Computers

Verifying passwords by the way they're typed

Verifying passwords by the way they're typed
Researchers in Beirut are working to improve upon past attempts at linking password authentication to the the speed and rhythm of the user's keystrokes
Researchers in Beirut are working to improve upon past attempts at linking password authentication to the the speed and rhythm of the user's keystrokes
View 2 Images
Researchers in Beirut are working to improve upon past attempts at linking password authentication to the the speed and rhythm of the user's keystrokes
1/2
Researchers in Beirut are working to improve upon past attempts at linking password authentication to the the speed and rhythm of the user's keystrokes
2/2

There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it.

Ravel Jabbour, Wes Masri and Ali El-Hajj of the American University of Beirut have developed software that aims to improve upon past attempts at linking password authentication to the the speed and rhythm of the user's keystrokes, a method called key-pattern analysis (KPA).

Instead of just measuring the time-lapse between keystrokes, the researchers also measure how long each key remains depressed. They argue that this extra parameter of "intra" timing significantly boosts reliable authentication and improves the overall KPA approach.

Modified keyboards that measure keystroke pressure represent another avenue for, but this approach works on a standard keyboard. It would work like this:

  • the user enters their password multiple times to set-up a log-in;
  • the program creates a user profile based on intra and inter timing and other parameters like the relationships between two keys (digraph) and three keys (trigraph);
  • this profile is stored for comparison when the user logs-in again.
  • It's a bit of a double-edged sword because the longer and more complex the password, the harder it is to repeatedly type it in with the same rhythm. The researchers acknowledge the trade-off - it's a matter of finding a "sweet spot" between length and reliable typing. I know that if I had a choice between a longer password and a system that stopped someone with my password written down in front of them from gaining access, I'd choose the latter.

    The researchers say they have also integrated secure "group" functionality into the system to cater for another possible drawback - the ability to share passwords when you do want someone else to have log-in access.

    The Paper "Optimising password security through key-pattern analysis" is published in the International Journal of Internet Technology and Secured Transactions.

    8 comments
    8 comments
    Miha Feuš
    Although it sounds promising at first I don\'t find much advantage in such extra security. Because if the authentication program can measure this, so can a key-logger.
    Rocky Stefano
    Several companies have tried this in the past. Always ends up failing due to keystroke logging enhancements
    Taryn East
    Interesting idea, but will become painfully annoying the moment I want to drink my coffee and type my password with one hand. Or I cut my finger and the timing for that finger changes. Or my fingers are cold and respond slower.... etc etc
    David Elliott
    There was a company called Biopassword that implemented such a system about 6 or 7 years ago.
    Slowburn
    I would prefer a stealth multilayered with rotating passwords.
    Gordon Ross
    This is not NEW stuff. I have worked on this technology since 1989. The intial product measured pressure along with other variables and was 98.4% effective. Far better than fingerprints and virtually incapable of spoofing. Others today are marketing this technology. Unfortunately most of them have not been able to obtain the effectiveness of what I originally worked on and developed. Many reasons for this, but most have failed because they decided their algorithms were better. Unfortunately they are not... This technology, when designed and implemented correctly is the most cost effective method of using a biometric.

    KEYSTROKE LOGGERS are unable to duplicate the signature of the individual... True, if you cut your hand, are impaired , you may not get on, but there are always overides that an individual can produce, if they are so inclined.
    Wombat56
    Most of my logins are Autotyped from KeePass. Good luck getting biometric data from that.
    Also I think you\'d need a custom keyboard to extract the information and report it to the main application. It looks like this would only be used inside high cost, high security installations.
    Matt Rings
    And what\'s wrong with just using a fingerprint reader regular password.... ?