Nobody types quite like you
Speaker's Corner: Mavis Beacon strikes again
PASSWORDS ARE TROUBLE, we know this. Users lose them, forget them, choose bad ones, and – as Societe Generale found to its chagrin in January – share them. How can you be sure that the person typing in the password that unlocks the gateway to losing £7 billion in rogue trades is the person who's meant to have that password?
You might say, "Fingerprints?", but Peter Horadan, senior vice president of engineering and client services for Seattle-based Biopassword, points out the flaws in that idea. They have error rates, for one thing, and they can be fooled – as a season four episode of Mythbusters proved. An even bigger problem is that fingerprint readers have to be deployed everywhere. "The hardware breaks," says Horadan, "and people don't like it. Traders might be willing to be fingerprinted, but consumers don't want to be fingerprinted just to get into their online banking account." Plus, if the system gets hacked into, you can't get new fingers.
Biopassword's solution is a system that takes advantage of the fact that no two people type quite the same way. Enrolling in Biopassword's system involves creating a template from five samples, against which future login attempts are tested. The system runs on the owning organisation's server, and the owner can tune how tolerant it should be of imperfect matches. If an attempt matches the template too perfectly, the system can reject it as a replay attack; if it deviates too far from the template, the system can reject the user or ask a backup security question. From the user's point of view, very little is different.
Obviously, there are complexities to this. People's timing changes over time, and different keyboards have different technical characteristics to which the system must adapt.
"I think we've achieved some pretty great accuracy here," says Horadan, "but the focus of the last two years has been math. A lot has been invented here through trial and error. We built an engine with a library of tests so you can create a new idea for the math, then push a button and run it through all the test programs and they will show how the idea performed." The company runs internal contests where employees come up with "any crazy idea you can think of. It's almost like genetic selection."
Such brainstorming helped Biopassword's team identify 43 factors that characterise typing patterns and work out an algorithm to compare sets. There were, Horadan says, many design challenges and interesting problems to solve.
"Some typers are more consistent than other typers," he says. "How do you weight for that?" Or, he says, "How do you determine that there are multiple people on an account? We've built clustering algorithms that take the samples provided and find a way to measure the distance between them." Account sharing is an issue in, for example, financial trading, where companies want non-repudiability.
Horadan says his career has always been about "making things easier for people". He spent eight years at Microsoft working on the online banking part of Money. "Instead of having to read paper statements – see them online without doing any work." At BEA, he created Web Logic Workshop to make it easier to write programs for J2EE.
Biopassword grabbed his attention with a demonstration. "It's one of those things that just sells you," he says. "You don't really believe it when you first hear it. It sounds like magic. Then you get a demonstration and you become a believer. It's astonishing how well it works."
The company hired Tolly Group to do an accuracy study. In it, they gave 100 users 100 user names and passwords to type in batches of ten on different workstations. To test for false acceptances, 99 testers tried to break into the remaining user's IDs and passwords. To test for false rejections, each user created a template from his first five samples and then tried to log in with each of the other 95. The study found a 99 percent accuracy on acceptances and 98 percent on rejections.
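To make the mechanics concrete, here is an added toy verifier that is not Biopassword's code (its 43 factors and clustering are not described on this page): it enrols a template from five samples, weights each timing by how consistently the user produces it, flags a too-perfect match as a replay, applies an operator-tuned tolerance, and reports false-accept and false-reject rates the way an accuracy study would. The timings, feature set and thresholds are assumptions.

```python
"""Toy keystroke-dynamics verifier modelled on the article's description.
A sample is the list of timings (ms) recorded while typing one fixed password:
dwell times (key down to key up) and flight times (key up to next key down)."""
from statistics import mean, pstdev

REPLAY_EPSILON_MS = 1.0  # a sample this close to a stored one is "too perfect"

def enroll(samples):
    """Build a template (per-feature mean and spread) from enrollment samples."""
    n = len(samples[0])
    assert all(len(s) == n for s in samples), "samples must cover the same keystrokes"
    mu = [mean([s[i] for s in samples]) for i in range(n)]
    # Floor the spread so a perfectly consistent feature cannot divide by zero.
    sigma = [max(pstdev([s[i] for s in samples]), 1.0) for i in range(n)]
    return {"mu": mu, "sigma": sigma, "samples": [list(s) for s in samples]}

def is_replay(template, sample):
    """True if the sample duplicates a stored enrollment sample almost exactly."""
    return any(max(abs(a - b) for a, b in zip(sample, s)) < REPLAY_EPSILON_MS
               for s in template["samples"])

def distance(template, sample):
    """Mean absolute z-score. Features the user types consistently (small sigma)
    count heavily; features they vary on are judged more leniently."""
    return mean([abs(x - m) / sd
                 for x, m, sd in zip(sample, template["mu"], template["sigma"])])

def verify(template, sample, tolerance=2.0):
    """Return 'accept', 'reject' or 'replay'; tolerance is the operator-tuned knob."""
    if len(sample) != len(template["mu"]):
        return "reject"
    if is_replay(template, sample):
        return "replay"
    return "accept" if distance(template, sample) <= tolerance else "reject"

def error_rates(template, genuine, impostor, tolerance=2.0):
    """False-accept rate and false-reject rate over labelled login attempts."""
    fa = sum(verify(template, s, tolerance) == "accept" for s in impostor)
    fr = sum(verify(template, s, tolerance) != "accept" for s in genuine)
    return fa / len(impostor), fr / len(genuine)
# Constructed data: five enrollment samples from one user, six timings each.
ENROLL = [[90, 110, 80, 120, 100, 95], [95, 105, 85, 125, 100, 90],
          [88, 112, 78, 118, 102, 97], [92, 108, 82, 122, 98, 93],
          [90, 115, 80, 115, 100, 100]]
GENUINE = [[93, 107, 83, 121, 101, 94], [89, 111, 79, 119, 100, 96],
           [120, 140, 110, 150, 130, 125]]  # last one: same user, but exhausted
IMPOSTOR = [[140, 160, 130, 170, 150, 145], [100, 120, 90, 130, 110, 105],
            [95, 105, 85, 125, 100, 90]]    # last one: replayed enrollment sample
TEMPLATE = enroll(ENROLL)
```

Lowering `tolerance` trades false accepts for false rejects, which is exactly the knob the article says the owning organisation tunes.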
Horadan believes that making security easier for users is of key importance. "Security is very challenging for users," he says, "carrying tokens, memorising passwords."

Comments
Of course it works
It works because it's brand new and no clever hackers have even seen it yet. But as we all know, it won't be long after this tech's debut that it will be cracked wide open somehow by somebody, and those selling this tech will inevitably be forced to change it to defeat the crack, which will make it more inconvenient for the end users.
This whole cycle is getting tiresome and benefits the common computer user in no way. We need a whole paradigm change to fix everything. Not that I can do that myself, but I hope someone else comes up with something.
Tolly
Did the company pay for the Tolly group? That is bogus. :)
Sounds great if they actually got it perfect
Typing changes over time - hour by hour
Have these people never got up in the middle of the night due to the dodgy curry they had last evening and started to type on the computer - quite possibly by the light of a torch held in the mouth to see the keyboard, or by the faint glimmer of the murky screen? Or perhaps have they never been on the phone and typing with one hand while cradling the phone in the other? Or simply eating lunch and cruising to the bank account?
Or maybe their missus is trying to log in onto the shared account - and they have to try to explain to 'she who must be obeyed' why they can't log into 'their' email account!
Even for what passes for normal times for me I change the pace and keyboard style pretty constantly. It depends if I am thinking about something or simply reading a password or equivalent off a notepad.
Bull...
Imagine
a hangover = Reject
a damage from the last football game = Reject!
a change of keyboard = Reject!
a nagging wife = Reject
limited time to login = Reject!
and even worse - imagine that you can't login. What do you do?
You try again and again and again and finally you get that frustrated so you'll never again use this crap and change your bank to a bank grasping the revenue key called - user friendliness. Crap!
Rubbish!
My comment was refused. Is this a medium for sales of the technique or are you just stakeholders in the company in respect and want them to raise off this article with cheering comments only? Trying once again.
----------
Imagine
a hangover = Reject
a damage from the last football game = Reject!
a change of keyboard = Reject!
a nagging wife = Reject
limited time to login = Reject!
and even worse - imagine that you can't login. What do you do?
You try again and again and again and finally you get that frustrated so you'll never again use this crap and change your bank to a bank grasping the revenue key called - user friendliness. Crap!