Typing Patterns for Authentication
Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."
Might come in handy... (Score:2, Interesting)
Morse vs. typing (Score:3, Interesting)
Richards has apparently forgotten that Morse code uses 1-key as opposed to passwords which use 47 character keys with the ability for a person to hold down the shift key to enter in an alternate version of any of those.
Which means that, when a person starts using a new password, they type it fairly slowly. However, as they get used to typing it, they gradually get faster at it.
What do you do when your own system locks you out because you've gotten better at typing your own password?
Re:Might come in handy... (Score:4, Interesting)
Different typing methods (Score:2, Interesting)
I'd think that this system would have the user type their password multiple times looking for consistent spacing.
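The enrollment and drift points raised in the comments above, as an added example that is not part of the original thread and not BioPassword's algorithm: a template is built from several typings, attempts are scored with a scaled Manhattan distance over dwell and flight times, and accepted attempts are folded back in so gradual speed-up does not lock the user out. All names, thresholds and timing data are constructed for illustration.

```python
import statistics

def features(events):
    """events: [(key, down_ms, up_ms), ...] -> dwell times then flight times."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def make_events(text, dwells, flights):
    """Build constructed key events from per-key hold times and inter-key gaps (ms)."""
    t, out = 0, []
    for i, ch in enumerate(text):
        out.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

class Profile:
    """Timing template built from several typings of the same password."""
    def __init__(self, samples, threshold=2.0, alpha=0.5, floor_ms=5.0):
        cols = list(zip(*(features(s) for s in samples)))
        self.mean = [statistics.fmean(c) for c in cols]
        # Per-feature mean absolute deviation, floored so a very steady
        # typist does not produce a near-zero divisor.
        self.dev = [max(statistics.fmean(abs(v - m) for v in c), floor_ms)
                    for c, m in zip(cols, self.mean)]
        self.threshold, self.alpha = threshold, alpha

    def score(self, events):
        vec = features(events)
        if len(vec) != len(self.mean):   # wrong length: cannot match
            return float("inf")
        return statistics.fmean(abs(v - m) / d
                                for v, m, d in zip(vec, self.mean, self.dev))

    def verify(self, events, adapt=True):
        ok = self.score(events) <= self.threshold
        if ok and adapt:  # fold accepted attempts into the template only
            a = self.alpha
            self.mean = [(1 - a) * m + a * v
                         for m, v in zip(self.mean, features(events))]
        return ok

# Constructed enrollment data: three typings of a 4-character password.
ENROLL = [make_events("pass", d, f) for d, f in [
    ([100, 90, 110, 95], [150, 140, 160]),
    ([105, 95, 105, 100], [145, 150, 155]),
    ([95, 85, 115, 90], [155, 145, 165])]]

def drifted(k):
    """Constructed attempt k: the same user, a little faster each login."""
    return make_events("pass", [100 - 2*k, 90 - 2*k, 110 - 2*k, 95 - 2*k],
                       [150 - 4*k, 145 - 4*k, 160 - 4*k])
```

With these constructed numbers, ten successive `drifted(k)` logins all pass against an adapting profile, while a profile frozen at enrollment rejects `drifted(10)`.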
Evolving stream? (Score:3, Interesting)
Some added security, but not much (Score:5, Interesting)
"You're sleepy, right. They have a few little measures to catch that. If after a couple of goes it seems you're not typing the way it expects you to type, it will ask some additional security questions."
Ahh, so really all they've really done is increased the number of passwords an attacker has to try by a factor of 3 or so. Then you hit the question and you know you have the right password. At that point you can either solve the security questions (probably not nearly as tough as the password, especially since no one expects it to be used) or they keep making occasional tries at logging in with the correct password until you find their cadence (probably not that hard).
Note that I doubt that an attacker getting the password then bailing when they hit the question will raise any red flags, chances are there will be so many false positives that no one will bother to follow up.
Re:Strong passwords? (Score:3, Interesting)
Re:Fist (Score:4, Interesting)
Once trained, it was extremely hard to fool the thing, even by deliberately and extremely altering your typing habits. Of course, this was a multiple choice test and that's easier than the authentication situation, but it shows that the method can be more robust than would first appear.
Re:Sharing Secrets (Score:2, Interesting)
Really, if there's a way to guarantee that keys are being pressed, that'd even be good enough for that. There's not a hacker in the world that's going to run a brute-force attack manually.
Typschrift (Score:3, Interesting)
Well, it has been done before. I graduated from the Academy of Arts in Rotterdam in 1996 with some fonts that changed their shape depending on how you typed. Inspiration for these fonts was exactly this technique, which I had heard about, on some big IT show, at least 5 years before.
A JAVA version of one of the fonts (Typschrift-B [www.typ.nl], a rather crude version but my JAVA-knowledge is kind of non-existent) is the only thing that is still on line of the whole project.
Re:I hate this so much (Score:2, Interesting)
1993-10 Pattern classification and scene analysis.pdf
1997-00 Keystroke Dynamics as a Biometric for Authentication.pdf
1997-04 User Recognition by Keystroke Latency Pattern Analysis.pdf
2001-10 Password hardening based on keystroke dynamics.pdf
2001-11 User authentication using keystroke dynamics.pdf
2002-06 Keystroke Biometrics.pdf
2002-10 typing dynamics biometric authentication.pdf
2003-00 Identity verification through dynamic keytroke analysis.pdf
2003-11 Keystroke dynamics.pdf
2004-00 dealing with different languages and old profiles in keystroke analysis of free text.pdf
2004-03 Identity Verification using Keyboard Statistics.pdf
2004-04 An analysis of keystroke dynamics use in user authentifcation.pdf
2004-05 Keystroke Dynamics Verification Using a Spontaneously Generated password thesis.pdf
2004-12 keystroke dynamics based authentication.pdf
2005-00 Username and Password Verification through Keystroke Dynamics thesis.pdf
2005-00 the potential for analysing free-text.pdf
2005-07 Biometric Authenticatio using Random Distributions(BioART).pdf
2006-00 Keystrok Dynamics and Corporate Security.pdf
2006-00 Keystroke Dynamics Verification Using a Spontaneously Generated password.pdf
2006-09 Keystroke dynamics- Low Impact Biometric Verification.pdf
It has been done before. (Score:3, Interesting)
1977, Rome:
G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).
1980, Rand:
R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corporation (1980).
1990, Gupta:
R. Joyce and G. Gupta, "Identity Authentication Based on Keystroke Latencies," Communications of the ACM 33:2 (1990), 168-176.
1995, IBM:
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/
1999, ATT:
http://avirubin.com/fgcs.pdf [avirubin.com]
2005, MIMOS:
http://digital.ni.com/worldwide/singapore.nsf/web
Different Keyboards? Public Terminals? Posture? (Score:2, Interesting)
Simply a horrid idea.