Authenticating With Your Mouse?
degauss asks: "I am looking into various authentication schemes for my home machine, and one that I thought would be interesting would be to have a dummy login screen up with a user/pass prompt, but instead of entering a user/pass, you click at certain points on the screen in certain rhythmic patterns (all of this is of course unknown to any unauthorized users, who will pound at the password for years). I was wondering if there is any such software or interface currently being developed, as it provides an interesting [semi-]biometric security solution without dumping a ton of cash on new hardware."
tinfoil hat (Score:4, Funny)
Don't count on obscurity (Score:5, Insightful)
Maybe if you were to 'draw' the password on the screen and the computer would both use the password and analyze the writing it could give you an extra level of security. That would probably work better with a stylus or a touch screen than with a mouse, though.
As for hoping for people to try to type in passwords instead of using the mouse, that is only security by obscurity. Don't trust that.
Re:Don't count on obscurity (Score:5, Insightful)
As for hoping for people to try to type in passwords instead of using the mouse, that is only security by obscurity. Don't trust that.
By the way, relying on people to not type in your password is security through obscurity. Don't trust that. :-P
Seriously though, if you are going to use clicking as a password, you need to treat it the same way. Since anyone who watches you could easily see where the mouse is moving, this would be similar to letting other people watch the keyboard as you slowly typed your password: not a good idea. Even worse, a tempest-like system would allow someone to watch your "password", without your even seeing a person there!
Instead, I would suggest drawing as an extra layer of security before the password. Meaning, you have to draw the "password" before typing the real password. If you don't draw the correct "password" first, then even the real password isn't accepted.
Re:Don't count on obscurity (Score:2)
So unless you want to change the combination of clicks all the time, it's worthless.
Daniel
Re:Don't count on obscurity (Score:1)
And here I thought cryptography taught us how to make information hard to read without a key.
But seriously, a password is not "security through obscurity"-- not unless you want to stretch the meaning of the phrase so far as to make it mostly useless. "Security through obscurity" is relying on being overlooked (e.g. "no one will ever guess that I have top-secret info at this weird URL") as a method of keeping stuff away from prying eyes.
As long as this key input method (clicking on various screen areas in a certain order or whatever) is completely transparent in the code it's not any different than using a sequence of typed characters (i.e. reading the code won't tell you anything about the keys themselves except that they consist of clicks on the screen). It's no different than having a virtual keyboard on the screen and using that to "type" in the password.
Re:Don't count on obscurity (Score:2)
NO. A password is NOT security through obscurity.
If you believe it is, then you simply don't know what obscurity really is.
"Obscurity" is reliance on hiding information, in the hopes that nobody finds it. Since a properly-administered password scheme (such as storing the password hash) is not hiding anything, then it's not obscurity.
Re:Don't count on obscurity (Score:2)
Having a 'secret' string of characters is security through obscurity, don't do that! =P
Along the same lines... (Score:5, Interesting)
Re:Along the same lines... (Score:5, Funny)
Re:Along the same lines... (Score:2)
Just display a picture of a keyboard with the letters randomly re-arranged. Key in your password by clicking on the correct letter, wherever it is. Spies would have to be viewing your screen. Mix it so part is entered by mouse, part by keyboard, part by voice, etc.
Interesting ... (Score:1, Interesting)
Hmm, now that could be useful - a program that sits in the background doing a screen grab every time the user clicks the mouse. Saves having to capture every change in the screen to figure out what they are doing with the mouse.
Accessibility options - Onscreen keyboard (Score:1)
hey! (Score:1)
How about.... (Score:4, Funny)
Re:How about.... (Score:1)
Re:Stupid. (Score:2, Interesting)
Giving someone the password would be akin to the Second Trial getting to the Grail in 'Indiana Jones and the Last Crusade', where they spell the name of God by jumping on stones; clicketh upon said obscureth spots, in this order, etc. Timed pauses between events should be easy to implement, like 'click here, count to three, then click there'.
Sounds like fun.
Re:Stupid. (Score:1)
And how does that help me log in with SSH, SCP, telnet or FTP? The webpage would need to give me some sort of textual authentication token as part of mastering a series of clicks. I would then give telnet/ftp/ssh/scp the textual authentication token in order to log in.
And where would I provide that token to these programs? At the password prompt.
I guess one thing you could do with this is make the passwords single-use only.
--Joe
Something Similar (Score:3, Interesting)
Mouse based authentication (Score:3, Interesting)
I have also heard about a bio auth method that takes into account your typing rhythm. As a simple example, if you type your password in to the beat of 'Shave and a haircut... two bits' it would only accept that valid password if it were typed with this rhythm.
But since the timer resolution on a computer is so small it can detect minute differences between you and an imposter. A neural network can be trained to learn your pattern of typing. Each successful login becomes a sample in its training set. That way it learns your natural variations and you don't have to perform perfectly each time or risk being rejected. Again no expensive biometric hardware required.
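An added illustration of the rhythm check described in the comment above (not code from the thread): it swaps the neural network for a simpler per-interval mean and standard deviation model, but keeps the idea that every accepted login becomes a new training sample. The names `RhythmProfile`, `Z_LIMIT` and `MIN_SPREAD` are assumptions, and the timing data is constructed.

```python
import statistics

Z_LIMIT = 3.0      # assumed: largest allowed deviation, in standard deviations
MIN_SPREAD = 0.03  # assumed: floor on the spread (seconds) so timer jitter
                   # does not reject a very consistent typist


def intervals(key_times):
    """Gaps between consecutive key-down timestamps, in seconds."""
    return [b - a for a, b in zip(key_times, key_times[1:])]


class RhythmProfile:
    def __init__(self, enrol_samples):
        # Each sample: key-down timestamps for one typing of the password.
        self.samples = [intervals(s) for s in enrol_samples]
        if len(self.samples) < 2 or len({len(s) for s in self.samples}) != 1:
            raise ValueError("need >= 2 enrolment samples of equal length")

    def score(self, key_times):
        """Largest per-interval z-score; inf if the keystroke count differs."""
        gaps = intervals(key_times)
        cols = list(zip(*self.samples))
        if len(gaps) != len(cols):
            return float("inf")
        return max(
            abs(g - statistics.mean(c)) / max(statistics.stdev(c), MIN_SPREAD)
            for g, c in zip(gaps, cols)
        )

    def verify(self, key_times, password_ok):
        # Rhythm is a second check; the password itself must still match.
        if not password_ok or self.score(key_times) > Z_LIMIT:
            return False
        self.samples.append(intervals(key_times))  # learn natural variation
        return True


# Constructed data: seven keystrokes typed to "shave and a haircut, two bits".
ENROL = [
    [0.00, 0.40, 0.60, 0.80, 1.20, 2.00, 2.40],
    [0.00, 0.42, 0.61, 0.83, 1.22, 2.05, 2.44],
    [0.00, 0.38, 0.59, 0.78, 1.19, 1.97, 2.38],
]
OWNER = [0.00, 0.41, 0.60, 0.81, 1.21, 2.02, 2.41]  # same rhythm, small drift
EVEN = [0.00, 0.40, 0.80, 1.20, 1.60, 2.00, 2.40]   # right keys, flat tempo
```

Widening `Z_LIMIT` trades fewer false rejections for a looser match, which is the concern raised in the reply that follows.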
Re:Mouse based authentication (Score:2)
I don't know about that. Unless it learns time of day with logon, I would be screwed.
In the morning I'm too groggy to type in my password quickly, usually resorting to a two finger hunt and peck routine that often somehow misses the right keys the first time anyway.
In the afternoon my rhythm is much improved and quicker, with fewer mistakes.
I think there is too much variation like that for a neural net to train on that it would risk it overgeneralizing too much.
Re:Mouse based authentication (Score:1)
Motive explanation? (Score:3, Insightful)
Here is my thinking. This is your HOME machine. But you make it sound like this will be in a place where it will be exposed to a lot of people who have no business using it, or are desperate to break in.
I mean, are your siblings or spouse wanting to use your PC that badly? Are they after your porn stash?
Or is your password that easily guessable... that is something you can fix without resorting to clever software that only belabors the authentication via obfuscation.
Even if it wasn't under attack, obfuscating the login screen is not really a good idea. All the malicious user would need to do to discover the secret is casually observe a legitimate user bypassing said fake login screen.
Moreover, your login program should not allow someone to sit at the computer all day and attempt passwords. It should lock unprivileged accounts out after a few wrong tries (5, preferably 3). If it does unlock itself, the cool off period should be at least an hour. Also, each attempt should take progressively longer to check after each failure. This is especially important for Administrator / root accounts which should not lock themselves out.
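The lockout policy described in the comment above, as an added example that is not part of the original thread. The three-try limit and one-hour cool-off come from the comment; the doubling delay, its cap, and the names `LoginThrottle`, `BASE_DELAY` and `MAX_DELAY` are assumptions.

```python
import time

MAX_TRIES = 3       # from the comment: "5, preferably 3"
COOL_OFF = 3600     # from the comment: at least an hour (seconds)
BASE_DELAY = 1.0    # assumed: delay after the first failure, doubling each time
MAX_DELAY = 300.0   # assumed: cap so the delay stays bounded


class LoginThrottle:
    def __init__(self, privileged=("root", "Administrator"), clock=time.monotonic):
        self.privileged = set(privileged)
        self.clock = clock          # injectable so the policy can be tested
        self.failures = {}          # account -> consecutive failed attempts
        self.locked_until = {}      # account -> time the lock expires
        self.next_allowed = {}      # account -> earliest time of next attempt

    def attempt(self, account, password_ok):
        """Return 'ok', 'denied', 'wait' (too soon to retry) or 'locked'."""
        now = self.clock()
        if now < self.locked_until.get(account, 0):
            return "locked"
        if now < self.next_allowed.get(account, 0):
            return "wait"           # the password is not even evaluated
        if password_ok:
            self.failures.pop(account, None)
            self.next_allowed.pop(account, None)
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        # Progressive delay applies to every account, privileged ones included.
        delay = min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)
        self.next_allowed[account] = now + delay
        # Only unprivileged accounts are locked, so root cannot be shut out
        # by someone deliberately failing its login.
        if n >= MAX_TRIES and account not in self.privileged:
            self.locked_until[account] = now + COOL_OFF
            self.failures[account] = 0
        return "denied"
```

A real login service would keep these counters in persistent storage so that a restart does not clear them.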
Nah.... (Score:3, Insightful)
I think Gesture recognition would be a better method, personally.
drawing and puzzles (Score:2)
The question isn't how the interface would be, but rather how to implement it.
Re:drawing and puzzles (Score:4, Funny)
Want to take a bet on how many stick people you get as passwords?
Re:drawing and puzzles (Score:1)
Re:drawing and puzzles (Score:1)
What about.. (Score:1)
Oh well, that has been discussed on so many movies that will make people scared:
We all know someone can cut our finger to get the fingerprint..
yeah, I know, grouse.
let's wait for dna authentication..
but again, anyone can get samples from us and use it..
hmm..
let's stick with passwords for some time ok?
Re:What about.. (Score:1)
here [analysthouse.com.sa], here [eyenetwatch.com], or simply this [google.com]... and I think it would be a better security system than using a fake login screen.... (although it could make a really good joke...)
Dorky idea.. (Score:1)
Hey wait, this sounds like something I read earlier today
There probably isn't more than 128M of stuff I really need to keep private, so it might make just as much sense to keep all the files on the USB drive too.
Re:Dorky idea.. (Score:1)
If it was that important I'd keep a backup in a vault somewhere and wouldn't have the -only- copy on just my keyring.
Why not make it easy... use a camera (Score:1)
If it isn't you sitting at the computer, the computer says, do you want to leave a message for the owner of the computer, and allows you to type a message in
Re:Why not make it easy... use a camera (Score:1)
Non-typing passwords... (Score:4, Interesting)
I wrote a routine which put a login prompt on the screen, and then waited for a particular cadence on the DTR line of COM2. I patched this code into some blank space on the EGA's BIOS extension ROM, and executed it before the keyboard was even enabled during POST
Then came a change in company ownership, with its attendant politics... I was canned on a Friday afternoon with no notice whatsoever. Nobody asked about my password. Of course the vultures descended on my office, and among the first things to go was the plotter. No plotter, no password.
Apparently after several frustrating weeks in Software Engineering the PC was returned to IBM for an expensive "repair" -- if someone had asked I'd have told them to swap the original EGA ROM from my desk drawer back into the EGA. Nobody asked.
Re:Non-typing passwords... (Score:3, Interesting)
I was perusing various car sites a while ago, looking for fix-it information on my car. I found an interesting thing that someone had done for a kill switch: they integrated a push of the passenger's window "up" button (on the driver's side only) to allow the passlock 2 (GM) signal to the ECM.
Kind of a neat hack, seeing as if you didn't tell anyone, and no one paid close attention as you started the car, they probably wouldn't pick up on the trick. However, one of the dumber things you can do in that situation is post it on the internet for all to see..... Guess that's why you didn't announce your "lock out" until well after you were finished with that type of security.
Kudos as well to you, though -- that was a neat trick. Almost makes me wish I was more into hardware (like I was as a teenager)....
Re:Non-typing passwords... (Score:2)
Siemens Fingerprint Mouse (Score:1)
Re:Siemens Fingerprint Mouse (Score:1)
I don't know how Siemens claim the mouse has 'comfort and security', as the mouse is about as unergonomic as they come. These aren't going to take off until someone (Microsoft, Logitech...) actually starts producing an ergonomic and comfortable biometric mouse.
Re:Siemens Fingerprint Mouse (Score:1)
Not very practical (Score:1)
They will immediately be able to see where you clicked on the screen. Hiding the cursor as the clicking is done won't do any good either as you won't know where you are clicking!
This is why passwords are blanked out when you enter them, so somebody watching the screen won't find your password out.
Watch the clickityckick (Score:2, Interesting)
It would have to be auto adjusting, or subtle changes in the way you type in general could throw it off, and heaven help you if you break your hand, but an interesting idea anyway.
There are other reasons why it would be problematic as well. You'd probably be out of luck if you needed to log in on a keyboard that was different in some substantial way from your own.
Anyone know if anything like this has been done?
Re:Watch the clickityckick (Score:1)
Related to this, I dropped using passwords some time ago, and started using long passphrases; it happens to work great under Linux w/MD5 passwords and OpenBSD. But the problem is that these are pretty long and it's easy to make a mistake. What I'd like is to incorporate the cadence into the password, as you suggest, and take advantage of whatever "fuzzy hashing" you'd need to do that to also allow a one- or two-character variation in the password. In other words, if my password is "it's like a noodle in a salad", it would accept "it's tlike a noodle it a salad" if I often make that mistake.
Just thought of something (Score:1)
The reason is simple, the buttons make an obvious sound, but the wheel should not. It could give some extra security.
Morse code... Seriously. (Score:2)
Now, I'm not saying you should enter your password by Morse code on the mouse button, but something that reads the rhythm of mouse clicks or keypresses would work.
PDA (Score:1)
I know that some applications are available for PalmOS that use these things, however I don't remember the names.