Typing Patterns for Authentication

Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."

Fist

[Nimey]

A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.

I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

Re:Fist

[OECD]

Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.

Re:Fist

[justinbach]

So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover?

Man, I don't know about those circumstances, but I would welcome an online financial transaction system that's good enough to recognize whether or not I'm drunkenly typing in my credit card number after a night on the town. The combination of woot.com and a few too many beers has on more than one occasion proved fatal to both my self-respect and my checking account...as if two Roombas isn't enough as it is!

Re:Fist

[Anonymous Coward]

man, what an exciting life... getting drunk and buying stuff online! You're giving Keith Richards a run for his money...

Re:Fist

[ajs318]

One morning I woke up surrounded by empty beer cans, an ashtray full of roaches, my wallet out, my debit card out of my wallet, my laptop out of juice ..... and a blinding headache. I was dimly aware of having ordered something online but couldn't for the life of me think either what it was, or where from. Though my browsing history had apparently survived the enforced fsck, there were still many things it could have been.

A few days later, a Palm Tungsten arrived at my place of work; and when my bank statement arrived, that turned out to have been the only purchase I had made during those lost hours. It could have been worse. A lot worse, judging by my the sites in my browser history!

Lesson: Don't order stuff online while pissed and/or stoned.

Re:

[ajs318]

And it's kind of cool to have a Christmas every week.

That's as maybe; but it's not so cool having a January statement every month, though .....

Re:Fist

[cyphercell]

Man if I was you, I would drink more before I stole money from myself. Two Roombas? When you're drunk? What the hell is wrong with renting a hotel room and puking in the pool? Or renting a limo to drive you out, without enough cash to get back? Or, hire a stripper to sneak into bed with your best friend and his wife, so you can buy him a beer the next night, then claim poverty on him. Dude, you need some alcoholism.

Re:

[j00r0m4nc3r]

Don't even ask about what happens when you login while eating a bagel WITH a hangover

Re:

[DeadChobi]

Huh. I didn't know bagels got hangovers.

Ontopic, if my bank started using this system it would completely lock me out of my account, as I have a password long enough that I have to slow down until I get it right. There would be bonus points if I could fit the long version of it into the prompt, as that would be somewhere on the order of 50 characters. If they're expecting one speed and I type at another it would tag me as fraud?

Sharing Secrets

[NetSettler]

So now it makes a difference if...

Yeah, not only that, but imagine when you've forgotten something important and you call home to talk to your spouse to get it.

Spouse: What's your password?
You: It's "My name is my passport."
Spouse: That whole thing? That's a lot of letters. Ok, I'm typing it.
You: Are you in?
Spouse: Nope. It says I'm not typing it right. How do you type it?
You: Huh? Oh, right. I forgot. Lean heavy on the first n and the two y's. And pause slightly after every other space.
Spouse: It's still not working.
You: Did I mention that I'm slow to reach a y and then slow again for whatever character follows? It's quite a reach.
Spouse: Ok, I'll try. Nope. Not working.
You: Oh, right. And try to type it at 80 words per minute.
Spouse: I only type 20.
You: Never mind. I'll drive home and get the info. It'll be faster.

Re:Sharing Secrets

[Anonymous Coward]

Never, EVER, give your wife your password! What the heck are you smoking?!?!

Re:

[Jarjarthejedi]

Only on /. would a comment about not sharing a simple piece of information that can be changed at any time with someone you have no good reason to be keeping secrets from be modded insightful.

Re:

[MrNaz]

No, it's being on /. the concept of "wife" is not understood. The only time /. has contact with wives is mail order brides, and believe you me, you do not want to give them your banking details*.

* No, I'm not speaking from experience.

Re:

[Kidbro]

sharing a simple piece of information that can be changed at any time with someone you have no good reason to be keeping secrets from

I can think of several people that could know the password after that telephone conversation, some of which the people having the conversation won't even know exist. One of many reasons to never share your password with anyone is that in the act of sharing it you expose it to potential (untrusted) snoopers, even if you trust the intended recipient.
Frankly, the whole argument w

Re:

[cyphercell]

Why the fuck would you marry someone you don't even trust?

Why the fuck would you divorce someone that agreed to take care of you when you're old?

Anyways, lots and lots of married couples keep things from each other, it's in no way misogynistic or stupid, it's actually natural. From this perspective I find the GP funny, as a man who's been divorced, I think of it more as informative than anything. And please save the big words for when you really need them, people are using the "m" word far too often these days.

Re:

[cyphercell]

...lots and lots of married couples keep things from each other, it's in no way misogynistic or stupid, it's actually natural.

It's called privacy, everyone needs it, it is in no way misogynistic.

The last-reported U.S. divorce rate for a calendar year, available as of May, 2005, is 0.38% divorces per capita per year, ...

The National Center for Health Statistics recently released a report which found that 43 percent of first marriages end in separation or divorce within 15 years.

http://www.divorcereform.org/rates.html [divorcereform.org]

Good luck! I don't know how long you've been married, but all things considered, I think I did alright. Anyways, thanks for busting my balls and if you ever need advice for your divorce, you can count me out. ;)

Re:

[LordSnooty]

Agreed. Everything might be hunky-dory now, but what will the future hold? The bank can easily solve this by providing the wife with her own logon account, then attaching the various bank accounts she has authority over. At the very least it will maintain a proper audit trial, if the relationship went bad and the wife used the husband's logon to empty all the accounts, could he prove that it wasn't him who did the deed?

Re:

[Torvaun]

Wouldn't it be easier just to measure the amount of time it takes to type in your password a few times, and any password entry that takes more than a couple standard deviations from that is nulled? After all, brute-forcing types of programs enter passwords a hell of a lot faster than I do, even with muscle memory.

Really, if there's a way to guarantee that keys are being pressed, that'd even be good enough for that. There's not a hacker in the world that's going to run a brute-force attack manually.

Re:

[Chabil Ha']

Very astute, but, if you had listened to the report, if such a thing occurred, it would prompt you for other identifying questions to prove your identity.

Re:

[Rakishi]

and after I answer them the 20th time I'd say "fuck you" and either disable the system or use a service that doesn't have it.

Re:

[FredThompson]

Not only that, now you'll have to enter a password that's similar in length to an encoded Morse code message. You'll have time to eat your bagel, drink a cup of Joe (a little WWII lingo there) and maybe even smoke a Lucky Strike!

+1 Clippy of awareness

[Scrameustache]

Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.

You appear to have a hangover,
while you were drunk, I intercepted the email you wrote to

• the girl from the office

would you like to read it again before it is sent?

[No] [Ignore] [Cancel]

Re:Fist

[Ailicec]

Sometime in the early 90s a company sent me a neural network demo that did typist identification. Users trained it by typing a paragraph, and you could enter several typists into the system. Then an unknown user typed some new text, and the system tried to identify the user.
Once trained, it was extremely hard to fool the thing, even by deliberately and extremely altering your typing habits. Of course, this was a multiple choice test and that's easier than the authentication situation, but it shows that the method can be more robust than would first appear.

Re:

[cp.tar]

Unless, of course, you're signing someone whose signature is intentionally developed to be forgeable.

When you have a situation like "oh, yes, everything is in order, but your supervisor forgot to sign this and this," you can either go back and do things the proper way or phone the supervisor and falsify the signature.

I don't know how you do it in the US, but guess what the accountants do in Croatia.

Do not think such typing patterns will not evolve, either... people - for whatever reason - do have other p

Re:

[Nimey]

He really did know that she was only fourteen.

Re:

[mr_mischief]

I'm with you as long as it only blocks certain numbers when you're drunk. Awfully hard to call a taxi after throwing the cell phone on the ground and smashing it underfoot because it won't dial the taxi company when you most need one.

Re:

[quarrel]

I think there a certain sub-cultures that still recognise peoples 'fists' ... :)

--Q

Re:

[afidel]

It's not used because it's mostly useless. Of all of the authentications that my users initiate in a given day probably less than 1% are on the local system where they work. The majority are network resource requests, web apps, application authentication, etc. This method also doesn't work for remote access through Citrix/Nfuse, through thinterms, or on any platform where there isn't a native authentication daemon.

Re:

[jwilloug]

BioPassword has some kind of Citrix integration, I saw a brief demo a little over a year ago. I believe they wrote a client plugin that collects the biometrics locally and then passes them across the wire with the password.

Re:

[afidel]

Ugh it uses Flash. Most thinterms and many internet terminals do not support Flash. Heck management didn't like the requirement for Java for our Web Interface/Secure Gateway setup but the only alternative was to allow direct RDP connectivity to the Presentation Servers which is WAY less secure for both the clients and the server and it only gains you Windows clients with an RDP client and no Java.

Re:

[Chang]

I recall this technique being successfully used on AMIS based BBS's over 300/1200/2400 baud modems back in the eighties so it certainly isn't useless when used over a high latency link.

So much for Steven Hawkins's access

[crovira]

Or mine for that matter. (I'm spastic...)

Re:

[nanosquid]

I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

It has. Multiple times over the last several decades.

It also doesn't really work very well for a wide variety of reasons. That's why it's not being used.

Re:Fist

[isaac]

A Morse-operator's style was referred to as his "fist". This is referenced in Cryptonomicon.
I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

It won't be long before online fraudsters learn to copy users "fists."

Yes, I predict the internet will be awash in "fisting" websites within the fortnight.

-Isaac

Typschrift

[Incadenza]

I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

Well, it has been done before. I graduated from the Academy of Arts in Rottterdam in 1996 with some fonts that changed their shape depending on how you typed. Inspiration fo these fonts was exactly this technique, which I had heard about, on some big IT show, at least 5 years before.

A JAVA version of one of the fonts (Typschrift-B [www.typ.nl], a rather crude version but my JAVA-knowledge is kind of non-existent) is the only thing that i

It has been done before.

[wireloose]

In fact, research and methods have been done for years. There have also been some systems developed as a result. A partial listing of research:

1977, Rome:
G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).

1980, Rand:
R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corpora

Bad Idea

[dynamo]

This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.

Re:

[TubeSteak]

This will make it possible for a change of mood to deny your access to your own accounts.

THOMAS: So what happens when your typing style varies from your profile, like you're sleepy because you just woke up?

RICHARDS: You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions. (Emphasis mine)

Re:

[arth1]

If one more brain dead security system asks me my mother's maiden name and my city of birth, I'm going to scream!

--
*Art

Re:

[arth1]

Well, don't be so truthful! Give them made-up information instead. Ideally, you should have a different "Mother's maiden name" and "city of birth" for each service you use; that way, if any one gets compromised, all the others are safe.

The problem with that is remembering all the different answers.
To be honest, I don't see a good solution to the problem that people are required to remember more and more passwords. I would think that most people either pick the same passwords for most things, or store the p

Re:

[DeadChobi]

That's nice, but why don't they just skip the middleman and just ask security questions anyway? What is the point of putting this extra complication in if it doesn't actually add any security beyond what is already gained when the teller asks you for personal information?

Re:

[TuringTest]

It gains security over just typing the password, and it gains speed about asking security questions each time you log in.

Re:Bad Idea

[goombah99]

This reminds me of the old joke about the two russian comrades that read in pravda how a new city in siberia needs engineers. The story says the city wants for nothing, the store shevles are stocked, the store clerks courteous, and there are no lines. But they know that sometime pravda is not isvestia (the truth) and it might be a trap. SO they agree that one of them will go and write back if the stories are true. but if it's a trap their mail will be searched to they agree on a code. If it is all lies the writer will write in red ink. and if true then in blue.

One day the letter arrives. It is in Blue ink. it raves about the luxury goods, and the stores of plenty. In fact says the writer, the only thing in short supply seems to be red ink.

The modern version would have the comrade unable to log in because all the keyboards were dvorak.

Re:

[andreyw]

Short Russian lesson - pravda = truth, vesti = news

There was a russian saying that went something like Net pravdy v Vestyah, net vestej v Pravde (no truth in the Izvestia newspaper, no news in the Pravda newspaper).

Re:Bad Idea

[bitt3n]

This will make it possible for a change of mood to deny your access to your own accounts. ..which will probably not help with the mood thing.

That's an easy problem to solve. Simply make sure to type your password the first time when you are in a horrible mood, and thereafter, repeatedly typing in your password will eventually result in a successful login.

You could

[KKlaus]

Set your password for things only when you are incredibly frustrated or bitter. Then after your computer ruins your mood because it won't let you log on, at least you'll be able to finally get in. It might make you hate everything though.

No Soup For ... me?

[mindlessLemming]

Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"

Re:

[Ungrounded Lightning]

Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc.

Also if you:
- change keyboards
- change your chair
- drink some coffee
- use an unusual posture
- catch the flu
- lose your palmrest
- ADD a palmrest
- get carpal tunnel syndrome or other RSIs
- lose a limb
- (I could go on for a LONG time)

I can definitely see this end

Reminds me of a story...

[rumblin'rabbit]

... of a guy who could only login successfully while sitting down, but not standing up. It took him some time to figure out why.

Any takers?

Re:

[mcpkaaos]

I have the same problem, but that's just because I use the keyboard knee-pads from Thinkgeek [thinkgeek.com].

Re:

[corvair2k1]

He was a touch-typist, but only while sitting down. Someone had switched keys on his keyboard, and he had to look at them while typing standing up.

The whole story is pretty funny, how he and others were always arguing about what it could be... Magnetic interference, etc.

Re:Reminds me of a story...

[ScrewMaster]

Short arms?

Long penis.

Re:

[pin_gween]

Long penis

Hmmm, you aren't fooling anyone, this is /. after all.

Re:

[goombah99]

always, otherwise no fapping.

Interesting you mentioned WW2...

[jafo]

No, I'm no going to say you invoked Godwin's Law right at the top of the article...

I immediately thought of WW2 when I read the title. A Morse Code operator's style was called their "fist". German operators became quite adept at mimicing the fist of other operators, and using the fist to identify captured operators didn't work well. This is why they had other signals for identifying that an operator was not captured. Things that would look like a typographical or crypto error to a third party, but which was known to both the sender and receiver, and the absence of them would indicate capture. Of course, under stress, sometimes these were forgotten.

The book Silk and Cyanide has a great discussion of the fist and other identification techniques and how they failed and succeeded (mostly the former). Highly recommended.

Sean

Why not just have two passwords.

[Kadin2048]

Why would this work any better than just having two distinct passwords, a regular one and a "distress" one?

I've often thought that they should do something like this for ATMs. You should have another PIN code that you can enter, which will work just like your regular one, but will also trigger an immediate silent alarm and mark the machine's video record that something was amiss.

Or on a computer, you have two passwords, one that's the real login, and another that causes the computer to open to a fake main s

Re:

[Michael Woodhams]

Who said they got the "stolen" money refunded?

If they did, there is a pretty good chance of getting caught - slip-ups in their story, other survelence cameras, a police car that just happened to be nearby when the alarm went out... The odds are probably at least as good as catching a real ATM mugger.

No Drunk Internets :(

[frup]

So now I won't be able to log in to forums and make a fool of myself when I'm drunk :(

The obvious solution

[280Z28]

Start drinking before you set your password!

Re:

[arth1]

More likely, people will stay logged on even when they leave their machines and really should log off, because the hassle of logging in again becomes a nuisance.
Human psyche trumps any clever solution.

Re:

[afidel]

You mean you/your admin doesn't enforce a password protected screensaver?

Re:

[glwtta]

Depending on your habits, you might not be able to log in while sober.

Might come in handy...

[Tatisimo]

Wonder if it can be used to prevent people from editing important documents while you take a quick break (hint: preventing your little brother from posting comments with your account)... "Error: Your Words Per Minute Do Not Match Your Normal Style. Please Try Again."

Re:Might come in handy...

[mollymoo]

You'd don't need this techniology for that, a regular password will do the job perfectly well. You just need to lock your computer when you're not using it. Every decent OS lets you do this with minimal fuss.

Re:

[afidel]

Winkey+L is your friend on XP or 2k3. On a Mac you can do the same with Keychain Access Lock Screen. There are X applications to do the same.

Re:

[micromoog]

Meh, your little brother's comments are usually more insightful than yours anyway. Zing!

Morse vs. typing

[VGPowerlord]

While I think measuring typing speed as well as the password itself might work, comparing it to morse code speed is ludicrous.

Richards has apparently forgotten that morse code uses 1-key as opposed to passwords which use 47 character keys with the ability for a person to hold down the shift key to enter in an alternate version of any of those.

Which means that, when a person starts using a new password, they type it fairly slowly. However, as they get used to typing it, they gradually get faster at it.

What do you do when your own system locks you out because you've gotten better at typing your own password?

Re:

[wall0159]

The system would likely use some form of adaptive filter or neural network. It would therefore adapt to changes in the password-entry-quantifiers over time, and this wouldn't be a problem - as long as the entered password followed the _trends_ of previously entered passwords.

Re:

[arth1]

What do you do when your own system locks you out because you've gotten better at typing your own password?

Change your password?

Regards,
--
*Art

Not very accurate for real world use

[Jimmy King]

I read about this semi-recently (as in within the last year) and at that point the recognition based on the actual keystroke timing was pretty poor. With only 2 or 3 people they could tell who it was something like 90% of the time if I remember right. It got considerably worse as there were more people to recognize.

Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identify. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3 attempt lockout policy or the like.

Re:

[wall0159]

Not really. Remember, this is being used to augment a password protection scheme. They can have a fairly low bar to acceptance (resulting in a relatively high false-acceptance* rate) and this doesn't matter, because it's still an extra thing an intruder needs to get right (as well as access to the password) to gain access to the system.

*I'm using "false-acceptance" to mean the system recognising a typed password as acceptable when really it shouldn't have.

Re:

[Jimmy King]

From a personal standpoing my main concern with a system like this is not that off chance of someone else managing to mimic my typing. It's that 10% (or whatever the real number was, not 100% accurate, though) chance that it's not going to recognize my own typing. If it just does it once, well, annoying but whatever, I'll get in on the next try. That combined with (or to be fair, possibly caused by) all of the factors mentioned in posts before mine that could affect how I type my password and it seems th

Nothing To See Here, Move Along

[mmurphy000]

I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".

Here, I see two problems off the cuff:

1. If it thinks you're not typing the password the same way, "it will ask some additional security questions". Hence, this is not significantly different than the cookie-based or IP-address based solutions used by some banks, where you need only a password if you're coming from a familiar PC and need to answer more questions if you're not. Phishers can just let the password-typing fail and fall back to collecting the answers to the security questions and break in that way.
2. It'll only be reliable for people who use the same keyboard all the time. I know I type differently when I'm on my home PC (natural keyboard) vs. an office PC (flat keyboard) vs. my PDA (thumbboard). Particularly the way I type with two thumbs bears little resemblance to the way I touch-type. Now, it's possible they'll track different typing profiles, but eventually the profiles will grow to cover just about any typing pattern...

Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.

Re:Nothing To See Here, Move Along

[Michael Woodhams]

Furthermore, if the software can detect the password cadence, so can an appropriately programmed keylogger.

Almost all security is a tradeoff against usability. This one looks like a bad trade - you lose lots of usability for only a small increase in security.

Different typing methods

[mjensen]

When holding a book or other items, I type one-handed. (joke as required)

I'd think that this system would have the user type their password multiple times looking for consistent spacing.

Seems like it would not work as I learn my passwd

[rminsk]

When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle when people impove typing their password?

Re:

[Blakey Rat]

What if you just came in from the cold and your fingers are stiff? What if you're using your laptop on your lap... top... and don't type the same way you do at your desk?

This is a stupid idea.

Evolving stream?

[fineghal]

So I haven't RTFA and am just thinking out loud. Couldn't the problem of your typing speeding up or whatever due to your "comfort" level be solved by using an evolving stream? You've got the algorithm to determine similarity. Let's assume it's tuned to a 99% significance level. This is security right? But instead of comparing to an original, or arbitrary previous time, it compares it to your previous login, or perhaps a composite of the previous 2 logins. This way, your stored "fist" will evolve with you. I like it. It's conceptually easy at least. Any ideas on the CPU hit for this? Proof of concept?

Re:

[hansamurai]

This is a great idea as the security system could develop thresholds using data from the last n logins between logins where there's plenty of time and processor power to do so. If you wanted to really get into it, you could have it learn how you type on a Monday (when you may be recovering from the weekend) compared to a Wednesday and develop thresholds more independently. Or even the time of day, 8:00am compared to 10am compared to 1pm is even probably different. Man, if this was open source I would lov

back then

[Himring]

World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor.

It was all netware back then....

Re:

[slickwillie]

Didn't the Indians use this method to authenticate smoke signals?

"Smoke puffs too fast, must be those fucking Apaches again trying to steal our women again."

I do this now. Sort of.

[rindeee]

When I choose passwords, I make them such that they are memorable by pattern vs. memorable by content. This accomplishes two important things: 1.) This make my password entry VERY fast as it relies on muscle memory to a greater extent than thinking about the words I need to type and then typing them, and 2.) I am able to 'sense' typos without really thinking about it. Adding a system side authentication scheme that sense my tempo, strike, etc. would be cool in order to defeat impostors. Cool stuff.

Select a Keyboard Please

[MSTCrow5429]

What happens if I'm on the laptop keyboard, then the desktop keyboard? As I'm more attuned to the laptop atm, the desktop keyboard will have a different usage pattern. If I go from this keyboard to one on another desktop, it will be even more off.

SSH attack

[Wonko the Sane]

Wasn't there an attack for SSH challenge-response authentication that used the timing of packets to make it easier to brute-force your password?

Some added security, but not much

[quantaman]

From the article:

"You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."

Ahh, so really all they've really done is increased the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not as nearly as tough as the password, especially since no one expects it to be used) or they keep making occational tries at logging in with the correct password until you find their cadence (probably not that hard).

Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags, chances are there will be so many false positives that no one will bother to follow up.

Re:

[quantaman]

There's nothing inherent in the system that says the security questions should only be presented when the correct password has been supplied. A safer procedure may be to present the security questions after three failed(either because of the password, or because of the typing profile) logins with the same password. If they failed because of the typing profile, answering the security questions correctly grants you access. If they failed because of the password, you will be denied access whether or not you answer the security questions correctly.

That's a good point. The phrasing of the article made me think that the question only came up after correct passwords with a bad cadence. But if it works as you suggest and it always gives a security question after failed attempts, then you still get the security of the passphrase without letting the attacker know they have the correct password.

Of course as you mention there's still the issue of the security of the passphrase, my guess is it won't be very complex since it will almost never be used and peop

New??

[E IS mC(Square)]

What's new here? This [uni-regensburg.de] was available back in 2005 if I am not wrong.

Personal experience with BioPassword

[Anonymous Coward]

We have been offering BioPassword as an additional security feature for our web based application (Doc Mgmt). I have been fairly impressed with its capabilities.

You can configure a number of options such as # of attempts before activation which allows it to 'learn' your typing style.

You can also set the 'Pass/Fail' percentage. For instance 80% match so you don't have to type it in EXACTLY the same way every time.

Additionally you can disable BP for individual users if you wish (broken hand, etc).

Plenty of ot

Used this on an Apple II

[SETIGuy]

The code itself came out of Nibble magazine, IIRC.

Someone listening to my typing could match my timing well enough to get in if they also knew the password.

very old method

[kharchenko]

Keystroke patterns is a well-established method for intrusion detection [wikipedia.org]. In fact it predates computers, as in the old days of Morse code an operator would typically have a recognizable signature.

I'll never login again!

[Builder]

Every Monday, I type slower and make more mistakes, mostly because my hands are still sore / stiff from climbing or packing canopies on the weekend. By Friday I'm back up to my normal speed.

Will I ever be allowed to login again ?

Has been done before, Psylock

[gr8dude]

This is not a new technology. Take a look at Psylock [psylock.com], it is a similar mechanism developed by a group in a German university.

I know in person a guy who is working on it, and I've tried it myself in October 2006 at the Systems expo in Munich. I guess they've had a working version of it long before that.

Open source typing pattern scheme

[lixee]

I happen to be doing my Master's thesis on exactly this subject. The problem currently with the technology is that there's not enough data for scientists to work on and extract the best metrics. Plus, it's dominated by corporations. My idea was to gather enough data and make them available for future researchers as well as set up an open-source program implementing the best algorithms I'll come up with. Analysis of the data will be done with R and the actual program written in Python. It'd be nice if you co

Ally, impostor...

[autophile]

"whether a message was sent by an ally or an impostor..."

...or a cat [bitboost.com].

--Rob

not for web apps, I assume

[poot_rootbeer]

How useful is this method going to be when it can't be used with web-based applications?

For one, how's the web browser going to obtain that keystroke timing info and pass it on to the host? A Javascript implementation would be trivial to circumvent. And an ActiveX-like implementation would be a security risk.

For another, what about stored passwords? I may use an identifiable cadence when typing in a new password for the first time, but if I choose to let my browser store that password, it's going to subsequently get pasted in at the speed of

strcpy()

. How many false negatives will this cause?

Re:

[Al Al Cool J]

No kidding. I implimented a primative version of this in GWBASIC on an 8088 in the early 80s. It could identify me based on the way I typed my name. It worked reasonably well, considering I never actually learned to type. Jeez, that takes me back.

Re:

[BillGatesLoveChild]

I'll qualify this for the mod lords:

I heard this first discussed in the 1980s in computer engineering classes being used on computers to authenticate logins.

Re:

[thePowerOfGrayskull]

RighT! Because that's an easy thing for the 90% of users who use their pet or spouse or birthday for their password. (Yes, I did pull 90% out of my ass, but it's probably true in spite of that.)

Re:

[Craig Davison]

? There's no trust involved here. Whatever the clients sends for biometrics is going to be authenticated server-side. Saying the client could fake the biometrics makes as much sense as saying the client could fake the password.

Re:

[fumblebruschi]

The guy who taught me Morse code (my scout leader, in the early 80s) called it a "hand." He couldn't have been alone, either, because I was always a sloppy operator and more than one guy called me a "hand of mud."