Identify and Verify Users Based on How They Type

LinucksGirl writes to share an IBM DeveloperWorks article that shows how to support user verification through keystroke-dynamics processing by modifying the GNOME Display Manager (GDM). You can create and store a one-way encrypted hash of your keystroke patterns when entering your user name. The article shows how to add code to GDM to read current keystroke patterns and permit a user to log in when the characteristics are a match. An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.

not gonna work

[superwiz]

Well, it might work if they allow for a rather broad variation in the frequence of mistakes. But personally, I make much more typos depending on how tired I am and how much caffeine I've had lately. I would assume that others do too. So when I am well-rested I might appear to be a completely different person from when I am even slightly tired.

That's OK

[treeves]

My guess is that your inconsistency is part of what distinguishes you from other typists and the software uses that information to its advantage. Other people are more consistent, less consistent, inconsistent in different ways. I know I type with about four fingers: my left index finger, my right index and middle fingers, and my right thumb, and I also know I tend to make certain typos more often than others. I suspect that those things contribute to the distinct pattern in my typing that could be identified. Still, I'm sure I would not want to use to such a scheme for identity verification.

This concept is about 3 years old if IIRC

[DRAGONWEEZEL]

Maybe not w/ gnome, but I remember a Slashdot article about this a few years back. One thing to note, while some people might be irregular, almost anyone who keys in a UID every day will have some sort of "pattern" to the time between keystrokes.

Typematic rate lol....

It's really interesting to see what the differences are between key presses when recording a macro w/ a G15. (if you have this awesome keyboard, and don't know what I am talking about try it out!) I have done this cause I am weird... but you could try too!

If you record a significant count of you typing in a UID and PW on a given site (that you use frequently) you will find a unique structure to the timing of the keystrokes. While the G15 doesn't go to the # of digits needed for secure authorization, it can show you that there is little variance over a large number of true trials.

Would be nice as a supplement, however

[Thought1]

It wouldn't be good as a primary means of validation (for the reasons listed in prior comments), but it would be good as a supplemental validation, giving a "higher likelihood" that the person is who they say they are.

Re:not gonna work

[RobBebop]

Given the repletion required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.

I can type my typical "lastname/firstinitial" login name in about a third of a second. I can type my "firstname.lastname" in about half a second.

Given 5 minutes of practice with my name, you would probably be able to impersonate me - but as long as this system doesn't lock me out from my own account, this is a successful barrier that will make it harder for you to get into my system.

Then again... having a password that is hard to hack and running an operating system that is not easily hackable are stronger barriers that protect me from your infiltrations...

Useful after the fact, perhaps

[6Yankee]

I don't fancy using this as a replacement for login/password, but if you haul Joe User down to HR for surfing pr0n, he pulls the "Naughty Bob stole my password" trick, and you can demonstrate that the usage pattern looks a hell of a lot more like Joe User's other sessions than Naughty Bob's... ...or vice versa, and have some idea who really did steal Joe's password.

Might make a good alarm, but poor authorization.

[Vellmont]

I just have to believe this is going to produce a lot of rejected authorizations that shouldn't have been rejected. Also as someone pointed out, what about the legitimate times when someone else is using your username/password? (your boss needs something while you're away on vacation, etc).

This might work out well for some kind of intrusion detection system though. Look for cases where there's two people consistently typing in the password two different ways. Then set off an alert to the administrator. There's legit cases for that of course (root/admin password comes to mind), but you just exclude those cases.

Re:not gonna work

[WaltBusterkeys]

Or first thing in the morning after getting into work on a cold wintery day. Frozen fingers do not type well.

Re:not gonna work

[pcgc1xn]

One thing which will kill it for sure is using a different keyboard.

Desktop to laptop - *slightly* different keyboard layout.
Different laptops - possibly different
US keyboard to English keyboard - hope your passphrase doesn't have any special characters or punctuation.
Any other language keyboard - those things are bad enough to type on at all, but trying to get your timing right? Forget it. If you have never had they joy of meeting one, as well as many of the punctuation keys being in different places, a few of the letters are as well. Just a few mind you, just enough so you fall back into touch typing and look back and find that all of your w's are actually z's

Some of these problems are probably not too bad for logging into Gnome, but the idea is basically limited to anything where you are physically in front of the machine you are logging into, and the input device is the same every time. If you are going to limit it to that, then requiring a webcam and doing image recognition is probably easier on both sides.

And all you need is a slightly cleverer key logger to defeat it - instead of recording the keystrokes in order, you need to record the keystrokes and time.

Good to see people thinking about how to improve on passwords though.