Become a fan of Slashdot on Facebook


Forgot your password?

Identify and Verify Users Based on How They Type 196

LinucksGirl writes to share an IBM DeveloperWorks article that shows how to support user verification through keystroke-dynamics processing by modifying the GNOME Display Manager (GDM). You can create and store a one-way encrypted hash of your keystroke patterns when entering your user name. The article shows how to add code to GDM to read current keystroke patterns and permit a user to log in when the characteristics are a match. An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.
This discussion has been archived. No new comments can be posted.

Identify and Verify Users Based on How They Type

Comments Filter:
  • by LighterShadeOfBlack ( 1011407 ) on Friday April 04, 2008 @01:54PM (#22965758) Homepage
    ...And now I can't log in.

  • Re:not gonna work (Score:5, Interesting)

    by moderatorrater ( 1095745 ) on Friday April 04, 2008 @02:13PM (#22966014)
    plus for me, this will only work if they test it against another login with the same username and password. The rhythm and speed of my typing in a username depends on which one it is, and the same goes for the password.

    However, within the bounds of an identical username/password combination, I would imagine that it would work well for me. The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand? I imagine the usefulness of this technology is in merely logging the "signature" pattern rather than locking someone else based on it. Bruce Schneier [] has the basic arguments and a much better analysis than I could produce.
  • Re:Really? (Score:3, Interesting)

    by ArcherB ( 796902 ) on Friday April 04, 2008 @02:14PM (#22966024) Journal

    Something like a password that you've typed hundreds of times probably has a more regular pattern than you think, unless you regularly get interrupted in the half second i takes for you to type it... Muscle memory, etc
    That's all find and dandy until you break a finger, or get a hang nail or try to log in while holding a cup of coffee or any of the limitless things that can happen to slow, speed up, or change the rhythm of your typing.
  • Re:not gonna work (Score:4, Interesting)

    by TubeSteak ( 669689 ) on Friday April 04, 2008 @02:16PM (#22966058) Journal

    Given the repletion required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.
    Never IM'ed or IRC'ed with a drunk person, have you?

    On the upside, no more embarrassing drunken e-mails to come back and bite you!
  • by jellomizer ( 103300 ) on Friday April 04, 2008 @02:19PM (#22966084)
    Older then that...
    I thought about it when I was a kid running my own BBS. The old BBS Software had a realtime display of what the person is typeing so I could normally tell if it is someone who is the origional user or someone using someones else account. I though about making a program that checks the time between keystrokes and give them a level of error, as extra security... but I decided not to do it, for the main reasons. Somone may have something in their hands that day or. Bit tired or Hyper, also a lot of pople had the passwords as Key Macros, so it was just kinda not worth the work and any fustration on the users part.
  • Re:not gonna work (Score:3, Interesting)

    by SharpFang ( 651121 ) on Friday April 04, 2008 @02:23PM (#22966142) Homepage Journal
    I wouldn't be surprised if it produced less false negatives than standard login/password pair. By false negatives I mean typos in username/password.

    I mean, I don't know about you but I make typing mistakes at my login and password about as often as not, though I type them always in a consistent rhythm. The system could very neatly ignore the typos resulting from pressing a neighbor key or even typing with your hand a whole line of keys away, meaning you got half of what you typed wrong. "Timing is right, he pressed 'o' instead of 'p', we can accept it."

    It should not replace password-based authentication but it can neatly suplement it - you either type your password 100% correctly (say, with one hand, holding earphone in the other so the "rhythm" is none), or you type it fast, you make a mistake, but the way you type it, and the kind of mistake says it's you and the password gets accepted.
  • Re:inconsistent (Score:1, Interesting)

    by Anonymous Coward on Friday April 04, 2008 @02:25PM (#22966162)
    I used to work as a developer at Netnanny Software, who produced Biopassword (Now Biopassword, LLC).

    I worked on a port from the windows system, using the MS GINA, to develop a plain input-agnostic library that you could plug X/GNOME/KDE/whatever into using Linux, with the aim of making it portable across all platforms.

    Believe me when I say that keystroke dynamics really does work. The first iterations of the BioPassword product were "OK", but really were limited in the sense that when a user enrolled, their typing template was based on a static number of entries (normally 15), so the data set was limited by the fact that those 15 entries can vary quite significantly. It also did not learn over time about how the user entered their username/password combo. (the reason this is important is that after a couple of weeks, you no longer think about your password, it is a physical "memory" that your fingers type for you).

    Later iterations created several "buckets" (low/med/high) that an enrollment sample went into, and you kept entering the u/p combo until enough of a particular bucket had been filled enough, compared to the other buckets. This made it much more reliable, and although I was able to "break" the first iteration about 1 out of every 20 times after listening to the person enroll, I never once was able to break it after the new categorization system.

    The real beauty of it is that it works for "hunt and peckers", as well as touch/speed typers. Each person has a unique way of typing a particular username and password combination, and the concept is very simple, really, with at its core, is the timing of the "flight time" (time between keypresses) and "landing time" (time that a key is held for), in microseconds.

    As with any biometric, there needs to be an "override" or backdoor that can be overridden by an administrator or even yourself. That's why even the fingerprint readers don't completely commit to being biometric only (although some you can set it to only use fingerprints). Actually, the IBM fingerprint software I'm using basically ends up typing in your username/password FOR YOU to the MS GINA.

    The override is useful in times when you've broken your hand, fingers, are drunk, or whatnot. For a local user on your own home PC the latter would be nice to override, but at work, it might actually be a useful "mental state" indicator. Speaking of which, we often found that typing rhythms changed throughout the day. Monday mornings were slower than Thursday afternoons, for example, and could trip a false negative.

    Which also reminds me that the threshold for accuracy was adjustable as well by the administrator, so there was some measure of control over how mean you wanted to be.

    It was really fun and interesting work. I have often thought of developing a FOSS version for the world to use, but I fear repercussions from litigation for the fact that I was so intimately involved with the innards of it.

    I would definitely recommend downloading a demo (they used to have one available, don't know if that's still the case now), and trying it out - it's fascinating, since it's one of those things you need to see to believe.

  • Re:not gonna work (Score:2, Interesting)

    by Jurily ( 900488 ) <jurily@g m a i l . com> on Friday April 04, 2008 @02:38PM (#22966332)
    You get that with a well-formed password too. I can't type mine drunk, ever.

    BTW, there's really nothing more easy/secure than a password. You even get to choose which end of a spectrum you want.
    I never cease to be amazed at the lenghts people go to make something better...

    The big question is, would you trust a GNOME developer to distinguish you from your sister if you can't be bothered to make up a password she can't guess? Nevermind more serious issues.
  • by denmarkw00t ( 892627 ) on Friday April 04, 2008 @02:38PM (#22966334) Homepage Journal
    To the broken finger crowd and the "few too manys": you should also note that it didn't appear to me that this feature would lock you out, to me it seemed more like it might speed up the login process while making it slightly more secure - no clicking "Login" because it "knows" its you, and if its someone pecking at the keyboard it could send you an alert via /var/log/yourlogofchoice for later review (or mail sms whathaveyou). Of course, I'm sure you could change the level of aggressiveness to not allow someone to login unless the differences is stroke pattern are within a small error tolerance.
  • by 192939495969798999 ( 58312 ) <info&devinmoore,com> on Friday April 04, 2008 @02:39PM (#22966340) Homepage Journal
    I don't think a username is enough of a sample set to determine a typing pattern. Wouldn't you need to copy down a paragraph of text to have any chance of determining patterns in typing style? I.e. at the very least, "the quick brown fox jumped over the lazy sleeping dog" type stuff to hit all the characters?
  • Re:not gonna work (Score:5, Interesting)

    by Z34107 ( 925136 ) on Friday April 04, 2008 @03:07PM (#22966696)

    There are characteristics in common with everything "normal" you type - for example, Mavis Beacon Teaches Typing(tm) back in the Glory Days of Windows 3.11 could tell me that my 4th finger on my left hand is weak - making a lot of typos on the "w", you see. It was nifty looking at the profiles of every user in that program for little tidbits like that, and logging onto my brother's profile and laughing as it commented how much he had "improved."

    But... do those things apply when typing a password? The whole consistent rhythm and speed thing? Or maybe that makes it easier.

    Perhaps a better solution would be to emulate voice recognition - train the security software to recognize your typing, and have it watch you as you're logged in. Just as you can train voice recognition to work with multiple speakers, you could train the security software to recognize "sober me", "drunk me", "caffeinated me", etc. (And not let "drunk me" send e-mail, and maybe schedule my development IDE processes at a higher priority for "caffeinated me", etc.)

  • by Anonymous Coward on Friday April 04, 2008 @03:21PM (#22966842)
    The concept appears in "When Harlie Was One" by David Gerrold (1972). The main (human) character sits down at a random typewriter, and on a whim types "Harlie". The typewriter immediately responds "Yes, Auberson?" Harlie, an intelligent machine, had infiltrated all of the network devices, and had recognized Auberson by the rhythm of his keystrokes.

  • by SpydeZ ( 1196075 ) on Friday April 04, 2008 @05:07PM (#22967958)
    Same thing would happen to a dvorak-layout typist when confronted by a qwerty keyboard.

    The Windows installs at work default to qwerty on start up but will stay in dvorak if all I do is just lock the screen. When I reboot, I usually botch my password a few times before I realize what's wrong and switch to hunt 'n' pecking...

    My qwerty-induced typing is way different from my normal touch typing...

If you suspect a man, don't employ him.