Monday, March 19, 2012

Bypassing the Password

Imagine sitting down at your work keyboard, typing in your user name and starting work right away — no password needed.

That’s a vision that the Defense Advanced Research Projects Agency, part of the Defense Department, wants to turn into a reality. It will distribute research funds to develop software that determines, just by the way you type, that you are indeed the person you say you are.

Richard Guidorizzi, program manager at DARPA, said, “What I’d like to do is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions.”

No biometric sensors, like thumbprint or iris scanners, would be used. Instead, he is seeking technology that relies solely on an individual’s distinct behavioral characteristics, which he calls the cognitive fingerprint.

Roy Maxion, a research professor of computer science at Carnegie Mellon University, oversees research on “keystroke dynamics,” including the length of time a user holds down a given key and the time it takes to move from one particular key to another.

Motions that we’ve performed countless times, Professor Maxion says, are governed by motor control, not deliberate thought. “That is why successfully mimicking keystroke dynamics is physiologically improbable,” he says.

He gives this example: A computer user holds down a key for an average of 100 milliseconds. Suppose that a fraudster is trying to mimic a person who is slightly faster than average — typically holding the key down for 90 milliseconds. “Then the spoofer is in the dubious position of having to consciously shorten a key-press action by 10 milliseconds,” Professor Maxion says. Having such control doesn’t seem realistic, he says, when one considers that “a voluntary eye-blink takes 275 milliseconds.”

Continuous monitoring of a user’s behavior is an essential element of DARPA’s requirements. Because of the conventional password-based systems used today, the agency says, there is now no way “to verify that the user originally authenticated is the user still in control of the keyboard.”

Research done by Professor Maxion of Carnegie Mellon suggests that just a few key taps may be needed for continuous authentication. Test subjects were invited to mimic the keystroke timing of another person they were observing, and were permitted to practice that person’s 10-character password 100 times. He said no one succeeded in mimicking the target.
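The two timing features Professor Maxion describes (how long a key is held, and how long it takes to move from one key to the next) and the small-sample verification he reports, as an added worked example that is not code from DARPA or Carnegie Mellon: it enrolls a per-user timing profile from a few password entries and scores a new entry by its average z-distance from that profile. The password, all timings, the 1 ms standard-deviation floor and the acceptance threshold are constructed assumptions.

```python
from statistics import mean, pstdev

def make_events(keys, holds, flights):
    """Build (key, press_ms, release_ms) tuples from hold and flight lists (constructed data)."""
    events, t = [], 0
    for i, (key, hold) in enumerate(zip(keys, holds)):
        events.append((key, t, t + hold))
        t += hold + (flights[i] if i < len(flights) else 0)
    return events

def extract_features(events):
    """Hold time per key, then release-to-next-press latency per key pair, all in ms."""
    holds = [release - press for _, press, release in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds + flights

def build_profile(samples):
    """Per-feature (mean, stdev) over the enrollment samples; stdev floored at 1 ms."""
    columns = zip(*(extract_features(s) for s in samples))
    return [(mean(col), max(pstdev(col), 1.0)) for col in columns]

def anomaly_score(profile, events):
    """Mean absolute z-score of a probe against the profile; lower means more alike."""
    feats = extract_features(events)
    return mean(abs(f - mu) / sd for f, (mu, sd) in zip(feats, profile))

def verify(profile, events, threshold=2.0):
    """Accept the probe when its timing stays within `threshold` stdevs on average."""
    return anomaly_score(profile, events) < threshold

KEYS = "pass"  # constructed 4-character password
# Constructed enrollment: a typist whose holds sit near 90 ms and flights near 120 ms.
ENROLLMENT = [make_events(KEYS, h, f) for h, f in [
    ([88, 92, 90, 91], [118, 122, 120]),
    ([91, 89, 92, 88], [121, 119, 122]),
    ([90, 91, 88, 92], [119, 121, 118]),
    ([89, 90, 91, 90], [122, 120, 121]),
    ([92, 88, 89, 89], [120, 118, 119]),
]]
GENUINE_PROBE = make_events(KEYS, [90, 91, 89, 90], [121, 119, 120])
# Constructed impostor: same password, but holds near 100 ms and slower transitions.
IMPOSTOR_PROBE = make_events(KEYS, [100, 101, 99, 100], [150, 152, 148])

if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    for name, probe in [("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)]:
        print(f"{name}: score={anomaly_score(profile, probe):.2f} accepted={verify(profile, probe)}")
```

A real deployment would score a sliding window of recent keystrokes rather than a single password entry, which is what the continuous-authentication requirement above calls for.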

Professor Maxion has worked on another behavioral biometric for user verification: mouse dynamics. He explains that “everyone has an idiosyncratic way of using a mouse, such as the speed with which you move the cursor across the screen; the path — straight line, convex or concave arc; and the presence or absence of jitter.”
