Can a person be identified by just the way they type?

119 points | ColinWright | 13 years ago | blog.wolfram.com

82 comments

[+] paulsutter|13 years ago|reply
Yes. A friend of mine has a patent on a gun that fires only for one person. The gun has been extensively tested and works great. The fire/no-fire decision is based on the way the trigger is pulled.

Gun manufacturers hate it because it has scary gun control implications. But if/when it does become available New Jersey police will all use it.

Keystrokes should be way more distinctive than a trigger pull.

EDIT: Michael Recce is his name, http://www.njit.edu/news/2003/2003-125.php

[+] arjunnarayan|13 years ago|reply
Screenplay for the opening scene of Bond 24 (Skyfall is already in post-production).

James Bond is chasing a villain. Draws his gun to aim for a long range shot. (Gun has a little green LED on the side) Out of the side lunges a henchman who engages Bond in hand to hand combat. The gun goes skidding away. Henchman wins combat over Bond and runs to the gun. It appears Bond is done for. Henchman draws gun. The LED is red, but the henchman doesn't notice.

<CLICK>

Henchman thinks the gun is out of bullets and flings it at Bond as a projectile and runs at him to reengage hand-to-hand combat. Bond deftly catches the gun. He draws it. The LED is green.

Cue gunbarrel sequence.

http://www.youtube.com/watch?v=4_XPjcAFuQY

[+] defen|13 years ago|reply
That's fascinating. Can you share more detail? How do they key it to the individual? Do people really not pull the trigger differently in high-stress situations vs at the firing range?
[+] naeem|13 years ago|reply
How do they overcome safety risks? What if in the heat of a gunfight, the user pulls the trigger in a different manner and gets locked out by the gun?
[+] goostavos|13 years ago|reply
Is it an active thing? Does it learn and adapt to your pull style as you grow as a marksman? A lot of my range time is spent trying to smooth out my trigger pull. As I get better, does the gun recognize this change in pull style?

Does it also detect the changes under duress?

Really fascinating stuff.

[+] hobin|13 years ago|reply
What would happen if I were stressed out? I'm quite sure I'd pull the trigger differently then.
[+] Zimahl|13 years ago|reply
I built some network security software in the early part of the 2000s. Around 2005, a local guy built a keystroke pattern recognizer utilizing neural networks to learn your keystrokes and was able to correctly identify who you were after a minimal amount of learning (typing). He brought it by to see if we were interested in licensing it and using it in our product.

While somewhat of a black box demo, we were able to play with the technology. We tried a ton of stuff to fool the system (physical only, we didn't use keystroke macros or anything like that) and it would correctly identify us every time. It was showing us the probabilities as they'd change and it was uncanny how it would immediately know that I started typing instead of a coworker.

So, it's not only probable/possible/exists, its only drawback is the lack of necessity. Outside of the highly paranoid using it to prevent outside intrusions (government mostly), not many systems need it due to lower-end attacks that are much easier to do and typically successful enough.

[+] mistercow|13 years ago|reply
How many people were there? Did he have any way of estimating the entropy of the signatures? Did you try the demo over multiple days, and at different times of day, to see if it continued to identify you correctly?

> its only drawback is the lack of necessity

No, that's not the only drawback. Be very careful when talking about cryptography and security never to assume that you are aware of all of the weaknesses unless you've got a formal proof.

One very big drawback I can think of off the top of my head is that it would essentially be like having the same password everywhere, and being completely unable to change that password. If someone records your typing style once, they will be able to get to absolutely everything that identifies you based on typing style. At least with retina scans and fingerprints, there are mechanical obstacles to producing a facsimile.

[+] colanderman|13 years ago|reply
The major problem with this scheme is that if I type it "wrong", I have no conscious way of recalling how to type it correctly. In fact, my natural cadence will likely be thrown off even more by the stress of not being able to log in. I would quite literally have to walk away from the computer, do something relaxing for a few hours, and then walk back hoping that I type naturally again.
[+] mertd|13 years ago|reply
I think the gatekeeping example serves just as a proof of concept. It could be more useful for continuous monitoring. For example, to tell you that somebody else may be using the computer that you are still logged in to.
[+] melvinmt|13 years ago|reply
> To view this content, please install Wolfram CDF Player. This will take 538.4 MB of space on your computer.

Erh.. no thank you.

[+] lucian1900|13 years ago|reply
231MB for the linux version, but it's 32bit only.

Yeah, no thanks.

[+] vnorby|13 years ago|reply
It seems like this could be built in Javascript. Might not be as precise but at least it would be demoable.
[+] golovast|13 years ago|reply
I've once evaluated a product like this pretty extensively. This was about 5 years back and I think the company is now called Admit One Security.

Surprisingly enough, that company's userbase absolutely hated carrying tokens and they wanted to bend over backwards to accommodate them. The entire point was to provide an alternative way of doing 2-factor authentication.

The bottom line is that it mostly did work as advertised. The place where it struggled was poor typists of the hunt and peck variety. They just didn't have a good enough pattern and the failure rate was fairly high.

Another weak point would be any type of hand injury or even being under the influence would throw it off completely.

I liked the approach a lot, but ultimately, when it does fail, it's extremely frustrating to the end user, since they don't really understand what they did wrong.

[+] pavel_lishin|13 years ago|reply
My first thought is that this can trivially be spoofed by installing a keylogger with playback functionality, but at that point a password wouldn't save you, either.
[+] joe_the_user|13 years ago|reply
Your first thought is correct. This fails. Trivially.

If you got through the problem of people's keystroke speed varying with local factors, you'd wind up with a situation where not only is your "password" the same on every site, even sites you visited without logging into could "sniff" your "password".

0-factor "identification"!

[+] JoeAltmaier|13 years ago|reply
Could you keylog/model a user when using another machine i.e. a public library computer, then use that model to simulate the user (playback) elsewhere? Do you have to capture them typing the 'passphrase'?
[+] ctdonath|13 years ago|reply
According to a recent meme going around, the answer is "no" because the question is a headline.
[+] sirclueless|13 years ago|reply

    So the ability of this method to identify you based
    on your typing style would require a certain amount
    of consistency in the way you type.

Well done, you found the answer. A lot of people can't be positively identified, and the whole thing is error prone.
[+] aiscott|13 years ago|reply
The meme should specify the headline is a statement with a question mark, rather than a proper question.

I.e. THIS POST TO BE DOWNVOTED?

Vs SHOULD THIS POST BE DOWNVOTED?

[+] Terretta|13 years ago|reply
The late Michael Crichton wrote an Apple II program in the mid 80's using intra-letter timings to check if the person typing a password in was the person who set it. Worked pretty well; better if improved to sample multiple times, use long phrases, and adjust tolerance.
[+] marquis|13 years ago|reply
That's an interesting idea for 2-factor auth. I know how to enter my computer password blindingly fast, it's pure physical memory.
[+] paulhodge|13 years ago|reply
This idea has some history to it, I remember reading that they tried to use this same analysis in the trials against Kevin Mitnick. Some clever sysadmin had recorded Mitnick's telnet activity (as it went across some crappy modem) and claimed to be able to identify him based on the timing of different keys. The judge threw it out as not being reliable evidence.

Wish I could remember where I read that; it was some book about hackers in general.

[+] hippich|13 years ago|reply
Yes. I did it back in 6th grade (i.e. somewhere in 1997 probably) using Turbo Pascal without all this fancy/shmancy neural stuff. Just a 3 dimensional array, one plane for each user, and get the average time between key strokes. It was good enough to detect me, my mom, father and my friend.

It also has a downside - your pattern will change over time and if this is the sole authentication measure - it will fail eventually. I would use it as fuzzy monitoring to detect stolen credentials instead.

[+] mistercow|13 years ago|reply
The biggest problem with this is that it requires uniqueness to be traded for error tolerance. People are going to have different typing styles depending on their mental and physical state, and their typing styles will change over time. In addition, while the space of possible typing signatures is very large, the space of actual typing signatures is much smaller. So we simultaneously have to assign each person a blob of signature space which is big enough that it can positively identify them regardless of whether they've had their morning coffee (or, god help them, they cut their finger or break their arm), and small enough that we don't have so much signature overlap as to make the system useless.

In either case everybody will have to have a fallback password in case their stride is off one day. If the system works well, then that password will be rarely used. A rarely used password is harder to remember than a regularly used one, so people will choose weak passwords for the fallback.

So the only way that this system has any chance of working without grossly compromising everyone's security, is if it barely ever positively identifies anyone.

Of course, even if it did work perfectly, it would be the equivalent of having the same password everywhere. In that case, why not just memorize one strong password?
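
The averaging scheme hippich describes and the uniqueness-versus-tolerance trade-off mistercow describes, as an added example that is not part of the thread or of the linked article. The timings, attempt labels and function names are constructed for illustration; the score is a plain mean absolute difference in milliseconds.

```javascript
// Added example. All timings are constructed for illustration, not measured.
// Inter-key intervals (ms) for one fixed 8-key phrase, recorded at enrollment.
const ENROLLMENT = [
  [110, 95, 140, 80, 120, 100, 90],
  [118, 90, 150, 85, 112, 108, 95],
  [105, 99, 135, 78, 125, 96, 88],
];

// Later login attempts, all claiming to be the enrolled user.
const ATTEMPTS = [
  { label: 'owner, rested', genuine: true, t: [112, 93, 142, 82, 118, 102, 91] },
  { label: 'owner, stressed', genuine: true, t: [150, 70, 190, 60, 160, 130, 70] },
  { label: 'similar typist', genuine: false, t: [125, 105, 130, 95, 130, 115, 100] },
  { label: 'different typist', genuine: false, t: [155, 145, 118, 152, 168, 132, 147] },
];

// Profile = per-position mean interval across the enrollment samples.
function enroll(samples) {
  const n = samples[0].length;
  if (samples.some((s) => s.length !== n)) throw new Error('unequal sample lengths');
  return Array.from({ length: n }, (_, i) =>
    samples.reduce((sum, s) => sum + s[i], 0) / samples.length);
}

// Score = mean absolute difference from the profile, in ms (lower is closer).
// A typo or backspace changes the interval count, so it is rejected outright.
function distance(profile, t) {
  if (t.length !== profile.length) throw new Error('attempt length differs from profile');
  return t.reduce((sum, v, i) => sum + Math.abs(v - profile[i]), 0) / t.length;
}

// For each tolerance, the share of false rejects (owner locked out)
// and false accepts (someone else let in).
function sweep(profile, attempts, tolerances) {
  const genuine = attempts.filter((a) => a.genuine);
  const others = attempts.filter((a) => !a.genuine);
  return tolerances.map((tol) => ({
    tol,
    frr: genuine.filter((a) => distance(profile, a.t) > tol).length / genuine.length,
    far: others.filter((a) => distance(profile, a.t) <= tol).length / others.length,
  }));
}

const profile = enroll(ENROLLMENT);
for (const a of ATTEMPTS) console.log(a.label, distance(profile, a.t).toFixed(1), 'ms');
console.table(sweep(profile, ATTEMPTS, [5, 20, 35, 50]));
```

On this constructed data no tolerance gives zero false rejects and zero false accepts: widening it far enough to admit the stressed owner also admits the similar typist.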

[+] sbornia|13 years ago|reply
I'm sure the way I type is quite different when I type on another computer's keyboard... I don't see the point of this...
[+] ColinWright|13 years ago|reply
It's sometimes said that if you aren't embarrassed by your product at launch then you've waited too long. It's important to get early feedback, and build on early reactions and responses.

Likewise, by making ideas like this, along with an early investigation, perhaps someone can build on it, or throw out another idea, and perhaps people can work together to find a good solution to the mess that is current user identification.

Or would you rather people beavered away in secret, never sharing ideas, never sharing their results, and never working together?

[+] mdaniel|13 years ago|reply
And it differs quite a bit based on _what_ I am typing, too. Plus the tactivity(?) of the keyboard factors in, because as soon as I have feedback that the key was registered, I am on to the next one.
[+] alaithea|13 years ago|reply
Especially if a Dvorak user is forced to use Qwerty on another person's computer. At that point, they become completely unable to log in via this method.
[+] 1123581321|13 years ago|reply
I'd love to see this analysis broken down by qwerty, Dvorak and Colemak.
[+] devs1010|13 years ago|reply
I worked for a company that makes test taking / proctoring software that attempts to do this, I didn't work on the product myself but it seemed a bit of a trainwreck as they would always be having to do overrides for people who couldn't make it past the typing authentication (which was based on a previous sample of their typing), it measured pace, speed, etc. The company itself wasn't that great so not surprising their implementation of this wasn't optimal, however it's an interesting concept.
[+] inportb|13 years ago|reply
http://hackaday.com/2009/10/09/safelock-biometric-typing-sec...

I experimented with this a couple of years ago when I saw that video, by implementing an ajaxy authentication system that timed keystrokes. Ignoring the fact that you could probably keylog the heck out of it, I found that a single user's typing patterns varied substantially, depending on typing skill, input device, and so on. Oh, well.

[+] davidwparker|13 years ago|reply
Interesting... until I have an injury or someone with disabilities has to use it and are not consistent typists anymore.
[+] zafriedman|13 years ago|reply
Counter question. Can a person be identified by just what it takes to get them to download the Wolfram CDF player?
[+] john61|13 years ago|reply
I once wrote a simple keystroke analyzer for a login page. It was based just on the duration and pauses of your keystrokes. Worked great but had little practical usefulness. The advantage and disadvantage is you cannot simply write down the password.
[+] jeremyarussell|13 years ago|reply
So for authentication this doesn't seem like it could completely replace the password. That said wouldn't it be interesting as a way to tell when someone is stressed out or tired. For instance I know when I'm super mad my spelling goes down the pot.
[+] eliasmacpherson|13 years ago|reply
Remember gmail's arithmetic questions after watershed to prevent drunken users writing 'regrettable' emails? This could be another angle to provide the same functionality.
[+] ThomPete|13 years ago|reply
So basically you could create a service where:

1. You ask a user to type in a couple of words.

2. Create a profile for them.

so that when you sign up for something you:

3. verify they are who they say they are as they fill out the form.

4. can skip captcha? (i.e. the form filling is the captcha)

?

[+] riobard|13 years ago|reply
No I don't want to fill the form by hand. I'd like the browser to autofill it for me the next time.