
Typing Patterns for Authentication 259

Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
  • Bad Idea (Score:5, Insightful)

    by dynamo ( 6127 ) on Thursday April 19, 2007 @09:19PM (#18807131) Journal
    This will make it possible for a change of mood to deny your access to your own accounts. ...which will probably not help with the mood thing.
  • by mindlessLemming ( 961508 ) on Thursday April 19, 2007 @09:19PM (#18807133) Homepage
    Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"
  • Re:Fist (Score:5, Insightful)

    by OECD ( 639690 ) on Thursday April 19, 2007 @09:21PM (#18807165) Journal
    Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.
  • by Jimmy King ( 828214 ) on Thursday April 19, 2007 @09:29PM (#18807237) Homepage Journal
    I read about this semi-recently (as in within the last year) and at that point the recognition based on the actual keystroke timing was pretty poor. With only 2 or 3 people they could tell who it was something like 90% of the time if I remember right. It got considerably worse as there were more people to recognize.

    Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identity. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3 attempt lockout policy or the like.
  • by mmurphy000 ( 556983 ) on Thursday April 19, 2007 @09:30PM (#18807249)

    I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".

    Here, I see two problems off the cuff:

    1. If it thinks you're not typing the password the same way, "it will ask some additional security questions". Hence, this is not significantly different than the cookie-based or IP-address based solutions used by some banks, where you need only a password if you're coming from a familiar PC and need to answer more questions if you're not. Phishers can just let the password-typing fail and fall back to collecting the answers to the security questions and break in that way.
    2. It'll only be reliable for people who use the same keyboard all the time. I know I type differently when I'm on my home PC (natural keyboard) vs. an office PC (flat keyboard) vs. my PDA (thumbboard). Particularly the way I type with two thumbs bears little resemblance to the way I touch-type. Now, it's possible they'll track different typing profiles, but eventually the profiles will grow to cover just about any typing pattern...

    Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.

  • by rminsk ( 831757 ) on Thursday April 19, 2007 @09:36PM (#18807309)
    When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle when people improve typing their password?
  • by Anonymous Coward on Thursday April 19, 2007 @09:41PM (#18807347)
    Some keys on his keyboard had been switched. When he was sitting down, he wasn't looking at his keyboard and thus would type the correct password whereas he needed to look at it when he was standing up, therefore entering the wrong one.

    --
    Nicolas, who doesn't know if he spends too much time on /., but this story has been posted already. Oh, and I'm sorry for the bad English of this post, too.
  • Re:Bad Idea (Score:2, Insightful)

    by arth1 ( 260657 ) on Thursday April 19, 2007 @09:50PM (#18807409) Homepage Journal
    If one more brain dead security system asks me my mother's maiden name and my city of birth, I'm going to scream!

    --
    *Art
  • Re:Sharing Secrets (Score:4, Insightful)

    by Anonymous Coward on Thursday April 19, 2007 @10:32PM (#18807753)
    Never, EVER, give your wife your password! What the heck are you smoking?!?!
  • Re:Fist (Score:3, Insightful)

    by Rakishi ( 759894 ) on Thursday April 19, 2007 @11:18PM (#18808097)
    and after I answer them the 20th time I'd say "fuck you" and either disable the system or use a service that doesn't have it.
  • by Michael Woodhams ( 112247 ) on Friday April 20, 2007 @12:01AM (#18808407) Journal
    Furthermore, if the software can detect the password cadence, so can an appropriately programmed keylogger.

    Almost all security is a tradeoff against usability. This one looks like a bad trade - you lose lots of usability for only a small increase in security.
  • by Anonymous Coward on Friday April 20, 2007 @01:05AM (#18808739)
    This is dumb.

    1) it will have too many false errors due to the inconsistent way people type. Things change as we age, as we trim our nails, how rushed we are, etc.

    2) a decently sophisticated keylogger can record and play back key strokes as if the original typist was doing the typing. People who want in badly enough WILL have that sort of tool so don't laugh it off.

    3) The in thing is computing anywhere. One login from any computer gets you to your particular desktop or set of apps. This is becoming the norm where I work. But not all the computers are the same. Some Dell, some HP, some Mac, some IBM. Most of the keyboards are different so it stands to reason the *exact* timing on keystrokes will differ from one to the next. The margin of error may be enough to cause trouble. We don't know. Nothing has ever looked into keypresses so deeply before.

    4) No matter how many key-press passwords and other biometric junk (easily bypassed + woefully oversold) you attach to a computer, it's still easy to steal the entire computer or at least the hard drive and do all sorts of evil to it as much as you want. Sure, encrypt the drive but how many people actually DO that?

    PS: for everybody chattering about how morse operators "used to" have a "fist" or style, please note that morse code users STILL exist along with all those terms and techniques and whatever. So maybe it might seem like something from 1935, but it is still in use in amateur radio. So drop the "used to" stuff OK?

    PPS: I think morse is long past its date with destiny. Bring on NO CODE baby! But I have to stand up for my fellow CW users. They are out there, tapping away even now. It's very bandwidth efficient and it's rather easy to use for SMS too. Mobile phones should have it as an option instead of T-9 or alpha-numeric.
  • Re:Sharing Secrets (Score:3, Insightful)

    by LordSnooty ( 853791 ) on Friday April 20, 2007 @05:02AM (#18809575)
    Agreed. Everything might be hunky-dory now, but what will the future hold? The bank can easily solve this by providing the wife with her own logon account, then attaching the various bank accounts she has authority over. At the very least it will maintain a proper audit trail, if the relationship went bad and the wife used the husband's logon to empty all the accounts, could he prove that it wasn't him who did the deed?
  • Re:Bad Idea (Score:3, Insightful)

    by arth1 ( 260657 ) on Friday April 20, 2007 @08:18AM (#18810301) Homepage Journal

    Well, don't be so truthful! Give them made-up information instead. Ideally, you should have a different "Mother's maiden name" and "city of birth" for each service you use; that way, if any one gets compromised, all the others are safe.

    The problem with that is remembering all the different answers.
    To be honest, I don't see a good solution to the problem that people are required to remember more and more passwords. I would think that most people either pick the same passwords for most things, or store the passwords on their primary machine. In the first case they're screwed if the password is compromised just one place, and in the latter, they're screwed if they can't access their primary machine.
    And, no, I don't think biometrics is the answer either. You can't change your biometric data, and if someone gets ahold of it, you are then compromised for the rest of your life.

    A good authentication system should IMO be:

    1: Quick and easy to use.
    2: Location-independent. With the same authentication being used regardless of location of user or device.
    3: Near impossible to break.
    4: Maintenance free for the user.
    5: Mutable. It should be possible to change the key or invalidate it.
    6: High robustness. The user having a fever or a laptop being stolen shouldn't make it impossible or even harder to use.
    7: Have possibility for escrow with user's consent.
    8: Not require a user to remember one or more passwords for each place he authenticates against. Nor a master password that can compromise all other passwords.
    9: Transparent and documented. No black box.

    Surgically implanted key ring in your head? We're not there yet...
  • Re:Sharing Secrets (Score:1, Insightful)

    by Kattspya ( 994189 ) on Friday April 20, 2007 @09:23AM (#18810715)
    To me it looks like a specific case of the general rule: "don't give your (secure) password to anyone, period".

    Are you sure you aren't seeing misogyny where there isn't any because that's the way you look at things?
  • Re:Sharing Secrets (Score:3, Insightful)

    by Kidbro ( 80868 ) on Friday April 20, 2007 @10:35AM (#18811461)
    sharing a simple piece of information that can be changed at any time with someone you have no good reason to be keeping secrets from

    I can think of several people that could know the password after that telephone conversation, some of which the people having the conversation won't even know exist. One of many reasons to never share your password with anyone is that in the act of sharing it you expose it to potential (untrusted) snoopers, even if you trust the intended recipient.
    Frankly, the whole argument was probably the poorest I've seen against the proposal. "I don't want a security system that ensures I'm me since I want other people to be able to fake being me." That's just plain nonsense.

  • by poot_rootbeer ( 188613 ) on Friday April 20, 2007 @11:11AM (#18811943)

    How useful is this method going to be when it can't be used with web-based applications?

    For one, how's the web browser going to obtain that keystroke timing info and pass it on to the host? A Javascript implementation would be trivial to circumvent. And an ActiveX-like implementation would be a security risk.

    For another, what about stored passwords? I may use an identifiable cadence when typing in a new password for the first time, but if I choose to let my browser store that password, it's going to subsequently get pasted in at the speed of strcpy(). How many false negatives will this cause?
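
Added example, not part of the original thread or any commenter's post: a small keystroke-dynamics check in JavaScript built on the features the story summary names (how long each key is held, the time between keystrokes, overall speed), showing the false rejections raised in the comments for a different keyboard and for a browser-filled password. The function names, sample timings, threshold and the scaled Manhattan distance are assumptions chosen for illustration, not BioPassword's method.

```javascript
// Constructed example: names, timings and threshold are illustrative assumptions.
const THRESHOLD = 2.0;  // assumed accept limit on the scaled distance
const MIN_SPREAD = 5;   // ms floor so a near-constant feature cannot dominate
// Build {down, up} timestamps (ms) from per-key dwell and inter-key flight times.
function strokesFrom(dwells, flights) {
  let t = 0;
  return dwells.map((d, i) => {
    const down = i ? t + flights[i - 1] : t;
    t = down + d;
    return { down, up: t };
  });
}
// Feature vector: dwell per key, flight between keys, overall duration.
function features(strokes) {
  const f = [];
  strokes.forEach((s, i) => {
    f.push(s.up - s.down);
    if (i > 0) f.push(s.down - strokes[i - 1].up);
  });
  if (strokes.length) f.push(strokes[strokes.length - 1].up - strokes[0].down);
  return f;
}
// Template: per-feature mean and mean absolute deviation over enrollment samples.
function enroll(samples) {
  const rows = samples.map(features);
  const avg = (vals) => vals.reduce((a, v) => a + v, 0) / vals.length;
  const mean = rows[0].map((_, j) => avg(rows.map((r) => r[j])));
  const spread = mean.map((m, j) =>
    Math.max(MIN_SPREAD, avg(rows.map((r) => Math.abs(r[j] - m)))));
  return { mean, spread };
}
// Scaled Manhattan distance. A sample with the wrong number of key events
// (e.g. a browser-filled password, which has no per-key events) never matches.
function score(tpl, strokes) {
  const f = features(strokes);
  if (f.length !== tpl.mean.length) return Infinity;
  return f.reduce((a, x, j) => a + Math.abs(x - tpl.mean[j]) / tpl.spread[j], 0) / f.length;
}
const accepts = (tpl, strokes) => score(tpl, strokes) <= THRESHOLD;

const template = enroll([  // four constructed enrollment typings of a 4-key password
  strokesFrom([90, 100, 85, 95], [120, 150, 110]),
  strokesFrom([95, 105, 80, 100], [130, 140, 115]),
  strokesFrom([85, 95, 90, 90], [110, 160, 105]),
  strokesFrom([92, 98, 88, 97], [125, 145, 112]),
]);
const usual = strokesFrom([88, 102, 87, 93], [118, 155, 108]);           // same user, same keyboard
const otherKeyboard = strokesFrom([120, 130, 115, 125], [180, 220, 170]); // same user, slower
console.log(accepts(template, usual), accepts(template, otherKeyboard), accepts(template, []));
```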

  • Re:Whatever! (Score:3, Insightful)

    by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Friday April 20, 2007 @11:25AM (#18812121)

    And it's kind of cool to have a Christmas every week.
    That's as maybe; but it's not so cool having a January statement every month, though .....
