Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Identify and Verify Users Based on How They Type

ScuttleMonkey posted about 6 years ago | from the is-anyone-that-consistant dept.


LinucksGirl writes to share an IBM DeveloperWorks article that shows how to support user verification through keystroke-dynamics processing by modifying the GNOME Display Manager (GDM). You can create and store a one-way encrypted hash of your keystroke patterns when entering your user name. The article shows how to add code to GDM to read current keystroke patterns and permit a user to log in when the characteristics are a match. An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered


not gonna work (5, Insightful)

superwiz (655733) | about 6 years ago | (#22965754)

Well, it might work if they allow for a rather broad variation in the frequence of mistakes. But personally, I make much more typos depending on how tired I am and how much caffeine I've had lately. I would assume that others do too. So when I am well-rested I might appear to be a completely different person from when I am even slightly tired.

Re:not gonna work (3, Insightful)

RobBebop (947356) | about 6 years ago | (#22966010)

Given the repletion required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.

I can type my typical "lastname/firstinitial" login name in about a third of a second. I can type my "firstname.lastname" in about half a second.

Given 5 minutes of practice with my name, you would probably be able to impersonate me - but as long as this system doesn't lock me out from my own account, this is a successful barrier that will make it harder for you to get into my system.

Then again... having a password that is hard to hack and running an operating system that is not easily hackable are stronger barriers that protect me from your infiltrations...

Re:not gonna work (3, Interesting)

TubeSteak (669689) | about 6 years ago | (#22966058)

Given the repletion required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.
Never IM'ed or IRC'ed with a drunk person, have you?

On the upside, no more embarrassing drunken e-mails to come back and bite you!

Re:not gonna work (2, Interesting)

Jurily (900488) | about 6 years ago | (#22966332)

You get that with a well-formed password too. I can't type mine drunk, ever.

BTW, there's really nothing more easy/secure than a password. You even get to choose which end of a spectrum you want.
I never cease to be amazed at the lenghts people go to make something better...

The big question is, would you trust a GNOME developer to distinguish you from your sister if you can't be bothered to make up a password she can't guess? Nevermind more serious issues.

Re:not gonna work (2, Insightful)

WaltBusterkeys (1156557) | about 6 years ago | (#22966552)

Or first thing in the morning after getting into work on a cold wintery day. Frozen fingers do not type well.

Re:not gonna work (1)

hedwards (940851) | about 6 years ago | (#22966764)

Quite so, and this sort of thing would make it quite difficult for those with arthritis or other joint problems to log in.

And it would require that the key board be placed in a consistent manner, that the box not be under considerable load as well as for the person to touch type their log in information.

Re:not gonna work (5, Interesting)

moderatorrater (1095745) | about 6 years ago | (#22966014)

plus for me, this will only work if they test it against another login with the same username and password. The rhythm and speed of my typing in a username depends on which one it is, and the same goes for the password.

However, within the bounds of an identical username/password combination, I would imagine that it would work well for me. The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand? I imagine the usefulness of this technology is in merely logging the "signature" pattern rather than locking someone else based on it. Bruce Schneier [schneier.com] has the basic arguments and a much better analysis than I could produce.

Re:not gonna work (1)

TubeSteak (669689) | about 6 years ago | (#22966126)

The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand?
Treat your user account like it has a hidden volume.

Your 'signature' password gives you full access to the account. Your password gives you basic access to the account, with the option of another password to unlock full access to your files and settings..

Re:not gonna work (1)

denmarkw00t (892627) | about 6 years ago | (#22966216)

The rhythm and speed of my typing in a username depends on which one it is, and the same goes for the password.

I would think the system had some kind of "learning" ability, where it would authenticate you normally via your user:pass pair, and collect data about your typing habits. Once it had x data or was in a "trained" state, it should be able to recognize your rhythm and know which user you're logging in as based on the letters you start typing.

Re:not gonna work (4, Interesting)

Z34107 (925136) | about 6 years ago | (#22966696)

There are characteristics in common with everything "normal" you type - for example, Mavis Beacon Teaches Typing(tm) back in the Glory Days of Windows 3.11 could tell me that my 4th finger on my left hand is weak - making a lot of typos on the "w", you see. It was nifty looking at the profiles of every user in that program for little tidbits like that, and logging onto my brother's profile and laughing as it commented how much he had "improved."

But... do those things apply when typing a password? The whole consistent rhythm and speed thing? Or maybe that makes it easier.

Perhaps a better solution would be to emulate voice recognition - train the security software to recognize your typing, and have it watch you as you're logged in. Just as you can train voice recognition to work with multiple speakers, you could train the security software to recognize "sober me", "drunk me", "caffeinated me", etc. (And not let "drunk me" send e-mail, and maybe schedule my development IDE processes at a higher priority for "caffeinated me", etc.)

Re:not gonna work (0)

Anonymous Coward | about 6 years ago | (#22966724)

Judging by the comments, it sounds like most people don't have their passwords set to expire.
So does anyone actually remember what happens after your grace period and you're forced to change a password? Yes - you spend a minute figuring out something you'll remember that complies with your password requisites, then you have to key it in.

The first time you learn any phrase (like a new password), entry is always different than it will be a week down the track once you've had a chance to get the repetition into your system.

That's why I couldn't see this working in a corporate environment - we get enough phone calls as it is saying "I've forgot my password", let alone "I've forgotten the keystroke pattern that was used when I set up my password".
Although - credit where it's worth - it is a pretty cool idea.

Re:not gonna work (1)

OneTweezyStyle (1003537) | about 6 years ago | (#22966042)

I feel that the idea has some merit. It has occurred to me on a few separate occasions that the pattern of my keystrokes when entering passwords is highly consistent after a brief period of acclimation to the new password. I could easily see the pattern of keystrokes being used as an additional verification factor. Much as with other forms of verification having a biological basis, I can foresee a few potential issues (e.g. the voice recognition system at my firm doesn't recognize me when I have a "cowde"). For example, what happens when I get a new keyboard, or log in from a terminal with a different keyboard?

Re:not gonna work (2, Interesting)

SharpFang (651121) | about 6 years ago | (#22966142)

I wouldn't be surprised if it produced less false negatives than standard login/password pair. By false negatives I mean typos in username/password.

I mean, I don't know about you but I make typing mistakes at my login and password about as often as not, though I type them always in a consistent rhythm. The system could very neatly ignore the typos resulting from pressing a neighbor key or even typing with your hand a whole line of keys away, meaning you got half of what you typed wrong. "Timing is right, he pressed 'o' instead of 'p', we can accept it."

It should not replace password-based authentication but it can neatly suplement it - you either type your password 100% correctly (say, with one hand, holding earphone in the other so the "rhythm" is none), or you type it fast, you make a mistake, but the way you type it, and the kind of mistake says it's you and the password gets accepted.

Accidents? (3, Funny)

blueboy31 (822804) | about 6 years ago | (#22966250)

This works great until you lose a finger, thumb, hand, etc in that freak accident. Talk about adding insult to injury -- your own computer won't even accept you with your newfound handicap!

Re:not gonna work (1)

djdbass (1037730) | about 6 years ago | (#22966564)

My bank has had this for a few months now.
You're right. It doesn't work.
Ultimately the false negative rate is so high [leads to] so many people get their password revoked [leads to] so they make resetting your password a "self service" feature with "Choose your own questions..." authentication.

Then the users make their questions along the lines of: "What color is blue?"

Only works sometimes (1)

EmbeddedJanitor (597831) | about 6 years ago | (#22966750)

I'm typing this lying in bed. My typing dynamics are completely different than when I'm sitting at a desk. The keyboard makes a difference too.

Re:not gonna work (1)

SatanicPuppy (611928) | about 6 years ago | (#22966756)

That doesn't even apply to "conscious" differences. If I'm talking on the phone and typing in my password with my left hand (which will take a bit because I'll have to do the pinky-thumb shift dance to do the special characters), it's going to lock me out because I don't type like me?

The only use I see for this is for an amusing/ironic plot twist in a hollywood movie, where someone gets killed because he can't type in the password like he would normally type it in due to some contrived stress situation.

Really? (0)

Anonymous Coward | about 6 years ago | (#22965756)

An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.

Something like a password that you've typed hundreds of times probably has a more regular pattern than you think, unless you regularly get interrupted in the half second i takes for you to type it... Muscle memory, etc

Re:Really? (1)

LiquidCoooled (634315) | about 6 years ago | (#22965904)

How do you log into your computer the day after you sprain your wrist or get a new keyboard or are laid back or have a drink in hand or are scratching your chin or .....

Re:Really? (2, Interesting)

ArcherB (796902) | about 6 years ago | (#22966024)

Something like a password that you've typed hundreds of times probably has a more regular pattern than you think, unless you regularly get interrupted in the half second i takes for you to type it... Muscle memory, etc
That's all find and dandy until you break a finger, or get a hang nail or try to log in while holding a cup of coffee or any of the limitless things that can happen to slow, speed up, or change the rhythm of your typing.

Re:Really? (1)

farker haiku (883529) | about 6 years ago | (#22966486)

Or after you change your password like most of us are required to do every few months. Somehow I don't think I'll be as fast at typing in my new password for the first few weeks after I change it.

Oww I broke a finger... (4, Interesting)

LighterShadeOfBlack (1011407) | about 6 years ago | (#22965758)

...And now I can't log in.


Re:Oww I broke a finger... (1)

baudilus (665036) | about 6 years ago | (#22965856)

Did they say the same thing about biometric authentication (e.g. fingerprints)? Besides, if you're checking /. right after you break your finger, you might want to get out of the basement more often. :P

Re:Oww I broke a finger... (1)

neumayr (819083) | about 6 years ago | (#22965924)

So you can't imagine that breaking a finger might have some effect on your typing pattern?

Re:Oww I broke a finger... (2, Funny)

ShieldW0lf (601553) | about 6 years ago | (#22966182)

Biometric authentication is a far, far stupider idea than this is. Yes, not being able to log in when you're drunk is bad, but having to exchange your finger and your eyeball for a new one because someone posted a high-resolution photo of them online is much, much worse.

Re:Oww I broke a finger... (0)

Anonymous Coward | about 6 years ago | (#22966310)

Yes, the security of the world has been put in major peril by all those high resolution photos of irises and fingertip that have been circulating around the Internet. Eye porn will be the death of us all!

Re:Oww I broke a finger... (1)

ShieldW0lf (601553) | about 6 years ago | (#22966588)

Yes, the security of the world has been put in major peril by all those high resolution photos of irises and fingertip that have been circulating around the Internet. Eye porn will be the death of us all!

http://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated/ [theregister.co.uk]

He sure seemed to think it was a big deal. Wonder how anxious he will be to create pervasive biometric requirements now.

Re:Oww I broke a finger... (1)

ArsonSmith (13997) | about 6 years ago | (#22966342)

That'd be really bad if the security mechanism only relied on one of the three main identifiers. Luckily most will use at least 2.

3 main security identifiers:
1. something you are (biometric, finger print, retina scan)
2. something you have (id card)
3. something you know (pin or password)

Re:Oww I broke a finger... (1)

mweather (1089505) | about 6 years ago | (#22966266)

Did they say the same thing about biometric authentication (e.g. fingerprints)?
Do fingerprint Ids work after I accidentally buff my fingerprints off with a belt sander? No. Do retina ids work after I poke my eye out? No. Are either of these things likely? No. But an injury that would affect your typing? Very likely.

Re:Oww I broke a finger... (1)

Haeleth (414428) | about 6 years ago | (#22966312)

Did they say the same thing about biometric authentication (e.g. fingerprints)?
They did indeed. Which is just one of many reasons why hardly anyone actually uses biometric authentication for anything serious...

Re:Oww I broke a finger... (1)

drspliff (652992) | about 6 years ago | (#22966582)

Yeah, anything serious - like the UK national ID scheme their trying to push through which apparently will rely heavily on "biometric data" in future.

Re:Oww I broke a finger... (1)

mweather (1089505) | about 6 years ago | (#22966798)

Biometric data /= biometric authentication. If you're horribly disfifgured in an accident, they can still access your data and change it. Not so if the only way to access it was with biometric data.

Re:Oww I broke a finger... (1)

LighterShadeOfBlack (1011407) | about 6 years ago | (#22966482)

Well breaking a finger wouldn't stop you getting the fingerprint generally speaking. Even if it did you'd have up to nine others to pick from with any decent system.

If you manage to incapacitate all ten fingers in such a way that you can't get a print scan off any of them maybe that's a good warning to your boss that you need a competency review. Or at least a holiday until something heals.

Re:Oww I broke a finger... (2, Interesting)

denmarkw00t (892627) | about 6 years ago | (#22966334)

To the broken finger crowd and the "few too manys": you should also note that it didn't appear to me that this feature would lock you out, to me it seemed more like it might speed up the login process while making it slightly more secure - no clicking "Login" because it "knows" its you, and if its someone pecking at the keyboard it could send you an alert via /var/log/yourlogofchoice for later review (or mail sms whathaveyou). Of course, I'm sure you could change the level of aggressiveness to not allow someone to login unless the differences is stroke pattern are within a small error tolerance.

Obvious issue (2, Funny)

Gat0r30y (957941) | about 6 years ago | (#22965782)

How am I supposed to log in after a few too many? Wait, maybe thats not an issue after all, maybe its a feature.

Re:Obvious issue (0)

Anonymous Coward | about 6 years ago | (#22965832)

May I humbly suggest that "Hell hath no fury like the vast robot armIES of a woman scornED?"

Re:Obvious issue (4, Funny)

baudilus (665036) | about 6 years ago | (#22965918)

I'd be much happier if Blackberries had Breathalyzers before they allow people to email me at 2 AM. Good grief!

All Cell phones , Not just the BBs (3, Funny)

DRAGONWEEZEL (125809) | about 6 years ago | (#22966104)

Please, drunk dialing should be a civil infraction penalized in this manner

for each # called...

1st offense:
        A stern warning.
2nd offense:
        $250 restitution to the victim, 1 months probation
3rd offense:

That's OK (4, Insightful)

treeves (963993) | about 6 years ago | (#22965790)

My guess is that your inconsistency is part of what distinguishes you from other typists and the software uses that information to its advantage. Other people are more consistent, less consistent, inconsistent in different ways. I know I type with about four fingers: my left index finger, my right index and middle fingers, and my right thumb, and I also know I tend to make certain typos more often than others. I suspect that those things contribute to the distinct pattern in my typing that could be identified. Still, I'm sure I would not want to use to such a scheme for identity verification.

Privacy implications (1)

megaditto (982598) | about 6 years ago | (#22966000)

What would this program think if it detected you periodically typing with just one hand?

Re:Privacy implications (1)

baudilus (665036) | about 6 years ago | (#22966150)

Then Clippy pops up.

Hi! It looks like your finger is broken! Would you like help filling out your insurance claim?

|Yes| |No|

Re:Privacy implications (0)

Anonymous Coward | about 6 years ago | (#22966370)

/    It looks like you are surfing porn     \
| sites. Would you like help  getting laid? |
\ (Yes) (No)          (Maybe later)         /
       \     ____
        \   / __ \
         \  O|  |O|
            ||  | |
            ||  | |
            ||    |
cpu0: Microsoft Clippium ("GenuineClippy" ChromedMetal-Class). Paperbinding, lockpicking, fish-hook-hack support. Template lifted from http://slashdot.org/~ClippySay

Re:Privacy implications (1)

thePowerOfGrayskull (905905) | about 6 years ago | (#22966402)

Then Clippy pops up. Hi! It looks like your finger is broken! Would you like help filling out your insurance claim? |Yes| |No|
I think you have it wrong. After a minute or two of such typing:

"Hi! It looks like this is becoming detrimental to your performance. Would you like me to order you some vasoline to help speed up the process next time?"

Re:That's OK (0)

Anonymous Coward | about 6 years ago | (#22966192)

What??? You mean you surf /. and can't touch type! Next you're be telling us you have one of these "girlfriend" things.

Re:That's OK (1)

Hrodvitnir (101283) | about 6 years ago | (#22966328)

The school district I work for uses similar technology to verify all staff members. The software gathers up typing method from 9 entries of username and password, and allows for a percentage match - which we currently have set at the recommended 37%. We have a small percentage of users that have trouble logging in due to inconsistencies. For these users we recommend they slow down and consciously pick a rhythm for typing their username and password. For those with medical issues, we have a system in place to adjust the match percentage or turn it off altogether.

Once in awhile we have an issue with new fingernails, though...

Re:That's OK (0)

Anonymous Coward | about 6 years ago | (#22966760)

This could be useful as a shortcut for password based authentication. If the software detects that it's "you" typing your username, you're automatically logged in, otherwise you have to enter your password as usual to log in.

Of course, if an attacker can determine your unique typing pattern, they could log in without your password. You could this by, for example, secretly making an audio recording as the user types their username and using the inter-keystroke timing information to recreate their typing signature. Or, more cleverly, if you're on a multiuser system you could poll /proc/interrupts, monitoring the keyboard interrupt to determine when someone has pressed a key, and then quite easily reproduce their typing pattern.

Check more often? (1)

baudilus (665036) | about 6 years ago | (#22965800)

While they're at it, they should have the software periodically verify that whoever is typing on the system is (or could be) the same person that is logged in.

But then again, how would I prank people at work when they leave their systems unlocked?

inconsistent (3, Informative)

flynt (248848) | about 6 years ago | (#22965802)

An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.

That's precisely what some statistical methods are designed to do, find patterns about the inconsistencies. I haven't read this proposal, so can't comment more, but 'leaning' in the presence of variation is basically what modern statistics is all about.

Re:inconsistent (1, Interesting)

Anonymous Coward | about 6 years ago | (#22966162)

I used to work as a developer at Netnanny Software, who produced Biopassword (Now Biopassword, LLC).

I worked on a port from the windows system, using the MS GINA, to develop a plain input-agnostic library that you could plug X/GNOME/KDE/whatever into using Linux, with the aim of making it portable across all platforms.

Believe me when I say that keystroke dynamics really does work. The first iterations of the BioPassword product were "OK", but really were limited in the sense that when a user enrolled, their typing template was based on a static number of entries (normally 15), so the data set was limited by the fact that those 15 entries can vary quite significantly. It also did not learn over time about how the user entered their username/password combo. (the reason this is important is that after a couple of weeks, you no longer think about your password, it is a physical "memory" that your fingers type for you).

Later iterations created several "buckets" (low/med/high) that an enrollment sample went into, and you kept entering the u/p combo until enough of a particular bucket had been filled enough, compared to the other buckets. This made it much more reliable, and although I was able to "break" the first iteration about 1 out of every 20 times after listening to the person enroll, I never once was able to break it after the new categorization system.

The real beauty of it is that it works for "hunt and peckers", as well as touch/speed typers. Each person has a unique way of typing a particular username and password combination, and the concept is very simple, really, with at its core, is the timing of the "flight time" (time between keypresses) and "landing time" (time that a key is held for), in microseconds.

As with any biometric, there needs to be an "override" or backdoor that can be overridden by an administrator or even yourself. That's why even the fingerprint readers don't completely commit to being biometric only (although some you can set it to only use fingerprints). Actually, the IBM fingerprint software I'm using basically ends up typing in your username/password FOR YOU to the MS GINA.

The override is useful in times when you've broken your hand, fingers, are drunk, or whatnot. For a local user on your own home PC the latter would be nice to override, but at work, it might actually be a useful "mental state" indicator. Speaking of which, we often found that typing rhythms changed throughout the day. Monday mornings were slower than Thursday afternoons, for example, and could trip a false negative.

Which also reminds me that the threshold for accuracy was adjustable as well by the administrator, so there was some measure of control over how mean you wanted to be.

It was really fun and interesting work. I have often thought of developing a FOSS version for the world to use, but I fear repercussions from litigation for the fact that I was so intimately involved with the innards of it.

I would definitely recommend downloading a demo (they used to have one available, don't know if that's still the case now), and trying it out - it's fascinating, since it's one of those things you need to see to believe.


This concept is about 3 years old if IIRC (2, Insightful)

DRAGONWEEZEL (125809) | about 6 years ago | (#22965830)

Maybe not w/ gnome, but I remember a Slashdot article about this a few years back. One thing to note, while some people might be irregular, almost anyone who keys in a UID every day will have some sort of "pattern" to the time between keystrokes.

Typematic rate lol....

It's really interesting to see what the differences are between key presses when recording a macro w/ a G15. (if you have this awesome keyboard, and don't know what I am talking about try it out!) I have done this cause I am weird... but you could try too!

If you record a significant count of you typing in a UID and PW on a given site (that you use frequently) you will find a unique structure to the timing of the keystrokes. While the G15 doesn't go to the # of digits needed for secure authorization, it can show you that there is little variance over a large number of true trials.

Re:This concept is about 3 years old if IIRC (2, Interesting)

jellomizer (103300) | about 6 years ago | (#22966084)

Older then that...
I thought about it when I was a kid running my own BBS. The old BBS Software had a realtime display of what the person is typeing so I could normally tell if it is someone who is the origional user or someone using someones else account. I though about making a program that checks the time between keystrokes and give them a level of error, as extra security... but I decided not to do it, for the main reasons. Somone may have something in their hands that day or. Bit tired or Hyper, also a lot of pople had the passwords as Key Macros, so it was just kinda not worth the work and any fustration on the users part.

Flashbacks... (1)

DRAGONWEEZEL (125809) | about 6 years ago | (#22966164)

Ahh you made me remember sweet violet, and BRE, and the Tacoma Area BBS listing (TABBS) that was printed in the paper. I met and ran into a few sysops in my day but never had the resources at that time to start one up. I often think the BBS format may rise again over tcp/ip if P2P gets destroyed. It'd be so easy to hide them on open networks accross the country.

But that is offtopic, and I am probably flagged as a terrorist after that last sentance...
Oh well.

Re:Flashbacks... (1)

jellomizer (103300) | about 6 years ago | (#22966278)

ATDT 5551234
Connected 2400 bps
Login: jellomizer
User not found

Login: jelomizer
User not found

Login: +++ath0

No Carrier

Concept is actually much older (0)

Anonymous Coward | about 6 years ago | (#22966270)

This dates back to the days of Telegraph when individual telegraph operators could be identified by the way they type. They used to use it as a means of identification during WWII to see if they could find impostors. This book [amazon.com] talks about it a little bit. I highly recommend it even otherwise - it's a very good read.

Also check out Keystroke Dynamics [wikipedia.org] on Wikipedia.


Old as morse code? (1)

grassy_knoll (412409) | about 6 years ago | (#22966720)

From the description, it sounds like identifying a morse code operator by their "fist"

from the all knowing wikipedia [wikipedia.org] :

All telegraphists unconsciously develop personal quirks, or characteristics, which collectively are called one's "fist." While it is easy to send a jerky or "choppy" code with any type of keyer, as well as to make inconsistently longer or shorter dits or dahs overall or in certain characters, the type of key in use may greatly influence one's sending as it sounds to the receiving operator. A common fault with using a semi-automatic key is to make the dits too fast as compared with the dahs. Sideswipers tend to encourage to some very oddly timed characters and inconsistent formations.

Whoa! (0)

Anonymous Coward | about 6 years ago | (#22965842)

I stopped reading at LinucksGirl. Be still my heart!

CTRL-ALT-DEL (2, Funny)

c0d3r (156687) | about 6 years ago | (#22965860)

Dang, I still find it hard to press the C-T-R-L-A-L-T-D-E-L keys hard to press at the same time before entering my password on windows.


DRAGONWEEZEL (125809) | about 6 years ago | (#22965966)

That's why it's called the 3 finger salute!

My freind has a song sung to the tune of camptown races.

Ctrl-Alt-Delete format reinstall do dah do dah

Throw your data out the door do dah do dah

I don't remember the rest but it's pretty funny.

Dvorak + Qwerty users?! (0)

Anonymous Coward | about 6 years ago | (#22965876)

What happens if we don't even type on the same keyboard layout all the time? I'd love to see what that software would do!

Re:Dvorak + Qwerty users?! (1)

Homer's Donuts (838704) | about 6 years ago | (#22966116)

Dvorak? What happens when I replace this $3.99 Inland keyboard I'm using. You have to hammer the left shift to get caps and the '2' you have to hit twice to make one '2'. Here watch... 11222@@@@@@@22233### @@ asDF Hey this cable is loo

Prevent those mistakes (1)

Beavertank (1178717) | about 6 years ago | (#22965970)

If you set it to verify loosely enough that it'll ignore subtle variations it could work, but think of the applications to preventing embarrassment... no more drunk IMs or emails that you really shouldn't send since it won't even let you log in.

sure, this can work... (1)

zappepcs (820751) | about 6 years ago | (#22965974)

Why not add a signature verification pad to the pc as well? If you can type the right way and reasonably falsify a signature you can login and go to /. to read all about it....

Would be nice as a supplement, however (2, Insightful)

Thought1 (1132989) | about 6 years ago | (#22965990)

It wouldn't be good as a primary means of validation (for the reasons listed in prior comments), but it would be good as a supplemental validation, giving a "higher likelihood" that the person is who they say they are.

Re:Would be nice as a supplement, however (1)

wattrlz (1162603) | about 6 years ago | (#22966202)

It would certainly be better than answering all those stupid questions when trying to view your checking account balance online.

It'll never work (4, Funny)

amplt1337 (707922) | about 6 years ago | (#22966032)

How on God's green earth am I going to write down my keystroke patterns on a sticky note on my monitor???

Re:It'll never work (0)

Anonymous Coward | about 6 years ago | (#22966628)

Ask the researchers in the other story about recording the finger movements of a clarinet player as a method of storing the music. Brilliant!

Re:It'll never work (1)

skybrian (8681) | about 6 years ago | (#22966726)

No, the real question is: how do you propose we keep our keystroke patterns a secret from someone who wants to record them? Do we have to refuse to use keyboards in public terminals now?

Your penalty is to type this fifty times:

Biometrics are unique identifiers, but they are not secrets.

I bet someone has this patented (0)

Anonymous Coward | about 6 years ago | (#22966110)

.. but yeah.. there are so many issues.. What about signing in via a mobile device or a keyboard you're not used to? What about copy/pasting your password? (I do that sometimes..) It's a neat idea but it will fail.

You might think, but... (1)

denmarkw00t (892627) | about 6 years ago | (#22966132)

"An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work."

I think this could be along the lines of identifying someone's signature, granted there is more detail in handwriting. However, we all have a very specific expectation of how the keys are going to type, we have our rhythm of how we're going to type it in time with the way we mentally chunk out login information. I would think that any habitual computer user can type their username/password in their sleep exactly the same as they would at a terminal, and all of that timing information should vary from person-to-person. Don't forget about pressure and keypress duration (quick taps versus "deeper" presses on keys).

What if... (1)

mishan (146987) | about 6 years ago | (#22966170)

What if you happened to have fractured your wrist like I did recently? My typing is much different with my left hand in a short-arm cast now I can say for sure.

There are all sorts of hand injuries that could change your typing style.

Also is it just me or do people make more typos in the morning?

lock out injured users? (1)

drfireman (101623) | about 6 years ago | (#22966204)

A quick skim, and I didn't see any details on the false alarm rate of this method, or any detail on how a user could log in with a broken (or severely papercut!) finger. Or when breaking in a new keyoard. It would certainly be a fatal problem for this method if it would lock out users who for whatever reason have their timings temporarily altered. It would also be a pretty fatal flaw if it turns out there's a substantial false alarm rate.

Useful after the fact, perhaps (2, Insightful)

6Yankee (597075) | about 6 years ago | (#22966252)

I don't fancy using this as a replacement for login/password, but if you haul Joe User down to HR for surfing pr0n, he pulls the "Naughty Bob stole my password" trick, and you can demonstrate that the usage pattern looks a hell of a lot more like Joe User's other sessions than Naughty Bob's... ...or vice versa, and have some idea who really did steal Joe's password.

Bank does this (1)

RandoX (828285) | about 6 years ago | (#22966264)

My bank does this with my login info. You can know my username and password, but if you don't type it like I do, you don't get in.

Might make a good alarm, but poor authorization. (2, Insightful)

Vellmont (569020) | about 6 years ago | (#22966284)

I just have to believe this is going to produce a lot of rejected authorizations that shouldn't have been rejected. Also as someone pointed out, what about the legitimate times when someone else is using your username/password? (your boss needs something while you're away on vacation, etc).

This might work out well for some kind of intrusion detection system though. Look for cases where there's two people consistently typing in the password two different ways. Then set off an alert to the administrator. There's legit cases for that of course (root/admin password comes to mind), but you just exclude those cases.

Pro and con (1)

kaynaan (1180525) | about 6 years ago | (#22966290)

This does not seem like a bright idea at all. I was eating lucnh at my desk (yeah i know i know.. ) and i logged into /. by typing with one hand which is not how i usually type ..... there is just too many scenarios that go against this approach

Large enough sample set? (3, Interesting)

192939495969798999 (58312) | about 6 years ago | (#22966340)

I don't think a username is enough of a sample set to determine a typing pattern. Wouldn't you need to copy down a paragraph of text to have any chance of determining patterns in typing style? I.e. at the very least, "the quick brown fox jumped over the lazy sleeping dog" type stuff to hit all the characters?

Oblig Bash quote (3, Funny)

xtracto (837672) | about 6 years ago | (#22966390)

From bash.org [bash.org]


stupid lameness filterstupid lameness filterstupid lameness filterstupid lameness filter stupid lameness filter Filter error: Please use fewer 'junk' characters. Filter error: Please use fewer 'junk' characters.

small sample size (1)

kaynaan (1180525) | about 6 years ago | (#22966408)

Can any of the more experienced developers comment on this approach from a application desing point of view. the whole idea of a username/password is a combination of information that is unique. everybody on /. may have the same password but cannot have the same surname/password combo The sample size we are talking about here (speed of typing)seems very small there has to be X number of users that type with the same speed unless there is another factor involved that is used in combination ?

Works for me (1)

PhilipPeake (711883) | about 6 years ago | (#22966550)

My bank uses this as the biometric factor required to access online services. When they announced this change I expected to be having to respond to my additional ID challenges almost every time I logged in. That hasn't turned out to be the case, I have only tripped up on it once. I suspect that it is not a strong enough test in itself to rely upon, but when combined with having to know the password it probably does add an extra layer of security.


Anonymous Coward | about 6 years ago | (#22966576)

Or one of the other virtual TTYs.

As for security, this would be nothing more than a silly, ineffective gimmick.

pointless (1)

BigJClark (1226554) | about 6 years ago | (#22966664)

uh yeah, so there is software out there, that logs how you type your password, to be used as a method of user identification.

Oh, I dunno, how about your.. PASSWORD

This must have come from the Department of Redundancy Department.

Faster over time? (1)

DeadboltX (751907) | about 6 years ago | (#22966668)

Whenever I select a new password for myself I am always a little bit slower at typing it because I am not used to it. Weeks go by and I find myself getting faster and faster at typing my password until finally I am able to type out a 20 character password in under a second.

To this system I will be two completely different people from the time I changed my password to the time I mastered it and presumably at notable milestones in between.

Obviously this is a problem.

OWA has this, it sucks! (1)

RManning (544016) | about 6 years ago | (#22966758)

At my office we have Outlook Web Access. It has a keystroke sensing thing. It's awful! I have a laptop that's connected to an ergonomic keyboard at work. When I'm on the road I use the built-in keyboard. I'm not sure which one I used to "register", but I can't get in now using either.

Tin-Foil Story (2, Funny)

chord.wav (599850) | about 6 years ago | (#22966774)

...and when this hashing algorithm was implemented in Javascript, it meant the end for anonymous cowards...
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account