Just as access can be granted based on a fingerprint or retina scan, biometrical analysis of the keyboard typing style can produce a unique pattern. A project to produce an authentication scheme based on hardware that every computer has already (unlike a retina scanner) was started in 1999 for BeOS but now is available on MacOS X, in a beta release.
User Authentication Based on Keyboard Usage
Submitted by Chris 2003-09-03 Privacy, Security 20 Comments
I have excema problems on my fingers which sometimes causes me to have deep cracks in my skin near the joints. I’m guessing with this I’d end up spending half the day trying to figure out how to get into my computer…
Solution: hire people you can trust.
Yes, clearly if a solution isn’t ideal for you, it’s useless. As we all know, it’s easy to tell if a person is trustworthy when you hire them (especially if you hire a lot of people–that way you’re better at it, right?) and employees never become disgruntled. And, of course, corporate laptops are never lost or stolen, and hackers never get access to proprietary stuff…
This solution is great because users who can’t be bothered to remember passwords can scarcely forget the way that they type–it’s just part of them. Not only that, but you’re no longer susceptible to users picking bad passwords–‘god’ anyone?
This is a dumb solution. I use only the best passwords! They are: lobsters, fishsticks, seagull and oceans
There is no security, there never will be. There is no spoon. Maybe we should have thought of that before opening pandoras box after 911. Too late now. Deal with it.
Once your corporate laptop is stolen it better have an encrypted filesystem, because the attacker is not going to boot whatever OS exists on it. They’re going to mount it off their desktop or do a raw bit for bit copy and a distributed crack attempt for whatever data they’re after.
Or they’ll wipe it and keep the laptop. Depending on what they’re after.
no offense to anybody, but this surge of we-need-biometrics-for-everything is really starting to get out of control: first off, identifying typing patterns would prolly work fine in a small group of 20, applied to 5000+ individuals, it simply cannot work. humans are all not THAT different. stick to retina scans. this does have some type of geek appeal, but it’s utterly useless for real-life application.
You type differently according to mood, according to energy levels, according to sickness, according to your environment.
There’s a million and one factors in this. What happens if you sprain a finger? That’s one of a billion possibilties.
Just get people to remember decent passwords. I mean, if you use a password regularly, it’s not difficult to remember it.
Retinas can’t be faked just by wanting to.
I can intentionally type slow and fidgety, and voila, I’m now logged in as the company CEO!
BHand is written to detect slow types, this wat we called “robot” types.
Yes, many complaint about basically “noise”. If you type different than you normally would, that’s noise. That’s what neural nets are for, to pull the signal out of the noise. Any researcher worthy of the name is going to take the fact that the world isn’t ideal into account.
Anyway, what ever happen to that whole “using pictures, as passwords” idea?
I work at a company in Canada called Musicrypt. [http://www.musicrypt.com] We use keyboard based BioMetrics from BioNet Systems [http://www.bionetsystems.com] on the PeeCee world and they do work just nicely.
BioNet’s implementation is slick but not cross platform…
>Just get people to remember decent passwords. I mean, if you use a
> password regularly, it’s not difficult to remember it.
I agree with you, but the most complicated password can’t fight against spy softwares such as keylogger.
The problem that most of these solutions present is that they are not out of band solutions. Essentially, it appears they still rely on a self contained unit. If someone gets ahold of your computer, that’s it. Out of band solutions could prevent this, such as phone verification. Now a person not only needs to have your local information and local access, but needs to compromise a system that isn’t local, and also inherently much more complex to overcome.
I broke my wrist (scaphoid) in March. I’m still slowly recovering. Each day, my typing improves back a little.
Imagine someone who types slower in the morning because of stiff fingers in cold air? Or who types slower in the winter? What are they going to do?
Can you imagine the number of support calls this would create?
And if you conveniently enable a password fallback for the many who cannot use this, is there really much point? The weakest link in a one link chain is probably as good or better than the weakest link in a two link chain.
OK, you could set up your system to allow the administrator to control which authentication mechanism gets used… Still, many support calls.
OK, maybe you could set up your system to allow the enduser to choose. Still many support calls. “You want me to do what? What do you mean I’m not typing the same? I’m typing the same characters I typed yesterday!”
just used tryed it out, one of my family was able to crack it by listening to the “beat” of my typing very quickly as in 2nd attempt. so its not there yet, though it is a beta software and work in progress.
still its a intresting idea
like other mentioned A) people are to similar in typing, we all had the same typing classes and were told how to do it. B) we arn’t consistant.
Think of handwritting recongnition. It’s easy to pic a person out if they are perfect in there writting and such. But many of us randomly misspell things and even more so have no consistancy in our writting. we varry styles and methods randomly as we right. Jump between cursive and print. abrivated words differantly each time. make letters in completely differant ways, trangle A’s verses Mounded A’s and so forth.
This kind of thing is bad. I’ve always been baffeled by the whole idea of signitures and compairing them. Mine are never even remotely the same (i don’t think many people are consistant) depending on my mood and so forth i might leave letters out, sometimes they look like initials or random lines, other times it actully looks like something. To expect people to do the some thing the same for ever as a form of identification is insane.
Heck it’s now even been shown fingerprints are not unique, so even passive methods are no good. In time i’m sure they will come up with issues even with DNA.
At some point you just have to get to know people and decide if you trust them, or just not create things that you have to worry so much over. If you got a document or similar that is so critical and secrect you have to go to such measures maybe it’s time to go back and analysis how you got to that point and if it is as important as you think or if it should even exist.
I recall I saw earlier today something about recognizing the way you use your mouse
don’t remember where though.
> Retinas can’t be faked just by wanting to.
No, but if you have a cold or have allergies you tend to fail a retinal scan. Many things that might alter the fluid in your eye can screw up a retinal scanner.
IMHO they should use face recognition cameras for this stuff.
IMHO they should use face recognition cameras for this stuff.
What if I am an open source developer? The geometry and topology of my face will be constantly changing. This solution will just not work.
>>IMHO they should use face recognition cameras for this
>What if I am an open source developer? The geometry and
>topology of my face will be constantly changing. This
>solution will just not work.
Sound’s painful 😉
I thing that profiling someone’s typing style is a good idea if it is used *in addition* to other forms of security. Along with other forms of systems usage profiling it could alert the security team to the *possibility* that security has been compromised, and that further investigation may be necessary.