Schneier on Security
A blog covering security and security technology.
April 23, 2007
This sounds like a good idea. From a news article:
The technology, which measures the time for which keys are held down, as well as the length between strokes, takes advantage of the fact that most computer users evolve a method of typing which is both consistent and idiosyncratic especially for words used frequently such as a user name and password.
When registering, the user types his or her details nine times so that the software can generate a profile. Future login attempts are measured against the profile which, the company claims, can recognise the same user’s keystrokes with 99 per cent accuracy, using what is known as a "behavioural biometric."
I wouldn't want to automatically block users unless they get this right, and the false-positive/false-negative ratio would have to be jiggered properly, but if they can get it working right, it's an extra layer of authentication for "free."
Another news article. Slashdot thread.
Posted on April 23, 2007 at 6:49 AM
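As an added illustration (not the vendor's software or anything from the article), the scheme reduces to: extract key hold ("dwell") and key-up-to-key-down ("flight") timings from each login, enrol from nine samples, score a fresh attempt by how far it sits from the profile, and then treat the score as a suspicion factor with step-up rather than a hard denial, with a monitor-only mode. The password, baseline timings, jitter and thresholds below are constructed values.

```python
import statistics
from typing import Dict, List, Sequence, Tuple

# One typing sample: (key, key-down ms, key-up ms) in press order.  Only the
# timings feed the profile; the password text itself is still checked by the
# usual salted-hash comparison, which is not shown here.
Sample = List[Tuple[str, float, float]]
Profile = Dict[str, List[float]]

# Constructed example: a touch typist's baseline for an 8-character password.
PASSWORD_KEYS = list("correct1")
BASE_DWELL = [90.0, 85.0, 95.0, 80.0, 100.0, 88.0, 92.0, 110.0]  # ms key held down
BASE_FLIGHT = [120.0, 110.0, 150.0, 130.0, 105.0, 140.0, 160.0]  # ms key-up to next key-down
STD_FLOOR_MS = 5.0  # never let one freakishly consistent feature dominate the score


def make_sample(dwell_scale: float = 1.0, flight_scale: float = 1.0,
                jitter: float = 0.0) -> Sample:
    """Synthesise a sample from the baseline; jitter alternates sign per key."""
    t, sample = 0.0, []
    for i, key in enumerate(PASSWORD_KEYS):
        down = t
        up = down + BASE_DWELL[i] * dwell_scale + jitter * (-1) ** i
        sample.append((key, down, up))
        if i < len(BASE_FLIGHT):
            t = up + BASE_FLIGHT[i] * flight_scale + jitter * (-1) ** (i + 1)
    return sample


def features(sample: Sample) -> List[float]:
    """Dwell time of each key followed by flight time between consecutive keys."""
    dwell = [up - down for _, down, up in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples: Sequence[Sample]) -> Profile:
    """Build a profile from the enrolment samples: per-feature mean and std-dev."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrolment samples must have the same key count")
    columns = list(zip(*vectors))
    return {"mean": [statistics.fmean(c) for c in columns],
            "std": [max(statistics.pstdev(c), STD_FLOOR_MS) for c in columns]}


def score(profile: Profile, attempt: Sample) -> float:
    """Mean absolute z-score of an attempt against the profile (0 = perfect fit)."""
    v = features(attempt)
    if len(v) != len(profile["mean"]):
        return float("inf")  # a different key count can never match
    return statistics.fmean([abs(x - m) / s
                             for x, m, s in zip(v, profile["mean"], profile["std"])])


def decide(z: float, monitor_only: bool = False,
           soft: float = 1.5, hard: float = 3.0) -> str:
    """Risk-tiered response: the biometric is a suspicion factor, not a hard deny."""
    if z < soft:
        return "allow"  # high confidence, no impedance
    # Middle band: step-up question; far band: limit to low-risk actions.
    tier = "challenge" if z < hard else "restrict"
    return "allow-logged" if monitor_only else tier  # monitor-only: record, don't block


if __name__ == "__main__":
    profile = enroll([make_sample(jitter=j) for j in (0, 2, 4, 6, 8, -2, -4, -6, -8)])
    for label, attempt in [("same typist", make_sample(jitter=3.0)),
                           ("same typist, sore wrist", make_sample(1.1, 1.1)),
                           ("hunt-and-peck impostor", make_sample(1.4, 2.5))]:
        z = score(profile, attempt)
        print(f"{label:25s} z={z:6.2f} -> {decide(z)}")
```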
What happens when the user tries to log in while standing up, and has switched to hunt and peck instead of touch typing?
You will run into problems if the user is unable to type in their normal fashion, e.g. they've got an arm in a sling.
On the plus side it wouldn't hurt to make it harder to login when you're drunk so you won't end up making that ebay bid that you'll regret in the morning.
At 99% this shouldn't probably block login, but might for example write to a log file that a 'suspicious' login was made - and perhaps alert an admin via an email or something - naturally the measures should depend on the system and the potential severity of a false login.
I would agree with hullu. I quite often type in my username and password and think to myself "Hey, that was really fast. I rock at typing!", and other times I type it in and get it wrong. But then I am an impatient person. Should I run the risk of having my account blocked because I have a good or bad day on the keyboard?
I don't fink so!
More likely, what happens if the user is on an unfamiliar computer? I use a natural keyboard at home, and am slower at typing on the "regular" keyboards like at the office, or in Internet Cafes. What happens if it detects this and doesn't let me log in because I'm on a different computer to normal?
Hey, Bruce, will you be upgrading Password Safe to "simulate the rhythm"?
Most of my password errors occur when I have someone on the phone and I am typing one handed.
I would certainly get rejected by this system.
So we have an authentication that only works under stress-free normal conditions -- doesn't sound good to me.
..... on the other hand it might be worth recording this data for later use in Forensics.
It could invalidate a " 'snot me guv someone must 'ave stolen me password " defense.
"What happens when the user tries to log in while standing up, and has switched to hunt and peck instead of touch typing?"
"You will run into problems if the user is unable to type in their normal fashion, e.g. they've got an arm in a sling."
"More likely, what happens if the user is on an unfamiliar computer?"
Exactly. This can't be used to block users if they don't get it right; there are just too many legitimate reasons for getting it wrong.
Think of it in the context not of an authentication system, but a transaction security system. There would be several factors that would increase suspicion: making odd transactions, making lots of high-value transactions, logging in at an odd hour, funny typing patterns, etc. None of this in itself is enough to block the account, but if some kind of threshold is reached the site would try to independently verify the transaction: perhaps through a phone call or an e-mail.
What bothers me the most is not the crossover error rate. I agree with Bruce that with some tweaking, you'll get a balance.
This is a kind of biometric authentication and you do not have a trusted path, at least not in an Internet setting. The user is alone with their keyboard.
But I like the idea as a low footprint hint to a transaction based anomaly detection system, like this :
- The customer changed his home address
- The customer is transferring everything to some foreign country
- The typing is funny
What problem can be solved by typo-rhythm?
What's wrong with passwords?
Too short and easy passwords used?
A lack of theater?
Can anyone say "replay attack"?
A system like this might need long passphrases to get appropriate readings, and that in itself might be a good idea if users use them properly. On the other hand, familiarity with the phrase would change the way it is typed, so maybe customers would have an additional incentive to stick with one and not change it, which is a bad thing. And I agree with opinions above that this is useless for authentication... however it might be good for anomaly detection or forensics, at least for unsophisticated attacks.
I already hate changing my password, now I have to type it in correctly and "just right" 9 times before the system will accept it? And let's just say I'm using a 20-30 character passphrase... can you say carpal tunnel?
I think I'd be more consistent with my typo pattern and habits than the speed and pattern of typing. A few weeks back I had to switch my laptop with my husband, and I'm still struggling as I constantly typo one row on both sides, somehow the keyboard angle is just so different .. or the stupid enter-key is so different on a UK keyboard.
I type waaaay different on different keyboards, different times of day, when doing something else, and for so many other reasons that I don't even want to consider the options of breaking a hand to type with one hand or anything weirder.
Why wouldn't natural typo (including especially typo corrections) pattern be at least as good?
The input technology also factors in. Switch keyboards, and your timing may be off. Try using this feature with a touchscreen or a foldable keyboard. Or any of the input aids for the disabled.
Now where did I keep the keyboard that I need to log into my savings account? Also, I must have Metallica running in the background to keep the rhythm ...
This was most likely tested on (and will be more effective for) older and more experienced users who already have a typing style. For a child learning to type this is probably a really bad idea.
What happens if you injure your hand? What happens if you have a stroke that affects your motor skills? What happens if you aren't the only one that needs to access the information under the same id? What happens if you are not a good typist but become better at it?
There is no way this should be a hard denial of access.
FP, heavy rock music should NEVER be 'running in the background', it should be making the walls shake and annoying the neighbours. For preference I'd go with Motorhead.
I highly suggest you try out their demonstration and read up on the technology. There are many different options on setting this up now and it works fantastically with various keyboards, as well as providing monitor-only mode, profile building over a period of time and follow-up actions to assist in not blocking out the account "on a bad day". Now works with OWA as well as Citrix's new AAC and CAG. The biggest security points are the level of accuracy and the fact that you can reset this biometric at any time you need to and have it recreated by the end user. Then to top it all off I don't have to issue or maintain hardware or software tokens for millions of users around the world!
From the article:
"If users type with more vigour – or languor – than usual, additional security questions are posed to allow them to log in in the traditional manner. "
So your broken arms, natural keyboards, and hunt'n'peckers should still be OK, assuming your security questions are not subject to your bio-rhythms as well :)
When I change one of my passwords, I usually enter the new one quite slowly to avoid making typing mistakes. (This is especially true since I bought a new computer with a new keyboard. I still am not really used to the behaviour of the new keyboard's shift keys, so I regularly make mistakes when typing capital letters.)
Once the new password is in place, I usually need some time to get fluent typing it. So my typing signature will change significantly over time, even without additional external factors like injury, new hardware and the like.
The question about logging in under unfamiliar circumstances is a good one. I think the proposed solutions are also good.
One is to set the bar low enough to encompass variations. No one has yet offered concrete information as to how exact the match must be to pass the test. Does any reader have knowledge or experience on this, or are we all guessing?
Another is to use a nonmatch as a suspicion factor rather than a denial factor. For example, if your pattern is abnormal you have to deal with another layer of security (Bruce tells us multiple weaker layers are more secure than a single stronger one). Or the abnormality is recorded to be used in conjunction with other abnormalities to trigger suspicion.
Angel One is right, but children have fewer systems that need to be protected.
Very good points all the way around. The system has a patented neural engine built into it that continuously refines the typing biometrics, so as your rhythm changes it works with you, hence the option to enroll over a period of time, allowing the user to work normally with the different systems they would normally interoperate with. The algorithms include the password and the login as one unit and measure between each keystroke as well as between each keystroke and the comparison between its overall fit. I believe the total number of algorithms it uses to form the profile is in the neighborhood of 27, but don't quote me.
I would hope this wouldn't operate against the user typing in the password, actually. Most strict authentication systems likely to use this will be the kind where you must change your password frequently and use hard-to-remember sequences. Typing speed for those will vary greatly between when you start using a new password and when you get familiar with it, just in time to change it again.
@Ian & FP:
I think you are both half right.
It should be Metallica making the walls shake.
I like the idea of using the rhythm method to prove that someone *did* log in when they say it was someone else. But I can't imagine too many scenarios where this would be the case.
If this ever becomes commonplace, I promise to alternate between several entry positions, including sitting down, standing up, typing with my toes, typing with my nose, and whilst thrashing my head around wildly to the exit solo from "Fade to Black".
Let's see what the clever software makes of that!
beyond the security issue, there is the "user identification" element, i.e. anytime a prosecutor attempts to, well, prosecute someone for computer misuse . . . always the question of predicates arises . . . one might argue that indeed john doe was at the keyboard and not the cleaning lady based on the consistency of keystrokes . . . are there auto keyboard strokers out there . . . not software, but real programmable mechanical keytappers????
just as an aside the technology has been around for quite a long time now and used successfully in different scenarios, there is one company that has been using this for a couple of years with a million or more online users and they swear by it, maybe not for everyone but I can't think of another at the moment that is built for the "masses" and is not cost prohibitive, once again all about defense in depth.
Worse, what if it's already being used and no one knows it? What if the NSA is keeping a 1-bit heuristic on every login that they log (probably a lot of them) on whether they believe it was the proper owner of the account or not?
There's a fine line between "free" security systems and big brother watching over us.
so what happens if someone whacks their hand with a hammer over the weekend? their rhythm would be all screwed up on Monday... i think this is an interesting idea but people need to think about the scenarios before takeoff :)
We beta'd this system at my company. It's a very compelling solution. It seems that the way you type is nearly as unique as your fingerprint. We tested with even some fairly loose parameters, and we were still unable to mimic each other's typing styles. So, even if I leave my password written on a post-it behind my monitor (no, I don't) someone else cannot login with my credentials.
Yes, Hunt&Peck would be troublesome, but we found that even that could be mitigated fairly successfully by tightening the margins for that user. It makes it harder on the user because they then have to hunt & peck almost exactly the way they "trained" the system.
Sorry for the double post, but I reread some of the comments and I have to agree with the person who said you should demo it before you draw your conclusions. I was equally skeptical about it when they approached me for testing, but there's a lot more to it than what is described in the article.
a whitepaper background for this is here:
it's based on the study of WWII telegraph operators and their distinctive 'fists'
enabling the British and German intelligence services to identify a particular sender
i don't have a reference,
but weren't they 'forgeable'
(i.e. some British telegraph key user's on the Continent sending messages with a 'different fist' ?
in any event, for something as short as a password/passphrase, it doesn't seem too hard to be able to forge...
use a keylogger that records intervals between keystrokes, and work on reproducing it ...
From my experience and experiments, I don't think that this method is accurate and reliable enough. The number of false positives / false negatives is probably too high to have this as an acceptable solution, and depends on the circumstances in which the user types the password. But it probably can be used as an additional method of authentication which will help to improve protection.
yes, or a keylogger/keystroker that "randomizes" intervals between keystroke input . . .
I use passwordsafe and have a 15 character password which I have to type several times a day, so I have some familiarity with typing a given phrase at different times in the day. Early a.m. when everything is tired my typing rhythm is totally different than in the afternoon when I'm awake and my fingers are loose, which is totally different than in the evening when my fingers are loose but my mind is tired. I can remember many times when I've tried over a dozen times to force my fingers to type the phrase which I've typed thousands of times before, but to no avail. This means I get locked out of my bank account for a while; I can't imagine the frustration at getting locked out of my computer, especially when I can't imagine how I'd "fix" it.
Picture the frustration of someone that has to stay at home because of a cold and finds that her tv and fridge shut down because her voice is too hoarse. What can you do to change it?
One problem is that with a series of quick repetitions, the behavior under study changes, while what we want to know about is the first try, the fresh attempt, because that is what we'll be looking at after training. The repetitions after the first inform us only about 'stale' attempts.
This is similar to 'try saying that ten times really fast'.
The training should have each sample interspersed with long periods of distraction (say checking email or Internet news), interrupted by a prompt to enter username and password.
Patent number: 4621334
Filing date: Aug 26, 1983
Issue date: Nov 4, 1986
Inventor: John D. Garcia
Assignee: Electronic Signature Lock Corporation
I think the bottom line is this... I would want something like this protecting a logon to a site containing MY valuable data, not just any password protected site. And I'd much rather take the extra steps to type my password correctly than go through a million screens of challenge questions, pick a picture, verify my social number, etc...
It's new research and it can be used someday to make solid guesses over whether something suspicious is going on. It's pointless to second guess it since we have not done any of the research. If it doesn't work, don't use it. If it works to a certain level, use it for that level of security... etc.
Guillaume: How is Flash not client-side?
Interesting, if used where it makes sense.
I suspect this is more likely to generate false negatives, and few or no false positives. Implications...
... You hear "Good morning, Dave" from your HAL9000 without logging in.
... Typing (painfully) with a bashed finger becomes even more frustrating and painful.
... Spy shops will sell keyboard rhythm adjusters.
This may be considered as a second factor for two factor authentication?
Depending on my mood, I will change my type method on my passwords--sometimes pausing mid stream, or retyping sections, or using two finger instead of touch typing. Depending on the computer, I may also choose not to use the number pad for those sections.
This method might work for me on shorter passwords, but on passphrases, this "type signature" method would probably just drop an error about 60% of the time.
Heinlein mentioned something like this in "The Moon is a Harsh Mistress", where the computer recognizes the person by the rhythm of their typing.
If you can make a neural network representation of my typing, I can make a copy mimicking my typing. Spoofed.
Well, yes, given Heinlein's naval background, he'd probably have been familiar with the concept of recognizing the 'fist' of a radio/telegraph operator as vedaal mentioned above. It's not that big a conceptual jump from there.
sorry to disagree Bruce, but as an information security architect designing protection for critical systems I'll recommend against it, strongly.
it's snake oil. worse, it's failure prone snake oil. worst of all, it fails in many ways.
as joseph and vedaal pointed out, it's vulnerable to a trivial enhancement to a keylogger. so it fails to provide the security it pretends to offer.
fundamental problem there is that it depends on secure client side code which is an oxymoron. if those assumptions are true there are other perfectly good solutions already available.
it also will be prone to falsely reject legitimate users, likely including myself. I have observed several distinctly different typing styles for myself, depending on distraction level, use of both hands, whether the ganglia or cerebrum are running the show at the moment, keyboard location, etc.
as I see it, it's a bad solution in search of a market...
This would not always work reliably where you login over a network, it also would not work if I got really drunk beforehand, but in the latter case, that might not be a bad thing.
I dislike this for the same reason I dislike fingerprint systems (besides the latter being insecure): I have a nice fat blister on my finger because I thought that that piece of metal I touched will be cold. Well, typing with 9 fingers instead of 10 will make a different pattern. Typing with one hand on the keyboard and one on a piece of pizza will also change the pattern. Typing while drunk/extremely tired will also probably change the pattern. Typing while distracted will probably change the pattern...
I see a neat extension of keyloggers to measure the inter-character delay fingerprint associated with password entry, and so allow malcontents to recreate it on demand. Hell, with flash memory at under $1/Gigabit it's not as if this will be a problem with modern keyloggers.
It seems to me that to make this work in the e-commerce sense a web site would have to download and install code that monitors the keystrokes, and either processes them locally or sends them off to be processed elsewhere. Does anyone see a problem with that solution? How on earth would the consumer know to trust that software? Why should downloaded software even have such access? I could go on and on, but until we solve the fundamental malware issue, this seems like a very bad idea for an e-commerce implementation.
It is a rather old idea (not sure about its public coverage though) which was proven to be bad enough already. The major issue here is the typing behaviour of legitimate user changes dramatically because of various reasons: relaxed/stressed mood, different keyboard model or quality among the same models, remote/PDA-enabled login disability, etc. Basically the sum of such keystroke biometrics is a high rate of false negatives and user annoyance. Yet, like a voice system can be defeated with a simple tape recorder, it can be compromised with a simple keylogger.
Flash is client side, of course. The phrase should have read "Other implementations will *also* rely on client side...".
I didn't want someone bringing up the "what about a signed applet" argument, which would be totally irrelevant.
As guvn'r said, secure client side code is an oxymoron.
I think it's an appalling idea when used for password validation.
I think it could be used over the longer term as a background persistent user validation service.
But, being locked out of my PC because I got the timing wrong because my wrist is sore. Ironically, just the stress of knowing my "timing" is being measured will make me think about my data entry, and throw my timing. It's like how I cannot use a cellphone's voice activated quick dial feature.
Everything has its faults. I have noticed key fobs with the pin/password taped/etched and know people pass them around if needed (oops forgot mine at home/work). It has its place I guess. Before it is disqualified, has anyone tried it?
But doesn't it break the original authentication layer of security.
Passwords are hashed and files are shadowed so that nobody can know the actual password (not even root/administrator). Admin can reset password but not know it.
Pattern matching for this system requires that we store the characters (sequences of them) in plain text. This greatly reduces the domain of characters which must be permuted in a brute force attack.
It may not be viable as the only measure of security in its layer but could be treated similar to a voice-print when phoning the bank and asking to pay out some mortgage to/from your own personal account (which is a convenience feature with limited security risk).
Furthermore - according to some legends - in WWII it was possible to identify submarine radio operators by their "key" or handwriting. I have been led to believe that this fact was used against Germany to plot the movements of their submarines and to inject messages once the security was broken.
Try it online in a demo here:
They give you various user names and the passwords to test it online in a demo.
I have installed and tested their software myself and it is very good (not perfect though).
It gives you the ability to set your sensitivity threshold of false accepts vs false rejects to suit your needs and environment.
They also have an Active Directory version for protecting Windows logins through the GINA and some command line
The primary advantage is no hardware required to distribute and potentially to lose, and the cost is dramatically lower than other two factor authentication methods due to the lack of hardware.
> This sounds like a good idea.
> I wouldn't want to automatically block
> users unless they get this right, and the
> false-positive/false-negative ratio would
> have to be jiggered properly, but if they
> can get it working right, it's an extra layer
> of authentication for "free."
There are a lot of things that would be good ideas and free if given the same benefit of the doubt. Racial profiling for one.
However if you applied the same standard of criticism to this that you apply to others you should have decided that it is worthless and will serve only as a PITA for authenticated users.
Probability that someone tries to access your account * probability that someone does this with your correct login = The one in ############## chance that this will ever become an issue for an attacker.
1 in 1 is the probability it will become an issue for the proper user.
1 in 1 is the probability of a different keystroke pattern when using a laptop on your lap.
1 in 1 is the probability for typing in low light without a backlit keyboard. etc
Basically it's just a tool to piss off authenticated users. Why you would assume anyone would come up with such a biometric product and not make it block users is just bizarre.
I think that keystroke biometrics is long overdue... why hasn't Microsoft embedded this in their O/S? No ROI. (The same reason credit card companies do not have better safeguards on cards, the liability is placed outside of their revenue stream.)
The brightest part of keystroke dynamics is the fact that it CAN be part of any website authentication... why hasn't Google come out with an API? Again, no ROI (or perhaps NIH?).
Our product was evaluated by large financial institutions for FFIEC compliance, and one company did recognize the value in using it as a risk mitigator: If the user logged in with a high confidence, there was no impedance. If the biometric scored low, the user was either limited to in-bank transactions, challenged with another out-of-band question, or simply asked to call a customer rep to confirm any high-risk transaction.
I believe THAT is how cyber-security measures should be implemented.
Oh, and for those who think their typing changes during the day -- speed is usually not a large factor, cadence is. And what happens if you break a finger? Ask any call center whether they would rather reset 1000 passwords a day, or temporarily change the acceptance level of a keystroke biometric for a single user once every couple of months.... now there's a compelling cost saver.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.