I need someone to explain this to me.

Safelock: biometric typing security

We’ve seen some ways to bypass biometric security measures, but here’s a new offering that we think will be hard to fool. The Safelock system is used in conjunction with a password to identify a specific user. This software records your typing style, including the time between keystrokes, the time keys are held, and key pressure data. This information is then normalized and compared to the profile stored for the user when the password was originally set. If your typing doesn’t fall within the tolerance of that stored profile, you won’t get in even with the right password.

The icing on the cake is that Safelock will look for malicious users. If you enter the wrong password, it will begin to record and analyze your typing style. If you make enough incorrect attempts you will be labeled as a security threat and locked out of the system altogether. We can only think of one reliable way to circumvent this and that’s using a man-in-the-middle method of recording the keyboard inputs of the legitimate user for playback later.

This is an innovative user identification system, and we’re not the only ones who think so. [Jeff Allen] and [John Howard], students at SMU, won first prize in the Student Innovation Contest at the 2009 User Interface Software and Technology Symposium.
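As an added example (not Safelock’s own code, nor anything from the SMU project), here is a toy Python verifier built from the article’s description: enrollment samples are normalized into a per-feature profile, a login is accepted only when the password matches and the typing rhythm falls within tolerance, and repeated misses lock the account. The hold/flight feature set, the z-score distance, the 2.0 threshold and the three-strike lockout are assumptions, and the timing samples are constructed.

```python
"""Toy keystroke-dynamics verifier modelled on the Safelock write-up.
Per key: hold time (down->up) and flight time (previous up -> this down), in ms.
Pressure is omitted (needs a special keyboard). The z-score distance,
threshold and lockout policy are assumptions made for this example."""
from statistics import mean, pstdev

# Constructed enrollment samples: one user typing a 4-key password four times.
ENROLLMENT = [
    [(95, 0), (110, 130), (90, 180), (105, 120)],
    [(100, 0), (105, 140), (95, 170), (110, 125)],
    [(90, 0), (115, 135), (92, 175), (100, 130)],
    [(98, 0), (108, 128), (88, 185), (102, 118)],
]
MAX_FAILED_ATTEMPTS = 3  # assumption: treated as a threat after this many misses

def build_profile(samples):
    """Per-feature (mean, std dev) over the enrollment samples."""
    profile = []
    for key in range(len(samples[0])):
        for feat in (0, 1):  # 0 = hold, 1 = flight
            vals = [s[key][feat] for s in samples]
            # floor the deviation so a constant feature (first flight) can't divide by zero
            profile.append((mean(vals), max(pstdev(vals), 1.0)))
    return profile

def distance(profile, attempt):
    """Mean absolute z-score of an attempt's features against the profile."""
    feats = [v for key in attempt for v in key]
    return mean(abs(v - m) / sd for v, (m, sd) in zip(feats, profile))

class Verifier:
    def __init__(self, password, samples, threshold=2.0):
        self.password, self.threshold = password, threshold
        self.profile = build_profile(samples)
        self.failed, self.locked = 0, False

    def login(self, typed, timings):
        """Return 'ok', 'bad_password', 'rhythm_mismatch' or 'locked_out'."""
        if self.locked:
            return "locked_out"
        if typed == self.password and distance(self.profile, timings) <= self.threshold:
            self.failed = 0  # right password AND matching rhythm, as the article describes
            return "ok"
        self.failed += 1  # either kind of miss counts toward the lockout
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            return "locked_out"
        return "bad_password" if typed != self.password else "rhythm_mismatch"
```

The floor on the standard deviation is the knob the commenters below are arguing about: a looser floor or higher threshold reduces false rejections of the real user on a bad-typing day, at the cost of letting a replayed or imitated rhythm through.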

Comments

  1. Aaron Kafton says:

    Add this with the pressure sensitive keyboard and it’s almost unbeatable.

  2. MS3FGX says:

    Very interesting idea, though it requires a special pressure sensitive keyboard to work to its full potential. Obviously they could do the key press timing and hold times with a regular board, but I suppose it would lose a lot of accuracy without the hold pressure data.

    It also seems like the effectiveness of this system is directly proportional to the length and complexity of the password; there is only so much timing data that could be extrapolated from a 4 letter password. That, and I am not sure how much I like the idea of being denied access to the system even if I typed in the correct password. Even though they say the system is 96% accurate, I KNOW there are some times I am not typing the same way as I usually do for whatever reason.

  3. vonskippy says:

    Unfortunately, that method doesn’t travel well. People type differently at different keyboards and in different typing positions (sitting, standing up, one handed, etc). So all you get is a security system that locks out its own users. Not all that useful (we tried a system like this in a mid-size hospital). Two factor authentication (i.e. password PLUS swipe card) is still the easiest and most effective/secure method – at least for environments where people move about and use multiple different platforms.

  4. Aaron Kafton says:

    and… I’m a retard

  5. Skyler says:

    What happens if the user takes a typing speed course? Hey presto, no more access for you!

    Talk about punishment that doesn’t fit the crime… lol!

  6. Jesse says:

    I can attest to what MS3FGX said; I’m typing one-handed after breaking three fingers, and my typing style is different. Not only did it change after the accident, it’s changed nearly every day as I get used to touch-typing this way. As a sysadmin, getting locked out because of hunt-and-pecking the password is not a good thing.

  7. Alex says:

    Will this kick me out if I type with one hand? (One hand typing is necessary for much of my internet research.)

  8. user says:

    Post 1:
    This seems to use the pressure sensitive keyboard covered a while back.

  9. nave says:

    I thought of this a year or two ago and started to program it. But I told my older brother about it and he told me that it was pointless because someone would have done it by then (I actually listen to my brothers sometimes) and so I stopped programming it. (Like I would have even got close) lol

    I’m not going to listen to my brother anymore.

  10. anon says:

    When is a man-in-the-middle attack not the most reliable hacking method?

  11. Till says:

    Broken arm/finger – no access. Doh! ;)

  12. Mr. Sandman says:

    @Alex: I don’t want to know what “research” you do that requires one hand…

  13. Concino says:

    This is not a new technology at all, it’s been around for at least couple of years.

  14. Verence says:

    Doesn’t travel at all.

    Try to enter your complex password on a German keyboard (QWERTZ) or a French keyboard (AZERTY) with the same speed pattern…

  15. Alastair says:

    Knowing my luck, I’d break my hand the day after I get this set up.

  16. Jeff says:

    Our (primitive) website addresses a couple of the issues brought up. (http://jdadesign.net/safelock/).

    Breaking/losing a finger would likely be problematic, yes. Thankfully, that seems to be an extraordinary situation – a sysadmin could likely turn off some of the timing in such an event?

    @Jesse / @Skyler: The algorithm is adaptive; it will be slightly tuned with every successful login. As you get more comfortable typing a password (which surely happens the longer you’ve had the password), your typing “signature” grows with you.

  17. anonymousposter says:

    This is just as weak as any other password-based system. How are most passwords stolen? Viruses. What can a virus do once it gets on your system? Anything it wants, including recording the time/pressure data as you enter the password into your online banking site, which the evil botnet overlord can then replay from his evil lair at his leisure.

  18. aztraph says:

    If you don’t want someone to use your computer, just reset the keyboard to Dvorak but don’t change the keys around, sit back and watch the confusion.

  19. M4CGYV3R says:

    This was a system described in detail in the beginning of the book ‘Prey’ by Michael Crichton (an excellent read, dealing in high-tech and proverbial grey-goo). It’s not a new concept, and it’s not accurate by any means. My typing style changes quite often based on my mood, the time of day, and how lazy I’m feeling. This will never be a viable biometric verification.

  20. Hacker Harry says:

    Come on guys…
    This is not a new technology…

  21. dannyMal says:

    These guys http://www.biopassword.com/ were doing this back in 2007 or earlier. Others have worked in this space, too.

    I’ve seen (unpublished, unfortunately) results showing how ineffective this is, and the short of it is that there’s a reason that biopassword/AdmitOne and ID Control BV have not got noticeable market shares. Keystroke metrics are either so loose that they prevent almost nothing or are so tight that the intended user can’t get access, and anything in the middle lets too much in while still often rejecting the real deal.

  22. Angus McInnes says:

    Why is this useful? How is it more secure than just using a password? Someone using a keylogger can log the timing data and play it back almost as easily as a normal password.

    Plus it’s much more inconvenient for the legitimate user, forcing them to type the password the same way every time. Sometimes I log in with one hand while doing something else, and often if I make a mistake in my password I want to type it more carefully on the second attempt rather than getting locked out. This system stops me from doing that.

  23. Matt says:

    @vonskippy

    I think that biometric systems have a lot of room for improvement. Two factor systems are simple, but they still have the same fundamental flaw of not identifying a user based on a unique trait which cannot be mimicked.

    A better authentication system could be one based on facial expressions. Something like a randomized series of facial expressions that the user must recreate could be a better solution. Muscle control and facial structure are relatively unique. Short of bashing up your face or getting plastic surgery, both of which are events significant enough for the user to know a change in their password is necessary, you shouldn’t have problems with failed authentication in.

  24. Arrangemonk says:

    It would be great if it let you through if the password isn’t 100% correct but the typing style fits.

  25. dsfdsf says:

    Not practical at all! Break your hand and get that cracker ready.

  26. inportb says:

    I’m really happy for you and I’ma let you finish, but this is not news. Sorry.

    I released some example code last month demonstrating biometric authentication through keystroke timing. It’s in JavaScript and is thus suitable for use in web development.

    http://www.110mb.com/forum/a-novel-biometric-authentication-aid-ecmascript-demo-inside-t50338.0.html

  27. Tachikoma says:

    Interesting idea… I’d like to know the stats on how much false negatives you experience with this thing. I can imagine people getting pissed off pretty quickly if it rejects you for minor things like a slight change of typing habit, posture, etc.

  28. Ted says:

    This would be fine as a confidence test; as a transparent layer of security it would be useful mainly in log files to see if more than one person has been logging in with a single account.

    Take a user being given a domain credential that is meant only for that person, yet the person distributes his login to a few other people in the office. You would likely start seeing trends where everyone would have distinct ways of logging in and you could assess how many people have been using it and more importantly when. Maybe person X shows up as using the login more than person Y.

    Like the polygraph, it would probably not be admissible in court, but with creative implementation it could be used in data mining.

  29. Stu says:

    As others have said, this has been out for quite a while. The ones I’ve seen recently factor in other markers, such as known IP addresses and time-of-day data, to minimize some of the issues discussed. Type differently before that first cup of coffee? The system understands and corrects for that. Static IP address? Bump up the confidence level. All factors match except one? Lower the confidence, but allow limited access.

    It’s still not perfect, but with adequate tuning, it could be “good enough”…

  30. oNo says:

    This just makes the human the weaker link.
    http://xkcd.com/538/

  31. Dan Fruzzetti says:

    Drug users will not be able to use this system as most of the ‘good drugs’ cause changes in cognition that affect typing speed / key pressure / ‘clumping’ of keys typed.

    Also musicians will have issues as well — when you play your instrument you activate all sorts of kinesthetic pathways in the brain. Most of them stay active when you move to your computer and start typing right afterward. Anyone who’s played a guitar and then responded to e-mail has noticed this.

  32. Fantastic site and great content. Thanks for the very informative and timely content. Please keep up the quality. Thanks…

  33. NKT says:

    @nave: No, your brother was right – this is a crappy idea.

    @Jeff: Great, I’ll remember to deactivate the pressure and timing check before I go and break my hand.

    Timing attacks like this are easy to beat anyway, as you only need an audio or video recording of the password being typed, or even just listen to the cadence whilst shoulder surfing, and you are then double authenticated.

    Plus, when you get the password wrong the second time, you change your typing for the 3rd go, to be certain you haven’t left caps lock on and to avoid the time-out penalty. This would *ensure* you never got in!
