Security

Using Password "Keyprints" as Another Form of Authentication? 100

Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't login to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched are the user using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"
  • by Anonymous Coward on Wednesday May 21, 2003 @03:14AM (#6005331)
    They'll just record the way you type your password and play it back when necessary.
  • No patents (Score:5, Interesting)

    by Roto-Rooter Man ( 520267 ) <cleanthosepipes@hotmail.com> on Wednesday May 21, 2003 @03:22AM (#6005370) Homepage Journal
    This guy has no patents. [uspto.gov] He's just trying to scare us off from stealing his idea. Why else jump to mention his patents at the first available opportunity, on a website which hates patents no less?
  • by Rxke ( 644923 ) on Wednesday May 21, 2003 @03:32AM (#6005409) Homepage
    Yea, this has been common knowledge for eons. I remember writing sumtin similar in BASIC on a crappy 64k amstrad to protect my programtapes...Back in the 80's. Even then we geeks (2 on the whole school, called us the freak brothers...) had read about things like that in magazines, so, old hat.
  • by orthogonal ( 588627 ) on Wednesday May 21, 2003 @03:47AM (#6005450) Journal
    This does add another layer of protection, but it has some drawbnacks.

    I'm typing this on my Zaurus; the nnnnn key is hypersennnsitive, as you may have noticed by now.

    I can switch to another input method, like the on-screen software keyboard, as I am now, but the timings are completely different. If I switch to the "handwriting", as now, you'd have to clock penstrokes, again totally different.

    What about logging in remotely over a buffered or burst-y connection? You might be able to (roughly) time keystrokes, bnut not key-ups or key-downs (I'm nnback to the keyboard, see the extra "n"s?) .

    Even worse, what if I innnjure my finger or hand (yeah, it's /., I know the njokes I've set myself up for)? Will I nbe able to log in at all?

    With a password, as long as one finger works well enough to nhunt and peck, I can log in. With your method, I've got to nbe in the same physical shape, possibly as awake, as relaxed, etc. as when I recorded the password. Not to mention it's a pain to record a password 20 times.

    However, I think your method does have a use; its drawbacks as a general password system makes it perhaps useful for other purposes: it is an innexpensive (i.e software only) way to deternmine that the user is in substantially the same state of health and mind as when the password was recorded.

    This might make it a decent way to deny access to users under duress. I should note that users under duress might well be harmed when they cannnot make the password work, so it probnably should only be used to protect access the user considers more valuable than his own life.
  • User Auditing (Score:3, Interesting)

    by clambake ( 37702 ) on Wednesday May 21, 2003 @05:43AM (#6005760) Homepage
    Instead of denying access when someone's keypresses don't match, which is a perfectly possible thing that could happen in a number of situations, just use the keypress score to alter how the system audits the user's actions. If he's under the threshold, you can send a page to your beeper, just notifying that it happened, if he's way off, then grant him only basic privileges, no root, but if he's only a little off then let him have normal access, but turn the logging on for every action he does. Most of the time he won't be an intruder, just someone who was a little sleepy that morning, but when it is an intruder, you'll be able to watch more closely and roll back any changes he makes.
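An added example, not part of any comment in this thread and not the submitter's programs: a sketch of the timing features the submission describes (hold time per key, plus key-down of one key to key-up of the next), a profile built from 20 entries, and the graded response suggested in the comment above instead of a hard deny. All function names, tier labels, thresholds and sample timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

MIN_SPREAD_MS = 5.0  # assumed floor so a very consistent typist is not rejected over 1 ms

def features(events):
    """events: [(key, down_ms, up_ms), ...] in typing order.
    Hold time per key, then key-down of each key to key-up of the next."""
    dwell = [up - down for _, down, up in events]
    span = [events[i + 1][2] - events[i][1] for i in range(len(events) - 1)]
    return dwell + span

def enroll(samples):
    """Profile = (mean, spread) per feature over the repeated entries."""
    columns = list(zip(*(features(s) for s in samples)))
    return [(mean(c), max(pstdev(c), MIN_SPREAD_MS)) for c in columns]

def score(profile, events):
    """Mean absolute z-score; infinite if the key count differs (e.g. a backspace)."""
    f = features(events)
    if len(f) != len(profile):
        return float("inf")
    return mean(abs(x - m) / s for x, (m, s) in zip(f, profile))

def response(s, near=1.5, far=4.0):
    """Graded response rather than deny; both thresholds are assumed values."""
    if s <= near:
        return "normal"
    if s <= far:
        return "normal+full-logging"
    return "basic-privileges+notify-admin"

def typed(dwells, gaps, scale=1.0, jitter=0):
    """Constructed sample input: events from hold times and key-down intervals."""
    t, out = 0.0, []
    for i, d in enumerate(dwells):
        out.append((i, t, t + d * scale + jitter))
        t += (gaps[i] if i < len(gaps) else 0) * scale
    return out

DWELLS, GAPS = [90, 110, 80, 120, 95], [180, 150, 210, 160]  # constructed, in ms
ENROLLMENT = [typed(DWELLS, GAPS, jitter=(i * 7) % 11 - 5) for i in range(20)]
PROFILE = enroll(ENROLLMENT)

def demo():
    owner = typed(DWELLS, GAPS, jitter=3)      # same rhythm, 3 ms longer holds
    sleepy = typed(DWELLS, GAPS, scale=1.08)   # same rhythm, 8% slower
    other = typed(DWELLS, GAPS, scale=1.6)     # much slower typist
    return [response(score(PROFILE, e)) for e in (owner, sleepy, other)]
```

The spread floor matters here: the constructed enrollment varies by only a few milliseconds, so without it the 3 ms attempt would already score as an outlier.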
  • Re:Sounds good (Score:4, Interesting)

    by perljon ( 530156 ) on Wednesday May 21, 2003 @07:28AM (#6006085) Homepage
    And maybe you don't want to use this for authentication, but it could set off bells and whistles so that an admin could look into the security violations. You could find out exactly when someone decided to share their password. Then you could walk up to their desk in a black suit and sunglasses, and remind them that they are not supposed to share their password, and that it's been changed.

    This would also be a good measurement for hacker detection. If you keep a history of the password key stroke timing, and all of a sudden a separate set of timings starts to appear, you can start to look for other differences in the login patterns. Finally, you could use this to see who is logging into root directly. Bad! Bad! Bad Boy!
  • Arthritis (Score:4, Interesting)

    by Deanasc ( 201050 ) on Wednesday May 21, 2003 @11:03AM (#6007380) Homepage Journal
    I have arthritis. Some days are good. Some days are bad. Mostly it's in my knees and elbows. Lately it's been creeping into my knuckles. Now before I start yelling at the clouds like Grampa Simpson let me get to the point. The typing I can do today is probably not going to be the typing I do tomorrow. I see this as nothing but a bad idea. I don't want to be locked out because I've run out of Motrin.
  • You are not everyone (Score:3, Interesting)

    by KurdtX ( 207196 ) on Wednesday May 21, 2003 @08:20PM (#6012179)

    This is very typical of very bright, but narrow-minded people. What about people who don't touch type (gasp). What about if you cut your finger and put a bandage over the end? What about people who don't always type the same way? I'm often eating or doing something else while I'm on the computer, and use [Backspace] more than any other key. I might have a burrito in my hand, and thus be typing with my pinkies.

    And for those of you reading this comment, it's not just stuff like this, but any time you make something for more than just yourself you can't use your "ultimate" idea because it is only ultimate for you. For example, my mom organizes our pots & pans by when she bought them - she can find anything blindfolded, but none of the rest of us can find anything.

    Remember, that if you're designing something for others, you're designing it for those that have trouble driving cars (how many of those people do you see every day?) and need to be told that food will be hot after microwaving.
