Authentication using the way you type

[nsane.forums]

In DARPA’s vision of the future, you won’t be typing passwords anymore—because typing is the password.

The Defense Advanced Research Projects Agency is investigating the feasibility of developing software that can identify a user based purely on the style and speed of his or her typing.

“What I’d like to do,” explained Richard Guidorizzi, DARPA product manager, in a talk last year, “is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions.”

The problem with traditional passwords, explained Mr. Guidorizzi, is that we tend to prefer patterns that make remembering passwords more manageable. These passwords are good for humans, but bad for security. It’s hard to strike a balance between memorable and secure.

That’s part of the reason why Roy Maxion, a research professor of computer science at Carnegie Mellon University, believes it could be possible to simply do away with passwords altogether. By studying a user’s unique keystroke dynamics—the length of time a key is pressed, for example, or the speed with which a user types—Professor Maxion has had considerable success identifying test subjects based purely on the way they type.

In fact, similar software being developed at Pace University can apparently identify a user based on keyboard pressure with 99.5 percent accuracy (PDF).

And because typing is an act of motor control—something we don’t do consciously—“mimicking keystroke dynamics is physiologically improbable,” explains Professor Maxion, making impersonation or fraud nigh impossible. A similar identity model could potentially be constructed from a user’s mouse movements too.

The downside, of course, is that unlike traditional password-based logins which only require initial authentication, a behavioral system based on typing style would require constant monitoring. Otherwise, there would be no way to verify that the same user remained in control of a given machine, DARPA says.

A small price to pay, perhaps, for never having to worry about password strength or security again.

Further reading

• Bypassing the password (nytimes.com)

View: Original Article