Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security

Authenticating With Your Mouse? 58

Posted by Cliff from the obscure-but-cool dept.
degauss asks: "I am looking into various authentication schemes form my home machine, and one that I thought would be interesting would to be having a dummy login screen up with a user/pass prompt, but instead of entering a user/pass, you click at certain points on the screen in certain rytmhmic patterns (all of this is of course unknown to any unauthorized users, who will pound at the password for years). I was wondering if there it any such software or interface currently being developed, as it provides an interesting [semi-]biometric security solution without dumping a ton of cash on new hardware."
This discussion has been archived. No new comments can be posted.

Authenticating With Your Mouse? More

Authenticating With Your Mouse?

Comments Filter:

  • tinfoil hat (Score:4, Funny)

    by Hubert_Shrump ( 256081 ) <{moc.liamg} {ta} {tenarboc}> on Saturday February 01, 2003 @11:21PM (#5208141) Journal
    tinfoil hat linux [shmoo.com] does this, to some degree. IIRC, The login screen is called "arcade mode" for good reason.

  • Don't count on obscurity (Score:5, Insightful)

    by bkhl ( 189311 ) <bkhl@elektrubadur.se> on Saturday February 01, 2003 @11:24PM (#5208157)
    I don't know if this would work. I guess it would really give you less variation in possible passphrases than a normal password.

    Maybe if you were to 'draw' the password on the screen and the computer would both use the password and analyze the writing it could give you an extra level of security. That would probably work better with a stylus or a touch screen than with a mouse, though.

    As for hoping for people to try to type in passwords instead of using the mouse, that is only security by obscurity. Don't trust that.

    • Re:Don't count on obscurity (Score:5, Insightful)

      by ShmuelP ( 5675 ) on Saturday February 01, 2003 @11:52PM (#5208292)

      As for hoping for people to try to type in passwords instead of using the mouse, that is only security by obscurity. Don't trust that.

      By the way, relying on people to not type in your password is security through obscurity. Don't trust that. :-P

      Seriously though, if you are going to use clicking as a password, you need to treat it the same way. Since anyone who watches you could easily see where the mouse is moving, this would be similar to letting other people watching the keyboard as you slowly typed your password: not a good idea. Even worse, a tempest-like system would allow someone to watch your "password", without your even seeing a person there!

      Instead, I would suggest drawing as an extra layer of security before the password. Meaning, you have to draw the "password" before typing the real password. If you don't draw the correct "password" first, then even the real password isn't accepted.

      • It *is* security through obscurity, as is a password. And cryptography teaches us that security through obscurity (through a secret) only works when that secret can be easily changed.

        So unless you want to change the combination of clicks all the time, it's worthless.

        Daniel
        • And cryptography teaches us that security through obscurity (through a secret) only works when that secret can be easily changed.

          And here I thought cryptography taught us how to make information hard to read without a key. :)

          But seriously, a password is not "security through obscurity"-- not unless you want to stretch the meaning of the phrase so far as to make it mostly useless. "Security through obscurity" is relying on being overlooked (e.g. "no one will ever guess that I have top-secret info at this weird URL") as a method of keeping stuff away from prying eyes.

          As long as this key input method (clicking on various screen areas in a certain order or whatever) is completely transparent in the code it's not any different than using a sequence of typed characters (i.e. reading the code won't tell you anything about the keys themselves except that they consist of clicks on the screen). It's no different than having a virtual keyboard on the screen and using that to "type" in the password.
        • It *is* security through obscurity, as is a password.

          NO A password is NOT security through obscurity.

          If you believe it is, then you simply don't know what obscurity really is.

          "Obscurity" is reliance on hiding information, in the hopes that nobody finds it. Since a properly-administered password scheme (such as storing the password hash) is not hiding anything, then it's not obscurity.
      • By the way, relying on people to not type in your password is security through obscurity. Don't trust that. :-P

        Having a 'secret' string of characters is security through obcurity, don't do that! =P

  • Along the same lines... (Score:5, Interesting)

    by thecampbeln ( 457432 ) on Saturday February 01, 2003 @11:28PM (#5208177) Homepage
    How about using both of these ideas together? Have it to where even the correct username/password is not accepted unless the user clicks on the right section of the screen, or right sequence of sections of the screen in place of simply clicking "Ok"!? So in essence the "Ok" button would be a dummy and the correct "button" would be another portion of the screen entirely?

    • Re:Along the same lines... (Score:5, Funny)

      by Motherfucking Shit ( 636021 ) on Sunday February 02, 2003 @01:34AM (#5208654) Journal
      So in essence the "Ok" button would be a dummy and the correct "button" would be another portion of the screen entirely?
      Good idea. I propose that we give the real button the appearance of the Pi symbol, and place it in the far lower right-hand corner of the screen... ;)

    • Just display a picture of a keyboard with the letters randomly re-arranged. Key in your password by clicking on the correct letter, wherever it is. Spies would have to be viewing your your screen. Mix it so part is entered by mouse, part by keyboard, part by voice, etc.

  • Interesting ... (Score:1, Interesting)

    by Anonymous Coward
    This would certainly foil those hardware keylogger devices that nip between your keyboard and computer to grab passwords and the like. As far as I know, nothing comparable has been done for the mouse as the relative movements of the mouse aren't particularly useful, both because they don't always map to the relative position of the mouse, and because you don't know what the user is clicking on without a screen grab too.

    Hmm, now that could be useful - a program that sits in the background doing a screen grab everytime the user clicks the mouse. Saves having to capture every change in the screen to figure out what they are doing with the mouse.
  • Shouldnt there be accessibility functions with an onscreen keyboard? use that and your keystrokes wont be seen atleast via the keyboard...
  • Leave *my* mouse out of this!

  • How about.... (Score:4, Funny)

    by orthogonal ( 588627 ) on Sunday February 02, 2003 @12:17AM (#5208398) Journal
    How about logging in by executing some steps on your Dance Dance Revolution pad?
    • That's a fantastic idea!! =) You could also add a biometric blood pressure cup, a heart monitor, and a couple of those picture frames that show digital pictures. When your detects you and your "significant other" making love, it can rotate pictures of your parents, grandparents, clowns, Anna Nicole Smith, or any type of picture that kills the mood to prolong the "moment". Those two combined could make you, "Do a little dance, Make a little love". Seriously, what about chair that has a seat cushion to detect your weight, a seat back to detect your posture, and height to detect your body type. Require you put both hands on the side handles (as if you were standing up) so it can read your hand size, heat, and fingerprints.

  • Something Similar (Score:3, Interesting)

    by one9nine ( 526521 ) on Sunday February 02, 2003 @12:49AM (#5208511) Journal
    I did something similiar (in terms of security) when I was developing a client/server app. What I did was trap for the backspace key after entering the first and last letter of a password, for instance if your password was "monkeyfeces", you would have to type "m(backspace)monkeyfeces(backspace)s". That way, if someone knew your password, watched you type it in or even had some rouge program monitoring your keystrokes they would still have a tough time figuring out why your password doesn't work. I am not saying this is foolproof but it's better than the man with the rubber glove who isn't suprisingly gentle.

  • Mouse based authentication (Score:3, Interesting)

    by Radical Rad ( 138892 ) on Sunday February 02, 2003 @12:51AM (#5208515) Homepage
    IIRC there was a Slashdot article (or a quickie) not long ago related to this. I think the password was actually a sequence of symbols which appeared on the screen and they had to be clicked on in the proper order and the order that they appeared in a grid with other abstract symbols would change at each login. Hope I explained that right.

    I have also heard about a bio auth method that takes into account your typing rythym. As a simple example, if you type your password in to the beat of 'Shave and a haircut... two bits' it would only accept that valid password if it were typed with this rythym.

    But since the timer resolution on a computer is so small it can detect minute differences between you and an imposter. A neural network can be trained to learn your pattern of typing. Each successful login becomes a sample in its training set. That way it learns your natural variations and you don't have to perform perfectly each time or risk being rejected. Again no expensive biometric hardware required.
    • "A neural network can be trained to learn your pattern of typing. Each successful login becomes a sample in its training set. That way it learns your natural variations and you don't have to perform perfectly each time or risk being rejected. Again no expensive biometric hardware required."

      I dont know about that. unless it learns time of day with logon, I would be screwed.

      In the morning im too groggy to type in my password quickly, usually resorting to a two finger hunt and peck routine that often somehow misses the right keys the first time anyway.

      In the afternoon my rythm is much improved and quicker, with less mistakes.

      I think there is too much variation like that for a neural net to train on that it would risk it overgeneralizing too much.
    • A neural network can be trained to learn your pattern of typing. Each successful login becomes a sample in its training set. That way it learns your natural variations and you don't have to perform perfectly each time or risk being rejected.
      Excellent. Now first time you break/injure your wrist/hand/finger your Really Fucked.

  • Motive explanation? (Score:3, Insightful)

    by Ayanami Rei ( 621112 ) <rayanami&gmail,com> on Sunday February 02, 2003 @01:02AM (#5208551) Journal
    Degauss:

    Here is my thinking. This is your HOME machine. But you make it sound like this will be in a place where it will be exposed to a lot of people who have no business using it, or are desperate to break in.
    I mean, are your siblings or spouse wanting to use your PC that badly? Are they after your porn stash? :-) Just kidding.
    Or is your password that easily guessable... that is something you can fix without resorting to clever software that only belabors the authentication via obfuscation.

    Even if it wasn't under attack, obfuscating the login screen is not really a good idea. All the malicious user would need to do to discover the secret is casually observe a legitimate user bypassing said fake login screen.

    Moreover, your login program should not allow someone to sit at the computer all day and attempt passwords. It should lock unprivledged accounts out after a few wrong tries ( 5, preferably 3). If it does unlock itself, the cool off period should be at least an hour. Also, each attempt should take progressively longer to check after each failure. This is especially important for Administrator / root accounts which should not lock themselves out.

  • Nah.... (Score:3, Insightful)

    by bpb213 ( 561569 ) <bpbyrne@@@gmail...com> on Sunday February 02, 2003 @01:13AM (#5208581)
    First, there is the question of how many clickable subdivisions that you divide the screen in. Second, it will take a lot longer, especially as the subdivisions get smaller, as it will require more precise mousing.

    I think Gesture recognition would be a better method, personally.
  • I saw a movie where the authentication was done via a puzzle. Creating a drawing would be a great way to authenticate for some people (obviously not for the blind!). It would also be a terror for public terminals in which left-handed people most use (such as myself).

    The question isn't how the interface would be, but rather how to impliment it :)
  • What about nice simple mouse fingerprinting devices on mice?

    Oh well, that has been discussed on so many movies that will make people scared:

    We all know someone can cut our finger to get the fingerprint..

    yeah, I know, grouse.

    let's wait for dna authentication..

    but again, anyone can get samples from us and use it..

    hmm..

    let's stick with passwords for some time ok?
    • What about nice simple mouse fingerprinting devices on mice?

      here [analysthouse.com.sa], here [eyenetwatch.com],or simply this [google.com]... and i think it would be a better security system than using a fake login screen.... (altough it could make a really good joke...)
  • Something I've wanted to do for a while is get one of those keychain USB drives, and keep my private key on it, and perhaps also a symmetric key. Then I can run a crypto filesystem (not for everything, just for the stuff I want to keep private) and unplug the key when I'm away from the computer.

    Hey wait, this sounds like something I read earlier today .. !

    There probably isn't more than 128M of stuff I really need to keep private, so it might make just as much sense to keep all the files on the USB drive too.

  • Simple. Get a secure camera on the system that will log the person sitting there, if it isn't you don't allow ANY login to succeed. I've seen demo's that do this from years back, is pretty cool...

    If it isn't you sitting at the computer, the computer says, do you want to leave a message for the owner of the computer, and allows you to type a message in

    • Get a secure camera on the system that will log the person sitting there, if it isn't you don't allow ANY login to succeed.
      And why not take further advantage of the camera and lock the system if the person that is logged in moves away from the computer. When they come back to the computer it would be automatically unlocked. Of course an administrator could also sit in front of the computer and be identified in order to unlock the machine.

  • Non-typing passwords... (Score:4, Interesting)

    by Crash Gordon ( 233006 ) on Sunday February 02, 2003 @02:21AM (#5208861)
    Many years ago, I needed to secure my work PC (a spanking-new IBM XT-286) from the night shift; since I was doing CAD I had an EGA and a fast machine so my office became the midnight game room.

    I wrote a routine which put a login prompt on the screen, and then waited for a particular cadence on the DTR line of COM2. I patched this code into some blank space on the EGA's BIOS extension ROM, and executed it before the keyboard was even enabled during POST :-) COM2 had a plotter attached & I would turn the plotter on and off appropriately to boot the system. I never booted when there was somebody else in the room.

    Then came a change in company ownership, with its attendant politics... I was canned on a Friday afternoon with no notice whatsoever. Nobody asked about my password. Of course the vultures descended on my office, and among the first things to go was the plotter. No plotter, no password.

    Apparently after several frustrating weeks in Software Engineering the PC was returned to IBM for an expensive "repair" -- if someone had asked I'd have told them to swap the original EGA ROM from my desk drawer back into the EGA. Nobody asked.
    • Sort of offtopic:

      I was perusing various car sites a while ago, looking for fix-it information on my car. I found an interesting thing that someone had done for a kill switch: they integrated a push of the passenger's window "up" button (on the driver's side only) to allow the passlock 2 (GM) signal to the ECM.

      Kind of a neat hack, seeing as if you didn't tell anyone, and no one paid close attention as you started the car, they probably wouldn't pick up on the trick. However, one of the dumber things you can do in that situation is post it on the internet for all to see..... Guess that's why you didn't announce your "lock out" until well after you were finished with that type of security.

      Kudos as well to you, though -- that was a neat trick. Almost makes me wish I was more into hardware (like I was as a teenager)....
      • That's a bit like how you get the ECUs of various cars into diagnostic mode. Most of them just need a code reader plugged in, and the diagnostic line connected to earth for about three seconds. But then you get the BMWs which need you to turn them on, then off, then on again and blip the throttle five times (with the engine stopped) to read the code.
  • Try this [siemensidmouse.com] for a mouse you can authenticate with. Not sure if there are Linnu drivers for the fingerprint stuff though
    • We have one of these at work for biometric authentication to a portal system we develop.

      I don't know how Siemens claim the the mouse has 'comfort and security', as the mouse is about as unergonomic as they come. These aren't going to take off until someone (Microsoft, Logitech...) actually starts producing a ergnomic and comfortable biometric mouse.
    • misplaced sensor on that mouse. I was hoping it would be on the buttons themselves.
  • Sure it's a nice idea, but what happens when you need to authenticate with someone else standing behind you?

    They will be immediately be able to see where you clicked on the screen. Hiding the cursor as the clicking is done won't do any good either as you won't know where you are clicking!

    This is why passwords are blanked out when you enter them, so somebody watching the screen won't find your password out.
  • I've always thought that it would be interesting to watch the way that someone types in the password as well as what they type in. If your cadence isn't within your normal parameters, then you don't get in even if you have the right password.

    It would have to be auto adjusting, or subtle changes in they way you type in general could throw it off, and heaven help you if you break your hand, but an interesting idea anyway.

    There are other reasons why it would be problematic as well. You'd probably bet out of luck if you needed to log in on a keyboard that was different in some substantial way from your own.

    Anyone know if anything like this has been done?

    • Related to this, I dropped using passwords some time ago, and started using long passphrases; it happens to work great under Linux w/MD5 passwords and OpenBSD. But the problem is that these are pretty long and it's easy to make a mistake. What I'd like is to incorporate the cadence into the password, as you suggest, and take advantage of whatever "fuzzy hashing" you'd need to do that to also allow a one- or two-character variation in the password. In other words, if my password is "it's like a noodle in a salad", it would accept "it's tlike a noodle it a salad" if I often make that mistake.

  • A graphical login screen where you have to choose pictures in the right order sounds like a good idea, and I think I've just though of an improvement. Make them selectable with the mouse wheel without giving any feedback.

    The reason is simple, the buttons make an obvious sound, but the wheel should not. It could give some extra security.
  • As long ago as WW2, it was realised that different people had distinctly different "styles" of keying. If you had a sample of a person's Morse code, for example drawn on paper tape, you could compare an unknown sample to see if they were sent by the same person. This turned out to be a very accurate "fingerprint".

    Now, I'm not saying you should enter your password by Morse code on the mouse button, but something that reads the rhythm of mouse clicks or keypresses would work.
  • The most useful usage of such authentication schemes is for authenticatino on a PDA such as a Palm.
    I know that some application are available for PalmOS that use this things, however I don't remember the names.

Slashdot Top Deals

God help those who do not help themselves. -- Wilson Mizner

Close