

Firm uses typing cadence to finger unauthorized users - nswanberg
http://arstechnica.com/tech-policy/news/2010/02/firm-uses-typing-cadence-to-finger-unauthorized-users.ars

======
Terretta
In an early 80s programming article, Michael Crichton published a discussion
and example of a keystroke intervalometer to verify identity. (He referenced
the idea again in his recent book Prey.)

His BASIC implementation was sufficiently accurate that when a full pass
phrase was used, loose matching could still distinguish the original typist
from others who knew the phrase.

The breathless <http://www.physorg.com/news67710818.html> raves about the
"inventors" behind a patent granted 16 years ago for the concept, well after
Crichton's idea and working example were published.

More recently, <http://jdadesign.net/safelock/> was named SMU's 2009 "best
implementation", perhaps for also including pressure and hold time.

------
elliottkember
This reminds me of Morse operators, who are recognisable by their "fist", or
transmission style. I guess it's like recognising anything if you do it
enough.

------
ZeroGravitas
I love how this appears next to an article about "DRM from Hell" and here's
what amounts to a free advertisement for a DRM enforcement company that is
generating dubious piracy statistics and offering a service that will reset
your password in an attempt to _"irritate them into submission"_ every time
you type one handed while eating a sandwich, get a sticky key on your
keyboard, or use a phone or tablet device to access it.

The actual technology is cool, but these guys didn't invent it, they just
found a really annoying use for it.

------
Tichy
If it's only the login being monitored, copy+paste might be a workaround.

~~~
nswanberg
That's true, especially if users keep their shared passwords in a password
safe.

And if the copy-pasting raises some red flags, the account owner could also
record keystrokes and replay them, with a bit of randomness added to the
timing, with software or a hardware attachment
(<http://www.practicalarduino.com/projects/virtual-usb-keyboard>).

This is the sort of countermeasure that attempts to cut down on casual account
sharing, not a determined cheapskate.

I thought from the headline that this software was recording all keystroke
timing, not just the password, and would detect intruders, not account
sharers. That might be another application, or privacy invasion, depending on
one's perspective.
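
Added example, not part of the thread and not the code of any product or author mentioned in it: a sketch of the loose matching on inter-key intervals that the first comment describes, using a scaled Manhattan distance (a choice made here, not Crichton's method). It also covers the two cases raised above, a pasted password that carries no timing and the account owner typing unusually slowly. All timestamps, the 10 ms spread floor and the threshold are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed data: key-down timestamps (ms) for one 7-character passphrase.
ENROLL = [
    [0, 140, 265, 420, 530, 700, 815],
    [0, 150, 270, 410, 535, 690, 820],
    [0, 135, 255, 415, 520, 695, 800],
    [0, 145, 275, 425, 540, 710, 830],
]
GENUINE = [0, 142, 268, 418, 533, 702, 818]     # owner, normal typing
OTHER = [0, 90, 300, 380, 640, 720, 980]        # someone else who knows the phrase
SLOW = [0, 285, 532, 835, 1062, 1397, 1632]     # owner typing one-handed
PASTED = []                                     # paste: no per-key events

def intervals(timestamps):
    """Latencies between consecutive key-down events."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def enroll(samples, floor_ms=10.0):
    """Per-position (mean, spread) profile; floor_ms is an assumed minimum spread."""
    rows = [intervals(s) for s in samples]
    if len(rows) < 2 or len({len(r) for r in rows}) != 1:
        raise ValueError("need at least 2 samples of equal length")
    return [(mean(col), max(stdev(col), floor_ms)) for col in zip(*rows)]

def score(profile, timestamps):
    """Scaled Manhattan distance, or None when the attempt has no usable timing."""
    iv = intervals(timestamps)
    if len(iv) != len(profile):
        return None
    return mean(abs(x - m) / s for x, (m, s) in zip(iv, profile))

def verify(profile, timestamps, threshold=2.0):
    """threshold is an assumed tolerance: looser means fewer false rejections."""
    s = score(profile, timestamps)
    if s is None:
        return "no-timing"  # the timing check cannot run on pasted input
    return "match" if s <= threshold else "mismatch"

if __name__ == "__main__":
    profile = enroll(ENROLL)
    for name, attempt in [("genuine", GENUINE), ("other", OTHER),
                          ("slow", SLOW), ("pasted", PASTED)]:
        print(name, verify(profile, attempt))
```

The slow-typing attempt is rejected even though it comes from the enrolled user, which is the false-rejection cost the thread complains about.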

