Typing Patterns for Authentication

Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."

Fist

[Nimey (114278)]

A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.

I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

Re:Fist

[OECD (639690)]

Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.

Re:Fist

[justinbach (1002761)]

So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover?

Man, I don't know about those circumstances, but I would welcome an online financial transaction system that's good enough to recognize whether or not I'm drunkenly typing in my credit card number after a night on the town. The combination of woot.com and a few too many beers has on more than one occasion proved fatal to both my self-respect and my checking account...as if two Roombas isn't enough as it is!

Re:Fist

[by Anonymous Coward]

man, what an exciting life... getting drunk and buying stuff online! You're giving Keith Richards a run for his money...

Re:Fist

[ajs318 (655362)]

One morning I woke up surrounded by empty beer cans, an ashtray full of roaches, my wallet out, my debit card out of my wallet, my laptop out of juice ..... and a blinding headache. I was dimly aware of having ordered something online but couldn't for the life of me think either what it was, or where from. Though my browsing history had apparently survived the enforced fsck, there were still many things it could have been.

A few days later, a Palm Tungsten arrived at my place of work; and when my bank statement arrived, that turned out to have been the only purchase I had made during those lost hours. It could have been worse. A lot worse, judging by my the sites in my browser history!

Lesson: Don't order stuff online while pissed and/or stoned.

Re:

[ajs318 (655362)]

And it's kind of cool to have a Christmas every week.

That's as maybe; but it's not so cool having a January statement every month, though .....

Re:Fist

[cyphercell (843398)]

Man if I was you, I would drink more before I stole money from myself. Two Roombas? When you're drunk? What the hell is wrong with renting a hotel room and puking in the pool? Or renting a limo to drive you out, without enough cash to get back? Or, hire a stripper to sneak into bed with your best friend and his wife, so you can buy him a beer the next night, then claim poverty on him. Dude, you need some alcoholism.

Sharing Secrets

[NetSettler (460623)]

So now it makes a difference if...

Yeah, not only that, but imagine when you've forgotten something important and you call home to talk to your spouse to get it.

Spouse: What's your password?
You: It's "My name is my passport."
Spouse: That whole thing? That's a lot of letters. Ok, I'm typing it.
You: Are you in?
Spouse: Nope. It says I'm not typing it right. How do you type it?
You: Huh? Oh, right. I forgot. Lean heavy on the first n and the two y's. And pause slightly after every other space.
Spouse: It's still not working.
You: Did I mention that I'm slow to reach a y and then slow again for whatever character follows? It's quite a reach.
Spouse: Ok, I'll try. Nope. Not working.
You: Oh, right. And try to type it at 80 words per minute.
Spouse: I only type 20.
You: Never mind. I'll drive home and get the info. It'll be faster.

Re:Sharing Secrets

[by Anonymous Coward]

Never, EVER, give your wife your password! What the heck are you smoking?!?!

Re:

[LordSnooty (853791)]

Agreed. Everything might be hunky-dory now, but what will the future hold? The bank can easily solve this by providing the wife with her own logon account, then attaching the various bank accounts she has authority over. At the very least it will maintain a proper audit trial, if the relationship went bad and the wife used the husband's logon to empty all the accounts, could he prove that it wasn't him who did the deed?

Re:

[MrNaz (730548)]

No, it's being on /. the concept of "wife" is not understood. The only time /. has contact with wives is mail order brides, and believe you me, you do not want to give them your banking details*.

* No, I'm not speaking from experience.

Re:

[Kidbro (80868)]

sharing a simple piece of information that can be changed at any time with someone you have no good reason to be keeping secrets from

I can think of several people that could know the password after that telephone conversation, some of which the people having the conversation won't even know exist. One of many reasons to never share your password with anyone is that in the act of sharing it you expose it to potential (untrusted) snoopers, even if you trust the intended recipient.
Frankly, the whole argument w

Re:

[cyphercell (843398)]

Why the fuck would you marry someone you don't even trust?

Why the fuck would you divorce someone that agreed to take care of you when you're old?

Anyways, lots and lots of married couples keep things from each other, it's in no way misogynistic or stupid, it's actually natural. From this perspective I find the GP funny, as a man who's been divorced, I think of it more as informative than anything. And please save the big words for when you really need them, people are using the "m" word far too often these days.

Re:

[cyphercell (843398)]

...lots and lots of married couples keep things from each other, it's in no way misogynistic or stupid, it's actually natural.

It's called privacy, everyone needs it, it is in no way misogynistic.

The last-reported U.S. divorce rate for a calendar year, available as of May, 2005, is 0.38% divorces per capita per year, ...

The National Center for Health Statistics recently released a report which found that 43 percent of first marriages end in separation or divorce within 15 years.

http://www.divorcereform.org/rates.html [divorcereform.org]

Good luck! I don't know how long you've been married, but all things considered, I think I did alright. Anyways, thanks for busting my balls and if you ever need advice for your divorce, you can count me out. ;)

Re:

[Chabil Ha' (875116)]

Very astute, but, if you had listened to the report, if such a thing occurred, it would prompt you for other identifying questions to prove your identity.

Re:

[Rakishi (759894)]

and after I answer them the 20th time I'd say "fuck you" and either disable the system or use a service that doesn't have it.

+1 Clippy of awareness

[Scrameustache (459504)]

Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.

You appear to have a hangover,
while you were drunk, I intercepted the email you wrote to

• the girl from the office

would you like to read it again before it is sent?

[No] [Ignore] [Cancel]

Re:Fist

[Ailicec (755495)]

Sometime in the early 90s a company sent me a neural network demo that did typist identification. Users trained it by typing a paragraph, and you could enter several typists into the system. Then an unknown user typed some new text, and the system tried to identify the user.
Once trained, it was extremely hard to fool the thing, even by deliberately and extremely altering your typing habits. Of course, this was a multiple choice test and that's easier than the authentication situation, but it shows that the method can be more robust than would first appear.

Re:

[quarrel (194077)]

I think there a certain sub-cultures that still recognise peoples 'fists' ... :)

--Q

Re:Fist

[isaac (2852)]

A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.
I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

It won't be long before online fraudsters learn to copy users "fists."

Yes, I predict the internet will be awash in "fisting" websites within the fortnight.

-Isaac

Typschrift

[Incadenza (560402)]

I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

Well, it has been done before. I graduated from the Academy of Arts in Rottterdam in 1996 with some fonts that changed their shape depending on how you typed. Inspiration fo these fonts was exactly this technique, which I had heard about, on some big IT show, at least 5 years before.

A JAVA version of one of the fonts (Typschrift-B [www.typ.nl], a rather crude version but my JAVA-knowledge is kind of non-existent) is the only thing that i

It has been done before.

[wireloose (759042)]

In fact, research and methods have been done for years. There have also been some systems developed as a result. A partial listing of research:

1977, Rome:
G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).

1980, Rand:
R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corpora

Bad Idea

[dynamo (6127)]

This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.

Re:

[TubeSteak (669689)]

This will make it possible for a change of mood to deny your access to your own accounts.

THOMAS: So what happens when your typing style varies from your profile, like you're sleepy because you just woke up?

RICHARDS: You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions. (Emphasis mine)

Re:

[arth1 (260657)]

Well, don't be so truthful! Give them made-up information instead. Ideally, you should have a different "Mother's maiden name" and "city of birth" for each service you use; that way, if any one gets compromised, all the others are safe.

The problem with that is remembering all the different answers.
To be honest, I don't see a good solution to the problem that people are required to remember more and more passwords. I would think that most people either pick the same passwords for most things, or store the p

Re:Bad Idea

[goombah99 (560566)]

This reminds me of the old joke about the two russian comrades that read in pravda how a new city in siberia needs engineers. The story says the city wants for nothing, the store shevles are stocked, the store clerks courteous, and there are no lines. But they know that sometime pravda is not isvestia (the truth) and it might be a trap. SO they agree that one of them will go and write back if the stories are true. but if it's a trap their mail will be searched to they agree on a code. If it is all lies the writer will write in red ink. and if true then in blue.

One day the letter arrives. It is in Blue ink. it raves about the luxury goods, and the stores of plenty. In fact says the writer, the only thing in short supply seems to be red ink.

The modern version would have the comrade unable to log in because all the keyboards were dvorak.

Re:Bad Idea

[bitt3n (941736)]

This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.

That's an easy problem to solve. Simply make sure to type your password the first time when you are in a horrible mood, and thereafter, repeatedly typing in your password will eventually result in a successful login.

No Soup For ... me?

[mindlessLemming (961508)]

Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"

Re:

[Ungrounded Lightning (62228)]

Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc.

Also if you:
- change keyboards
- change your chair
- drink some coffee
- use an unusual posture
- catch the flu
- lose your palmrest
- ADD a palmrest
- get carpal tunnel syndrome or other RSIs
- lose a limb
- (I could go on for a LONG time)

I can definitely see this end

Reminds me of a story...

[rumblin'rabbit (711865)]

... of a guy who could only login successfully while sitting down, but not standing up. It took him some time to figure out why.

Any takers?

Re:Reminds me of a story...

[ScrewMaster (602015)]

Short arms?

Long penis.

Re:

[goombah99 (560566)]

always, otherwise no fapping.

Interesting you mentioned WW2...

[jafo (11982)]

No, I'm no going to say you invoked Godwin's Law right at the top of the article...

I immediately thought of WW2 when I read the title. A Morse Code operator's style was called their "fist". German operators became quite adept at mimicing the fist of other operators, and using the fist to identify captured operators didn't work well. This is why they had other signals for identifying that an operator was not captured. Things that would look like a typographical or crypto error to a third party, but which was known to both the sender and receiver, and the absence of them would indicate capture. Of course, under stress, sometimes these were forgotten.

The book Silk and Cyanide has a great discussion of the fist and other identification techniques and how they failed and succeeded (mostly the former). Highly recommended.

Sean

No Drunk Internets :(

[frup (998325)]

So now I won't be able to log in to forums and make a fool of myself when I'm drunk :(

The obvious solution

[280Z28 (896335)]

Start drinking before you set your password!

Might come in handy...

[Tatisimo (1061320)]

Wonder if it can be used to prevent people from editing important documents while you take a quick break (hint: preventing your little brother from posting comments with your account)... "Error: Your Words Per Minute Do Not Match Your Normal Style. Please Try Again."

Re:Might come in handy...

[mollymoo (202721)]

You'd don't need this techniology for that, a regular password will do the job perfectly well. You just need to lock your computer when you're not using it. Every decent OS lets you do this with minimal fuss.

Morse vs. typing

[VGPowerlord (621254)]

While I think measuring typing speed as well as the password itself might work, comparing it to morse code speed is ludicrous.

Richards has apparently forgotten that morse code uses 1-key as opposed to passwords which use 47 character keys with the ability for a person to hold down the shift key to enter in an alternate version of any of those.

Which means that, when a person starts using a new password, they type it fairly slowly. However, as they get used to typing it, they gradually get faster at it.

What do you do when your own system locks you out because you've gotten better at typing your own password?

Not very accurate for real world use

[Jimmy King (828214)]

I read about this semi-recently (as in within the last year) and at that point the recognition based on the actual keystroke timing was pretty poor. With only 2 or 3 people they could tell who it was something like 90% of the time if I remember right. It got considerably worse as there were more people to recognize.

Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identify. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3 attempt lockout policy or the like.

Nothing To See Here, Move Along

[mmurphy000 (556983)]

I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".

Here, I see two problems off the cuff:

1. If it thinks you're not typing the password the same way, "it will ask some additional security questions". Hence, this is not significantly different than the cookie-based or IP-address based solutions used by some banks, where you need only a password if you're coming from a familiar PC and need to answer more questions if you're not. Phishers can just let the password-typing fail and fall back to collecting the answers to the security questions and break in that way.
2. It'll only be reliable for people who use the same keyboard all the time. I know I type differently when I'm on my home PC (natural keyboard) vs. an office PC (flat keyboard) vs. my PDA (thumbboard). Particularly the way I type with two thumbs bears little resemblance to the way I touch-type. Now, it's possible they'll track different typing profiles, but eventually the profiles will grow to cover just about any typing pattern...

Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.

Re:Nothing To See Here, Move Along

[Michael Woodhams (112247)]

Furthermore, if the software can detect the password cadence, so can an appropriately programmed keylogger.

Almost all security is a tradeoff against usability. This one looks like a bad trade - you lose lots of usability for only a small increase in security.

Different typing methods

[mjensen (118105)]

When holding a book or other items, I type one-handed. (joke as required)

I'd think that this system would have the user type their password multiple times looking for consistent spacing.

Seems like it would not work as I learn my passwd

[rminsk (831757)]

When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle when people impove typing their password?

Evolving stream?

[fineghal (989689)]

So I haven't RTFA and am just thinking out loud. Couldn't the problem of your typing speeding up or whatever due to your "comfort" level be solved by using an evolving stream? You've got the algorithm to determine similarity. Let's assume it's tuned to a 99% significance level. This is security right? But instead of comparing to an original, or arbitrary previous time, it compares it to your previous login, or perhaps a composite of the previous 2 logins. This way, your stored "fist" will evolve with you. I like it. It's conceptually easy at least. Any ideas on the CPU hit for this? Proof of concept?

back then

[Himring (646324)]

World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor.

It was all netware back then....

I do this now. Sort of.

[rindeee (530084)]

When I choose passwords, I make them such that they are memorable by pattern vs. memorable by content. This accomplishes two important things: 1.) This make my password entry VERY fast as it relies on muscle memory to a greater extent than thinking about the words I need to type and then typing them, and 2.) I am able to 'sense' typos without really thinking about it. Adding a system side authentication scheme that sense my tempo, strike, etc. would be cool in order to defeat impostors. Cool stuff.

Some added security, but not much

[quantaman (517394)]

From the article:

"You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."

Ahh, so really all they've really done is increased the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not as nearly as tough as the password, especially since no one expects it to be used) or they keep making occational tries at logging in with the correct password until you find their cadence (probably not that hard).

Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags, chances are there will be so many false positives that no one will bother to follow up.

Ally, impostor...

[autophile (640621)]

"whether a message was sent by an ally or an impostor..."

...or a cat [bitboost.com].

--Rob

not for web apps, I assume

[poot_rootbeer (188613)]

How useful is this method going to be when it can't be used with web-based applications?

For one, how's the web browser going to obtain that keystroke timing info and pass it on to the host? A Javascript implementation would be trivial to circumvent. And an ActiveX-like implementation would be a security risk.

For another, what about stored passwords? I may use an identifiable cadence when typing in a new password for the first time, but if I choose to let my browser store that password, it's going to subsequently get pasted in at the speed of

strcpy()

. How many false negatives will this cause?

Re:

[thePowerOfGrayskull (905905)]

RighT! Because that's an easy thing for the 90% of users who use their pet or spouse or birthday for their password. (Yes, I did pull 90% out of my ass, but it's probably true in spite of that.)