Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?

Identify and Verify Users Based on How They Type 196

LinucksGirl writes to share an IBM DeveloperWorks article that shows how to support user verification through keystroke-dynamics processing by modifying the GNOME Display Manager (GDM). You can create and store a one-way encrypted hash of your keystroke patterns when entering your user name. The article shows how to add code to GDM to read current keystroke patterns and permit a user to log in when the characteristics are a match. An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.
This discussion has been archived. No new comments can be posted.

Identify and Verify Users Based on How They Type

Comments Filter:
  • not gonna work (Score:5, Insightful)

    by superwiz ( 655733 ) on Friday April 04, 2008 @01:54PM (#22965754) Journal
    Well, it might work if they allow for a rather broad variation in the frequence of mistakes. But personally, I make much more typos depending on how tired I am and how much caffeine I've had lately. I would assume that others do too. So when I am well-rested I might appear to be a completely different person from when I am even slightly tired.
    • Re:not gonna work (Score:4, Insightful)

      by RobBebop ( 947356 ) on Friday April 04, 2008 @02:13PM (#22966010) Homepage Journal

      Given the repletion required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.

      I can type my typical "lastname/firstinitial" login name in about a third of a second. I can type my "firstname.lastname" in about half a second.

      Given 5 minutes of practice with my name, you would probably be able to impersonate me - but as long as this system doesn't lock me out from my own account, this is a successful barrier that will make it harder for you to get into my system.

      Then again... having a password that is hard to hack and running an operating system that is not easily hackable are stronger barriers that protect me from your infiltrations...

      • Re:not gonna work (Score:4, Interesting)

        by TubeSteak ( 669689 ) on Friday April 04, 2008 @02:16PM (#22966058) Journal

        Given the repletion required to type and retype our names and login IDs over the past 5-10 years, our fingers are conditioned to type these patterns quickly and repeatably.
        Never IM'ed or IRC'ed with a drunk person, have you?

        On the upside, no more embarrassing drunken e-mails to come back and bite you!
        • Re: (Score:2, Interesting)

          by Jurily ( 900488 )
          You get that with a well-formed password too. I can't type mine drunk, ever.

          BTW, there's really nothing more easy/secure than a password. You even get to choose which end of a spectrum you want.
          I never cease to be amazed at the lenghts people go to make something better...

          The big question is, would you trust a GNOME developer to distinguish you from your sister if you can't be bothered to make up a password she can't guess? Nevermind more serious issues.
        • Re: (Score:3, Insightful)

          Or first thing in the morning after getting into work on a cold wintery day. Frozen fingers do not type well.
          • Quite so, and this sort of thing would make it quite difficult for those with arthritis or other joint problems to log in.

            And it would require that the key board be placed in a consistent manner, that the box not be under considerable load as well as for the person to touch type their log in information.
    • Re:not gonna work (Score:5, Interesting)

      by moderatorrater ( 1095745 ) on Friday April 04, 2008 @02:13PM (#22966014)
      plus for me, this will only work if they test it against another login with the same username and password. The rhythm and speed of my typing in a username depends on which one it is, and the same goes for the password.

      However, within the bounds of an identical username/password combination, I would imagine that it would work well for me. The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand? I imagine the usefulness of this technology is in merely logging the "signature" pattern rather than locking someone else based on it. Bruce Schneier [] has the basic arguments and a much better analysis than I could produce.
      • The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand?

        Treat your user account like it has a hidden volume.

        Your 'signature' password gives you full access to the account. Your password gives you basic access to the account, with the option of another password to unlock full access to your files and settings..

      • Re:not gonna work (Score:5, Interesting)

        by Z34107 ( 925136 ) on Friday April 04, 2008 @03:07PM (#22966696)

        There are characteristics in common with everything "normal" you type - for example, Mavis Beacon Teaches Typing(tm) back in the Glory Days of Windows 3.11 could tell me that my 4th finger on my left hand is weak - making a lot of typos on the "w", you see. It was nifty looking at the profiles of every user in that program for little tidbits like that, and logging onto my brother's profile and laughing as it commented how much he had "improved."

        But... do those things apply when typing a password? The whole consistent rhythm and speed thing? Or maybe that makes it easier.

        Perhaps a better solution would be to emulate voice recognition - train the security software to recognize your typing, and have it watch you as you're logged in. Just as you can train voice recognition to work with multiple speakers, you could train the security software to recognize "sober me", "drunk me", "caffeinated me", etc. (And not let "drunk me" send e-mail, and maybe schedule my development IDE processes at a higher priority for "caffeinated me", etc.)

      • Re:not gonna work (Score:4, Insightful)

        by pcgc1xn ( 922943 ) on Friday April 04, 2008 @04:27PM (#22967538) Homepage
        One thing which will kill it for sure is using a different keyboard.

        Desktop to laptop - *slightly* different keyboard layout.
        Different laptops - possibly different
        US keyboard to English keyboard - hope your passphrase doesn't have any special characters or punctuation.
        Any other language keyboard - those things are bad enough to type on at all, but trying to get your timing right? Forget it. If you have never had they joy of meeting one, as well as many of the punctuation keys being in different places, a few of the letters are as well. Just a few mind you, just enough so you fall back into touch typing and look back and find that all of your w's are actually z's

        Some of these problems are probably not too bad for logging into Gnome, but the idea is basically limited to anything where you are physically in front of the machine you are logging into, and the input device is the same every time. If you are going to limit it to that, then requiring a webcam and doing image recognition is probably easier on both sides.

        And all you need is a slightly cleverer key logger to defeat it - instead of recording the keystrokes in order, you need to record the keystrokes and time.

        Good to see people thinking about how to improve on passwords though.
        • You can tell that a few people have never had the joy of meeting a non-English keyboard. For example, the person who made ~~~~ the markup for signing a Wikia edit clearly doesn't have to type Alt-Gr-4 Space to type a single tilde. And I struggled for ages with placing a mark in nano, because Ctrl-^ is a bit hard to type when ^ is Shift-` Space. I only just found out that Alt-A is an alternative.
    • Re: (Score:3, Interesting)

      by SharpFang ( 651121 )
      I wouldn't be surprised if it produced less false negatives than standard login/password pair. By false negatives I mean typos in username/password.

      I mean, I don't know about you but I make typing mistakes at my login and password about as often as not, though I type them always in a consistent rhythm. The system could very neatly ignore the typos resulting from pressing a neighbor key or even typing with your hand a whole line of keys away, meaning you got half of what you typed wrong. "Timing is right, he
      • by Bozzio ( 183974 )
        Personally, I'm happy with the 100% accurate or nothing system.
        Do you really want somebody to video tape your typing and then easily get in to your account?
        I know with a video tape, even though some keys might be hidden, they'll eventually get in... but the system you're suggesting would let them in immediately.
    • Accidents? (Score:3, Funny)

      by blueboy31 ( 822804 )
      This works great until you lose a finger, thumb, hand, etc in that freak accident. Talk about adding insult to injury -- your own computer won't even accept you with your newfound handicap!
      • You have no idea how much, back on 11 May 2006 I caught on fire. If you have seen the Taco Bell commercial where the guys hand bursts into flames from holding the burrito that's what it was like except no one was their with a fire extinguisher. I ended up with second degree burn over the 3% that was the back of my right hand and it was just short of needing skin grafts, things have healed up pretty good and most people don't even notice the scars but the skin is stiffer and it throws off the timing of my ty
    • It works better than you'd imagine. See, for example, []
    • I'm typing this lying in bed. My typing dynamics are completely different than when I'm sitting at a desk. The keyboard makes a difference too.
    • That doesn't even apply to "conscious" differences. If I'm talking on the phone and typing in my password with my left hand (which will take a bit because I'll have to do the pinky-thumb shift dance to do the special characters), it's going to lock me out because I don't type like me?

      The only use I see for this is for an amusing/ironic plot twist in a hollywood movie, where someone gets killed because he can't type in the password like he would normally type it in due to some contrived stress situation.
    • I'll settle for getting GDM to distinguish between a my typing and my cat's.
    • Whatabout askingtheuser howmany cupsofcoffee they'vehad aspartof thelogin process,cuz I knowmytyping getsmuch betterafter2pots. Iloveallofyou.

      /shoutout totheguy whoposted likethisrecently.
    • If you make a mistake you just start over. It's just your username and password. I used keystroke timing measurements of password entry on an Apple II+ as additional verification of user identity (ca. 1983).

      Given it was an Apple II, there were plenty of other ways in, unless you had padlocks on the floppy drives and you replaced the ROMS.

      In other words this isn't a new idea. It's been around for at least 25 years.

    • by instarx ( 615765 )

      Well, it might work if they allow for a rather broad variation in the frequence of mistakes. But personally, I make much more typos depending on how tired I am and how much caffeine I've had lately. I would assume that others do too. So when I am well-rested I might appear to be a completely different person from when I am even slightly tired.

      Just as friends can recognize you no matter what clothes you have on, caffeine isn't going to change your basic key-stroke patterns in ways that will lock you out.


  • by LighterShadeOfBlack ( 1011407 ) on Friday April 04, 2008 @01:54PM (#22965758) Homepage
    ...And now I can't log in.

    • Did they say the same thing about biometric authentication (e.g. fingerprints)? Besides, if you're checking /. right after you break your finger, you might want to get out of the basement more often. :P
      • Re: (Score:3, Funny)

        by ShieldW0lf ( 601553 )
        Biometric authentication is a far, far stupider idea than this is. Yes, not being able to log in when you're drunk is bad, but having to exchange your finger and your eyeball for a new one because someone posted a high-resolution photo of them online is much, much worse.
        • That'd be really bad if the security mechanism only relied on one of the three main identifiers. Luckily most will use at least 2.

          3 main security identifiers:
          1. something you are (biometric, finger print, retina scan)
          2. something you have (id card)
          3. something you know (pin or password)
          • (1) is really a subset of (2)

            A subset with one limitation: changing it is very difficult.

            Security is very simple in its needs (though it can certainly get complicated in implementation.

            All you need is (3) "something you know". period. If it's not secure enough, you can make it longer.

            Now, if you're talking about a multi-user environment, you need to segregate peoples areas of access, or at the very least log their activity so if the nutrient rich plant feed hits the fan, you at least know who to blame. T
            • Re: (Score:3, Informative)

              3 alone doesn't protect from shoulder surfing. While someone can look at my eye all day it's going to be difficult for most people do get my retina scan. 1, while it is a subset of 2, is supposed to be something you can't accidentally misplace, or more importantly it's supposed to be something some nefarious person can't take from you. I agree with GP you need all three.
              • If you learn to touch type, you pretty much eliminate the threat of shoulder surfing (except from well-positioned cameras, but your company should be worrying about that, not you)

                More importantly, it is absurd to think that someone can't take your biometric bits from you. In fact, there's no bit of you that can't be removed with a sharp enough knife.* If you were in such a situation, wouldn't it be better to be able to just tell them your password, (or your "distress code password), rather than force them
      • Well breaking a finger wouldn't stop you getting the fingerprint generally speaking. Even if it did you'd have up to nine others to pick from with any decent system.

        If you manage to incapacitate all ten fingers in such a way that you can't get a print scan off any of them maybe that's a good warning to your boss that you need a competency review. Or at least a holiday until something heals.
    • Re: (Score:2, Interesting)

      by denmarkw00t ( 892627 )
      To the broken finger crowd and the "few too manys": you should also note that it didn't appear to me that this feature would lock you out, to me it seemed more like it might speed up the login process while making it slightly more secure - no clicking "Login" because it "knows" its you, and if its someone pecking at the keyboard it could send you an alert via /var/log/yourlogofchoice for later review (or mail sms whathaveyou). Of course, I'm sure you could change the level of aggressiveness to not allow som
    • by Thuktun ( 221615 )
      This is one of those +1 Funny ones that really should be +1 Insightful.
    • Re: (Score:2, Interesting)

      by SpydeZ ( 1196075 )
      Same thing would happen to a dvorak-layout typist when confronted by a qwerty keyboard.

      The Windows installs at work default to qwerty on start up but will stay in dvorak if all I do is just lock the screen. When I reboot, I usually botch my password a few times before I realize what's wrong and switch to hunt 'n' pecking...

      My qwerty-induced typing is way different from my normal touch typing...
  • by Gat0r30y ( 957941 ) on Friday April 04, 2008 @01:56PM (#22965782) Homepage Journal
    How am I supposed to log in after a few too many? Wait, maybe thats not an issue after all, maybe its a feature.
  • That's OK (Score:5, Insightful)

    by treeves ( 963993 ) on Friday April 04, 2008 @01:56PM (#22965790) Homepage Journal
    My guess is that your inconsistency is part of what distinguishes you from other typists and the software uses that information to its advantage. Other people are more consistent, less consistent, inconsistent in different ways. I know I type with about four fingers: my left index finger, my right index and middle fingers, and my right thumb, and I also know I tend to make certain typos more often than others. I suspect that those things contribute to the distinct pattern in my typing that could be identified. Still, I'm sure I would not want to use to such a scheme for identity verification.
    • What would this program think if it detected you periodically typing with just one hand?
      • Then Clippy pops up.

        Hi! It looks like your finger is broken! Would you like help filling out your insurance claim?

        |Yes| |No|
        • Then Clippy pops up. Hi! It looks like your finger is broken! Would you like help filling out your insurance claim? |Yes| |No|
          I think you have it wrong. After a minute or two of such typing:

          "Hi! It looks like this is becoming detrimental to your performance. Would you like me to order you some vasoline to help speed up the process next time?"
    • The school district I work for uses similar technology to verify all staff members. The software gathers up typing method from 9 entries of username and password, and allows for a percentage match - which we currently have set at the recommended 37%. We have a small percentage of users that have trouble logging in due to inconsistencies. For these users we recommend they slow down and consciously pick a rhythm for typing their username and password. For those with medical issues, we have a system in place
    • I know I type with about four fingers: my left index finger, my right index and middle fingers, and my right thumb, and I also know I tend to make certain typos more often than others.

      So, Vim. Right?

  • While they're at it, they should have the software periodically verify that whoever is typing on the system is (or could be) the same person that is logged in.

    But then again, how would I prank people at work when they leave their systems unlocked?
  • inconsistent (Score:4, Informative)

    by flynt ( 248848 ) on Friday April 04, 2008 @01:57PM (#22965802)
    An interesting idea to be sure but I know I certainly am not that consistent when I type, so I'm skeptical of how well this may work.

    That's precisely what some statistical methods are designed to do, find patterns about the inconsistencies. I haven't read this proposal, so can't comment more, but 'leaning' in the presence of variation is basically what modern statistics is all about.
  • by DRAGONWEEZEL ( 125809 ) on Friday April 04, 2008 @01:59PM (#22965830) Homepage
    Maybe not w/ gnome, but I remember a Slashdot article about this a few years back. One thing to note, while some people might be irregular, almost anyone who keys in a UID every day will have some sort of "pattern" to the time between keystrokes.

    Typematic rate lol....

    It's really interesting to see what the differences are between key presses when recording a macro w/ a G15. (if you have this awesome keyboard, and don't know what I am talking about try it out!) I have done this cause I am weird... but you could try too!

    If you record a significant count of you typing in a UID and PW on a given site (that you use frequently) you will find a unique structure to the timing of the keystrokes. While the G15 doesn't go to the # of digits needed for secure authorization, it can show you that there is little variance over a large number of true trials.
    • Re: (Score:3, Interesting)

      by jellomizer ( 103300 )
      Older then that...
      I thought about it when I was a kid running my own BBS. The old BBS Software had a realtime display of what the person is typeing so I could normally tell if it is someone who is the origional user or someone using someones else account. I though about making a program that checks the time between keystrokes and give them a level of error, as extra security... but I decided not to do it, for the main reasons. Somone may have something in their hands that day or. Bit tired or Hyper, also
      • Ahh you made me remember sweet violet, and BRE, and the Tacoma Area BBS listing (TABBS) that was printed in the paper. I met and ran into a few sysops in my day but never had the resources at that time to start one up. I often think the BBS format may rise again over tcp/ip if P2P gets destroyed. It'd be so easy to hide them on open networks accross the country.

        But that is offtopic, and I am probably flagged as a terrorist after that last sentance...
        Oh well.
        • ATDT 5551234
          Connected 2400 bps
          Login: jellomizer
          User not found

          Login: jelomizer
          User not found

          Login: +++ath0

          No Carrier
    • From the description, it sounds like identifying a morse code operator by their "fist"

      from the all knowing wikipedia []:

      All telegraphists unconsciously develop personal quirks, or characteristics, which collectively are called one's "fist." While it is easy to send a jerky or "choppy" code with any type of keyer, as well as to make inconsistently longer or shorter dits or dahs overall or in certain characters, the type of key in use may greatly influence one's sending as it sounds to the receiving operator. A

    • by Kelson ( 129150 ) *
      Yeah, I submitted a similar story [] to Slashdot about a year ago, and as others have pointed out it goes back at least as far as WW2 and morse code operators.
    • I saw this in practice in 1997. I don't know how old it was at the time.
    • The concept is even older than that. I did something like this on my 8088 about
      18 years ago, and since I was a kid, I think that many other people might have
      done this earlier.

      It was pretty simple under DOS because you could easily read one char at a time and
      check the elapsed time between each.

      It worked very well for words that I was used to type a lot (eg: password). You
      don't imagine how accurate you are when you type common words. Far more reliable
      than voice recognition IMHO.

      However, one poster reported a
  • by explosivejared ( 1186049 ) <> on Friday April 04, 2008 @01:59PM (#22965838)
    I don't know HOW to type!!
    • I don't know HOW to type!!
      But that's the great part, it recognizes that pattern too...

      Just stare at your keyboard and BAM! you're logged on!
  • by c0d3r ( 156687 )
    Dang, I still find it hard to press the C-T-R-L-A-L-T-D-E-L keys hard to press at the same time before entering my password on windows.
    • Luckily TFA only mentions implementation in gnome, then.

      Ever thought about getting one of these []?

    • by pavon ( 30274 )
      If you think it's hard now, just imagine what we had to do before USB keyboards. How the heck am I supposed to press three L keys and two T keys with a single PS2 port? Thank Hubbard for network terminals.
  • Why not add a signature verification pad to the pc as well? If you can type the right way and reasonably falsify a signature you can login and go to /. to read all about it....
  • It wouldn't be good as a primary means of validation (for the reasons listed in prior comments), but it would be good as a supplemental validation, giving a "higher likelihood" that the person is who they say they are.
    • It would certainly be better than answering all those stupid questions when trying to view your checking account balance online.
    • It should be used for primary validation because it is hardened against keylogging. The trick to this is that you don't have to type in the same phrase every time, in fact repeating the same phrase should be disallowed.
      Password login should be secondary and have it be algorithmic or challenge/response based.
  • by amplt1337 ( 707922 ) on Friday April 04, 2008 @02:14PM (#22966032) Journal
    How on God's green earth am I going to write down my keystroke patterns on a sticky note on my monitor???
  • A quick skim, and I didn't see any details on the false alarm rate of this method, or any detail on how a user could log in with a broken (or severely papercut!) finger. Or when breaking in a new keyoard. It would certainly be a fatal problem for this method if it would lock out users who for whatever reason have their timings temporarily altered. It would also be a pretty fatal flaw if it turns out there's a substantial false alarm rate.
  • by 6Yankee ( 597075 ) on Friday April 04, 2008 @02:32PM (#22966252)
    I don't fancy using this as a replacement for login/password, but if you haul Joe User down to HR for surfing pr0n, he pulls the "Naughty Bob stole my password" trick, and you can demonstrate that the usage pattern looks a hell of a lot more like Joe User's other sessions than Naughty Bob's... ...or vice versa, and have some idea who really did steal Joe's password.
  • My bank does this with my login info. You can know my username and password, but if you don't type it like I do, you don't get in.
  • by Vellmont ( 569020 ) on Friday April 04, 2008 @02:35PM (#22966284) Homepage
    I just have to believe this is going to produce a lot of rejected authorizations that shouldn't have been rejected. Also as someone pointed out, what about the legitimate times when someone else is using your username/password? (your boss needs something while you're away on vacation, etc).

    This might work out well for some kind of intrusion detection system though. Look for cases where there's two people consistently typing in the password two different ways. Then set off an alert to the administrator. There's legit cases for that of course (root/admin password comes to mind), but you just exclude those cases.
  • by 192939495969798999 ( 58312 ) <info&devinmoore,com> on Friday April 04, 2008 @02:39PM (#22966340) Homepage Journal
    I don't think a username is enough of a sample set to determine a typing pattern. Wouldn't you need to copy down a paragraph of text to have any chance of determining patterns in typing style? I.e. at the very least, "the quick brown fox jumped over the lazy sleeping dog" type stuff to hit all the characters?
    • I don't think a username is enough of a sample set to determine a typing pattern. Wouldn't you need to copy down a paragraph of text to have any chance of determining patterns in typing style?

      The answer is: "Yes, you're right. It isn't enough by itself."

      But I think the conclusion most are jumping to is that this would be used as a black-n-white type of authentication; if I don't type at the correct cadence I'll get locked out.

      More likely, it would have value in terms of being a first step in a stronger
    • Who has time to type all that? Use 'Jackdaws love my big sphinx of quartz' instead.
  • by xtracto ( 837672 ) on Friday April 04, 2008 @02:43PM (#22966390) Journal
    From []


    stupid lameness filterstupid lameness filterstupid lameness filterstupid lameness filter stupid lameness filter Filter error: Please use fewer 'junk' characters. Filter error: Please use fewer 'junk' characters.
  • My bank uses this as the biometric factor required to access online services. When they announced this change I expected to be having to respond to my additional ID challenges almost every time I logged in. That hasn't turned out to be the case, I have only tripped up on it once. I suspect that it is not a strong enough test in itself to rely upon, but when combined with having to know the password it probably does add an extra layer of security.
  • Whenever I select a new password for myself I am always a little bit slower at typing it because I am not used to it. Weeks go by and I find myself getting faster and faster at typing my password until finally I am able to type out a 20 character password in under a second.

    To this system I will be two completely different people from the time I changed my password to the time I mastered it and presumably at notable milestones in between.

    Obviously this is a problem.
  • I typed a LOT different when I broke my finger and had the hand in a brace. B-(
  • ...and when this hashing algorithm was implemented in Javascript, it meant the end for anonymous cowards...
  • Since presumably this would also be a kind of keyboard sobriety test.
  • I'm responsible for maintenance and development of the online banking software for a mid-sized credit union. I'm currently in the midst of a project to integrate BioPassword []'s implementation of this technology as a second authentication factor in our online banking product, and while I initially had some skepticism of their claims, I can assure you that the technique is actually surprisingly effective, even for relatively inconsistent typists like myself.

    Don't just take my word for it, though — BioPas
  • I agree it's probably not going to work as full-blown analysis, especially as typing patterns change...

    But I did have a very simple variant of this: I imposed a timeout. I had a 20-character (roughly) password that I could type in about two seconds, so I set the screensaver password timeout to five seconds. That, and it was in dvorak. So someone had to know my password and be able to type dvorak as fast as I can to login, but there was little chance that a change in typing patterns would lock me out, unless
  • If they added audible cues eg. music tones corresponding to the stroke frequencies that would be a pretty good way to get feedback to help avoid mistakes. They could also provide a text reproduction of those tones if you needed to tell someone your password.

    Just a thought.
  • The login / password input is done through a Flash object. If the rhythm is correct, you're logged in just like you used to be with the old system. If the rhythm is not correct, you're presented with some additional security questions before being allowed to proceed.
  • Wouldn't this be much better for picking up if somebody else is using the computer, e.g tell if another person is using my laptop and hide the porn stash.
    Id leave username/pass for login but, if your computer doesnt think its you it could lock the keychain preventing access to anything that youve chosen to lock down.
  • This would be great if it could sense when people are drunk; kind of like a breathalizer, but triggered by lack of muscle control.

    Another practical use would be if there were pressure-sensitive keyboards and it could tell when you're pissed off by analyzing how hard you press down on the keys. That might actually postpone a few people's employment termination dates.
  • Saw this at some German university years ago, forgot the name, they wrote a custom GINA and implemented it for some flavor of Windows.

    I don't think they thought it was reliable or secure enough in the end. Was an interesting bit of research and code though.
  • Like a bad flu, this comes up every few years. It still isn't a good idea for oh-so-many reasons.
  • What about those of us with horribly short usernames? I'm "tom" on my personal box, so I can't imagine two samples (time between T and O, and between O and M) is enough to tell if it's me or not. Plus, like many posters said, that doesn't work if I'm logging in one-handed. (But that could be recorded as a separate pattern, as I always do it the same way.)
  • I wonder how much your typing differs from keyboard to keyboard. I'd love to figure out which differences are due solely to the muscles and remain static whatever you use to input and which are variable based on using the laptop keyboard/desktop keyboard or the work computer/home computer.
  • So my brothers bank is using this already. He needed me (don't ask why) to login to his acct the other day. He gave me his username/password and the damn system wouldn't let me in as my cadence/speed of entry was wrong. This should be a second level of authentication, not the primary. I had the right u/p.

"Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats." -- Howard Aiken