Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security IT

Typing Patterns for Authentication 259

Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
This discussion has been archived. No new comments can be posted.

Typing Patterns for Authentication

Comments Filter:
  • Fist (Score:5, Informative)

    by Nimey ( 114278 ) on Thursday April 19, 2007 @08:17PM (#18807123) Homepage Journal
    A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.

    I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.
    • Re:Fist (Score:5, Insightful)

      by OECD ( 639690 ) on Thursday April 19, 2007 @08:21PM (#18807165) Journal
      Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.
      • Re:Fist (Score:5, Funny)

        by justinbach ( 1002761 ) on Thursday April 19, 2007 @08:49PM (#18807397) Homepage

        So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover?


        Man, I don't know about those circumstances, but I would welcome an online financial transaction system that's good enough to recognize whether or not I'm drunkenly typing in my credit card number after a night on the town. The combination of woot.com and a few too many beers has on more than one occasion proved fatal to both my self-respect and my checking account...as if two Roombas isn't enough as it is!
        • Re:Fist (Score:4, Funny)

          by Anonymous Coward on Thursday April 19, 2007 @08:56PM (#18807469)
          man, what an exciting life... getting drunk and buying stuff online! You're giving Keith Richards a run for his money...
          • Re:Fist (Score:4, Funny)

            by ajs318 ( 655362 ) <.sd_resp2. .at. .earthshod.co.uk.> on Friday April 20, 2007 @05:33AM (#18809879)
            One morning I woke up surrounded by empty beer cans, an ashtray full of roaches, my wallet out, my debit card out of my wallet, my laptop out of juice ..... and a blinding headache. I was dimly aware of having ordered something online but couldn't for the life of me think either what it was, or where from. Though my browsing history had apparently survived the enforced fsck, there were still many things it could have been.

            A few days later, a Palm Tungsten arrived at my place of work; and when my bank statement arrived, that turned out to have been the only purchase I had made during those lost hours. It could have been worse. A lot worse, judging by my the sites in my browser history!

            Lesson: Don't order stuff online while pissed and/or stoned.
        • Re:Fist (Score:5, Funny)

          by cyphercell ( 843398 ) on Thursday April 19, 2007 @09:11PM (#18807577) Homepage Journal
          Man if I was you, I would drink more before I stole money from myself. Two Roombas? When you're drunk? What the hell is wrong with renting a hotel room and puking in the pool? Or renting a limo to drive you out, without enough cash to get back? Or, hire a stripper to sneak into bed with your best friend and his wife, so you can buy him a beer the next night, then claim poverty on him. Dude, you need some alcoholism.
      • Don't even ask about what happens when you login while eating a bagel WITH a hangover
        • Huh. I didn't know bagels got hangovers.

          Ontopic, if my bank started using this system it would completely lock me out of my account, as I have a password long enough that I have to slow down until I get it right. There would be bonus points if I could fit the long version of it into the prompt, as that would be somewhere on the order of 50 characters. If they're expecting one speed and I type at another it would tag me as fraud?
      • by NetSettler ( 460623 ) <kent-slashdot@nhplace.com> on Thursday April 19, 2007 @09:02PM (#18807511) Homepage Journal

        So now it makes a difference if...

        Yeah, not only that, but imagine when you've forgotten something important and you call home to talk to your spouse to get it.

        Spouse: What's your password?
        You: It's "My name is my passport."
        Spouse: That whole thing? That's a lot of letters. Ok, I'm typing it.
        You: Are you in?
        Spouse: Nope. It says I'm not typing it right. How do you type it?
        You: Huh? Oh, right. I forgot. Lean heavy on the first n and the two y's. And pause slightly after every other space.
        Spouse: It's still not working.
        You: Did I mention that I'm slow to reach a y and then slow again for whatever character follows? It's quite a reach.
        Spouse: Ok, I'll try. Nope. Not working.
        You: Oh, right. And try to type it at 80 words per minute.
        Spouse: I only type 20.
        You: Never mind. I'll drive home and get the info. It'll be faster.

        • Re:Sharing Secrets (Score:4, Insightful)

          by Anonymous Coward on Thursday April 19, 2007 @09:32PM (#18807753)
          Never, EVER, give your wife your password! What the heck are you smoking?!?!
          • Only on /. would a comment about not sharing a simple piece of information that can be changed at any time with someone you have no good reason to be keeping secrets from be modded insightful.
            • Re: (Score:3, Funny)

              by MrNaz ( 730548 )
              No, it's being on /. the concept of "wife" is not understood. The only time /. has contact with wives is mail order brides, and believe you me, you do not want to give them your banking details*.

              * No, I'm not speaking from experience.
            • Re: (Score:3, Insightful)

              by Kidbro ( 80868 )
              sharing a simple piece of information that can be changed at any time with someone you have no good reason to be keeping secrets from

              I can think of several people that could know the password after that telephone conversation, some of which the people having the conversation won't even know exist. One of many reasons to never share your password with anyone is that in the act of sharing it you expose it to potential (untrusted) snoopers, even if you trust the intended recipient.
              Frankly, the whole argument w
          • Re: (Score:3, Insightful)

            by LordSnooty ( 853791 )
            Agreed. Everything might be hunky-dory now, but what will the future hold? The bank can easily solve this by providing the wife with her own logon account, then attaching the various bank accounts she has authority over. At the very least it will maintain a proper audit trial, if the relationship went bad and the wife used the husband's logon to empty all the accounts, could he prove that it wasn't him who did the deed?
        • Re: (Score:2, Interesting)

          by Torvaun ( 1040898 )
          Wouldn't it be easier just to measure the amount of time it takes to type in your password a few times, and any password entry that takes more than a couple standard deviations from that is nulled? After all, brute-forcing types of programs enter passwords a hell of a lot faster than I do, even with muscle memory.

          Really, if there's a way to guarantee that keys are being pressed, that'd even be good enough for that. There's not a hacker in the world that's going to run a brute-force attack manually.
      • Re: (Score:3, Informative)

        by Chabil Ha' ( 875116 )
        Very astute, but, if you had listened to the report, if such a thing occurred, it would prompt you for other identifying questions to prove your identity.
        • Re: (Score:3, Insightful)

          by Rakishi ( 759894 )
          and after I answer them the 20th time I'd say "fuck you" and either disable the system or use a service that doesn't have it.
      • Not only that, now you'll have to enter a password that's similar in length to an encoded Morse code message. You'll have time to eat your bagel, drink a cup of Joe (a little WWII lingo there) and maybe even smoke a Lucky Strike!
      • by Scrameustache ( 459504 ) on Thursday April 19, 2007 @10:00PM (#18807955) Homepage Journal

        Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.
        You appear to have a hangover,
        while you were drunk, I intercepted the email you wrote to
        • the girl from the office
        would you like to read it again before it is sent?

        [No] [Ignore] [Cancel]
      • Re:Fist (Score:4, Interesting)

        by Ailicec ( 755495 ) on Thursday April 19, 2007 @10:40PM (#18808263)
        Sometime in the early 90s a company sent me a neural network demo that did typist identification. Users trained it by typing a paragraph, and you could enter several typists into the system. Then an unknown user typed some new text, and the system tried to identify the user.
        Once trained, it was extremely hard to fool the thing, even by deliberately and extremely altering your typing habits. Of course, this was a multiple choice test and that's easier than the authentication situation, but it shows that the method can be more robust than would first appear.
    • Re: (Score:2, Informative)

      by quarrel ( 194077 )
      I think there a certain sub-cultures that still recognise peoples 'fists' ... :)

      --Q
    • by afidel ( 530433 )
      It's not used because it's mostly useless. Of all of the authentications that my users initiate in a given day probably less than 1% are on the local system where they work. The majority are network resource requests, web apps, application authentication, etc. This method also doesn't work for remote access through Citrix/Nfuse, through thinterms, or on any platform where there isn't a native authentication daemon.
      • by jwilloug ( 6402 )
        BioPassword has some kind of Citrix integration, I saw a brief demo a little over a year ago. I believe they wrote a client plugin that collects the biometrics locally and then passes them across the wire with the password.
        • by afidel ( 530433 )
          Ugh it uses Flash. Most thinterms and many internet terminals do not support Flash. Heck management didn't like the requirement for Java for our Web Interface/Secure Gateway setup but the only alternative was to allow direct RDP connectivity to the Presentation Servers which is WAY less secure for both the clients and the server and it only gains you Windows clients with an RDP client and no Java.
      • by Chang ( 2714 )
        I recall this technique being successfully used on AMIS based BBS's over 300/1200/2400 baud modems back in the eighties so it certainly isn't useless when used over a high latency link.
    • Or mine for that matter. (I'm spastic...)
    • I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

      It has. Multiple times over the last several decades.

      It also doesn't really work very well for a wide variety of reasons. That's why it's not being used.
    • Re:Fist (Score:5, Funny)

      by isaac ( 2852 ) on Friday April 20, 2007 @12:57AM (#18808955)

      A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.
      I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

      It won't be long before online fraudsters learn to copy users "fists."

      Yes, I predict the internet will be awash in "fisting" websites within the fortnight.

      -Isaac

    • Typschrift (Score:3, Interesting)

      by Incadenza ( 560402 )

      I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

      Well, it has been done before. I graduated from the Academy of Arts in Rottterdam in 1996 with some fonts that changed their shape depending on how you typed. Inspiration fo these fonts was exactly this technique, which I had heard about, on some big IT show, at least 5 years before.

      A JAVA version of one of the fonts (Typschrift-B [www.typ.nl], a rather crude version but my JAVA-knowledge is kind of non-existent) is the only thing that i

    • In fact, research and methods have been done for years. There have also been some systems developed as a result. A partial listing of research:

      1977, Rome:
      G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).

      1980, Rand:
      R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corpora

  • Bad Idea (Score:5, Insightful)

    by dynamo ( 6127 ) on Thursday April 19, 2007 @08:19PM (#18807131) Journal
    This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.
    • This will make it possible for a change of mood to deny your access to your own accounts.
      THOMAS: So what happens when your typing style varies from your profile, like you're sleepy because you just woke up?

      RICHARDS: You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions. (Emphasis mine)
      • Re: (Score:2, Insightful)

        by arth1 ( 260657 )
        If one more brain dead security system asks me my mother's maiden name and my city of birth, I'm going to scream!

        --
        *Art
      • That's nice, but why don't they just skip the middleman and just ask security questions anyway? What is the point of putting this extra complication in if it doesn't actually add any security beyond what is already gained when the teller asks you for personal information?
        • It gains security over just typing the password, and it gains speed about asking security questions each time you log in.
    • Re:Bad Idea (Score:5, Funny)

      by goombah99 ( 560566 ) on Thursday April 19, 2007 @08:30PM (#18807245)
      This reminds me of the old joke about the two russian comrades that read in pravda how a new city in siberia needs engineers. The story says the city wants for nothing, the store shevles are stocked, the store clerks courteous, and there are no lines. But they know that sometime pravda is not isvestia (the truth) and it might be a trap. SO they agree that one of them will go and write back if the stories are true. but if it's a trap their mail will be searched to they agree on a code. If it is all lies the writer will write in red ink. and if true then in blue.

      One day the letter arrives. It is in Blue ink. it raves about the luxury goods, and the stores of plenty. In fact says the writer, the only thing in short supply seems to be red ink.

      The modern version would have the comrade unable to log in because all the keyboards were dvorak.
      • by andreyw ( 798182 )
        Short Russian lesson - pravda = truth, vesti = news

        There was a russian saying that went something like Net pravdy v Vestyah, net vestej v Pravde (no truth in the Izvestia newspaper, no news in the Pravda newspaper).
    • Re:Bad Idea (Score:5, Funny)

      by bitt3n ( 941736 ) on Thursday April 19, 2007 @10:00PM (#18807951)

      This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.
      That's an easy problem to solve. Simply make sure to type your password the first time when you are in a horrible mood, and thereafter, repeatedly typing in your password will eventually result in a successful login.
    • Set your password for things only when you are incredibly frustrated or bitter. Then after your computer ruins your mood because it won't let you log on, at least you'll be able to finally get in. It might make you hate everything though.
  • by mindlessLemming ( 961508 ) on Thursday April 19, 2007 @08:19PM (#18807133) Homepage
    Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"
    • Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc.

      Also if you:
      - change keyboards
      - change your chair
      - drink some coffee
      - use an unusual posture
      - catch the flu
      - lose your palmrest
      - ADD a palmrest
      - get carpal tunnel syndrome or other RSIs
      - lose a limb
      - (I could go on for a LONG time)

      I can definitely see this end
  • ... of a guy who could only login successfully while sitting down, but not standing up. It took him some time to figure out why.

    Any takers?
  • by jafo ( 11982 ) * on Thursday April 19, 2007 @08:19PM (#18807141) Homepage
    No, I'm no going to say you invoked Godwin's Law right at the top of the article...

    I immediately thought of WW2 when I read the title. A Morse Code operator's style was called their "fist". German operators became quite adept at mimicing the fist of other operators, and using the fist to identify captured operators didn't work well. This is why they had other signals for identifying that an operator was not captured. Things that would look like a typographical or crypto error to a third party, but which was known to both the sender and receiver, and the absence of them would indicate capture. Of course, under stress, sometimes these were forgotten.

    The book Silk and Cyanide has a great discussion of the fist and other identification techniques and how they failed and succeeded (mostly the former). Highly recommended.

    Sean
  • by frup ( 998325 ) on Thursday April 19, 2007 @08:19PM (#18807151)
    So now I won't be able to log in to forums and make a fool of myself when I'm drunk :(
  • Wonder if it can be used to prevent people from editing important documents while you take a quick break (hint: preventing your little brother from posting comments with your account)... "Error: Your Words Per Minute Do Not Match Your Normal Style. Please Try Again."
  • Morse vs. typing (Score:3, Interesting)

    by VGPowerlord ( 621254 ) on Thursday April 19, 2007 @08:24PM (#18807191)
    While I think measuring typing speed as well as the password itself might work, comparing it to morse code speed is ludicrous.

    Richards has apparently forgotten that morse code uses 1-key as opposed to passwords which use 47 character keys with the ability for a person to hold down the shift key to enter in an alternate version of any of those.

    Which means that, when a person starts using a new password, they type it fairly slowly. However, as they get used to typing it, they gradually get faster at it.

    What do you do when your own system locks you out because you've gotten better at typing your own password?

    • The system would likely use some form of adaptive filter or neural network. It would therefore adapt to changes in the password-entry-quantifiers over time, and this wouldn't be a problem - as long as the entered password followed the _trends_ of previously entered passwords.
    • by arth1 ( 260657 )

      What do you do when your own system locks you out because you've gotten better at typing your own password?

      Change your password?

      Regards,
      --
      *Art
  • by Jimmy King ( 828214 ) on Thursday April 19, 2007 @08:29PM (#18807237) Homepage Journal
    I read about this semi-recently (as in within the last year) and at that point the recognition based on the actual keystroke timing was pretty poor. With only 2 or 3 people they could tell who it was something like 90% of the time if I remember right. It got considerably worse as there were more people to recognize.

    Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identify. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3 attempt lockout policy or the like.

    • Not really. Remember, this is being used to augment a password protection scheme. They can have a fairly low bar to acceptance (resulting in a relatively high false-acceptance* rate) and this doesn't matter, because it's still an extra thing an intruder needs to get right (as well as access to the password) to gain access to the system.

      *I'm using "false-acceptance" to mean the system recognising a typed password as acceptable when really it shouldn't have.
  • by mmurphy000 ( 556983 ) on Thursday April 19, 2007 @08:30PM (#18807249)

    I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".

    Here, I see two problems off the cuff:

    1. If it thinks you're not typing the password the same way, "it will ask some additional security questions". Hence, this is not significantly different than the cookie-based or IP-address based solutions used by some banks, where you need only a password if you're coming from a familiar PC and need to answer more questions if you're not. Phishers can just let the password-typing fail and fall back to collecting the answers to the security questions and break in that way.
    2. It'll only be reliable for people who use the same keyboard all the time. I know I type differently when I'm on my home PC (natural keyboard) vs. an office PC (flat keyboard) vs. my PDA (thumbboard). Particularly the way I type with two thumbs bears little resemblance to the way I touch-type. Now, it's possible they'll track different typing profiles, but eventually the profiles will grow to cover just about any typing pattern...

    Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.

  • When holding a book or other items, I type one-handed. (joke as required)

    I'd think that this system would have the user type their password multiple times looking for consistent spacing.
  • by rminsk ( 831757 ) on Thursday April 19, 2007 @08:36PM (#18807309)
    When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle when people impove typing their password?
    • What if you just came in from the cold and your fingers are stiff? What if you're using your laptop on your lap... top... and don't type the same way you do at your desk?

      This is a stupid idea.
  • Evolving stream? (Score:3, Interesting)

    by fineghal ( 989689 ) on Thursday April 19, 2007 @08:37PM (#18807323)
    So I haven't RTFA and am just thinking out loud. Couldn't the problem of your typing speeding up or whatever due to your "comfort" level be solved by using an evolving stream? You've got the algorithm to determine similarity. Let's assume it's tuned to a 99% significance level. This is security right? But instead of comparing to an original, or arbitrary previous time, it compares it to your previous login, or perhaps a composite of the previous 2 logins. This way, your stored "fist" will evolve with you. I like it. It's conceptually easy at least. Any ideas on the CPU hit for this? Proof of concept?
    • This is a great idea as the security system could develop thresholds using data from the last n logins between logins where there's plenty of time and processor power to do so. If you wanted to really get into it, you could have it learn how you type on a Monday (when you may be recovering from the weekend) compared to a Wednesday and develop thresholds more independently. Or even the time of day, 8:00am compared to 10am compared to 1pm is even probably different. Man, if this was open source I would lov
  • back then (Score:3, Funny)

    by Himring ( 646324 ) on Thursday April 19, 2007 @08:37PM (#18807325) Homepage Journal
    World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor.

    It was all netware back then....

    • Didn't the Indians use this method to authenticate smoke signals?

      "Smoke puffs too fast, must be those fucking Apaches again trying to steal our women again."
  • When I choose passwords, I make them such that they are memorable by pattern vs. memorable by content. This accomplishes two important things: 1.) This make my password entry VERY fast as it relies on muscle memory to a greater extent than thinking about the words I need to type and then typing them, and 2.) I am able to 'sense' typos without really thinking about it. Adding a system side authentication scheme that sense my tempo, strike, etc. would be cool in order to defeat impostors. Cool stuff.
  • What happens if I'm on the laptop keyboard, then the desktop keyboard? As I'm more attuned to the laptop atm, the desktop keyboard will have a different usage pattern. If I go from this keyboard to one on another desktop, it will be even more off.
  • Wasn't there an attack for SSH challenge-response authentication that used the timing of packets to make it easier to brute-force your password?
  • by quantaman ( 517394 ) on Thursday April 19, 2007 @09:15PM (#18807603)
    From the article:

    "You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."

    Ahh, so really all they've really done is increased the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not as nearly as tough as the password, especially since no one expects it to be used) or they keep making occational tries at logging in with the correct password until you find their cadence (probably not that hard).

    Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags, chances are there will be so many false positives that no one will bother to follow up.
  • What's new here? This [uni-regensburg.de] was available back in 2005 if I am not wrong.
  • by Anonymous Coward
    We have been offering BioPassword as an additional security feature for our web based application (Doc Mgmt). I have been fairly impressed with its capabilities.

    You can configure a number of options such as # of attempts before activation which allows it to 'learn' your typing style.

    You can also set the 'Pass/Fail' percentage. For instance 80% match so you don't have to type it in EXACTLY the same way every time.

    Additionally you can disable BP for individual users if you wish (broken hand, etc).

    Plenty of ot
  • The code itself came out of Nibble magazine, IIRC.

    Someone listening to my typing could match my timing well enough to get in if they also knew the password.

  • very old method (Score:2, Redundant)

    by kharchenko ( 303729 )
    Keystroke patterns is a well-established method for intrusion detection [wikipedia.org]. In fact it predates computers, as in the old days of Morse code an operator would typically have a recognizable signature.
  • Every Monday, I type slower and make more mistakes, mostly because my hands are still sore / stiff from climbing or packing canopies on the weekend. By Friday I'm back up to my normal speed.

    Will I ever be allowed to login again ?
  • This is not a new technology. Take a look at Psylock [psylock.com], it is a similar mechanism developed by a group in a German university.

    I know in person a guy who is working on it, and I've tried it myself in October 2006 at the Systems expo in Munich. I guess they've had a working version of it long before that.
  • I happen to be doing my Master's thesis on exactly this subject. The problem currently with the technology is that there's not enough data for scientists to work on and extract the best metrics. Plus, it's dominated by corporations. My idea was to gather enough data and make them available for future researchers as well as set up an open-source program implementing the best algorithms I'll come up with. Analysis of the data will be done with R and the actual program written in Python. It'd be nice if you co
  • by autophile ( 640621 ) on Friday April 20, 2007 @07:58AM (#18810547)

    "whether a message was sent by an ally or an impostor..."

    ...or a cat [bitboost.com].

    --Rob

  • by poot_rootbeer ( 188613 ) on Friday April 20, 2007 @10:11AM (#18811943)

    How useful is this method going to be when it can't be used with web-based applications?

    For one, how's the web browser going to obtain that keystroke timing info and pass it on to the host? A Javascript implementation would be trivial to circumvent. And an ActiveX-like implementation would be a security risk.

    For another, what about stored passwords? I may use an identifiable cadence when typing in a new password for the first time, but if I choose to let my browser store that password, it's going to subsequently get pasted in at the speed of

    strcpy()
    . How many false negatives will this cause?

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...