Cenzic 232 Patent
Paid Advertising
web application security lab

BioPassword Biometric Password Timing

I’ve heard this technique dozens of times, but each time I hear it I really think it’s the unfortunate reality that someone probably got money selling the idea to someone who didn’t know better before realizing it themselves that it’s really not a great idea and now they have the unfortunate task of selling it to people who do. BioPassword (not to single them out because there are others who have come up with this same concept too) attempts to test the time and the pattern that people use to type in their passwords in an effort to stop password theft and replay. Where to start?

Firstly, we have to ignore the obvious problems, like getting a paper cut and making you type weird, or being drunk, or eating a sandwich and typing your password in with one hand. And I thought fingerprint biometrics were annoying! Of course you can bypass this by having it ask you more questions. There’s a good idea - let’s train people to give up their secret questions after typing a valid password.

But really, the adoption of this technology is almost non-existent, and if it ever was widely adopted all a bad guy would have to do is watch the timing of keystrokes in JavaScript space and replay them in the same way. This isn’t exactly rocket science to defeat. It’s an interest take, and I’m glad people are thinking about it, but this isn’t going to solving the problem it was intended to.

12 Responses to “BioPassword Biometric Password Timing”

  1. eastwind Says:

    Here are some more ideas:

    1) Remember back in the 80’s when they had hypercolor t-shirts and heat sensitive cards you could use to check your biorythms?

    The biorythms concept claims that we have unique physical, emotional, and intellectual cycles. If that’s true, and sensor technology has advanced in the past 20 years past t-shirts and heat sensitive credit card strips, it might be possible to quickly gather measurements that follow cyclical patterns. The values of the various measurements would be constantly changing but if they follow a cycle pattern you could algorithmically verify that they fell in that individual’s range. More of a bio checksum than a bio password. But maybe harder to trade on IRC.

    2) Alternatively, we could turn the table on identity thieves as follows. Set up an identity check that requires users to perform a special bio skill they have ahead of time. For example, curling your tongue, flipping your eyelids backwards, or drinking milk and then spewing it out of your nose (this is one I heard on the radio yesterday, sorry). For the less adventurous it could be stances from a preselected martial art, stretching exercises, etc. Anyway, it’s presented in the form of a two way captcha. The server tells the user what to do (from a preselected set the user has authorized) in the form of a captcha. The user then performs this skill in front of a web cam. The web cam video of the user performing the feat of bioskill is then streamed to an online multiplayer online game system. Players of the game, get a good feeling because they are helping other people protect their identity and are helping the server solve a captcha (instead of the client solving it) in exchange for a few laughs. At the same time it could also have a ‘public key’ type of picture that they compare to. Kind of like how you check picture ID on your driver’s license. Participating gamers don’t see names though, just faces. If someone steal your identity, you go back to the video they used to steal your identity and then you at least have video of the thief or accomplice along with IP address information that you can send to a prosecutor.

    I’m not serious. But BioPassword is? Come on. It’s not 1997.

  2. Chavela Says:

    Anything that disallows eating at the keyboard is a non-starter. Thanks for pointing out this obvious usability flaw.

  3. RSnake Says:

    Hahaha!

  4. kurt wismer Says:

    “But really, the adoption of this technology is almost non-existent, and if it ever was widely adopted all a bad guy would have to do is watch the timing of keystrokes in JavaScript space and replay them in the same way.”

    all biometrics fail in the absence of a trusted path between biometric sample acquisition and verification… a trusted path is hard enough to come by on the endpoint alone, never mind across the internet…

  5. kuza55 Says:

    I personally stopped considering biometrics a viable solution when someone pointed out that there is no way to change biometric facts about ourselves - if our retinal data is compromised, it is compromised indefinitely, we can’t change it like a password. I think we can all see the problem here.

    Of course, this is more a behavioural pattern check than a biometric check, since its not what you are, but how you act, and since we type different words differently, the patterns will be different for different passwords, but as the article itself says, the words you type more frequently have much more distinct patterns, than those you don’t. This really relies on either you using an old password, or running into a brick wall where your typing has changed enough that the system doesn’t recognise it, but you didn’t notice the change, and therefore cannot create the same pattern as before since it was a subconscious change.

    Oh, and as kurt wimser said, this doesn’t really do anything about network replay attacks, so the only thing this could possibly defend users against is an unsophisticated keylogger.

  6. ChrisP Says:

    Look at it from a different angle: is it any less secure than your current password-based verification? No. Does it add an extra layer of protection? In some cases yes. (particularly where you’re not eating a sandwich with a hand lacerated by paper cuts.) Is it easier to defeat than today’s model? No.

    Besides, wasn’t the 6-million dollar man loaded with BioStuff?

  7. Elphaba Says:

    Sure, it isn’t any less secure than today’s password-based verification, but does it offer significant advances in security?

    obvious issues in addition to those already mentioned:

    user lockout if they are so mental about the first entry of the pw and doing it ‘right’ that they do it abnormally under stress and can’t replicate it

    users becoming complacent about security and think they are safe now because they have this technology. HID anyone?

    Its not all bad though. As long as you set the password sober, it will save you from sending drunken emails to your boss at 2 in the morning when you get home from the bar.

  8. Steven Bender Says:

    It is interesting to see comments like these. You obviously have not bothered to do much checking before opining. Recognition by typing patterns, today, is very real. Yes, many people have tried to do this in the past and failed. That was then. The science has come a long way. It works. And it is being used … a lot.

    In addition to BioPassword (a good company), my company iMagic Software is a major player in this business, and was just granted a (fundamental) patent for our science. Our product, Trustable Passwords, is in use by numerous major enterprises and is securing every logon, by every person, every day, everywhere - tens of thousands of people under real conditions and stresses in the real workplace. In addition to enhanced security, users get enhanced convenience by the elimination of password churning, and many other benefits.

    If you are interested, our website - www.imagicsoftware.com - has lots of detailed information — including answers to to sorts of questions/objections listed here. If you take the time, you will learn quite a bit. We hope you find it valuable.

    BTW — today we only sell to major enterprises … +1,000 users is minimum.

    Best regards,

    Steven
    CEO

  9. RSnake Says:

    Hi, Steven, I appreciate you have technology you are proud of, but I fail to see how it at all deals with any of the problems I’ve suggested of someone else’s technology. I’m surprised to hear derogatory statements made about my assessment of a competitor. So sure, I spent a few minutes looking for the answers to above statements on your site and I found them:

    * “Our proofs are beyond question and compelling. We have lots of data.” - uhm… okay? I don’t see how that is true now that I am questioning it and am not compelled. :)

    * “We find that on average our users throw bulls-eyes more than 80% of the time, and as alluded above, the number of times they “miss the dartboard” altogether is less than the number of times they fat-finger a typo.” - so what you are saying is that it should be pretty easy for someone sniffing the data to hit that dartboard too. If they vary the time at all, that will throw off any heuristics you want to build into it to protect from replay. Fantastic.

    * “What if I’ve had a couple drinks? Depends on how many is a couple. Unless someone overdoes it, there won’t be a problem.” - so there will be a problem if I drink a lot? This proves the point above.

    * “Of course, some injuries are serious enough to make normal typing impossible. Trustable Passwords has administrative systems to make dealing with problems like this easy.” - So there has to be an out of band function for people who are injured or drunk. So far proving all my above comments.

    I don’t doubt you have lots of customers and your developers invested lots of time and thought into it. However, unless you can point to specific answers to how I am wrong about Biopassword (given that is the technology I was talking about) I’m going to have to remain highly skeptical of it. Also, I think you are reading this site out of context - this isn’t about corporate security, where things like this make more sense, as much as it is about Internet security. Using your technology would be an administrative nightmare for e-commerce sites (as is all second factor auth type software - I know, I’ve been involved in the largest implementation of such ever undertaken).

    The costs for an inbound call to a customer service rep are extraordinarily high, and there is no way to offset the cost, given that an even vaguely savvy attacker can simply do their own assessment of the timing in a phishing attack if it were ever worth their while. Sorry, Steven, no sale.

  10. BG Says:

    who takes a bite off their sandwich while in the middle of typing a password? do yourself a favor, set up a camera watching your behavior. I think you’ll find that while yes, you eat while typing, you don’t eat/drink/smoke/or typically take deep breaths while you type a password. this is human behavior & part of why a technique like this works. is it perfect? no, but it sure beats fingerprints or easily lost pin/usb devices. keystroke mapping works. deal with it. don’t believe it? try it & try to break it. don’t just assume based on reading something. that only leads to fanatics.

  11. RSnake Says:

    Hi, BG! I didn’t say “in the middle” I said they have a sandwich in their hand and typed it with the other. And yes, I have definitely done that. Hell, I’ve tried to type my passwords with my feet before! Not super successfully, mind you, but there you have it. I don’t need a camera, I do weird things regularly because I use computers so much (laptops allow me to find myself in strange places doing strange things) that I often find myself in awkward circumstances needing to type passwords in, holding down shift keys with my elbows and all kinds of other craziness.

    I also didn’t say it’s better or worse than any other biometric devices (personally I think all of them have flaws). I’m not sure why you even mentioned that - this wasn’t a comparison of technology. Keystroke mapping only works in certain circumstances and is also beaten using phishing that detects the timing and then vary said timing slightly each time as to beat any anti-auto-replay technology. BioPassword does raise the bar slightly, but it also creates lots of problems, customer support calls, required client technology and a whole host of other problems that I’m not in love with from an implementation standpoint. Again, no sale.

  12. PaulE Says:

    As with any technology THERE ARE FLAWS. It’s part of the human condition. Once we get USERS to UNDERSTAND that a login and password are NOT to be taped to the bottom of a key board or sticky noted to a monitor, or passed to a friend, hell sometime a stranger, we….will have come a long way in security. Dual category authentication is to gaurds against idiots, but unfortunately security must be thoughtfully brought to bear in layers. Layers and layers. If you really want to gaurd it, better lock it up very tight behind layers and layers, and pay attention to the suttle details. trust me most of you will miss it. Just no other way around it. Biorythms…like drinking coffe and eating a pastry.