Security IT

Typing Patterns for Authentication 259

Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
This discussion has been archived. No new comments can be posted.

  • by Tatisimo ( 1061320 ) on Thursday April 19, 2007 @09:22PM (#18807171)
    Wonder if it can be used to prevent people from editing important documents while you take a quick break (hint: preventing your little brother from posting comments with your account)... "Error: Your Words Per Minute Do Not Match Your Normal Style. Please Try Again."
  • Morse vs. typing (Score:3, Interesting)

    by VGPowerlord ( 621254 ) on Thursday April 19, 2007 @09:24PM (#18807191)
    While I think measuring typing speed as well as the password itself might work, comparing it to Morse code speed is ludicrous.

    Richards has apparently forgotten that Morse code uses 1-key as opposed to passwords which use 47 character keys with the ability for a person to hold down the shift key to enter in an alternate version of any of those.

    Which means that, when a person starts using a new password, they type it fairly slowly. However, as they get used to typing it, they gradually get faster at it.

    What do you do when your own system locks you out because you've gotten better at typing your own password?
  • by mollymoo ( 202721 ) on Thursday April 19, 2007 @09:28PM (#18807221) Journal
    You don't need this technology for that, a regular password will do the job perfectly well. You just need to lock your computer when you're not using it. Every decent OS lets you do this with minimal fuss.
  • by mjensen ( 118105 ) on Thursday April 19, 2007 @09:36PM (#18807303) Journal
    When holding a book or other items, I type one-handed. (joke as required)

    I'd think that this system would have the user type their password multiple times looking for consistent spacing.
  • Evolving stream? (Score:3, Interesting)

    by fineghal ( 989689 ) on Thursday April 19, 2007 @09:37PM (#18807323)
    So I haven't RTFA and am just thinking out loud. Couldn't the problem of your typing speeding up or whatever due to your "comfort" level be solved by using an evolving stream? You've got the algorithm to determine similarity. Let's assume it's tuned to a 99% significance level. This is security right? But instead of comparing to an original, or arbitrary previous time, it compares it to your previous login, or perhaps a composite of the previous 2 logins. This way, your stored "fist" will evolve with you. I like it. It's conceptually easy at least. Any ideas on the CPU hit for this? Proof of concept?
  • by quantaman ( 517394 ) on Thursday April 19, 2007 @10:15PM (#18807603)
    From the article:

    "You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."

    Ahh, so really all they've really done is increased the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not as nearly as tough as the password, especially since no one expects it to be used) or they keep making occasional tries at logging in with the correct password until you find their cadence (probably not that hard).

    Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags, chances are there will be so many false positives that no one will bother to follow up.
  • by thePowerOfGrayskull ( 905905 ) <marc...paradise@@@gmail...com> on Thursday April 19, 2007 @10:30PM (#18807743) Homepage Journal
    Right! Because that's an easy thing for the 90% of users who use their pet or spouse or birthday for their password. (Yes, I did pull 90% out of my ass, but it's probably true in spite of that.)
  • Re:Fist (Score:4, Interesting)

    by Ailicec ( 755495 ) on Thursday April 19, 2007 @11:40PM (#18808263)
    Sometime in the early 90s a company sent me a neural network demo that did typist identification. Users trained it by typing a paragraph, and you could enter several typists into the system. Then an unknown user typed some new text, and the system tried to identify the user.
    Once trained, it was extremely hard to fool the thing, even by deliberately and extremely altering your typing habits. Of course, this was a multiple choice test and that's easier than the authentication situation, but it shows that the method can be more robust than would first appear.
  • Re:Sharing Secrets (Score:2, Interesting)

    by Torvaun ( 1040898 ) on Friday April 20, 2007 @01:05AM (#18808745)
    Wouldn't it be easier just to measure the amount of time it takes to type in your password a few times, and any password entry that takes more than a couple standard deviations from that is nulled? After all, brute-forcing types of programs enter passwords a hell of a lot faster than I do, even with muscle memory.

    Really, if there's a way to guarantee that keys are being pressed, that'd even be good enough for that. There's not a hacker in the world that's going to run a brute-force attack manually.
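
The "evolving stream" and standard-deviation ideas from the comments above, combined as an added Python example (not code from any commenter or from BioPassword). It generalizes the total-time check to per-key dwell and flight times; the timings, the 10 ms deviation floor, the 2.0 threshold and the 0.3 update weight are constructed assumptions.

```python
import statistics

JITTER = (0, 4, -3, 2, -2, 5, -4, 1)  # constructed per-key variation in ms

def synth(dwell, flight, jitter=JITTER):
    """Constructed sample: one typing of an 8-key password as (key, down_ms, up_ms)."""
    events, t = [], 0
    for i, j in enumerate(jitter):
        events.append((f"k{i}", t, t + dwell + j))
        t += dwell + flight
    return events

def features(events):
    """Dwell time of every key, then flight time between consecutive keys."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

class TypingProfile:
    def __init__(self, samples, threshold=2.0, alpha=0.3, adapt=True):
        cols = list(zip(*(features(s) for s in samples)))
        self.mean = [statistics.mean(c) for c in cols]
        # Floor the deviation: a very consistent enrollment must not make the check unusably strict.
        self.std = [max(statistics.stdev(c), 10.0) for c in cols]
        self.threshold, self.alpha, self.adapt = threshold, alpha, adapt

    def score(self, events):
        """Mean absolute z-score of the attempt against the stored template."""
        vec = features(events)
        if len(vec) != len(self.mean):  # wrong number of keystrokes never matches
            return float("inf")
        return statistics.mean(abs(v - m) / s for v, m, s in zip(vec, self.mean, self.std))

    def verify(self, events):
        ok = self.score(events) <= self.threshold
        if ok and self.adapt:  # only accepted attempts may move the template
            self.mean = [(1 - self.alpha) * m + self.alpha * v
                         for m, v in zip(self.mean, features(events))]
        return ok

def accepted(profile, logins):
    return [profile.verify(e) for e in logins]

ENROLL = [synth(100, 150), synth(110, 160), synth(90, 140), synth(105, 145)]
DRIFT = [synth(100 - 3 * i, 150 - 8 * i) for i in range(1, 11)]  # user speeds up over 10 logins
SCRIPTED = synth(2, 2, jitter=(0,) * 8)  # machine-speed entry, as a script would produce

if __name__ == "__main__":
    for name, p in (("static", TypingProfile(ENROLL, adapt=False)), ("evolving", TypingProfile(ENROLL))):
        print(name, accepted(p, DRIFT), "scripted accepted:", p.verify(SCRIPTED))
```

With these constructed timings the static template locks the legitimate user out from the fourth login onward, while the evolving template keeps accepting; both reject the machine-speed entry.
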
  • Typschrift (Score:3, Interesting)

    by Incadenza ( 560402 ) on Friday April 20, 2007 @03:43AM (#18809301)

    I think this is a pretty nifty idea, and I'm surprised it hasn't been done before.

    Well, it has been done before. I graduated from the Academy of Arts in Rotterdam in 1996 with some fonts that changed their shape depending on how you typed. Inspiration for these fonts was exactly this technique, which I had heard about, on some big IT show, at least 5 years before.

    A JAVA version of one of the fonts (Typschrift-B [www.typ.nl], a rather crude version but my JAVA-knowledge is kind of non-existent) is the only thing that is still on line of the whole project.

  • by ecidquad ( 1030120 ) on Friday April 20, 2007 @04:10AM (#18809401)
    Well, it is not new at all, even in the IT field, and Biopassword is not the only company editing such kind of software. Take a look also at all the patents already registered, and if it is not enough to convince you, here is a list of free available pdf documents I have collected about keystroke dynamics:

    1993-10 Pattern classification and scene analysis.pdf
    1997-00 Keystroke Dynamics as a Biometric for Authentication.pdf
    1997-04 User Recognition by Keystroke Latency Pattern Analysis.pdf
    2001-10 Password hardening based on keystroke dynamics.pdf
    2001-11 User authentication using keystroke dynamics.pdf
    2002-06 Keystroke Biometrics.pdf
    2002-10 typing dynamics biometric authentication.pdf
    2003-00 Identity verification through dynamic keytroke analysis.pdf
    2003-11 Keystroke dynamics.pdf
    2004-00 dealing with different languages and old profiles in keystroke analysis of free text.pdf
    2004-03 Identity Verification using Keyboard Statistics.pdf
    2004-04 An analysis of keystroke dynamics use in user authentifcation.pdf
    2004-05 Keystroke Dynamics Verification Using a Spontaneously Generated password thesis.pdf
    2004-12 keystroke dynamics based authentication.pdf
    2005-00 Username and Password Verification through Keystroke Dynamics thesis.pdf
    2005-00 the potential for analysing free-text.pdf
    2005-07 Biometric Authenticatio using Random Distributions(BioART).pdf
    2006-00 Keystrok Dynamics and Corporate Security.pdf
    2006-00 Keystroke Dynamics Verification Using a Spontaneously Generated password.pdf
    2006-09 Keystroke dynamics- Low Impact Biometric Verification.pdf
  • by wireloose ( 759042 ) on Friday April 20, 2007 @07:29AM (#18810049)
    In fact, research and methods have been done for years. There have also been some systems developed as a result. A partial listing of research:


    1977, Rome:
    G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).


    1980, Rand:
    R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corporation (1980).


    1990, Gupta:
    R. Joyce and G. Gupta, "Identity Authentication Based on Keystroke Latencies," Communications of the ACM 33:2 (1990), 168-176.


    1995, IBM:
    http://ieeexplore.ieee.org/Xplore/login.jsp?url=/i el3/3531/10615/00491588.pdf?tp=&arnumber=491588&is number=10615 [ieee.org]


    1999, ATT:
    http://avirubin.com/fgcs.pdf [avirubin.com]


    2005, MIMOS:
    http://digital.ni.com/worldwide/singapore.nsf/web/ all/ACCD272C9FEF487D8625703D005562A0 [ni.com]


  • by grgyle ( 538200 ) on Friday April 20, 2007 @10:37AM (#18811483)
    I touch type, and am very used to my own particular keyboard. The moment I sit down at a different keyboard (my wife's laptop, a public station, a horrendous split-ergonomic keyboard), then I revert to hunt-and-peck mode. I'll also type differently if I don't have my ergonomic puffy wrist pad for my hands.

    Simply a horrid idea.
