Also, this suffers from the same issue as many (all?) biometric authentication systems: revocation support.
Say someone hacks the db where my particular typing style signature is stored. Now they can skip the typing and send the signal my keyboard would have sent and authenticate as me to whatever service was using that db.
You can push the problem into hardware (authenticate the keyboard as well) but that's just making the same mistake twice (once the keyboard gets hacked...).
Part of a good authentication system is being able to change the locks on the door when someone loses a key, which is why biometric data is particularly unsuited for the purpose.
Or, what if the attacker set up a website (say, a forum) and enticed someone to visit it and type something, and the site used JavaScript to log their typing patterns?
Perhaps if it relied on strength of hitting the keys, this would be harder, though some of this data might be retrievable from an accelerometer.
The article really doesn't say anything more than the headline already did (then gets into "high-entropy random character strings are hard to remember" --> solution: "read xkcd, use passphrases"). Also, the DARPA program is more involved than this implies.
They do link to the DARPA Active Authentication program:
The thrust of which is that they want a better way to establish that the expected user is in fact the one at the keyboard, including ongoing verification of whether they are still the person at the keyboard.
They'd also be extra happy if it works with existing hardware, so they'd like the answer to be things like analyzing the way the keyboard or mouse is used, or analyzing patterns in how you write (IMO probably more trouble than it's worth!). "Implant RFID chips in the hands of all DOD personnel" is off the menu for the moment.
An extremely interesting idea, but consider me a sceptic until proven wrong. I strongly suspect this is something that might see a few "Show HN: I made..." type posts (not necessarily on HN), which receive feedback that can be summarised as "nice POC, nice code, not suitable for real use because x, y and z".
I agree. Maybe this would be harder than I'd expect, but it seems that if an attacker knows what criteria are used for identification, they could simulate a given user's typing patterns. And to collect data on how you type, they could collect it when you're typing into your text editor, IDE, website forms, or anywhere else.
It seems there would also be a problem when the same person is signing in on a computer with a keyboard vs on their phone/tablet.
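The two attacks raised above (replaying a stolen stored signature, and reproducing a user's rhythm from timings captured elsewhere) are easy to see against a toy fixed-text keystroke-dynamics verifier. The code below is an added illustration, not code from the thread, from DARPA's program or from any product mentioned here. Everything in it is constructed: the passphrase, the per-key dwell/flight means standing in for a user's rhythm, the Gaussian jitter, the z-score distance and the 2.0 threshold.

```python
"""Toy keystroke-dynamics enroll/verify loop (constructed example).

A sample is a list of (key, press_ms, release_ms) events for one typing of a
fixed phrase. Features are per-key dwell times (release - press) and
per-transition flight times (next press - this release). The template stores
a (mean, stddev) pair per feature; verification is the mean absolute z-score
against a fixed threshold. All numbers below are invented for the demo.
"""
import random
from statistics import mean, pstdev

PHRASE = "tie5Roanl"        # constructed fixed text
THRESHOLD = 2.0             # constructed: mean |z| below this passes
SD_FLOOR_MS = 5.0           # avoid dividing by a near-zero stddev

# Constructed rhythm profiles (ms). The "user" is a steady typist; the
# impostor types the same phrase noticeably slower.
USER_DWELL = [90 + 7 * (i % 4) for i in range(len(PHRASE))]
USER_FLIGHT = [140 + 20 * (i % 3) for i in range(len(PHRASE) - 1)]
IMPOSTOR_DWELL = [d + 60 for d in USER_DWELL]
IMPOSTOR_FLIGHT = [f + 80 for f in USER_FLIGHT]


def features(sample):
    """Return dwell times followed by flight times for one sample."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples):
    """Build a template: (mean, stddev) per feature over the enrollment samples."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(col), max(pstdev(col), SD_FLOOR_MS)) for col in columns]


def score(template, sample):
    """Mean absolute z-score of the sample against the template (lower = closer)."""
    return mean(abs(x - m) / sd for x, (m, sd) in zip(features(sample), template))


def verify(template, sample):
    return score(template, sample) < THRESHOLD


def synth_sample(dwell_means, flight_means, jitter_ms, rng):
    """Synthesise key events from per-key means plus Gaussian jitter.

    Used both to stand in for a real keyboard and, with the template's own
    means and tiny jitter, to play back a stolen template.
    """
    events, t = [], 0.0
    for i, key in enumerate(PHRASE):
        press = t
        release = press + max(20.0, rng.gauss(dwell_means[i], jitter_ms))
        events.append((key, press, release))
        if i < len(PHRASE) - 1:
            t = release + max(5.0, rng.gauss(flight_means[i], jitter_ms))
    return events


def demo(seed=1):
    """Enroll the user, then try four claimants against the stored template."""
    rng = random.Random(seed)
    template = enroll([synth_sample(USER_DWELL, USER_FLIGHT, 15.0, rng)
                       for _ in range(10)])

    genuine = synth_sample(USER_DWELL, USER_FLIGHT, 15.0, rng)
    impostor = synth_sample(IMPOSTOR_DWELL, IMPOSTOR_FLIGHT, 15.0, rng)

    # Template theft: whoever reads the db gets the means and can emit the
    # signal the keyboard would have sent, skipping the typing entirely.
    n = len(PHRASE)
    stolen_dwell = [m for m, _ in template[:n]]
    stolen_flight = [m for m, _ in template[n:]]
    replay_from_template = synth_sample(stolen_dwell, stolen_flight, 2.0, rng)

    # Capture elsewhere: timings logged while the user typed the same phrase on
    # some other page are just another genuine sample when sent back.
    captured_elsewhere = synth_sample(USER_DWELL, USER_FLIGHT, 15.0, rng)

    return {
        "genuine": verify(template, genuine),
        "impostor": verify(template, impostor),
        "replay_from_stolen_template": verify(template, replay_from_template),
        "replay_of_captured_timings": verify(template, captured_elsewhere),
    }


if __name__ == "__main__":
    for claimant, accepted in demo().items():
        print(f"{claimant:30s} accepted={accepted}")
```

The verifier separates the user from a slower impostor, but it accepts the synthesised playback of the stored means just as readily as the real user, and a captured genuine session is indistinguishable from a live one. Nothing in the template can be "changed" if it leaks, since it describes the person rather than a secret they hold, which is the revocation problem raised above.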
There is research stretching back 30 years in this area. Some of the results are very promising, but the field is severely encumbered with patents. I was even threatened with a cease-and-desist while doing a research project in this area for a graduate class.
Admit One Security already does this as a part of their keystroke dynamics tool. One interesting thing they do with it is to use key strokes to see if users are sharing passwords for subscription services.
http://admitonesecurity.com/keystroke_dynamics_advantages.as...
It all sounds interesting, though wouldn't it be incredibly hard to identify the same person typing on a keyboard with a different layout or a different device?
I think the original idea (or at least the one that DARPA is researching) is that this tech will be only used on government computers, so, assuming they all use the same computer, that should eliminate some of the problem.
For other uses, you're right, this would be impractical, because typing on a physical keyboard is obviously different than a touch-screen phone keyboard.
[+] [-] Herring|14 years ago|reply
There's a chance they can make that a non-trivial problem, like recovering plaintext given a hash.
[+] [-] glimcat|14 years ago|reply
They do link to the DARPA Active Authentication program:
http://www.darpa.mil/Our_Work/I2O/Programs/Active_Authentica...