Using Password "Keyprints" as Another Form of Authentication?

Adam Kiger asks: "I have written two programs with patents on both. The first program captures the keypress and keyup events per letter of a typed password in milliseconds and returns a numeric value per letter. I am also capturing the keypress of the first letter and the keyup of the next and returning a numeric value in milliseconds. My second program takes these values and runs an analysis of the values after 20 entries of your password to determine what I call a 'keyprint'. 91% of the time you enter the password my values captured matched each letter entry and the time between letters entered. I also can show the results of these tests in 2D graphical representation. I used my wife as a test subject, gave her my password and she couldn't log in to either Windows or my website! I have wrapped these programs around Windows Login and a Website's login control, and it works fine so far. The only problem I have found and not researched is the user using different keyboards. So I've come to ask Slashdot: Is this a viable security function?"
  • Yes it is (Score:3, Funny)

    by NiceGeek ( 126629 ) on Wednesday May 21, 2003 @03:13AM (#6005327)
    Give me your password and I'll prove it. :)
  • by Anonymous Coward
    They'll just record the way you type your password and play it back when necessary.
  • by Vendekkai ( 121853 ) on Wednesday May 21, 2003 @03:16AM (#6005345)
    While this adds an extra level of protection, how about a case where the user password is picked up by a keypress logger? In that case, the timings can be logged too, and it would be a simple matter of repeating those timings with a program to log in.

    Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence.
    • Further, I am not sure how widely applicable this is. Whenever I change a password to a new, cryptic one, I type it in slowly for the first few times till my fingers start "remembering" the sequence. This will be a huge problem for you, as when you "learn" your password better, you type it out faster. You'd have to apply this at "critical level of ...remeberance (I know, not a word =P), and that would cause implementation to be horrible.
    • Once I thought about implementing something like this. Instead of learning the password keyprint by a fixed number of attempts, I thought about continuous learning --- the login box would just keep a database of all your login keyprints (not validating them) and once you get used to your password, the differences between successive keyprints would cross some given epsilon, turning on the keyprint checking.
    • Yea, this has been common knowledge for eons. I remember writing sumtin similar in BASIC on a crappy 64k amstrad to protect my programtapes...Back in the 80's. Even then we geeks (2 on the whole school, called us the freak brothers...) had read about things like that in magazines, so, old hat.
    • Prior art is irrelevant [uspto.gov] in getting patents from USPTO. :)
      • by WasterDave ( 20047 ) <<moc.pekdez> <ta> <pevad>> on Wednesday May 21, 2003 @04:07AM (#6005519)
        Sure, but it is relevant for enforcing them. Presumably that's the point?

        • Not always; there can be a lot of value in an unenforceable patent, to create a chilling effect on competitors, especially the smaller ones. That's because no one really knows if it's enforceable until someone can afford to spend a hefty sum on litigation to find out.
      • Uh, that patent looks pretty darn specific to me. It talks about specific shaped connectors, how wind drag affects certain-shaped spokes, their specific shape, etc. It looks like a non-obvious specific solution to a general problem. And there is a drawing of a particular implementation. It is not a generic patent for "spoked wheels", which is what I infer you meant by saying that the existence of prior art had no bearing on this particular patent.

        Unless you're seeing something I'm not seeing...
    • Hi,

      I actually tried to do this in a Java applet for the second year project at Reading University in 1995. But my neural networks teacher said that it had been done years before and we had to do something innovative.

      Shame I have no docs to prove it!
    • Even better, I think there's a James Bond book (Dr No?) where the Secret Service use the same thing, but for morse keying. And that was the early 60's!
      • Neal Stephenson mentioned this in _Cryptonomicon_: at one point in the book, the British spoof a message to appear to be from a German submarine by imitating the "fist" of the sub's communications officer. I have no idea if this kind of thing really happened, but it seems plausible.
        • Telegraph operators have been able to tell which of their fellow operators was at the key practically ever since the invention of the telegraph. Sort of like no two piano players sound exactly the same even though playing the same sheet of music.
    • I found a program that did this in nibble. It was early 80s. I used it as protection on my disc. It's really annoying to have your password rejected when you've typed it correctly.
  • Will be great for a lone ranger, but sometimes certain passwords need to be shared and this would eliminate it. Unless, at the time the password is shared, you measure timing for that new user as well - but each successive time would weaken the strength of this new layer of security.

    Not much of a problem though. Sounds good to me in some ways.
    • When would you ever need to share a password? (Don't answer that...The answer is never.) Groups are for working with teams. SetGID bits are for working with teams. Sharing passwords is the bizarre action of someone who doesn't know better.

      • Re:Sounds good (Score:4, Interesting)

        by perljon ( 530156 ) on Wednesday May 21, 2003 @07:28AM (#6006085) Homepage
        And maybe you don't want to use this for authentication, but it could set off bells and whistles so that an admin could look into the security violations. You could find out exactly when someone decided to share their password. Then you could walk up to their desk in a black suite and sun glasses, and remind them that they are not supposed to share their password, and that it's been changed.

        This would also be a good measurement for hacker detection. If you keep a history of the password key stroke timing, and all of a sudden a separate set of timings start to appear, you can start to look for other differences in the login patterns. Finally, you could use this to see who is logging into root directly. Bad! Bad! Bad Boy!
        • I wouldn't think of this as a patentable idea on its own and I swear I've read about the idea before several other places (probably /.), but it could be useful in an IDS, simply notifying the admin of a suspicious login. It could also be added to a login system that combined passwords with other imperfect ID checks like facial recognition.
        • Then you could walk up to their desk in a black suite...
          I read this and had a strange image of a sofa and 2 chairs turning up at my desk... Maybe that's the lack of coffee this morning.
      • When would you ever need to share a password? (Don't answer that...The answer is never.)

        You share passwords when it's forced upon you by an outside entity. For example, a website may charge for access and the company uses a single account for multiple users. I believe some section of Oracle used to (and possibly still does) use per company or per version accounts.

        "Never" is a word to stay away from when things are not 100% in control. How often have things been 100% in my control, you ask?

        Why, never!

  • by porksodas ( 515690 ) on Wednesday May 21, 2003 @03:20AM (#6005363)
    91% of the time you enter the password my values captured matched each letter entry and the time between letters entered.

    I don't want to have to retype my password one time out of ten just because I typed the third and fourth letter too close together. It's a good idea, but I think it needs a higher success rate (without compromising security, of course). I think a pattern-recognizer (like a neural network) might come in handy, though that may be slightly overkill for your Windows login screen.
    • I don't know about you, but every password I have, I have to re-type one time in ten anyway, because of mis=hits, double lettters, lrunpstf=djogy*, or whatever else. This goes too for most people I know. Heck, half the users I know forget their username anyway.

      Still, I think this would be an interesting idea, as long as it re-learned as time went on (people get faster at typing their password - and what about when passwords change? There are several trivial but important issues. Still, a cool idea. I wish
      • But this will just add to the times you have to retype. The password has to be correctly typed, and correctly timed. So it would be an inconvenience. Also when re-typing a password, the timing is often different because you want to get it right this time, and therefore focus more on each key.

        All in all it is bound to have a higher re-type rate than normal passwords, but it might still have application in areas where emphasis is more on security and less on speed...

  • No patents (Score:5, Interesting)

    by Roto-Rooter Man ( 520267 ) <cleanthosepipes@hotmail.com> on Wednesday May 21, 2003 @03:22AM (#6005370) Homepage Journal
    This guy has no patents. [uspto.gov] He's just trying to scare us off from stealing his idea. Why else jump to mention his patents at the first available opportunity, on a website which hates patents no less?
    • by Steve Cox ( 207680 ) on Wednesday May 21, 2003 @04:54AM (#6005639)
      Actually I think it was a misspelling. He wrote two programs with patterns on them.

      The first one has a nice plaid pattern, whereas the second one (and this is the clever bit) has a striking blue and green pattern on it.

      • "The first one has a nice plaid pattern, whereas the second one (and this is the clever bit) has a striking blue and green pattern on it."

        Somewhere there's bound to be a Scottish clan or two with prior art on that.

    • Presumably he has filed with the patent office but no patent has been granted yet. However his idea would still be protected should anyone else try to file an application covering the same idea.
      • Wouldn't it still show as a patent pending?
        • no.

          you know, there's things called submarine patents some devious companies can file, and then try to get everyone to use the already patented tech (whilst they don't know the company has patents on them) and then profit from this.

          this timing method however has very few uses, but very good uses those few are, for example for vaults or similar.

    • Good, that was one of the first programmes I ever wrote for the PC, a bastard long time ago.

      My thoughts were to continuously monitor things like spelling mistakes and typos as well as keypresses: 10 mins of odd activity and the PC questions the identity of the operator.

      This is fine, until you injure yourself and don't type quite the same.

    • I agree with this. Based on the prior art that was mentioned previously in this post (a few threads above at the moment). I highly doubt that the USPTO (I'm assuming) would issue a patent for this technology, or that one hasn't been issued already. If the poster has the patents he mentions, he could post links to them to establish credibility (since they're already "patented", his IP is safe).

      If he doesn't have patents, though, let's not burst his bubble on being creative and inventing. Let's just call
    • If he is for real, he probably means he has applied for patents. FYI the USPTO have both an issues and an application database [uspto.gov] and trust me when I say, it takes years to even have applications turn up in the DB - I have some patents that were applied for 3+ years ago that still have not made it (and no, I am not patent protagonist, but my employer is). Additionally, when they DO show up in that DB, they show the date on which they got entered NOT the application date, which is the one that counts.
  • by orthogonal ( 588627 ) on Wednesday May 21, 2003 @03:47AM (#6005450) Journal
    This does add another layer of protection, but it has some drawbnacks.

    I'm typing this on my Zaurus; the nnnnn key is hypersennnsitive, as you may have noticed by now.

    I can switch to another input method, like the on-screen software keyboard, as I am now, but the timings are completely different. If I switch to the "handwriting", as now, you'd have to clock penstrokes, again totally different.

    What about logging in remotely over a buffered or burst-y connection? You might be able to (roughly) time keystrokes, bnut not key-ups or key-downs (I'm nnback to the keyboard, see the extra "n"s?) .

    Even worse, what if I innnjure my finger or hand (yeah, it's /., I know the njokes I've set myself up for)? Will I nbe able to log in at all?

    With a password, as long as one finger works well enough to nhunt and peck, I can log in. With your method, I've got to nbe in the same physical shape, possibly as awake, as relaxed, etc. as when I recorded the password. Not to mention it's a pain to record a password 20 times.

    However, I think your method does have a use; its drawbacks as a general password system makes it perhaps useful for other purposes: it is an innexpensive (i.e software only) way to deternmine that the user is in substantially the same state of health and mind as when the password was recorded.

    This might make it a decent way to deny access to users under duress. I should note that users under duress might well be harmed when they cannnot make the password work, so it probnably should only be used to protect access the user considers more valuable than his own life.
    • I admit you have a point which is valid for people logging into home computers.

      However, in an organisation with sys admins, it would be trivial to go to a sys admin and tell them you have an injury which means you can't log in; they can then just reset your keyprint timings -- you just re-train the system and off you go again.

      A useful modification to the system would be to have it do online learning: i.e. the keyprint timings are not learned from a batch of N sample logins, but the classifier is trained on
      • Nice idea on learning, but some injuries are rather sudden. I broke my collarbone and it instantly changed my typing style. I doubt any system could learn that quickly. (and if it learns it may learn to do the wrong thing.)
  • It works well (Score:5, Informative)

    by Pathwalker ( 103 ) * <hotgrits@yourpants.net> on Wednesday May 21, 2003 @03:49AM (#6005456) Homepage Journal
    What you are describing sounds like one of the most basic techniques for biometric authentication. I remember being assigned to write programs to do what you describe for a class several years ago. It was one of the easier assignments we had.

    If you are researching the subject, I strongly suggest Biometrics: Personal Identification in Networked Society [amazon.com], and anything else on the subject written or edited by Anil Jain [amazon.com].
    (His webpage is here [msu.edu], the webpage of his lab is here [msu.edu]).

    Dr. Jain is (IMHO) the current leader in biometric research worldwide.
  • But it could be used for musical applications.

    Plenty of prior art in this area though, I'm afraid ...
  • I think this should be researched with other people than yourself and your wife... Some will have a far worse success rate than 91%. Whenever I watch my dad punch in a password, it is as if he has never seen the keys before. I am pretty sure that this idea would make him really frustrated.

    Personally, I am really used to punching in my password(s) and I would not be surprised if others could imitate me simply by trying to input it very efficiently. I guess I would be able to obfuscate my password with some pauses

    • > Personally, I am really used to punching in my password(s) and I
      > would not be surprised if others could imitate me simply by trying
      > to input it very efficiently.

      Me too, _except_ that I use a modified keyboard layout, which makes
      certain things take different amounts of time than usual. (For
      example, switching between upper and lower case is faster, because
      shift is under a home position on my layout. OTOH, k is rather
      out of the way and generates an extra pause before or after.)

      I still prefer the l
      • what is the layout called that you're using?
        • > what is the layout called that you're using?

          I call it "Jonadabian". It's a custom layout of
          my own design. I have an Avant keyboard, so I
          can put any key in any position I want.

          My layout is based on QWERTY, but there are some
          quite important differences. Most notably, I
          have shift and control under the home positions
          of my left and right pinkies (respectively) so
          that I don't have to hyperextend my pinkies every
          two seconds. My pinkies used to hurt after a few
          hours of using the computer, and now they don'
  • by Chilles ( 79797 ) on Wednesday May 21, 2003 @05:42AM (#6005755)
    Please, open your source and throw your patents in the public domain. As soon as you do that I'll be more than happy to evaluate your system. Right now, my only inclination is to look for prior art. (which I'm pretty sure exists).
  • User Auditing (Score:3, Interesting)

    by clambake ( 37702 ) on Wednesday May 21, 2003 @05:43AM (#6005760) Homepage
    Instead of denying access when someone's keypresses don't match, which is a perfectly possible thing that could happen in a number of situations, just use the keypress score to alter how the system audits the user's actions. If he's under the threshold, you can send a page to your beeper, just notifying that it happened, if he's way off, then grant him only basic privileges, no root, but if he's only a little off then let him have normal access, but turn the logging on for every action he does. Most of the time he won't be an intruder, just someone who was a little sleepy that morning, but when it is an intruder, you'll be able to watch more closely and roll back any changes he makes.
  • ... not for joe l. user! try to imagine explaining grandma why she can't log in to her windows me - box with the same password she used yesterday...

    or was it last week?

    mortimer! how did you type 'depression' again? with a coffee break between the 'p' and the 'r'?? ;)
  • Damn, I had thought of this many years ago but discarded it as a novelty. Good job!

    On a side note, this will help keep me off my computer while drunk too!!
  • 20 values (Score:5, Informative)

    by cgenman ( 325138 ) on Wednesday May 21, 2003 @09:35AM (#6006716) Homepage
    Why derive your key from the first 20 inputs? Why not continually re-derive the key from the last 20 inputs, to allow for typestyle drift over time?

    • Umm.. cos then Mr cracker comes in, types the password 20 times, and now the original user can't get in.

      And it would be a little pointless to only allow the past 20 _successful_ inputs, because they would all match the original fingerprint and no drift would occur.
      • And it would be a little pointless to only allow the past 20 _successful_ inputs, because they would all match the original fingerprint and no drift would occur.

        To millisecond accuracy? I don't think so. The verification algorithm has to accept each correct keypress within some margin of error; they won't all be exactly the same. Then the last 20 successful samples can be averaged and used as the baseline for new verifications each time.

        Mr. Cracker either doesn't know the correct keys, or will be so far

        • Mr Cracker, young as he is, remembers reading about some ancient l33wt hacker tricks. His hacker buddies stand back in awe as he... Changes the password without typing anything 20 times.
          • remembers reading about some ancient l33wt hacker tricks. His hacker buddies stand back in awe as he... Changes the password without typing anything 20 times.

            Yeah, I remember that trick. It's called a boot disk [lostpassword.com].

            I'm not sure if boot disks are "l33wt", but I know that if anyone has physical access to your machine, they can access your machine. This keystroke monitoring program is silly.
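
Added example (not code from the submitter or from any commenter in this thread): a sketch of the scoring side of a "keyprint" check, combining the tiered response from the "User Auditing" comment with the rolling last-20 baseline debated in the "20 values" thread above. The thresholds, the spread floor, the scaled-distance score and the sample timings are assumptions constructed for illustration.

```python
"""Keyprint scoring with tiered responses and a rolling baseline (added example)."""
from collections import deque
from statistics import mean, pstdev

WINDOW = 20                # the submission profiles after 20 entries
MIN_SPREAD_MS = 5.0        # assumed floor on per-feature spread
ACCEPT, AUDIT = 1.5, 3.0   # assumed score thresholds; tune per deployment


def features(events):
    """events: [(key, down_ms, up_ms), ...] for one password entry.

    Returns each key's hold time, then the interval from each key's press
    to the next key's release (the two measurements in the submission).
    """
    hold = [up - down for _, down, up in events]
    span = [events[i + 1][2] - events[i][1] for i in range(len(events) - 1)]
    return hold + span


class KeyprintProfile:
    def __init__(self):
        self.samples = deque(maxlen=WINDOW)   # oldest entry drops off

    def enrolled(self):
        return len(self.samples) == WINDOW

    def baseline(self):
        return [mean(col) for col in zip(*self.samples)]

    def score(self, vec):
        """Mean per-feature distance from the baseline, in units of spread."""
        total = 0.0
        for x, col in zip(vec, zip(*self.samples)):
            total += abs(x - mean(col)) / max(pstdev(col), MIN_SPREAD_MS)
        return total / len(vec)

    def assess(self, events):
        """Tier for one entry; call only after the password itself verified."""
        vec = features(events)
        if self.samples and len(vec) != len(self.samples[0]):
            raise ValueError("password length changed: re-enroll the keyprint")
        if not self.enrolled():
            self.samples.append(vec)
            return "enrolling"
        s = self.score(vec)
        if s <= ACCEPT:
            self.samples.append(vec)   # only clean matches move the baseline
            return "normal"
        if s <= AUDIT:
            return "audit"             # normal access, log every action
        return "restricted"            # basic privileges, notify the admin


# --- constructed sample timings (illustrative, not measurements) ---
KEYS = "secret"
HOLD = [95, 80, 110, 90, 85, 100]   # ms each key is held down
GAP = [160, 140, 210, 150, 170]     # ms from one key press to the next


def entry(hold=HOLD, gap=GAP, jitter=0.0):
    """Build one entry's events; jitter lengthens every hold by that many ms."""
    events, t = [], 0.0
    for i, key in enumerate(KEYS):
        events.append((key, t, t + hold[i] + jitter))
        if i < len(gap):
            t += gap[i]
    return events


def enrolled_profile():
    profile = KeyprintProfile()
    for jitter in [-8, -4, 0, 4, 8] * 4:   # 20 enrollment entries
        profile.assess(entry(jitter=jitter))
    return profile


if __name__ == "__main__":
    p = enrolled_profile()
    print("owner, usual rhythm:", p.assess(entry(jitter=4)))
    print("owner, off day:", p.assess(entry(jitter=12)))
    other = entry(hold=[140] * 6, gap=[260] * 5)   # same password, other hands
    print("other typist, 20 tries:", {p.assess(other) for _ in range(20)})
    drift = {p.assess(entry(jitter=-0.5 * k)) for k in range(1, 41)}
    print("owner speeding up over 40 logins:", drift)
```

Because only entries in the "normal" tier are appended to the window, twenty mismatched entries leave the baseline untouched, while a gradual speed-up of half a millisecond per login is followed.
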
  • What about when the user sits down at a different type of keyboard; ie normal vs 'natural'?
  • You should have done a study to see how often people type things the same way. Me, I'm a spaz and never type things the same way all the time. Especially when changing keyboards, machines, chairs, etc.

    Try again...

  • Arthritis (Score:4, Interesting)

    by Deanasc ( 201050 ) on Wednesday May 21, 2003 @11:03AM (#6007380) Homepage Journal
    I have arthritis. Some days are good. Some days are bad. Mostly it's in my knees and elbows. Lately it's been creeping into my knuckles. Now before I start yelling at the clouds like Grampa Simpson let me get to the point. The typing I can do today is probably not going to be the typing I do tomorrow. I see this as nothing but a bad idea. I don't want to be locked out because I've run out of Motrin.
  • What about when I'm drunk? Or injure one hand? Or haven't had coffee yet. Or need a co-worker to log in as me?
    • I implemented this exact thing on Mac OS in the 1980s and we did the "what if you're drunk" test. You can't log in. In fact, being hung over or sick can also screw up the timing. Tuning it to find the acceptable threshold of pickiness is tricky.

      I think it's not a bad idea, because it's based both on biometrics and something changeable (password). Any system based purely on biometrics does not allow for altering of the access "code" if it gets compromised.
  • ...bzzzt, try again. No one will adopt it until you can offer a permanent irrevocable guarantee that you'll grant royalty-free access to the patents.

    Otherwise, you're just another schmoe who thinks he's come up with something unique.
  • by runswithd6s ( 65165 ) on Wednesday May 21, 2003 @11:56AM (#6007760) Homepage
    This type of biometric measurement, bogus patent claim excluding, can be useful. It is limited, however, to how the input is collected. For local machine access, it is possible, given that the OS allows access to the input device. Remote access, however, is another beast altogether. If we were to limit the use of this biometric to simple 100BaseT full duplex ethernet LANs, and if you allow for a larger standard deviation of timing, there are only a few communication protocols that you could use this test on.

    Telnet will "work", for example. Open up an instance of tcpdump or some other real-time packet sniffer and telnet into your local machine. Type in your password. For every character you type in a telnet session, a packet is sent. This is one reason it is such a poor protocol for restricted or secure access. Add the fact that it's a plain text protocol, and someone could mimic your biometric quite easily.

    SSH, on the other hand, has lots of little enhancements to combat the network sniffer. Firstly, the traffic is encrypted. Secondly, ssh doesn't send your password one character at a time. It varies the packet sizes and timings "randomly", and well, it's just plain cool. So, unless you add a biometric test to password timing for the local ssh client used to connect to the server, you couldn't gather the information at all.

    Use with HTTP would also depend upon the cooperation of the remote client, but if there's anything a knowledgeable programmer has learned over the years, it's that you NEVER trust client information fully. (Just as people don't fully trust closed-source software, but that's way off topic.) Always validate your input.

    So, although such biometric validation can be useful under certain circumstances, it's not reliable enough to be depended upon. I do like the idea that one poster presented for auditing user behavior, such as violating a system policy of sharing passwords for a single account, but once again, it's a very limited biometric.

  • I was on one of my super-paranoid thought paths the other day, and ended up trying to think of a way to restrict access.

    Passwords are vulnerable to keylogging and snooping, your method would require that the keylogging/snooper timed the keystrokes - definitely in the realm of possibility. Some sort of combined graphical/mouse/keyboard login would be more difficult, but snooping/screen captures/Van Eck phreaking would do the trick. Biological measures would also be difficult, since you can be coerced into

    • Van Eck phreaking is still possible with an LCD display. It's to do with the rhythmic timing of a PC. It's easy to spot the 70Hz (60, 80, whatever) of your monitor. Your LCD also refreshes. There is the writes to the video memory, etc.
      I suppose you could say it's more difficult, but compared to actually doing Van Eck phreaking in the first place, it's only marginally more difficult. If you can phreak VDUs, you can phreak LCDs.

      As for the initial problem of restricting access. If you want to ensure that nobody can
  • As a password ages, finger familiarity increases. You type that sequence faster than the 1st few times. Especially if it is a strong pw, and not a standard word.

    At some point, you have to reset the timing. Say every n logons. But at that point, a cracker could reset the timing for you...:)
  • You can pay to get two patents but can't spring for a couple of keyboards?
  • You are not everyone (Score:3, Interesting)

    by KurdtX ( 207196 ) on Wednesday May 21, 2003 @08:20PM (#6012179)

    This is very typical of very bright, but narrow-minded people. What about people who don't touch type (gasp). What about if you cut your finger and put a bandage over the end? What about people who don't always type the same way? I'm often eating or doing something else while I'm on the computer, and use [Backspace] more than any other key. I might have a burrito in my hand, and thus be typing with my pinkies.

    And for those of you reading this comment, it's not just stuff like this, but any time you make something for more than just yourself you can't use your "ultimate" idea because it is only ultimate for you. For example, my mom organizes our pots & pans by when she bought them - she can find anything blindfolded, but none of the rest of us can find anything.

    Remember, that if you're designing something for others, you're designing it for those that have trouble driving cars (how many of those people do you see every day?) and need to be told that food will be hot after microwaving.
  • That idea is so obvious as to be painful. It isn't novel or original at all. If you really have patents on this then the patent office was smoking crack that day. I read about this being done YEARS ago. Didn't you do some research into prior art? Remember, computing existed LONG before Google. Go look in the library - perhaps look through old ACM Journal - DO SOME HOMEWORK then go work on something really novel.

    Just because you can do it, doesn't mean you should get a patent on it.
  • my thesis (Score:2, Informative)

    I did a summer research project implementing this kind of a system using a neural network. The professor with whom I worked had patents on the system he had developed with one of his Masters students back in 1990/91. They are published. But, of course, the patent is for the *implementation* of the idea, not the idea itself. The idea has, as many have thankfully testified, been around since keyboards.

    My work was to improve the results using a different neural network. I later used this work as the basi
  • Nope -- not good, for a variety of reasons listed in other posts.

    Reminds me of a story by Orson Scott Card [hatrack.com] called Dogwalker [frescopictures.com] . The protagonist is someone who groks passwords. He ends up caught because he got a password correct on the first try, which the owner never ever did.
  • I'm not sure I like the idea that you're not sure about the validity, from a security standpoint, of the concept, but you've already patented it
  • So you'll forgive me for briefly commenting, because I have to type very slowly.

    Actually, that should answer your question.
  • However, I cannot think of anyone really paying for it in its current format. Finger print ids, keypads, that sort of thing, would be the choice of most.

    Doesn't mean it doesn't have other applications though. Sounds like it might be a better measurement of typing speed than what most use. Perhaps it could add complexity to games as well.

  • Well at least I know I'm not the only one who wastes money on worthless ideas...
  • These people [biopassword.com] state that their 'patented keystroke dynamics technology, a proprietary algorithm to make biometric measurements of a keyboard user's individual typing rhythm' was originally developed by SRI between 1979 and 1985. 'Today, the company has re-engineered keystroke dynamics into a software only biometric solution for user authentication in modern computers.'
  • Those who do not know history are doomed to patent it. [To acquire or issue patents]

    As others have mentioned, morse code users recognized the style of each other's signals a long time ago. Typing patterns have been used in various ways also; one of the less obvious was in decoding typed documents through spy transmitters which provided recorded audio of typing. Of course, Turing test tools have done the reverse when a computer emulated human typing for the purpose of seeming to be a human typist. An obv
