Typing Patterns for Authentication
Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
Fist (Score:5, Informative)
I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.
Re:Fist (Score:5, Insightful)
Re:Fist (Score:5, Funny)
Man, I don't know about those circumstances, but I would welcome an online financial transaction system that's good enough to recognize whether or not I'm drunkenly typing in my credit card number after a night on the town. The combination of woot.com and a few too many beers has on more than one occasion proved fatal to both my self-respect and my checking account...as if two Roombas isn't enough as it is!
Re:Fist (Score:4, Funny)
Re:Fist (Score:4, Funny)
A few days later, a Palm Tungsten arrived at my place of work; and when my bank statement arrived, that turned out to have been the only purchase I had made during those lost hours. It could have been worse. A lot worse, judging by the sites in my browser history!
Lesson: Don't order stuff online while pissed and/or stoned.
Re: (Score:3, Insightful)
Re:Fist (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Ontopic, if my bank started using this system it would completely lock me out of my account, as I have a password long enough that I have to slow down until I get it right. There would be bonus points if I could fit the long version of it into the prompt, as that would be somewhere on the order of 50 characters. If they're expecting one speed and I type at another it would tag me as fraud?
Sharing Secrets (Score:5, Funny)
Yeah, not only that, but imagine when you've forgotten something important and you call home to talk to your spouse to get it.
Re:Sharing Secrets (Score:4, Insightful)
Re: (Score:2)
Re: (Score:3, Funny)
* No, I'm not speaking from experience.
Re: (Score:3, Insightful)
I can think of several people that could know the password after that telephone conversation, some of which the people having the conversation won't even know exist. One of many reasons to never share your password with anyone is that in the act of sharing it you expose it to potential (untrusted) snoopers, even if you trust the intended recipient.
Frankly, the whole argument w
Re: (Score:3, Informative)
Why the fuck would you marry someone you don't even trust?
Why the fuck would you divorce someone that agreed to take care of you when you're old?
Anyways, lots and lots of married couples keep things from each other, it's in no way misogynistic or stupid, it's actually natural. From this perspective I find the GP funny, as a man who's been divorced, I think of it more as informative than anything. And please save the big words for when you really need them, people are using the "m" word far too often these days.
Re: (Score:3, Informative)
...lots and lots of married couples keep things from each other, it's in no way misogynistic or stupid, it's actually natural.
It's called privacy, everyone needs it, it is in no way misogynistic.
The last-reported U.S. divorce rate for a calendar year, available as of May, 2005, is 0.38% divorces per capita per year, ...
The National Center for Health Statistics recently released a report which found that 43 percent of first marriages end in separation or divorce within 15 years.
http://www.divorcereform.org/rates.html [divorcereform.org]
Good luck! I don't know how long you've been married, but all things considered, I think I did alright. Anyways, thanks for busting my balls and if you ever need advice for your divorce, you can count me out. ;)
Re: (Score:3, Insightful)
Re: (Score:2, Interesting)
Really, if there's a way to guarantee that keys are being pressed, that'd even be good enough for that. There's not a hacker in the world that's going to run a brute-force attack manually.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Re: (Score:2)
+1 Clippy of awareness (Score:5, Funny)
while you were drunk, I intercepted the email you wrote to
[No] [Ignore] [Cancel]
Re:Fist (Score:4, Interesting)
Once trained, it was extremely hard to fool the thing, even by deliberately and extremely altering your typing habits. Of course, this was a multiple choice test and that's easier than the authentication situation, but it shows that the method can be more robust than would first appear.
Re: (Score:2)
Unless, of course, you're signing someone whose signature is intentionally developed to be forgeable.
When you have a situation like "oh, yes, everything is in order, but your supervisor forgot to sign this and this," you can either go back and do things the proper way or phone the supervisor and falsify the signature.
I don't know how you do it in the US, but guess what the accountants do in Croatia.
Do not think such typing patterns will not evolve, either... people - for whatever reason - do have other p
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Informative)
--Q
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
So much for Stephen Hawking's access (Score:2)
Re: (Score:2)
It has. Multiple times over the last several decades.
It also doesn't really work very well for a wide variety of reasons. That's why it's not being used.
Re:Fist (Score:5, Funny)
It won't be long before online fraudsters learn to copy users "fists."
Yes, I predict the internet will be awash in "fisting" websites within the fortnight.
-Isaac
Typschrift (Score:3, Interesting)
Well, it has been done before. I graduated from the Academy of Arts in Rotterdam in 1996 with some fonts that changed their shape depending on how you typed. Inspiration for these fonts was exactly this technique, which I had heard about, on some big IT show, at least 5 years before.
A JAVA version of one of the fonts (Typschrift-B [www.typ.nl], a rather crude version but my JAVA-knowledge is kind of non-existent) is the only thing that i
It has been done before. (Score:3, Interesting)
1977, Rome:
G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).
1980, Rand:
R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corpora
Bad Idea (Score:5, Insightful)
Re: (Score:2)
RICHARDS: You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions. (Emphasis mine)
Re: (Score:2, Insightful)
--
*Art
Re: (Score:3, Insightful)
The problem with that is remembering all the different answers.
To be honest, I don't see a good solution to the problem that people are required to remember more and more passwords. I would think that most people either pick the same passwords for most things, or store the p
Re: (Score:2)
Re: (Score:2)
Re:Bad Idea (Score:5, Funny)
One day the letter arrives. It is in Blue ink. It raves about the luxury goods, and the stores of plenty. In fact says the writer, the only thing in short supply seems to be red ink.
The modern version would have the comrade unable to log in because all the keyboards were dvorak.
Re: (Score:2)
There was a Russian saying that went something like Net pravdy v Vestyah, net vestej v Pravde (no truth in the Izvestia newspaper, no news in the Pravda newspaper).
Re:Bad Idea (Score:5, Funny)
You could (Score:2)
No Soup For ... me? (Score:4, Insightful)
Re: (Score:2)
Also if you:
- change keyboards
- change your chair
- drink some coffee
- use an unusual posture
- catch the flu
- lose your palmrest
- ADD a palmrest
- get carpal tunnel syndrome or other RSIs
- lose a limb
- (I could go on for a LONG time)
I can definitely see this end
Reminds me of a story... (Score:2)
Any takers?
Re: (Score:2)
Re: (Score:2)
The whole story is pretty funny, how he and others were always arguing about what it could be... Magnetic interference, etc.
Re:Reminds me of a story... (Score:5, Funny)
Long penis.
Re: (Score:2)
Hmmm, you aren't fooling anyone, this is /. after all.
Re: (Score:2)
Interesting you mentioned WW2... (Score:5, Informative)
I immediately thought of WW2 when I read the title. A Morse Code operator's style was called their "fist". German operators became quite adept at mimicking the fist of other operators, and using the fist to identify captured operators didn't work well. This is why they had other signals for identifying that an operator was not captured. Things that would look like a typographical or crypto error to a third party, but which was known to both the sender and receiver, and the absence of them would indicate capture. Of course, under stress, sometimes these were forgotten.
The book Silk and Cyanide has a great discussion of the fist and other identification techniques and how they failed and succeeded (mostly the former). Highly recommended.
Sean
Why not just have two passwords. (Score:2)
I've often thought that they should do something like this for ATMs. You should have another PIN code that you can enter, which will work just like your regular one, but will also trigger an immediate silent alarm and mark the machine's video record that something was amiss.
Or on a computer, you have two passwords, one that's the real login, and another that causes the computer to open to a fake main s
Re: (Score:2)
If they did, there is a pretty good chance of getting caught - slip-ups in their story, other surveillance cameras, a police car that just happened to be nearby when the alarm went out... The odds are probably at least as good as catching a real ATM mugger.
No Drunk Internets :( (Score:3, Funny)
The obvious solution (Score:2, Funny)
Re: (Score:2)
Human psyche trumps any clever solution.
Re: (Score:2)
Re: (Score:2)
Might come in handy... (Score:2, Interesting)
Re:Might come in handy... (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
Morse vs. typing (Score:3, Interesting)
Richards has apparently forgotten that Morse code uses 1-key as opposed to passwords which use 47 character keys with the ability for a person to hold down the shift key to enter in an alternate version of any of those.
Which means that, when a person starts using a new password, they type it fairly slowly. However, as they get used to typing it, they gradually get faster at it.
What do you do when your own system locks you out because you've gotten better at typing your own password?
Re: (Score:2)
The system would likely use some form of adaptive filter or neural network. It would therefore adapt to changes in the password-entry-quantifiers over time, and this wouldn't be a problem - as long as the entered password followed the _trends_ of previously entered passwords.
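The adaptive approach this comment describes, as an added example that is not part of the original thread and is not BioPassword's code: dwell and flight times are scored against an enrolled template whose means follow accepted logins with an exponential moving average. The event format, the 2.0 threshold, the 10 ms spread floor and every timing value are constructed assumptions.

```python
import statistics

def features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order.
    Returns dwell times (key held down) followed by flight times (gap to next key)."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def typed(dwells, flights, keys="pass"):
    """Build constructed press/release events (ms) from dwell and flight times."""
    t, out = 0, []
    for i, k in enumerate(keys):
        out.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

class Template:
    def __init__(self, samples, alpha=0.2, floor_ms=10.0):
        cols = list(zip(*samples))
        self.mean = [statistics.mean(c) for c in cols]
        # Floor the spread so a very consistent enrolment does not reject everything.
        self.dev = [max(statistics.pstdev(c), floor_ms) for c in cols]
        self.alpha = alpha

    def score(self, vec):
        """Average distance from the template in units of per-feature spread."""
        return sum(abs(v - m) / d for v, m, d in zip(vec, self.mean, self.dev)) / len(vec)

    def verify(self, vec, threshold=2.0):
        ok = self.score(vec) <= threshold
        if ok:  # adapt only on accepted attempts, so rejected ones cannot move the template
            self.mean = [(1 - self.alpha) * m + self.alpha * v
                         for m, v in zip(self.mean, vec)]
        return ok

def demo():
    enrol = [features(typed(d, f)) for d, f in [
        ([100, 110, 95, 105], [200, 180, 220]),
        ([104, 106, 99, 101], [230, 160, 250]),
        ([96, 114, 91, 109], [170, 200, 190])]]
    adaptive, static = Template(enrol), Template(enrol)
    genuine = static.score(features(typed([102, 108, 97, 103], [205, 175, 225]))) <= 2.0
    impostor = static.score(features(typed([150, 160, 150, 150], [400, 350, 420]))) <= 2.0
    # The owner speeds up by 8 ms per gap on each of 20 logins.
    drift = [features(typed([100, 110, 95, 105], [200 - 8 * n, 180 - 8 * n, 220 - 8 * n]))
             for n in range(1, 21)]
    tracked = all(adaptive.verify(v) for v in drift)
    return genuine, impostor, tracked, static.score(drift[-1]) <= 2.0
```

The adaptive template accepts all twenty gradually faster logins, while a template frozen at enrolment rejects the last one, which is the lock-out the parent comment worries about.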
Re: (Score:2)
Change your password?
Regards,
--
*Art
Not very accurate for real world use (Score:3, Insightful)
Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identity. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3 attempt lockout policy or the like.
Re: (Score:2)
Not really. Remember, this is being used to augment a password protection scheme. They can have a fairly low bar to acceptance (resulting in a relatively high false-acceptance* rate) and this doesn't matter, because it's still an extra thing an intruder needs to get right (as well as access to the password) to gain access to the system.
*I'm using "false-acceptance" to mean the system recognising a typed password as acceptable when really it shouldn't have.
Re: (Score:2)
Nothing To See Here, Move Along (Score:5, Insightful)
I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".
Here, I see two problems off the cuff:
Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.
Re:Nothing To See Here, Move Along (Score:5, Insightful)
Almost all security is a tradeoff against usability. This one looks like a bad trade - you lose lots of usability for only a small increase in security.
Different typing methods (Score:2, Interesting)
I'd think that this system would have the user type their password multiple times looking for consistent spacing.
Seems like it would not work as I learn my passwd (Score:5, Insightful)
Re: (Score:2)
This is a stupid idea.
Evolving stream? (Score:3, Interesting)
Re: (Score:2)
back then (Score:3, Funny)
It was all netware back then....
Re: (Score:2)
"Smoke puffs too fast, must be those fucking Apaches again trying to steal our women again."
I do this now. Sort of. (Score:2)
Select a Keyboard Please (Score:2)
SSH attack (Score:2)
Some added security, but not much (Score:5, Interesting)
"You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."
Ahh, so really all they've really done is increased the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not as nearly as tough as the password, especially since no one expects it to be used) or they keep making occasional tries at logging in with the correct password until you find their cadence (probably not that hard).
Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags, chances are there will be so many false positives that no one will bother to follow up.
Re: (Score:2)
There's nothing inherent in the system that says the security questions should only be presented when the correct password has been supplied. A safer procedure may be to present the security questions after three failed (either because of the password, or because of the typing profile) logins with the same password. If they failed because of the typing profile, answering the security questions correctly grants you access. If they failed because of the password, you will be denied access whether or not you answer the security questions correctly.
That's a good point. The phrasing of the article made me think that the question only came up after correct passwords with a bad cadence. But if it works as you suggest and it always gives a security question after failed attempts, then you still get the security of the passphrase without letting the attacker know they have the correct password.
Of course as you mention there's still the issue of the security of the passphrase, my guess is it won't be very complex since it will almost never be used and peop
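The procedure discussed in this exchange, as an added example that is not part of the original thread or of any product: the reply to each login attempt depends only on the failure count, so a client cannot tell a wrong password from a wrong cadence. The `LoginGate` class, its method names and the secrets are hypothetical, and treating any wrong-password failure as disqualifying is an assumption about how "with the same password" would be enforced.

```python
import hashlib
import hmac
import os

def kdf(secret, salt):
    # Store and compare derived keys, never the secrets themselves.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class LoginGate:
    """Hypothetical server-side flow for one account; all names are illustrative."""
    def __init__(self, password, answer, limit=3):
        self.salt = os.urandom(16)
        self.pw_hash, self.ans_hash = kdf(password, self.salt), kdf(answer, self.salt)
        self.limit, self.failures, self.profile_only = limit, 0, True

    def _match(self, secret, stored):
        return hmac.compare_digest(kdf(secret, self.salt), stored)

    def attempt(self, password, cadence_ok):
        pw_ok = self._match(password, self.pw_hash)
        if pw_ok and cadence_ok and self.failures < self.limit:
            self.failures, self.profile_only = 0, True
            return "granted"
        self.failures += 1
        # Remember privately whether every failure so far had the right password.
        self.profile_only = self.profile_only and pw_ok
        # The reply depends only on the failure count, never on which check failed.
        return "challenge" if self.failures >= self.limit else "denied"

    def answer_challenge(self, answer):
        ans_ok = self._match(answer, self.ans_hash)  # always computed: no timing shortcut
        ok = ans_ok and self.profile_only and self.failures >= self.limit
        if ok:
            self.failures, self.profile_only = 0, True
        return "granted" if ok else "denied"

def transcript(password, cadence_ok, answer):
    """Three attempts followed by a challenge answer, against constructed secrets."""
    gate = LoginGate("correct horse", "first pet: rex")
    seen = [gate.attempt(password, cadence_ok) for _ in range(3)]
    return seen, gate.answer_challenge(answer)
```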
New?? (Score:2)
Personal experience with BioPassword (Score:2, Informative)
You can configure a number of options such as # of attempts before activation which allows it to 'learn' your typing style.
You can also set the 'Pass/Fail' percentage. For instance 80% match so you don't have to type it in EXACTLY the same way every time.
Additionally you can disable BP for individual users if you wish (broken hand, etc).
Plenty of ot
Used this on an Apple II (Score:2)
Someone listening to my typing could match my timing well enough to get in if they also knew the password.
very old method (Score:2, Redundant)
I'll never login again! (Score:2)
Will I ever be allowed to login again ?
Has been done before, Psylock (Score:2)
I know in person a guy who is working on it, and I've tried it myself in October 2006 at the Systems expo in Munich. I guess they've had a working version of it long before that.
Open source typing pattern scheme (Score:2)
Ally, impostor... (Score:3, Funny)
"whether a message was sent by an ally or an impostor..."
...or a cat [bitboost.com].
--Rob
not for web apps, I assume (Score:3, Insightful)
How useful is this method going to be when it can't be used with web-based applications?
For one, how's the web browser going to obtain that keystroke timing info and pass it on to the host? A Javascript implementation would be trivial to circumvent. And an ActiveX-like implementation would be a security risk.
For another, what about stored passwords? I may use an identifiable cadence when typing in a new password for the first time, but if I choose to let my browser store that password, it's going to subsequently get pasted in at the speed of . How many false negatives will this cause?
Re: (Score:2)
Re: (Score:2)
I heard this first discussed in the 1980s in computer engineering classes being used on computers to authenticate logins.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)