Input Devices Security Science

Users Identified Through Typing, Mouse Movements 149

Posted by Soulskill
from the this-guy-always-whacks-his-space-bar-really-hard dept.
mask.of.sanity writes "Users can be identified with a half percent margin of error based on the way they type. The research work has been spun into an application that could continuously authenticate users (PDF), rather than just relying on passwords, and could lock accounts if another person jumped on the computer. Researchers are now integrating mouse movements and clicks, and mobile touch patterns into the work."
This discussion has been archived. No new comments can be posted.

  • by six025 (714064) on Friday November 22, 2013 @09:52AM (#45490195)

    So that means no more posting on Slashdot while drunk?

    Not sure if this post is funny or insightful ;-)

    • by Anonymous Coward

      I'm guessing my typing and mouse usage habits change significantly when I get pissed off from being locked out of a system by a security method I can't directly control.

      Using the mouse and keyboard as high velocity projectiles, cords streaming out behind them as they fly across the cube farm and impact the manager's face that implemented such an idiotic authentication scheme come to mind. Authenticate this, bitches!

      • by TWX (665546)
        Well, being angry is certainly one thing that may matter, but having multiple devices is another.

        I'm typing this on a Sun Type 6 USB keyboard. Next to me is one of those early full-size clear Apple USB keyboards. At home I use a Gateway 2000 "Anykey" keyboard on my desktop, and the integrated keyboard in my laptop when using that machine. I use a Kensington Expert Mouse trackball at home on the desktop, the integrated touchpad on the laptop as well as an external Logitech mouse, a Kensington Orbit Opt
        • Different devices really aren't a problem. It's a lot like recognizing your family members while they are wearing different outfits. A twenty-something black lady, pregnant, with medium length braids sitting in my couch is probably my wife. Without my glasses my vision is 20/100 but I could almost always distinguish an intruder vs. my wife. Most likely, an intruder would look nothing at all like my wife.

          That's a good analogy for how we use this type of technology in Strongbox. We start with the f

          • by jonbryce (703250)

            But my typing pattern is surely very different if I am typing on an IBM Model M keyboard, or on the on-screen keyboard on my iPad, just like your wife's walking pattern is probably very different if she is walking in 6" stilettos, or in a pair of trainers.

            • The point being that there will still be identifying characteristics that will span all walking styles regardless of shoe type. Meaning someone that always types hte instead of the will do it no matter which keyboard they are typing on. A person that uses the hunt and peck will do it no matter which keyboard they are using.
              • by mjr167 (2477430)
                What if I'm eating my lunch and only typing with one hand?
                • > What if I'm eating my lunch and only typing with one hand?

                  Then this is probably something you do regularly.

                  The thing that gets me though is, how does this deal with network lag? If you're doing remote login, it'll add all sorts of interference based on how responsive the connection is. Thus, if I went on a business trip to China and attempted to log in, would the system still recognize me as me?

                  Mouse use really is a very personal thing though; people tend to do very different things with their mice while typing.

                  Think of this not as a way of identifying an indivi

                  • > Think of this not as a way of identifying an individual, but of screening out those who are obviously NOT that individual.
                    > This problem is _much_ easier to solve.

                    Absolutely. What we do with Strongbox, anyway, is start with "this person is claiming to be _____". Then we can start checking various parameters. Rather than list our exact parameters and algorithm, I'll stick with the analogy:

                    Does the height match?
                    Does the weight match?
                    Does the age range match?
                    Does the race match?
                    Does the clothing

                    • And to apply that test to FPs:

                      Test 1: 90.00 % of legit users remain.
                      Test 2: 89.00 % of legit users remain.
                      Test 3: 88.75 % of legit users remain. ....

                      So if you set your threshold at some reasonable level, like 50% confidence, pretty much all the imposters will be blocked, while for legit use to change, you'd have to be remotely logging in over a laggy connection, dictating your commands to someone else to perform. There's still both FN and FP possibilities, but it's less than you'd get with biometric methods,

                • by hoggoth (414195)

                  > What if I'm eating my lunch and only typing with one hand?

                  Yeah, right. "eating my lunch"...

                  If the system detects you are "eating your lunch" and typing with one hand, it will automatically direct you to your favorite porn sites.

                • Yeah I bet you're "eating" when you only have 1 hand available at your computer.
          • I am not so sure about consistency of typing style across every keyboard. Some keyboards buttons are bounced nicely and that made me feel like typing faster. Some aren't that great and frustrated me which in turn slows me down or causes stop-and-go effect on my typing style. Also, different keyboard layout affects the way I type because I need to adjust my fingers (especially my right pinky) to reach certain button/character. I also like to use num-pad to enter numbers rather than the number button on the t

            • > I am not so sure about consistency of typing style across every keyboard.

              Perhaps we could perform experiments and gather data on the subject.

              Nah, that's way too science-y for Slashdot. Better to just proclaim that it will never work and earn some karma.

              • > Nah, that's way too science-y for Slashdot. Better to just proclaim that it will never work and earn some karma.

                Yes, the talk is easy but the practice is not. I did not say it will never work, but I implied it unlikely works or is effective due to different style of typing regarding different 'hard ware'. Besides the point, you are sicked if you think that other people posting here are looking to earn karma or whatever. Maybe it is you who reply and look for it instead.

            • > Even though one could have similar typing style, I doubt that it is always the same on every keyboard.

              Several numbers can be used to describe "typing style". Some of those numbers are remarkably consistent.
              In other respects, you end up with two profiles, i.e. "John on his iPad" and "John at his desk".
              Those match up with other parameters like OS patch level, browser version, plugins, etc. You, on your iPad,
              type in a certain way, on a certain version of the device, using a certain browser with certain plugi

              • I understand that you are talking about certain different range of typing style. I accept that thought. The problem for me is not the idea, but it is the threshold of the range they are looking for. I don't know the criteria they used in identifying style. Also, their sample size of 2000 is extremely small compared to a population in a country. I don't believe it effectively works as they claim, but they put this news out just to get attention from public. I guess they want to test the public reaction, and

                • > Also, their sample size of 2000 is extremely small compared to a population in a country. I don't believe it effectively works as they claim, but they put this news out just to get attention from public.

                  Oh certainly. This is about the fourth Slashdot article on it and we've been doing it for years, so it's in no way new. Three years from now they'll announce their chickcaptcha idea, which we launched on 5,000 production sites 18 months ago.

                • by kermidge (2221646)

                  "If the height matches, the weight matches, the skin tone matches, the clothing style matches, the hair length matches, the hair color matches, the hair style (curly, straight, etc.) matches, and she says "hey baby", that's probably your spouse."

                  Or one heckuva stunt double or stand-in. Or one of twins, triplets, etc. Once in motion, tho, I can see that as being quite a bit more distinctive, and a clincher, all else being equal. From what I gather, from the article and what you've said, it's the full combi

        • I expect that my mouse movements and typing styles vary from computer to computer. If the point of an authentication scheme using this sort of method is to be global, I'd end up with either lockouts or with multiple profiles, requiring updating every time I use different equipment. Right now we're up to four without even going into other computers I have casual use of, and I can only see that going up over time.

          Well, there's good and there's bad. Let's look to a completely different industry that uses similar analytics, but for a very different purpose: Credit card companies. As you know, they track your purchase habits. What you may not know is that they also use this for fraud detection. A very simple example would be making a POS purchase in California, and a half an hour later, making a POS purchase in New York, when only one card was issued to the card holder. This would be a red flag -- we can safely assume

          • by kermidge (2221646)

            Well and good, and mechanically (oops - algorithmically) spoofing someone's login strokes rather than a short reply on /. is a lot easier to deal with. Thing is, tho, that humans don't - cannot, actually - do a thing precisely the same way twice. We can get very, very close for a short, simple something, but it's still not exact. (Van Cliburn comes to mind.)

            So even for the short sequence of matching a login and introducing a wee bit of random variation, that may not match the user's not-quite random vari

      • Well, that's one way to get rid of employees with anger-management problems.
    • by king neckbeard (1801738) on Friday November 22, 2013 @10:12AM (#45490397)
      This would probably be a far more useful application of it. Say that you have a tendency to drunkenly dial/text a certain subset of people. If your phone detects that you are drunk, it prevents you from dialing those numbers and embarrassing yourself.
      • > If your phone detects that you are drunk, it prevents you from dialing those numbers and embarrassing yourself.

        Yeah, because drunk people respond so well to people and things telling them 'no'. I'm imagining your phone detecting you're drunk, followed shortly after by your phone detecting it is dying because it was thrown at a wall. then stomped on. Then punched. And then finally drowned in warm beer.

        • by Agent0013 (828350)
          Well, a drowned in warm beer phone will prevent you from dialing the number and embarrassing yourself. So it did work anyway.
    • by Anonymous Coward

      I am hoping that this technology can be used to curb the moron in the next cube here. He is borderline obsessive-compulsive, and hammers his semi-clicky keyboard in a way analogous to machine gun burst. He also has apparently never heard of enhanced document formatting, so the bursts of actual typing are punctuated by the sporadic rattle of the spacebar.

      Hopefully for the security and continued survival of this business, some new feature will soon completely lock him out of the computer.

      • Nah it will just mean that he won't be able to change that entertaining habit or he'll get locked out of his workstation.

    • This has been tried before and the frailty to the model (now as in the past) is people are not consistent.

      We change. Some of us change several times each day, not schizophrenia-like but still distinctly. But not necessarily consistently.

      Not a great authentication method. Sorry kids.

    • by mrhippo3 (2747859)
      And this is a "surprising" result because...? Of course you develop patterns based on how "fast" you type. As a "some fingers" typist, my timing between key presses probably does not vary too much. It is easy to see how the time difference between key presses (based on the prior and following characters) and even some words can be predicted with a reasonable degree of accuracy. Thinking of these patterns like the "stripes" on a DNA scan you can easily do a pattern match to uniquely identify which set of key
      • In WW2 British radio interception staff could recognise individual telegraphists by the rhythm of their dits and dahs - a Morse accent if you like.

        Since some reused their encryption settings this was a help to the codebreakers.

        • And this also played a role in the Pearl Harbor attack. From http://en.wikipedia.org/wiki/Traffic_analysis [wikipedia.org]

          > The Japanese Navy played radio games to inhibit traffic analysis
          > with the attack force after it sailed in late November. Radio operators normally
          > assigned to carriers, with a characteristic Morse Code "fist", transmitted from
          > inland Japanese waters, suggesting the carriers were still near Japan

  • tough luck when... (Score:4, Interesting)

    by harvey the nerd (582806) on Friday November 22, 2013 @09:54AM (#45490223)
    ...your hand gets caught in the car door and your cash/food/alcohol supply shuts down for 3 weeks.
  • Yep, sounds like a great idea in theory. What happens when I'm trying to work through a migraine? That definitely changes my computer use patterns and mouse usage characteristics.

    May apply more to the usage of mobile smartphones to prevent being fraped these days.

    • I don't really get the hate for this stuff.. if you experience an unusual situation where it locks you out, I'm assuming there would be a way to type in your password, and possibly disable the system for the rest of the day.

      I think it sounds like a pretty cool feature for very security conscious users/businesses. I tend to lock my machine manually when I leave my desk, but sometimes I forget. I do have a screensaver which locks the screen, but there is an exploitable window there. Since I'm an admin, anyone

      • > I'm assuming there would be a way to type in your password, and possibly disable the system for the rest of the day.

        Wouldn't anyone trying to break in just do that then? So what good is it for security?

        • by Fwipp (1473271)

          If they already know your password...

          From TFS: "The research work has been spun into an application that could continuously authenticate users (PDF), rather than just relying on passwords, and could lock accounts if another person jumped on the computer."

          So, not for initial authentication, but if you forgot to lock your computer.

          • Yes, but the original commenter was wondering what happens if you, say, break your hand and are suddenly not typing the way you normally do. Either the system can't be disabled, which means the legitimate user is locked out whenever they have any sort of minor injury, or it can be disabled, which means it's useless for security because the other person jumping on the computer will just disable it right away.

            • You're not understanding the point of what he's saying. The non-legitimate user in his scenario doesn't have the legitimate user's password. If you require a password to disable this function, then the person who should have access can disable it, while the person who should not cannot.

              • But then how is this system any more effective than just a lockscreen that requires the password?

                • Because that's not the scenario that either of the parent posts (1 [slashdot.org] 2 [slashdot.org]) that you replied to were talking about.

  • 7|-|3Y \/\/||_|_ |\|3\/3|2 (/\7(|-| /\/\3 /\|_|\/3

    There. Identify me now, bastards.

  • News.. (Score:5, Informative)

    by Nimatek (1836530) on Friday November 22, 2013 @09:58AM (#45490261)
    How exactly is that new? https://www.keytrac.net/ [keytrac.net] http://www.intensityanalytics.com/ [intensityanalytics.com] http://www.idcontrol.com/keystrokeid [idcontrol.com] And there is like half a dozen more.
  • This is one of those topics which pops up about once a year in Slashdot.
  • What does that half-percent mean? It's not like our identity can be expressed as a number. Does it mean that it thinks the user is someone else one time in 200, or that for any person in their 2000 user sample set, they matched with 10 of them (both of which would be useful as long as not the only factor we rely on)? Or something else entirely?
    • > What does that half-percent mean?

      Or does it mean that 99.5% of the time the sw is sure it's me and lets me keep typing but every page or two, up pops a warning in my Word document and the webcam scan scans my iris to take care of the other .5%?
      Or perhaps a less intrusive way to deal with typing is to munge it up if some yutz suddenly *&^% &^% (* $%^ would work.

    • by gl4ss (559668)

      once in 200 seconds it will lock you out for a second.

      seriously speaking, I guess it depends on the length of the analyzing window and they chose the best stat they had.

      but you wouldn't mind re-typing your password (in exact same manner and delays) every 3 minutes now would you?

      I seriously doubt the system can guess with 99.5% accuracy which of the users is using the system..

  • I bet it works even better than fingerprint recognition.

  • In the end, all of this becomes silly.

  • by DeathToBill (601486) on Friday November 22, 2013 @10:12AM (#45490409) Journal

    My typing has to match a certain pattern to authenticate me.

  • by Zanadou (1043400)

    That's why I don't type on the internet, I just lurk.

    Oh, shit.

  • Suddenly, you're logged out of every service as soon as you begin browsing with one hand.

  • My computer gets my password authentication in a couple of seconds. It sounds like these typing tests took 90 minutes and it didn't evaluate whether the person's typing patterns remain stable over longer times. In that time the program learns to identify a person, but how long does it take to recognize a known person?

    Do I type the same way when I'm tired? I don't know. Do I type the same way if I'm using a different computer and keyboard? When I'm thinking about what I'm writing carefully, as

    • by mjr167 (2477430)
      How about when you VNC into a remote machine and it takes 5 seconds for the characters to show up on the terminal?
    • by epine (68316)

      Otherwise it's going to be continually asking you to verify your identity which would be very disruptive of your work.

      I've always wanted an authentication system that identifies me by precisely the way I say "oh, fuck off" when something this stupid breaks my train of thought.

      Normally I type from the home position, but sometimes I cross arms (certain combinations of mouse and keyboard operations are easier that way) and sometimes I type with one hand (mainly when I'm eating at my desk) and sometimes I type

    • by PPH (736903)

      > but how long does it take to recognize a known person?

      Fast enough to stop the office practical joker from typing
      sudo rm -rf /
      when you get up to take a bathroom break?

  • by Anonymous Coward

    This is an Iowa State University (student?) prototype/proof of concept stage idea. Also note:

    Results from a large scale experiment demonstrated that the Cognitive Typing Rhythm had a 0.7% false
    rejection rate and a 5.5% false acceptance rate

    As everyone has been quick to point out, the concept is so flawed that there is zero chance of successful implementation. This is just a Slashvertisement for a study grant or startup wannabe.
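
How false rejection and false acceptance rates like the ones quoted above come out of a keystroke-timing matcher, as an added example that is not part of the thread or of the researchers' code. It scores the time between key presses per two-key sequence, as an earlier comment describes; the phrase, all timings, the 10 ms floor, the thresholds and every function name are constructed for illustration.

```python
from statistics import mean, pstdev

MIN_STD = 10.0  # assumed floor (ms) so a very steady digraph cannot dominate the score


def events(text, gaps):
    """Turn inter-key gaps (ms) into (key, key-down time) events, as a key hook would log them."""
    t, out = 0, [(text[0], 0)]
    for ch, gap in zip(text[1:], gaps):
        t += gap
        out.append((ch, t))
    return out


def digraph_gaps(evts):
    """Map each two-key sequence to the down-to-down latencies observed for it."""
    feats = {}
    for (a, ta), (b, tb) in zip(evts, evts[1:]):
        feats.setdefault(a + b, []).append(tb - ta)
    return feats


def enroll(samples):
    """Build a profile: per digraph, (mean latency, floored standard deviation)."""
    pooled = {}
    for evts in samples:
        for dg, gaps in digraph_gaps(evts).items():
            pooled.setdefault(dg, []).extend(gaps)
    return {dg: (mean(g), max(pstdev(g), MIN_STD)) for dg, g in pooled.items()}


def score(profile, evts):
    """Mean absolute z-score over digraphs the profile knows; lower means closer."""
    zs = [abs(gap - profile[dg][0]) / profile[dg][1]
          for dg, gaps in digraph_gaps(evts).items() if dg in profile
          for gap in gaps]
    return mean(zs) if zs else float("inf")  # nothing comparable: treat as a mismatch


def error_rates(profile, genuine, impostor, threshold):
    """Return (false rejection rate, false acceptance rate) at one threshold."""
    frr = sum(score(profile, s) > threshold for s in genuine) / len(genuine)
    far = sum(score(profile, s) <= threshold for s in impostor) / len(impostor)
    return frr, far


PHRASE = "password"  # digraphs: pa as ss sw wo or rd

# Constructed enrollment sessions for one user (gaps in ms between key presses).
ENROLL = [events(PHRASE, g) for g in (
    [120, 90, 180, 140, 110, 90, 130],
    [124, 94, 200, 144, 106, 94, 126],
    [116, 86, 160, 136, 114, 86, 134],
    [120, 90, 180, 140, 110, 90, 130],
)]

# Constructed later sessions by the same user; the third is typed one-handed (1.5x slower).
GENUINE = [events(PHRASE, g) for g in (
    [122, 92, 175, 138, 112, 88, 131],
    [115, 95, 195, 146, 104, 95, 125],
    [180, 135, 270, 210, 165, 135, 195],
    [118, 88, 170, 142, 108, 92, 133],
)]

# Constructed sessions by other people; the third happens to type at a similar pace.
IMPOSTOR = [events(PHRASE, g) for g in (
    [200, 150, 120, 210, 160, 170, 95],
    [90, 60, 140, 100, 80, 60, 100],
    [130, 100, 170, 150, 120, 100, 140],
    [160, 70, 220, 110, 150, 60, 170],
)]

PROFILE = enroll(ENROLL)

if __name__ == "__main__":
    for thr in (0.5, 2.0, 4.0):
        frr, far = error_rates(PROFILE, GENUINE, IMPOSTOR, thr)
        print(f"threshold {thr}: FRR {frr:.0%}  FAR {far:.0%}")
```

Tightening the threshold trades false acceptances for false rejections, which is why a single accuracy figure says little without the operating point it was measured at.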

  • I don't think this will work for me as sometimes I go from two hands to operating my computer with just one hand.
  • Swedish Company (Score:5, Informative)

    by Frankie70 (803801) on Friday November 22, 2013 @10:51AM (#45490801)

    This has been done by a Swedish Company - http://www.behaviosec.com/ [behaviosec.com]

    They have a continuous monitoring system and also a product which can be integrated into a Web Page Post Form for a 2nd Factor of Authentication. I have played around with their Web Product - it's very good to be used as a secondary mechanism.

    They are also working with DARPA - http://www.behaviosec.com/darpa-and-behaviosec-go-beyond-passwords/ [behaviosec.com]

    So I am wondering if the Iowa University project is an extension on this?

    The original Behaviosec product came out of a research project in a Swedish University and the people running the company include students who did the original project.

  • Works great. Until you have a little accident, and end up with a broken arm, or sprained wrist. Then you can't use your computer.

  • An algorithm that recognizes users based on their masturbation movements. Even those with Parkinson.

  • No one slams their mouse and spews slightly racist incoherent obscenities in their favorite forums quite like I do.
  • I'd love to see an authentication method, which could probably be implemented with a kinect, where the computer starts playing some music and demands that you perform a sexy dance. It makes about equally as much sense, but would make work MUCH more funny!
    • by oneiros27 (46144)

      The problem is that it has to be the same or similar every time ... so you'd either have to have a fixed routine that's rather similar every time ... or what I would do, which is sit there and flip the bird at the computer and/or cuss it out for such a stupid request.

      (Of course, some of the answers to the canned 'security questions' that groups try forcing on me are responses such as 'I don't know' 'How should I know?' 'Why would I know that?' and 'I'm an orphan, you bastard'.)

      • by Greyfox (87712)
        It's funny, I just ordered something off Thinkgeek for the first time in years. I wasn't even sure I still had a user ID there, so I entered the password hint request with my E-Mail. The hint, which apparently I'd chosen for myself was "What is your password?" This actually reminded me what my password was at that time. I have no idea how that worked.
    • by The-Ixian (168184)

      or perhaps the truffle shuffle?

  • So your solution to security is to put a key logger on every computer in our building? I don't see that going over well with my security team.

  • by dohzer (867770)
    I'd be really worried about getting locked out while tipsy.
  • We may type very differently throughout the day, especially at night, or close to a deadline. It would appear that you would need to do a significant amount of characterization to have any meaningful results. There are times when we can be really tired, but need to finish something. The last thing anyone needs is to fight your computer in addition to fighting a clock. I would refuse to work or quit any place that would consider using this kind of authentication. This kind of model can never be perfect.
  • So we'll need a program that scrambles all the monitored characteristics, and perhaps inserts some random phrase translations so that you can't be recognized by your vocabulary. Why I would ever want a system to recognize me by these sorts of biometrics (or any sort) is beyond me. On the other hand, I could see why others would want to do so, Facebook, Google, the NSA, Doubleclick, etc. But that doesn't mean at all that I would want this, quite the contrary. When I'm on the computer, it's nobody's busin
  • by knorthern knight (513660) on Friday November 22, 2013 @04:43PM (#45494697)

    I'm surprised nobody has commented on this. If a server can confirm your keyboard/mouse activity profile, what's to stop advertisers from doing so via javascript on the web? This is scary. Even if you log in to site A as John Smith with Firefox, and site B as Jane Doe with Opera, and with Flash supercookies disabled, they might still be able to match your profiles. This would solve the advertising dilemma, of what ads to show on a shared computer used by multiple family members. This would be worse than Facebook.

    Law enforcement would love this too. Let's say you're a "meek mild-mannered reporter" (or whatever) by day and "super-hacktivist" by night. It wouldn't matter if you're using multiple layers of TOR/ONION or working via a compromised machine in China, a LEA would still be able to match your daytime work profile to your nighttime alter-ego.

    This might start an arms race. Given websites that analyse user keystrokes, would a random delay inserter work? Also, I assume that doing stuff like typing this comment into a separate text editor, then copy-pasting into the posting submission form might help cover your tracks.

  • by manu0601 (2221348)
    50% is low. People noted it would deny access to a drunk user, which may be good. Sleepy user may be denied as well, so could unusually stressed persons. The latter case could be a real problem if stress is because you need to find something in your computer.
