal Style. Please Try Again."

Re:Might come in handy... (3, Interesting)

mollymoo (202721) | about 7 years ago | (#18807221)

You don't need this technology for that, a regular password will do the job perfectly well. You just need to lock your computer when you're not using it. Every decent OS lets you do this with minimal fuss.

Re:Might come in handy... (1)

afidel (530433) | about 7 years ago | (#18807695)

Winkey+L is your friend on XP or 2k3. On a Mac you can do the same with Keychain Access Lock Screen. There are X applications to do the same.

Morse vs. typing (2, Interesting)

VGPowerlord (621254) | about 7 years ago | (#18807191)

While I think measuring typing speed as well as the password itself might work, comparing it to morse code speed is ludicrous.

Richards has apparently forgotten that morse code uses 1-key as opposed to passwords which use 47 character keys with the ability for a person to hold down the shift key to enter in an alternate version of any of those.

Which means that, when a person starts using a new password, they type it fairly slowly. However, as they get used to typing it, they gradually get faster at it.

What do you do when your own system locks you out because you've gotten better at typing your own password?

Re:Morse vs. typing (1)

Joebert (946227) | about 7 years ago | (#18807255)

What do you do when your own system locks you out because you've gotten better at typing your own password?

Call Microsoft & get the key to the back door.

Re:Morse vs. typing (1)

Alpha830RulZ (939527) | about 7 years ago | (#18807493)

My understanding is that the algorithm looks at the relative pace and intervals between keypresses, which appear to be persistent even as your overall typing speed varies. Or so the company says. I looked into this a bit when they were advertising a job I was interested in.

Re:Morse vs. typing (1)

wall0159 (881759) | about 7 years ago | (#18807771)


The system would likely use some form of adaptive filter or neural network. It would therefore adapt to changes in the password-entry-quantifiers over time, and this wouldn't be a problem - as long as the entered password followed the _trends_ of previously entered passwords.

Re:Morse vs. typing (1)

arth1 (260657) | about 7 years ago | (#18807935)

What do you do when your own system locks you out because you've gotten better at typing your own password?

Change your password?

Regards,
--
*Art

This is very old news (0, Redundant)

BillGatesLoveChild (1046184) | about 7 years ago | (#18807231)

I heard this first discussed in the 1980s.

Re:This is very old news (1)

Al Al Cool J (234559) | about 7 years ago | (#18807473)

No kidding. I implemented a primitive version of this in GWBASIC on an 8088 in the early 80s. It could identify me based on the way I typed my name. It worked reasonably well, considering I never actually learned to type. Jeez, that takes me back.

Re:This is very old news (0)

Anonymous Coward | about 7 years ago | (#18807495)

Not to mention "The Moon is a Harsh Mistress", wherein
the character Mike recognizes users by keystroke patterns.

Not very accurate for real world use (2, Insightful)

Jimmy King (828214) | about 7 years ago | (#18807237)

I read about this semi-recently (as in within the last year) and at that point the recognition based on the actual keystroke timing was pretty poor. With only 2 or 3 people they could tell who it was something like 90% of the time if I remember right. It got considerably worse as there were more people to recognize.

Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identity. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3 attempt lockout policy or the like.

Re:Not very accurate for real world use (1)

fractoid (1076465) | about 7 years ago | (#18807553)

Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identity. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3 attempt lockout policy or the like.
It's simply the suspenders part of a belt-and-suspenders system. If more than one person knows your password, you have problems regardless. But unless they mimic your typing well enough as well, when you get back from lunch break you get a 'three unauthorized login attempts with correct password' message and you think 'oh shit, I'd better change my password and this time not write it on a post-it note and stick it on my monitor.'

Come to think of it, it's kind of a honeypot for leaked passwords. At worst it tells you your typing's funny and you have to retry a few times. At best it will alert you to social engineering attempts before they cause data leakage/lossage.

Re:Not very accurate for real world use (0)

Anonymous Coward | about 7 years ago | (#18807829)

Can't wait till they start telling us, as well as changing our password every month, we must change our typing style as well...

Re:Not very accurate for real world use (1)

wall0159 (881759) | about 7 years ago | (#18807785)


Not really. Remember, this is being used to augment a password protection scheme. They can have a fairly low bar to acceptance (resulting in a relatively high false-acceptance* rate) and this doesn't matter, because it's still an extra thing an intruder needs to get right (as well as access to the password) to gain access to the system.

*I'm using "false-acceptance" to mean the system recognising a typed password as acceptable when really it shouldn't have.

Nothing To See Here, Move Along (4, Insightful)

mmurphy000 (556983) | about 7 years ago | (#18807249)

I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".

Here, I see two problems off the cuff:

  1. If it thinks you're not typing the password the same way, "it will ask some additional security questions". Hence, this is not significantly different than the cookie-based or IP-address based solutions used by some banks, where you need only a password if you're coming from a familiar PC and need to answer more questions if you're not. Phishers can just let the password-typing fail and fall back to collecting the answers to the security questions and break in that way.
  2. It'll only be reliable for people who use the same keyboard all the time. I know I type differently when I'm on my home PC (natural keyboard) vs. an office PC (flat keyboard) vs. my PDA (thumbboard). Particularly the way I type with two thumbs bears little resemblance to the way I touch-type. Now, it's possible they'll track different typing profiles, but eventually the profiles will grow to cover just about any typing pattern...

Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.

Re:Nothing To See Here, Move Along (1)

MojoReisen (218327) | about 7 years ago | (#18807537)

A couple years back, I was part of a project which implemented this product with little success. Your second point is right on, if the user switches keyboards (laptop vs. PC vs. home PC), then the system doesn't recognize their pattern and they need to re-register, which is a time-consuming process. Furthermore, the authentication is highly sensitive to latency, which results in the same failure to authenticate and subsequent need to re-register your typing cadence. Another point to consider is that it is highly sensitive to minor changes, such as if the user has a bandaid on one of their fingers then they experience the same issue.
To be fair, the sensitivity settings are configurable.
Needless to say, the user community revolted, and we pulled it.

Re:Nothing To See Here, Move Along (1)

Garridan (597129) | about 7 years ago | (#18807563)

No! This is frikkin' great! I can implement this in approx. 10 minutes in JavaScript. Post it for free, and his admittedly unpatentable $34000 server + subscription fee is rendered valueless! Think I'll do that now...

password loggers (1)

Takichi (1053302) | about 7 years ago | (#18807259)

The demo that they have for you to try it out shows a person who wrote their password on a piece of paper. I suppose it would help against that sort of password stealing, but it seems trivial to add the key entry timing to a password logger.

DVORAK Security (0)

Anonymous Coward | about 7 years ago | (#18807263)

This method makes sense for analog movement. The WWII morse code example applies, since it's the rate of the dot/dash signal that matters (it's a pressure or sound wave, essentially the telephone). Also, biometric writing signatures have unique speed and direction.

Keyboards, on the other hand, give mostly discrete signals. Each key is an ASCII (eg.) code. The keystroke speed is secondary, based on the keyboard. I type faster on my work keyboard than a tiny laptop; I have practice typing my password here. If I used a DVORAK keypad, then my password might take much longer to hunt-and-peck.

Besides, log-in is an *authorization* (permission) concern. Biometric is used to *authenticate* who the user is. X509 certificates or keycards are good for this, and have lower rejection rates.

Different typing methods (2, Interesting)

mjensen (118105) | about 7 years ago | (#18807303)

When holding a book or other items, I type one-handed. (joke as required)

I'd think that this system would have the user type their password multiple times looking for consistent spacing.

Seems like it would not work as I learn my passwd (5, Insightful)

rminsk (831757) | about 7 years ago | (#18807309)

When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle when people improve typing their password?

Re:Seems like it would not work as I learn my pass (1)

Blakey Rat (99501) | about 7 years ago | (#18807601)

What if you just came in from the cold and your fingers are stiff? What if you're using your laptop on your lap... top... and don't type the same way you do at your desk?

This is a stupid idea.

Evolving stream? (3, Interesting)

fineghal (989689) | about 7 years ago | (#18807323)

So I haven't RTFA and am just thinking out loud. Couldn't the problem of your typing speeding up or whatever due to your "comfort" level be solved by using an evolving stream? You've got the algorithm to determine similarity. Let's assume it's tuned to a 99% significance level. This is security right? But instead of comparing to an original, or arbitrary previous time, it compares it to your previous login, or perhaps a composite of the previous 2 logins. This way, your stored "fist" will evolve with you. I like it. It's conceptually easy at least. Any ideas on the CPU hit for this? Proof of concept?

Re:Evolving stream? (1)

hansamurai (907719) | about 7 years ago | (#18807591)

This is a great idea as the security system could develop thresholds using data from the last n logins between logins where there's plenty of time and processor power to do so. If you wanted to really get into it, you could have it learn how you type on a Monday (when you may be recovering from the weekend) compared to a Wednesday and develop thresholds more independently. Or even the time of day, 8:00am compared to 10am compared to 1pm is even probably different. Man, if this was open source I would love this.

back then (2, Funny)

Himring (646324) | about 7 years ago | (#18807325)

World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor.

It was all netware back then....

Strong passwords? (0)

Anonymous Coward | about 7 years ago | (#18807345)

Perhaps it is just because I don't think like a marketoid, but it seems to me that it would be much simpler, and more effective (not to mention cause less problems in the long-run) to just use longer passwords.

Rather than recording the timings between keypresses or other such nonsense, just add more keypresses.

Besides, if you are worried about keyloggers on your system, you've already lost.

Re:Strong passwords? (2, Interesting)

thePowerOfGrayskull (905905) | about 7 years ago | (#18807743)

Right! Because that's an easy thing for the 90% of users who use their pet or spouse or birthday for their password. (Yes, I did pull 90% out of my ass, but it's probably true in spite of that.)

I do this now. Sort of. (1)

rindeee (530084) | about 7 years ago | (#18807377)

When I choose passwords, I make them such that they are memorable by pattern vs. memorable by content. This accomplishes two important things: 1.) This makes my password entry VERY fast as it relies on muscle memory to a greater extent than thinking about the words I need to type and then typing them, and 2.) I am able to 'sense' typos without really thinking about it. Adding a system-side authentication scheme that senses my tempo, strike, etc. would be cool in order to defeat impostors. Cool stuff.

Select a Keyboard Please (1)

MSTCrow5429 (642744) | about 7 years ago | (#18807403)

What happens if I'm on the laptop keyboard, then the desktop keyboard? As I'm more attuned to the laptop atm, the desktop keyboard will have a different usage pattern. If I go from this keyboard to one on another desktop, it will be even more off.

SSH attack (1)

Wonko the Sane (25252) | about 7 years ago | (#18807405)

Wasn't there an attack for SSH challenge-response authentication that used the timing of packets to make it easier to brute-force your password?

Backdoor (0)

Anonymous Coward | about 7 years ago | (#18807433)

According to TFA, incorrectly typing the password a number of times will allow one to log in by spelling the password correctly and answering a second security question. Thus there is absolutely no point to this implementation, as it's the exact functional equivalent of simply having a user enter _two_ passwords. It can still be circumvented as easily.

Keyloggers (1)

Gojaroo (987220) | about 7 years ago | (#18807451)

With a more sophisticated password, there will always be a more sophisticated keylogger to capture all your keystroke information.

Some added security, but not much (4, Interesting)

quantaman (517394) | about 7 years ago | (#18807603)

From the article:

"You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."

Ahh, so really all they've really done is increased the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not as nearly as tough as the password, especially since no one expects it to be used) or they keep making occasional tries at logging in with the correct password until you find their cadence (probably not that hard).

Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags, chances are there will be so many false positives that no one will bother to follow up.

a.k.a. the Morse operator's "fist" (1)

IronTeardrop (913955) | about 7 years ago | (#18807619)

A Morse Code signaler's distinctive style was referred to as their "fist" [fists.org]. I thought it was also called their "hand" but couldn't find a reference for this.

Cat-like typing not detected.

Personal experience with BioPassword (2, Informative)

Anonymous Coward | about 7 years ago | (#18807683)

We have been offering BioPassword as an additional security feature for our web based application (Doc Mgmt). I have been fairly impressed with its capabilities.

You can configure a number of options such as # of attempts before activation which allows it to 'learn' your typing style.

You can also set the 'Pass/Fail' percentage. For instance 80% match so you don't have to type it in EXACTLY the same way every time.

Additionally you can disable BP for individual users if you wish (broken hand, etc).

Plenty of other configs for it as well. By and large, it has been a fairly hands-free security system once configured.
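
The "evolving stream" idea raised earlier in the thread (score each login against a composite of the last few accepted logins), combined with the learning period and pass percentage described in the comment just above, as an added sketch that is not BioPassword's code or any poster's. The class, option names, two-spread scoring rule and all timings are assumptions.

```javascript
// Added example; class name, option names and all timings below are assumptions.
class CadenceProfile {
  constructor({ enrollCount = 3, historySize = 5, passScore = 0.8, minSpreadMs = 10 } = {}) {
    Object.assign(this, { enrollCount, historySize, passScore, minSpreadMs });
    this.history = []; // most recent accepted samples, oldest first
  }
  // Per-feature mean and spread over the stored history.
  stats() {
    const n = this.history.length;
    return this.history[0].map((_, i) => {
      const col = this.history.map(s => s[i]);
      const mean = col.reduce((a, b) => a + b, 0) / n;
      const sd = Math.sqrt(col.reduce((a, b) => a + (b - mean) ** 2, 0) / n);
      return { mean, sd: Math.max(sd, this.minSpreadMs) }; // floor: never demand exact timing
    });
  }
  // Fraction of features within two spreads of the template mean.
  score(sample) {
    const st = this.stats();
    return sample.filter((v, i) => Math.abs(v - st[i].mean) <= 2 * st[i].sd).length / sample.length;
  }
  // Call only after the password itself has verified.
  attempt(sample) {
    if (this.history.length && sample.length !== this.history[0].length) return { accepted: false, score: 0 };
    if (this.history.length < this.enrollCount) {
      this.history.push(sample); // still learning: accept and record
      return { accepted: true, score: null };
    }
    const score = this.score(sample);
    const accepted = score >= this.passScore;
    if (accepted) { // only accepted samples move the template
      this.history.push(sample);
      if (this.history.length > this.historySize) this.history.shift();
    }
    return { accepted, score };
  }
}
// Constructed timings (ms) for a 4-key password: hold, gap, hold, gap, hold, gap, hold; s = speed-up.
const typed = s => [100, 200 - s, 100, 220 - s, 100, 180 - s, 100];
function demo() {
  const [evolving, fresh] = [0, 1].map(() => new CadenceProfile({ enrollCount: 3, historySize: 3 }));
  for (const s of [0, 5, 10]) { evolving.attempt(typed(s)); fresh.attempt(typed(s)); }
  return {
    drifting: [18, 26, 34, 42, 50].map(s => evolving.attempt(typed(s)).accepted), // gradual speed-up
    jumpVsEnrollment: fresh.attempt(typed(50)).accepted, // same final sample, original template
    otherRhythm: evolving.attempt([140, 120, 150, 300, 130, 90, 160]).accepted,
  };
}
console.log(demo());
```

The gradual speed-up is accepted at every step, while the same final sample fails against the untouched enrollment template, which is the "learning my password" failure described earlier in the thread.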

Used this on an Apple II (1)

SETIGuy (33768) | about 7 years ago | (#18807821)

The code itself came out of Nibble magazine, IIRC.

Someone listening to my typing could match my timing well enough to get in if they also knew the password.

Turing Tests? (1)

Gat0r30y (957941) | about 7 years ago | (#18807823)

Seriously. Does anyone else feel like they are taking a lot more Turing Tests [wikipedia.org] than are really necessary. I feel like I'm trying not to be a computer an awful lot lately. By the way, the neural networks that are capable of cracking the little picture puzzles they give us to get new accounts, they could probably be trained to learn a person's typing habits.

Re:Turing Tests? (1)

Gat0r30y (957941) | about 7 years ago | (#18807939)

Gojaroo brings up a good point. Keyloggers could just as easily capture this sort of info. Actually, for a senior project some classmates of mine made a keylogger, it was pretty wicked. Small enough nobody would notice, well on a PS/2 keyboard.

Servicing (1)

Short Circuit (52384) | about 7 years ago | (#18807853)

Does anybody else get the feeling that biometric features like this are going to make it more difficult to service users' PCs without already having a maintenance account on them?