Typing Patterns for Authentication
Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
Bad Idea (Score:5, Insightful)
No Soup For ... me? (Score:4, Insightful)
Re:Fist (Score:5, Insightful)
Not very accurate for real world use (Score:3, Insightful)
Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identity. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3 attempt lockout policy or the like.
Nothing To See Here, Move Along (Score:5, Insightful)
I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".
Here, I see two problems off the cuff:
Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.
Seems like it would not work as I learn my passwd (Score:5, Insightful)
Re:Reminds me of a story... (Score:1, Insightful)
--
Nicolas, who doesn't know if he spends too much time on
Re:Bad Idea (Score:2, Insightful)
--
*Art
Re:Sharing Secrets (Score:4, Insightful)
Re:Fist (Score:3, Insightful)
Re:Nothing To See Here, Move Along (Score:5, Insightful)
Almost all security is a tradeoff against usability. This one looks like a bad trade - you lose lots of usability for only a small increase in security.
busted, useless and insecure (Score:1, Insightful)
1) it will have too many false errors due to the inconsistent way people type. Things change as we age, as we trim our nails, how rushed we are, etc.
2) a decently sophisticated keylogger can record and play back key strokes as if the original typist was doing the typing. People who want in badly enough WILL have that sort of tool so don't laugh it off.
3) The in thing is computing anywhere. One login from any computer gets you to your particular desktop or set of apps. This is becoming the norm where I work. But not all the computers are the same. Some Dell, some HP, some Mac, some IBM. Most of the keyboards are different so it stands to reason the *exact* timing on keystrokes will differ from one to the next. The margin of error may be enough to cause trouble. We don't know. Nothing has ever looked into keypresses so deeply before.
4) No matter how many key-press passwords and other biometric junk (easily bypassed + woefully oversold) you attach to a computer, it's still easy to steal the entire computer or at least the hard drive and do all sorts of evil to it as much as you want. Sure, encrypt the drive but how many people actually DO that?
PS: for everybody chattering about how morse operators "used to" have a "fist" or style, please note that morse code users STILL exist along with all those terms and techniques and whatever. So maybe it might seem like something from 1935, but it is still in use in amateur radio. So drop the "used to" stuff OK?
PPS: I think morse is long past its date with destiny. Bring on NO CODE baby! But I have to stand up for my fellow CW users. They are out there, tapping away even now. It's very bandwidth efficient and it's rather easy to use for SMS too. Mobile phones should have it as an option instead of T-9 or alpha-numeric.
Re:Sharing Secrets (Score:3, Insightful)
Re:Bad Idea (Score:3, Insightful)
The problem with that is remembering all the different answers.
To be honest, I don't see a good solution to the problem that people are required to remember more and more passwords. I would think that most people either pick the same passwords for most things, or store the passwords on their primary machine. In the first case they're screwed if the password is compromised just one place, and in the latter, they're screwed if they can't access their primary machine.
And, no, I don't think biometrics is the answer either. You can't change your biometric data, and if someone gets ahold of it, you are then compromised for the rest of your life.
A good authentication system should IMO be:
1: Quick and easy to use.
2: Location-independent, with the same authentication being used regardless of the location of the user or device.
3: Near impossible to break.
4: Maintenance free for the user.
5: Mutable. It should be possible to change the key or invalidate it.
6: High robustness. The user having a fever or a laptop being stolen shouldn't make it impossible or even harder to use.
7: Offer the possibility of escrow with the user's consent.
8: Not require a user to remember one or more passwords for each place he authenticates against. Nor a master password that can compromise all other passwords.
9: Transparent and documented. No black box.
Surgically implanted key ring in your head? We're not there yet...
Re:Sharing Secrets (Score:1, Insightful)
Are you sure you aren't seeing misogyny where there isn't any because that's the way you look at things?
Re:Sharing Secrets (Score:3, Insightful)
I can think of several people that could know the password after that telephone conversation, some of which the people having the conversation won't even know exist. One of many reasons to never share your password with anyone is that in the act of sharing it you expose it to potential (untrusted) snoopers, even if you trust the intended recipient.
Frankly, the whole argument was probably the poorest I've seen against the proposal. "I don't want a security system that ensures I'm me since I want other people to be able to fake being me." That's just plain nonsense.
not for web apps, I assume (Score:3, Insightful)
How useful is this method going to be when it can't be used with web-based applications?
For one, how's the web browser going to obtain that keystroke timing info and pass it on to the host? A JavaScript implementation would be trivial to circumvent. And an ActiveX-like implementation would be a security risk.
For another, what about stored passwords? I may use an identifiable cadence when typing in a new password for the first time, but if I choose to let my browser store that password, it's going to subsequently get pasted in at the speed of . How many false negatives will this cause?
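An added example, not BioPassword's code and not from the article or any poster: a minimal keystroke-dynamics profile in JavaScript built from the dwell and flight times the summary describes, used to show why a correct password that the browser pastes in (every timestamp identical) or that is typed in a hurry fails the timing match. All timestamps, the enrolment samples and the tolerance are constructed.

```javascript
// One typing sample: {key, down, up} timestamps in ms, built from per-key dwell
// (key held) and flight (gap until next key) values. Values are constructed.
function typed(dwells, flights) {
  const sample = [];
  let t = 0;
  dwells.forEach((d, i) => {
    sample.push({ key: i, down: t, up: t + d });
    t += d + (flights[i] || 0);
  });
  return sample;
}

// Feature vector: dwell time of each key followed by flight time between keys.
function features(sample) {
  const dwell = sample.map(e => e.up - e.down);
  const flight = [];
  for (let i = 1; i < sample.length; i++) flight.push(sample[i].down - sample[i - 1].up);
  return dwell.concat(flight);
}

// Enrol: per-feature mean and (population) standard deviation over several samples.
function enrol(samples) {
  const vecs = samples.map(features);
  const mean = [], sd = [];
  for (let j = 0; j < vecs[0].length; j++) {
    const col = vecs.map(v => v[j]);
    const m = col.reduce((a, b) => a + b, 0) / col.length;
    mean.push(m);
    sd.push(Math.sqrt(col.reduce((a, b) => a + (b - m) ** 2, 0) / col.length) || 1);
  }
  return { mean, sd };
}

// Verify: fraction of features within `tol` standard deviations of the enrolled mean.
// A length mismatch (different password) scores 0 outright.
function matchScore(profile, sample, tol = 2) {
  const v = features(sample);
  if (v.length !== profile.mean.length) return 0;
  const ok = v.filter((x, j) => Math.abs(x - profile.mean[j]) <= tol * profile.sd[j]).length;
  return ok / v.length;
}

// Constructed enrolment: three unhurried typings of a four-character password.
const PROFILE = enrol([
  typed([80, 90, 85, 95], [120, 110, 130]),
  typed([85, 95, 80, 90], [110, 120, 140]),
  typed([90, 85, 90, 100], [130, 100, 120]),
]);
const GENUINE = typed([83, 92, 88, 93], [125, 105, 135]);   // normal cadence -> 1
const PASTED = typed([0, 0, 0, 0], [0, 0, 0]);             // browser autofill -> 0
const RUSHED = typed([40, 45, 42, 48], [60, 55, 65]);      // same user, twice as fast -> 0
```

The rushed case is the false-negative problem raised above: the password is right and the typist is the legitimate user, but a fixed tolerance around absolute timings rejects it.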
Re:Whatever! (Score:3, Insightful)