Using Password "Keyprints" as Another Form of Authentication?
Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched is users using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"
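The scheme the question describes, written out as an added example (this is not the poster's patented code, and the numbers are constructed, not measurements): each password entry yields a dwell time per key (key-up minus key-down) and a flight time from one key-down to the next key-up; twenty entries give a per-feature mean and spread; a later entry is accepted when enough features fall within two standard deviations of the enrolled mean. A `stealth` flag implements the "let it through but raise a warning" variant that a later poster mentions. The 2-sigma tolerance, the 80% threshold and the 1 ms floor on the spread are assumptions.

```python
"""Keystroke-timing "keyprint" enrolment and verification (added example)."""
from statistics import mean, pstdev
from typing import List, Sequence, Tuple

Event = Tuple[str, float, float]           # (key, key_down_ms, key_up_ms)
Profile = Tuple[List[float], List[float]]  # (per-feature means, per-feature std devs)


def features(sample: Sequence[Event]) -> List[float]:
    """Dwell time of each key, then flight time from each key-down to the next key-up."""
    dwell = [up - down for _, down, up in sample]
    flight = [sample[i + 1][2] - sample[i][1] for i in range(len(sample) - 1)]
    return dwell + flight


def enrol(samples: Sequence[Sequence[Event]], min_samples: int = 20) -> Profile:
    """Build the profile from at least min_samples entries of the same password."""
    if len(samples) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(samples)}")
    vectors = [features(s) for s in samples]
    if any(len(v) != len(vectors[0]) for v in vectors):
        raise ValueError("all enrolment samples must contain the same key sequence")
    columns = list(zip(*vectors))
    means = [mean(c) for c in columns]
    stds = [max(pstdev(c), 1.0) for c in columns]  # 1 ms floor: timer granularity (assumed)
    return means, stds


def score(profile: Profile, sample: Sequence[Event]) -> float:
    """Fraction of features within 2 standard deviations of the enrolled mean."""
    means, stds = profile
    v = features(sample)
    if len(v) != len(means):
        return 0.0
    hits = sum(1 for x, m, s in zip(v, means, stds) if abs(x - m) <= 2 * s)
    return hits / len(v)


def verify(profile: Profile, sample: Sequence[Event],
           threshold: float = 0.8, stealth: bool = False) -> str:
    """'accept' on a match; otherwise 'reject', or 'warn' in stealth (audit-only) mode."""
    if score(profile, sample) >= threshold:
        return "accept"
    return "warn" if stealth else "reject"


# ---- constructed data: an owner's rhythm and a slower typist who knows the password ----
PASSWORD = "secret"
OWNER_DWELL = [90, 80, 110, 85, 95, 100]  # ms each key is held
OWNER_GAP = [60, 70, 55, 65, 60]          # ms from key-up to the next key-down


def _offset(j: int) -> int:
    """Deterministic jitter in {-2..2}, cycled so the example needs no randomness."""
    return j % 5 - 2


def owner_sample(i: int) -> List[Event]:
    events, t = [], 0.0
    for k, key in enumerate(PASSWORD):
        down = t
        up = down + OWNER_DWELL[k] + 2 * _offset(i + k)
        events.append((key, down, up))
        if k < len(OWNER_GAP):
            t = up + OWNER_GAP[k] + 2 * _offset(i + k + 1)
    return events


def impostor_sample() -> List[Event]:
    """Knows the password, but holds keys twice as long and pauses three times as long."""
    events, t = [], 0.0
    for k, key in enumerate(PASSWORD):
        up = t + 2 * OWNER_DWELL[k]
        events.append((key, t, up))
        if k < len(OWNER_GAP):
            t = up + 3 * OWNER_GAP[k]
    return events


def demo() -> dict:
    profile = enrol([owner_sample(i) for i in range(20)])
    return {
        "owner": verify(profile, owner_sample(21)),
        "impostor": verify(profile, impostor_sample()),
        "impostor_stealth": verify(profile, impostor_sample(), stealth=True),
        "owner_score": score(profile, owner_sample(21)),
        "impostor_score": score(profile, impostor_sample()),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the owner's 21st entry is accepted while the slower typist's correct password is rejected, which is the "my wife couldn't log in" result. The flight features combine three timings, so their spread is wider than the dwell features'; a real deployment would tune the tolerance per feature from far more than twenty samples and revisit it whenever the keyboard changes.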
Sorry to burst your bubble (Score:5, Informative)
http://216.239.53.100/search?q=cache:Dmq6W8su71gC:www.cs.columbia.edu/~angelos/teaching/COMS4180/lecture10.ps+Biometrics+Password+Timing&hl=en&ie=UTF-8 [216.239.53.100]
http://ctl.ncsc.dni.us/biomet%20web/BMKeystroke.html [ncsc.dni.us]
http://www.giac.org/practical/GSEC/Patricia_Wittich_GSEC.pdf [giac.org]
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci801112,00.html [techtarget.com]
It works well (Score:5, Informative)
If you are researching the subject, I strongly suggest Biometrics: Personal Identification in Networked Society [amazon.com], and anything else on the subject written or edited by Anil Jain [amazon.com].
(His webpage is here [msu.edu], the webpage of his lab is here [msu.edu]).
Dr. Jain is (IMHO) the current leader in biometric research worldwide.
20 values (Score:5, Informative)
-C
Input locality... Local or Remote (Score:3, Informative)
Telnet will "work", for example. Open up an instance of tcpdump or some other real-time packet sniffer and telnet into your local machine. Type in your password. For every character you type in a telnet session, a packet is sent. This is one reason it is such a poor protocol for restricted or secure access. Add the fact that it's a plain text protocol, and someone could mimic your biometric quite easily.
SSH, on the other hand, has lots of little enhancements to combat the network sniffer. Firstly, the traffic is encrypted. Secondly, ssh doesn't send your password one character at a time. It varies the packet sizes and timings "randomly", and well, it's just plain cool. So, unless you add a biometric test to password timing for the local ssh client used to connect to the server, you couldn't gather the information at all.
Use with HTTP would also depend upon the cooperation of the remote client, but if there's anything a knowledgeable programmer has learned over the years, it's that you NEVER trust client information fully. (Just as people don't fully trust closed-source software, but that's way off topic.) Always validate your input.
So, although such biometric validation can be useful under certain circumstances, it's not reliable enough to be depended upon. I do like the idea that one poster presented for auditing user behavior, such as violating a system policy of sharing passwords for a single account, but once again, it's a very limited biometric.
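The "never trust client information" point, as an added example that is not code from anyone in this thread: when a website's login control collects key-down/key-up times in the browser, the server receives them as untrusted input and should check that they at least look like one human entry typed now before comparing them to a keyprint. The checks below are sanity filters (dwell and pause bounds, event ordering, a hash of the re-based timings to catch a resubmitted vector); the bounds, the JSON payload shape and the per-user replay window are assumptions. They do not defend against an observer who captured the rhythm over an unencrypted protocol and resubmits it with small perturbations, which is exactly the limitation the post describes.

```python
"""Server-side plausibility checks for client-submitted keystroke timings (added example)."""
import hashlib
import json
from collections import deque
from typing import Deque, Dict, List

MIN_DWELL_MS = 1.0     # below timer granularity: synthetic or truncated data (assumed)
MAX_DWELL_MS = 2000.0  # a password key held for 2 s is not normal typing (assumed)
MAX_PAUSE_MS = 5000.0  # a 5 s pause between keys: abandoned or scripted entry (assumed)
REPLAY_WINDOW = 50     # recent vectors remembered per user (assumed)

_recent: Dict[str, Deque[str]] = {}


def _fingerprint(events: List[dict]) -> str:
    """Hash of the timings re-based to the first key-down, so shifting every
    timestamp by a constant does not disguise a resubmitted vector."""
    t0 = events[0]["down"]
    rel = [[round(e["down"] - t0, 3), round(e["up"] - t0, 3)] for e in events]
    return hashlib.sha256(json.dumps(rel).encode()).hexdigest()


def validate_timing(user: str, payload: str, password_length: int) -> List[str]:
    """Return the problems found; an empty list means the vector is plausible."""
    problems: List[str] = []
    try:
        events = json.loads(payload)
    except json.JSONDecodeError:
        return ["payload is not valid JSON"]
    if not isinstance(events, list) or len(events) != password_length:
        return [f"expected {password_length} key events"]
    for i, ev in enumerate(events):
        if not (isinstance(ev, dict)
                and isinstance(ev.get("down"), (int, float))
                and isinstance(ev.get("up"), (int, float))):
            return [f"event {i} is malformed"]
    prev = None
    for i, ev in enumerate(events):
        dwell = ev["up"] - ev["down"]
        if not MIN_DWELL_MS <= dwell <= MAX_DWELL_MS:
            problems.append(f"event {i}: implausible dwell of {dwell:.1f} ms")
        if prev is not None:
            if ev["down"] < prev["down"]:
                problems.append(f"event {i}: key-down earlier than the previous key-down")
            # Overlapping keys (next key down before the previous key up) is normal
            # for fast typists, so only a long pause is flagged, never a negative gap.
            if ev["down"] - prev["up"] > MAX_PAUSE_MS:
                problems.append(f"event {i}: {ev['down'] - prev['up']:.0f} ms pause before key")
        prev = ev
    fp = _fingerprint(events)
    seen = _recent.setdefault(user, deque(maxlen=REPLAY_WINDOW))
    if fp in seen:
        problems.append("timing vector identical to an earlier submission (possible replay)")
    else:
        seen.append(fp)
    return problems


# ---- constructed payloads, not captured from a real client ----
GOOD = json.dumps([{"down": 0, "up": 92}, {"down": 150, "up": 231},
                   {"down": 300, "up": 405}, {"down": 470, "up": 551},
                   {"down": 612, "up": 709}, {"down": 780, "up": 881}])
SHIFTED = json.dumps([{"down": e["down"] + 5000, "up": e["up"] + 5000}
                      for e in json.loads(GOOD)])  # same rhythm, later clock
SYNTHETIC = json.dumps([{"down": 0, "up": 0}, {"down": 100, "up": 180},
                        {"down": 9000, "up": 9080}, {"down": 9200, "up": 9290},
                        {"down": 9400, "up": 9480}, {"down": 9600, "up": 9690}])


def demo() -> Dict[str, List[str]]:
    _recent.clear()
    return {
        "first": validate_timing("alice", GOOD, 6),
        "replay": validate_timing("alice", GOOD, 6),
        "shifted": validate_timing("alice", SHIFTED, 6),
        "synthetic": validate_timing("alice", SYNTHETIC, 6),
        "wrong_length": validate_timing("alice", "[]", 6),
        "garbage": validate_timing("alice", "not json", 6),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:13s} -> {problems or 'ok'}")
```

The first submission passes, the identical and the clock-shifted resubmissions are flagged as replays, and the synthetic vector is caught on its zero-length dwell and its 8.8 s pause. These checks belong in front of the keyprint comparison, not in place of it, and a failed check should be logged per user so the audit use of the biometric that the post favours still works.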
my thesis (Score:2, Informative)
My work was to improve the results using a different neural network. I later used this work as the basis for my thesis. I didn't quite achieve the results I was hoping for, but my test samples were small. I am also published.
My research was purely academic. I distributed the source code to my implementation. I used an open-source implementation of an ART2 neural network. So, my entire project can be picked up where I left off and continued.
Your affinity for patents is rather silly at this stage of the game and you probably wasted a lot of money on those patents. Your implementation sounds rather simplistic, as well. In my extensive literature survey, statistical methods *always* lagged neural networks in their results. If you want to see my literature survey, it is in the IJCIA:
http://www.worldscinet.com/157/02/0202/S1469026
(I know, you would have to pay. Use this info to find it at a library.)
Oh yeah, I also implemented it in Java for my senior project and got lousy results because you can't get millisecond timing accuracy from that technology. The other implementation is in Tcl/Tk.
Finally, to address all the brilliant observations like "what if you hurt your hand?" or "what about logging/network attacks?". Yes, obviously this has limited application. In fact, my senior project combined this approach with Java iButtons. And yes, there will always have to be a backup authentication method, with a human involved, OR this is stealth authentication, allowing any typing style to get through, but triggering a warning if it doesn't match.
Jason