Identify and Verify Users Based on How They Type
LinucksGirl writes to share an IBM DeveloperWorks article that shows how to support user verification through keystroke-dynamics processing by modifying the GNOME Display Manager (GDM). You can create and store a one-way encrypted hash of your keystroke patterns when entering your user name. The article shows how to add code to GDM to read current keystroke patterns and permit a user to log in when the characteristics are a match. An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.
not gonna work (Score:5, Insightful)
Re:not gonna work (Score:4, Insightful)
Given the repetition required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.
I can type my typical "lastname/firstinitial" login name in about a third of a second. I can type my "firstname.lastname" in about half a second.
Given 5 minutes of practice with my name, you would probably be able to impersonate me - but as long as this system doesn't lock me out from my own account, this is a successful barrier that will make it harder for you to get into my system.
Then again... having a password that is hard to hack and running an operating system that is not easily hackable are stronger barriers that protect me from your infiltrations...
Re:not gonna work (Score:4, Interesting)
On the upside, no more embarrassing drunken e-mails to come back and bite you!
Re: (Score:2, Interesting)
BTW, there's really nothing more easy/secure than a password. You even get to choose which end of a spectrum you want.
I never cease to be amazed at the lengths people go to make something better...
The big question is, would you trust a GNOME developer to distinguish you from your sister if you can't be bothered to make up a password she can't guess? Never mind more serious issues.
Re: (Score:3, Insightful)
Re: (Score:2)
And it would require that the keyboard be placed in a consistent manner, that the box not be under considerable load as well as for the person to touch type their log in information.
Re:not gonna work (Score:5, Interesting)
However, within the bounds of an identical username/password combination, I would imagine that it would work well for me. The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand? I imagine the usefulness of this technology is in merely logging the "signature" pattern rather than locking someone else based on it. Bruce Schneier [schneier.com] has the basic arguments and a much better analysis than I could produce.
Re: (Score:2)
The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand?
Treat your user account like it has a hidden volume.
Your 'signature' password gives you full access to the account. Your password gives you basic access to the account, with the option of another password to unlock full access to your files and settings.
Re:not gonna work (Score:5, Interesting)
There are characteristics in common with everything "normal" you type - for example, Mavis Beacon Teaches Typing(tm) back in the Glory Days of Windows 3.11 could tell me that my 4th finger on my left hand is weak - making a lot of typos on the "w", you see. It was nifty looking at the profiles of every user in that program for little tidbits like that, and logging onto my brother's profile and laughing as it commented how much he had "improved."
But... do those things apply when typing a password? The whole consistent rhythm and speed thing? Or maybe that makes it easier.
Perhaps a better solution would be to emulate voice recognition - train the security software to recognize your typing, and have it watch you as you're logged in. Just as you can train voice recognition to work with multiple speakers, you could train the security software to recognize "sober me", "drunk me", "caffeinated me", etc. (And not let "drunk me" send e-mail, and maybe schedule my development IDE processes at a higher priority for "caffeinated me", etc.)
Re:not gonna work (Score:4, Insightful)
Desktop to laptop - *slightly* different keyboard layout.
Different laptops - possibly different
US keyboard to English keyboard - hope your passphrase doesn't have any special characters or punctuation.
Any other language keyboard - those things are bad enough to type on at all, but trying to get your timing right? Forget it. If you have never had the joy of meeting one, as well as many of the punctuation keys being in different places, a few of the letters are as well. Just a few mind you, just enough so you fall back into touch typing and look back and find that all of your w's are actually z's
Some of these problems are probably not too bad for logging into Gnome, but the idea is basically limited to anything where you are physically in front of the machine you are logging into, and the input device is the same every time. If you are going to limit it to that, then requiring a webcam and doing image recognition is probably easier on both sides.
And all you need is a slightly cleverer key logger to defeat it - instead of recording the keystrokes in order, you need to record the keystrokes and time.
Good to see people thinking about how to improve on passwords though.
Other language keyboards (Score:2)
Re: (Score:3, Interesting)
I mean, I don't know about you but I make typing mistakes at my login and password about as often as not, though I type them always in a consistent rhythm. The system could very neatly ignore the typos resulting from pressing a neighbor key or even typing with your hand a whole line of keys away, meaning you got half of what you typed wrong. "Timing is right, he
Re: (Score:2)
Do you really want somebody to video tape your typing and then easily get in to your account?
I know with a video tape, even though some keys might be hidden, they'll eventually get in... but the system you're suggesting would let them in immediately.
Accidents? (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
Only works sometimes (Score:2)
Re: (Score:2)
The only use I see for this is for an amusing/ironic plot twist in a Hollywood movie, where someone gets killed because he can't type in the password like he would normally type it in due to some contrived stress situation.
Cat-like typing detected? (Score:3, Funny)
Additional Input required (Score:2)
/shoutout totheguy whoposted likethisrecently.
It will work... (Score:2)
Given it was an Apple II, there were plenty of other ways in, unless you had padlocks on the floppy drives and you replaced the ROMS.
In other words this isn't a new idea. It's been around for at least 25 years.
Re: (Score:2)
Just as friends can recognize you no matter what clothes you have on, caffeine isn't going to change your basic key-stroke patterns in ways that will lock you out.
This
Oww I broke a finger... (Score:5, Interesting)
Pass.
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
Hint:
3 main security identifiers:
1. something you are (biometric, finger print, retina scan)
2. something you have (id card)
3. something you know (pin or password)
Re: (Score:2)
A subset with one limitation: changing it is very difficult.
Security is very simple in its needs (though it can certainly get complicated in implementation).
All you need is (3) "something you know". period. If it's not secure enough, you can make it longer.
Now, if you're talking about a multi-user environment, you need to segregate peoples areas of access, or at the very least log their activity so if the nutrient rich plant feed hits the fan, you at least know who to blame. T
Re: (Score:3, Informative)
Re: (Score:2)
More importantly, it is absurd to think that someone can't take your biometric bits from you. In fact, there's no bit of you that can't be removed with a sharp enough knife.* If you were in such a situation, wouldn't it be better to be able to just tell them your password, (or your "distress code" password), rather than force them
Re: (Score:2)
http://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated/ [theregister.co.uk]
He sure seemed to think it was a big deal. Wonder how anxious he will be to create pervasive biometric requirements now.
Re: (Score:2)
If you manage to incapacitate all ten fingers in such a way that you can't get a print scan off any of them maybe that's a good warning to your boss that you need a competency review. Or at least a holiday until something heals.
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
Re: (Score:2, Interesting)
The Windows installs at work default to qwerty on start up but will stay in dvorak if all I do is just lock the screen. When I reboot, I usually botch my password a few times before I realize what's wrong and switch to hunt 'n' pecking...
My qwerty-induced typing is way different from my normal touch typing...
Obvious issue (Score:3, Funny)
Re:Obvious issue (Score:5, Funny)
All Cell phones, Not just the BBs (Score:4, Funny)
for each # called...
1st offense:
A stern warning.
2nd offense:
$250 restitution to the victim, 1 month's probation
3rd offense:
Death.
Re: (Score:2)
99% of the time, the drunk call (and its social aftermath) is punishment enough. I want to protect myself, not the people in my speed dial.
They exist (Score:2)
That's OK (Score:5, Insightful)
Privacy implications (Score:2)
Re: (Score:2)
Hi! It looks like your finger is broken! Would you like help filling out your insurance claim?
|Yes| |No|
Re: (Score:2)
"Hi! It looks like this is becoming detrimental to your performance. Would you like me to order you some Vaseline to help speed up the process next time?"
Re: (Score:2)
Re: (Score:2)
So, Vim. Right?
Check more often? (Score:2)
But then again, how would I prank people at work when they leave their systems unlocked?
Don't prank gnome users (Score:2)
inconsistent (Score:4, Informative)
That's precisely what some statistical methods are designed to do, find patterns about the inconsistencies. I haven't read this proposal, so can't comment more, but 'learning' in the presence of variation is basically what modern statistics is all about.
Nice technology for once. (Score:2)
In my case, I'd go one step further and enter my password with a one second pause between characters. Anything automated or even if it has built-in random delays is instant failure.
This concept is about 3 years old if IIRC (Score:3, Insightful)
Typematic rate lol....
It's really interesting to see what the differences are between key presses when recording a macro w/ a G15. (if you have this awesome keyboard, and don't know what I am talking about try it out!) I have done this cause I am weird... but you could try too!
If you record a significant count of you typing in a UID and PW on a given site (that you use frequently) you will find a unique structure to the timing of the keystrokes. While the G15 doesn't go to the # of digits needed for secure authorization, it can show you that there is little variance over a large number of true trials.
I think this may have been the paper /. discussed (Score:2)
Re: (Score:3, Interesting)
I thought about it when I was a kid running my own BBS. The old BBS Software had a realtime display of what the person is typing so I could normally tell if it is someone who is the original user or someone using someone else's account. I thought about making a program that checks the time between keystrokes and give them a level of error, as extra security... but I decided not to do it, for the main reasons. Someone may have something in their hands that day or. Bit tired or Hyper, also
Flashbacks... (Score:2)
But that is offtopic, and I am probably flagged as a terrorist after that last sentence...
Oh well.
Re: (Score:2)
[click...buzz...Beep.Beep.Beep.Bop.Bee.Bu.baa...Dedededeeeeee....Kcshrrrrrrrrrrrrrrrr]
Connected 2400 bps
Login: jellomizer
User not found
Login: jelomizer
User not found
Login: +++ath0
No Carrier
Old as morse code? (Score:2)
from the all knowing wikipedia [wikipedia.org]:
Re: (Score:2)
Re: (Score:2)
It was implemented in or before 1997.. (Score:2)
Even more than 3 years old! (Score:2)
18 years ago, and since I was a kid, I think that many other people might have done this earlier.
It was pretty simple under DOS because you could easily read one char at a time and check the elapsed time between each.
It worked very well for words that I was used to type a lot (eg: password). You don't imagine how accurate you are when you type common words. Far more reliable than voice recognition IMHO.
However, one poster reported a
Re: (Score:2)
j/k.
ty for the correction, I never preview.
Insensitive Clods!!! (Score:3, Funny)
Re: (Score:2)
Just stare at your keyboard and BAM! you're logged on!
CTRL-ALT-DEL (Score:2, Funny)
Re: (Score:2)
Ever thought about getting one of these [sadinoff.com]?
Re: (Score:2)
sure, this can work... (Score:2)
Would be nice as a supplement, however (Score:2, Insightful)
Re: (Score:2)
I disagree (Score:2)
Password login should be secondary and have it be algorithmic or challenge/response based.
It'll never work (Score:5, Funny)
lock out injured users? (Score:2)
Useful after the fact, perhaps (Score:3, Insightful)
Bank does this (Score:2)
Might make a good alarm, but poor authorization. (Score:3, Insightful)
This might work out well for some kind of intrusion detection system though. Look for cases where there's two people consistently typing in the password two different ways. Then set off an alert to the administrator. There's legit cases for that of course (root/admin password comes to mind), but you just exclude those cases.
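The idea several comments above describe (time the gaps between keystrokes, allow a level of error, and raise an alert instead of locking the account) as an added example that is not part of any poster's comment or of the IBM article's GDM code. The timing samples, the 5 ms spread floor and the 2.0 threshold are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed data: key-down times (ms) for an 8-character login name,
# typed five times by the account owner during enrollment.
ENROLLMENT = [
    [0, 95, 180, 310, 395, 470, 600, 690],
    [0, 100, 190, 315, 405, 485, 610, 705],
    [0, 90, 175, 300, 380, 460, 585, 670],
    [0, 105, 195, 330, 415, 490, 625, 715],
    [0, 98, 185, 312, 400, 478, 605, 698],
]
# Constructed login attempts, all with the correct characters.
OWNER_NORMAL = [0, 97, 183, 313, 399, 476, 603, 695]
OWNER_ONE_HANDED = [0, 170, 330, 560, 715, 850, 1080, 1245]
OTHER_TYPIST = [0, 140, 200, 420, 470, 610, 700, 860]

def intervals(times):
    """Key-down timestamps -> gaps between consecutive keys."""
    return [b - a for a, b in zip(times, times[1:])]

def build_profile(samples, min_spread=5.0):
    """Per-gap (mean, spread). The floor (an assumed value) stops a very
    consistent typist from producing a near-zero spread that rejects
    every later attempt."""
    columns = zip(*(intervals(s) for s in samples))
    return [(mean(c), max(stdev(c), min_spread)) for c in columns]

def score(profile, times):
    """Average distance from the profile, in units of each gap's spread."""
    observed = intervals(times)
    if len(observed) != len(profile):
        return float("inf")  # wrong number of keystrokes
    return mean(abs(o - m) / s for o, (m, s) in zip(observed, profile))

def classify(profile, times, threshold=2.0):
    """'match' or 'alert'. The password check remains the gate; a timing
    mismatch is only flagged for review, because an injured owner and a
    different typist both land far outside the profile."""
    return "match" if score(profile, times) <= threshold else "alert"

PROFILE = build_profile(ENROLLMENT)

if __name__ == "__main__":
    for name, attempt in [("owner, normal", OWNER_NORMAL),
                          ("owner, one-handed", OWNER_ONE_HANDED),
                          ("other typist", OTHER_TYPIST)]:
        print(name, round(score(PROFILE, attempt), 2), classify(PROFILE, attempt))
```

The owner typing one-handed scores further from the profile than the other typist does, which is the false-reject case raised throughout the thread and the reason the function returns an alert instead of denying the login.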
Re: (Score:2)
Do you really give your passwords out?
Generally no, but if there were a good reason to do so, of course. I've also seen over the years it's very common for people to give passwords to trusted colleagues. It's how they get work done, and nobody really thinks much of it.
Large enough sample set? (Score:4, Interesting)
Re: (Score:2)
The answer is: "Yes, you're right. It isn't enough by itself."
But I think the conclusion most are jumping to is that this would be used as a black-n-white type of authentication; if I don't type at the correct cadence I'll get locked out.
More likely, it would have value in terms of being a first step in a stronger
Re: (Score:2)
Re: (Score:2)
Oblig Bash quote (Score:4, Funny)
HOW THE FUCK CAN YOU TELL THAT I'M 13 BY LOOKING AT WHAT I'M WRITEING??????????????????????
Works for me (Score:2)
Faster over time? (Score:2)
To this system I will be two completely different people from the time I changed my password to the time I mastered it and presumably at notable milestones in between.
Obviously this is a problem.
Damaged hand? (Score:2)
Tin-Foil Story (Score:2, Funny)
That solves the drinking and commenting problem! (Score:2, Funny)
Hardly new or unproven. (Score:2)
Don't just take my word for it, though — BioPas
I did something similar. (Score:2)
But I did have a very simple variant of this: I imposed a timeout. I had a 20-character (roughly) password that I could type in about two seconds, so I set the screensaver password timeout to five seconds. That, and it was in dvorak. So someone had to know my password and be able to type dvorak as fast as I can to login, but there was little chance that a change in typing patterns would lock me out, unless
Audible Feedback (Score:2)
Just a thought.
My credit union is already doing this (Score:2)
User changes (Score:2)
I'd leave username/pass for login but, if your computer doesn't think it's you it could lock the keychain preventing access to anything that you've chosen to lock down.
Practicality: prevent people from doing dumb shit (Score:2)
Another practical use would be if there were pressure-sensitive keyboards and it could tell when you're pissed off by analyzing how hard you press down on the keys. That might actually postpone a few people's employment termination dates.
It has been done... (Score:2)
I don't think they thought it was reliable or secure enough in the end. Was an interesting bit of research and code though.
Re: (Score:2)
You mean you did it in 1995? Or you found prior art from 1984?
1985 would be rather early.
oh, not again (Score:2)
Short usernames? (Score:2)
keyboard hand (Score:2)
Already a pain in the ass (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)