
Can a person be identified by just the way they type?  - ColinWright
http://blog.wolfram.com/2012/06/14/how-do-you-type-wolfram-analyzing-your-typing-style-using-mathematica/
======
paulsutter
Yes. A friend of mine has a patent on a gun that fires only for one person.
The gun has been extensively tested and works great. The fire/no-fire decision
is based on the way the trigger is pulled.

Gun manufacturers hate it because it has scary gun control implications. But
if/when it does become available New Jersey police will all use it.

Keystrokes should be way more distinctive than a trigger pull.

EDIT: Michael Recce is his name, <http://www.njit.edu/news/2003/2003-125.php>

~~~
defen
That's fascinating. Can you share more detail? How do they key it to the
individual? Do people really not pull the trigger differently in high-stress
situations vs at the firing range?

~~~
3pt14159
I bet it works on a combination of force, centroid of pressure, time, and
shake.

~~~
simcop2387
Could also be measuring the galvanic skin response and the like to try to
further narrow it down. But I don't know how well that works for reliability
since stress can change it I think.

~~~
icegreentea
And gloves. It seems likely that gloves may be involved with guns. Best not to
rely on it.

------
Zimahl
I built some network security software in the early part of the 2000s. Around
2005, a local guy built a keystroke pattern recognizer utilizing neural
networks to learn your keystrokes and was able to correctly identify who you
were after a minimal amount of learning (typing). He brought it by to see if
we were interested in licensing it and using it in our product.

While somewhat of a black box demo, we were able to play with the technology.
We tried a ton of stuff to fool the system (physical only, we didn't use
keystroke macros or anything like that) and it would correctly identify us
every time. It was showing us the probabilities as they'd change and it was
uncanny how it would immediately know that I started typing instead of a
coworker.

So, it's not only probable/possible/exists, its only drawback is the lack of
necessity. Outside of the highly paranoid using it to prevent outside
intrusions (government mostly), not many systems need it due to lower-end
attacks that are much easier to do and typically successful enough.

~~~
mistercow
How many people were there? Did he have any way of estimating the entropy of
the signatures? Did you try the demo over multiple days, and at different
times of day, to see if it continued to identify you correctly?

>its only drawback is the lack of necessity

No, that's not the only drawback. Be very careful when talking about
cryptography and security never to assume that you are aware of all of the
weaknesses unless you've got a formal proof.

One very big drawback I can think of off the top of my head is that it would
essentially be like having the same password everywhere, and being completely
unable to change that password. If someone records your typing style once,
they will be able to get to absolutely everything that identifies you based on
typing style. At least with retina scans and fingerprints, there are
mechanical obstacles to producing a facsimile.

~~~
Zimahl
We had 5 or so people playing with it over a couple days. We didn't have any
insight into the code - how often it polled, how much it changed, the window
of valid keystrokes, etc. - just the ability to use the demo software and see
various metrics.

You're right, it's not the only drawback. I just meant that there are many
vectors of attack when it comes to network security and so many fail at those
that this might be less gain than one might assume at first thought.

~~~
pbhjpbhj
Perhaps he was a conman operating a switch in his shoe. The stats were
randomised generic averages ...

~~~
mistercow
Oh, good catch. I'm embarrassed that it didn't occur to me to point that out.

------
colanderman
The major problem with this scheme is that if I type it "wrong", I have no
conscious way of recalling how to type it correctly. In fact, my natural
cadence will likely be thrown off even more by the stress of not being able to
log in. I would quite literally have to walk away from the computer, do
something relaxing for a few hours, and then walk back hoping that I type
naturally again.

~~~
mertd
I think the gatekeeping example serves just as a proof of concept. It could be
more useful for continuous monitoring. For example, to tell you that somebody
else may be using the computer that you are still logged in to.

~~~
ChuckMcM
This is the more compelling case for me. Train it across an organization and
then you can monitor who typed what. In operations, this is my killer use
case.

The problem is that we have 'server' machines and a system which requires
'root' access to do certain things. We'd love to know who on the operations
staff did something on the server (a workaround is to set an environment
variable, which works in the 'normal' case but fails if someone is being a
bad actor). So you train it up across the org, and then whenever you have a
session where the signal from the type sig doesn't match the logged in UID,
you alert it (or log it). So instead of 'root just changed the date to last
year' you get 'Chuck just changed the date to last year'. That would be a very
very very useful tool to have in one's toolbox.

~~~
shabble
If someone is misbehaving (and is aware of the system), I would imagine with a
certain discipline (say, rotate the keyboard 180 degrees and try to touch-type,
or just hunt-n-peck with some significant random variation) it would be
reasonably easy to 'fool'. That is, it would be unable to classify it as any
of the known users.

I'd think it could be more robust than the 'remember to set env X=y before
doing stuff' especially for real-time oh shit fix everything moments, as a
sort of passive identification, but couldn't hope to stand against a
determined adversary.

~~~
dwerthen
Isn't the point that it would be rather difficult to impersonate someone else?
I mean, the system would realize that "someone" is misbehaving and can
flag/log the actions appropriately or even disallow them entirely.

------
melvinmt
> To view this content, please install Wolfram CDF Player. This will take
> 538.4 MB of space on your computer.

Erh.. no thank you.

~~~
vnorby
It seems like this could be built in JavaScript. Might not be as precise but
at least it would be demoable.

~~~
qq66
The major purpose of this post is to get you to install the plugin, so I doubt
that would achieve what they want it to.

------
golovast
I've once evaluated a product like this pretty extensively. This was about 5
years back and I think the company is now called Admit One Security.

Surprisingly enough, that company's userbase absolutely hated carrying tokens
and they wanted to bend over backwards to accommodate them. The entire point
was to provide an alternative way of doing 2-factor authentication.

The bottom line is that it mostly did work as advertised. The place where it
struggled was poor typers of the hunt and peck variety. They just didn't have
a good enough pattern and the failure rate was fairly high.

Another weak point would be any type of hand injury or even being under the
influence would throw it off completely.

I liked the approach a lot, but ultimately, when it does fail, it's extremely
frustrating to the end user, since they don't really understand what they did
wrong.

------
pavel_lishin
My first thought is that this can trivially be spoofed by installing a
keylogger with playback functionality, but at that point a password wouldn't
save you, either.

~~~
JoeAltmaier
Could you keylog/model a user when using another machine i.e. a public library
computer, then use that model to simulate the user (playback) elsewhere? Do
you have to capture them typing the 'passphrase'?

~~~
cristianocd
Not only a keylogger, but a "soundlogger" would also work.

Checking long posts on news sites or blogs just to make sure it is the writer
would be interesting, but boring and not worth it.

~~~
shabble
For interesting research here, see: _Keyboard Acoustic Emanations Revisited_,
Li Zhuang, Feng Zhou, J. D. Tygar

<http://www.cs.berkeley.edu/~tygar/keyboard.htm>

        "We examine the problem of keyboard acoustic emanations.
        We present a novel attack taking as input a 10-minute sound recording of a user
        typing English text using a keyboard, and then recovering up to 96% of typed
        characters. There is no need for a labeled training recording. Moreover the
        recognizer bootstrapped this way can even recognize random text such as
        passwords: In our experiments, 90% of 5-character random passwords using only
        letters can be generated in fewer than 20 attempts by an adversary; 80% of
        10-character passwords can be generated in fewer than 75 attempts."

------
ctdonath
According to a recent meme going around, the answer is "no" because the
question is a headline.

~~~
sirclueless

        So the ability of this method to identify you based
        on your typing style would require a certain amount
        of consistency in the way you type.
    

Well done, you found the answer. A lot of people can't be positively
identified, and the whole thing is error prone.

------
Terretta
The late Michael Crichton wrote an Apple II program in the mid 80's using
intra-letter timings to check if the person typing a password in was the
person who set it. Worked pretty well; better if improved to sample multiple
times, use long phrases, and adjust tolerance.

~~~
marquis
That's an interesting idea for 2-factor auth. I know how to enter my computer
password blindingly fast, it's pure physical memory.

~~~
ceejayoz
Wouldn't be much fun when you change it, though.

~~~
batista
Why? The algorithm could acknowledge and adapt to a changed password, and try
to learn the timings anew, instead of expecting the same speed as with the
older one.

------
paulhodge
This idea has some history to it, I remember reading that they tried to use
this same analysis in the trials against Kevin Mitnick. Some clever sysadmin
had recorded Mitnick's telnet activity (as it went across some crappy modem)
and claimed to be able to identify him based on the timing of different keys.
The judge threw it out as not being reliable evidence.

Wish I could remember where I read that; it was some book about hackers in
general.

------
hippich
Yes. I did it back in 6th grade (i.e. somewhere in 1997 probably) using Turbo
Pascal without all this fancy/shmancy neural stuff. Just a 3 dimensional array,
one plane for each user and get average time between key strokes. It was good
enough to detect me, my mom, father and my friend.

It also has a downside - your pattern will change over time and if this is the
sole authentication measure - it will fail eventually. I would use it as fuzzy
monitoring to detect stolen credentials instead.

------
mistercow
The biggest problem with this is that it requires uniqueness to be traded for
error tolerance. People are going to have different typing styles depending on
their mental and physical state, and their typing styles will change over
time. In addition, while the space of _possible_ typing signatures is very
large, the space of _actual_ typing signatures is much smaller. So we
simultaneously have to assign each person a blob of signature space which is
big enough that it can positively identify them regardless of whether they've
had their morning coffee (or, god help them, they cut their finger or break
their arm), and small enough that we don't have so much signature overlap as
to make the system useless.

In either case everybody will have to have a fallback password in case their
stride is off one day. If the system works well, then that password will be
rarely used. A rarely used password is harder to remember than a regularly
used one, so people will choose weak passwords for the fallback.

So the only way that this system has _any_ chance of working without grossly
compromising everyone's security, is if it barely ever positively identifies
anyone.

Of course, even if it did work perfectly, it would be the equivalent of having
the same password everywhere. In that case, why not just memorize one strong
password?
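
An added example, not part of any comment in this thread: a sketch of the per-user average-timing table hippich describes, with the accept tolerance mistercow discusses made explicit. The users, digraph latencies and tolerance values are all constructed for illustration, and the z-score distance is one assumed way to compare a session against a profile.

```python
from statistics import mean, stdev

# Constructed enrollment data (hypothetical users): inter-key latencies in
# milliseconds for four digraphs, four typing samples each.
ENROLL = {
    "alice": {"th": [95, 102, 99, 105], "he": [80, 84, 78, 86],
              "er": [110, 118, 113, 121], "in": [90, 93, 88, 97]},
    "bob":   {"th": [150, 160, 144, 155], "he": [130, 122, 127, 135],
              "er": [170, 181, 176, 165], "in": [140, 149, 137, 146]},
}
# Constructed sessions: Alice on a normal day, Alice typing slowly, and a
# typist who was never enrolled.
SESSIONS = {
    "alice_normal": {"th": [100, 98], "he": [83, 81], "er": [115, 117], "in": [92, 94]},
    "alice_tired":  {"th": [118, 122], "he": [98, 101], "er": [138, 135], "in": [108, 112]},
    "stranger":     {"th": [124, 126], "he": [104, 106], "er": [142, 144], "in": [115, 117]},
}

def build_profiles(enroll):
    """Per user and digraph, store (mean, stdev) of the enrolled latencies."""
    return {user: {dg: (mean(v), stdev(v)) for dg, v in digraphs.items()}
            for user, digraphs in enroll.items()}

def distance(profile, session):
    """Mean absolute z-score of the session's digraph means against a profile."""
    zs = [abs(mean(times) - profile[dg][0]) / max(profile[dg][1], 1.0)
          for dg, times in session.items() if dg in profile]
    return mean(zs) if zs else float("inf")

def identify(profiles, session, tolerance):
    """Closest enrolled user, or None when nobody is within tolerance."""
    user, dist = min(((u, distance(p, session)) for u, p in profiles.items()),
                     key=lambda pair: pair[1])
    return user if dist <= tolerance else None

def sweep(tolerances=(3.0, 5.0)):
    """Decision for every constructed session at each tolerance."""
    profiles = build_profiles(ENROLL)
    return {t: {name: identify(profiles, s, t) for name, s in SESSIONS.items()}
            for t in tolerances}

if __name__ == "__main__":
    for tolerance, decisions in sweep().items():
        print(tolerance, decisions)
```

At tolerance 3.0 the slow-day session from the enrolled user is rejected along with the stranger; at 5.0 she is accepted again, but the unenrolled typist is then matched to bob.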

------
sbornia
I'm sure the way I type is quite different when I type on another computer's
keyboard... I don't see the point of this...

~~~
ColinWright
It's sometimes said that if you aren't embarrassed by your product at launch
then you've waited too long. It's important to get early feedback, and build
on early reactions and responses.

Likewise, by making ideas like this, along with an early investigation,
perhaps someone can build on it, or throw out another idea, and perhaps people
can work together to find a good solution to the mess that is current user
identification.

Or would you rather people beavered away in secret, never sharing ideas, never
sharing their results, and never working together?

------
1123581321
I'd love to see this analysis broken down by qwerty, Dvorak and Colemak.

------
devs1010
I worked for a company that makes test taking / proctoring software that
attempts to do this, I didn't work on the product myself but it seemed a bit
of a trainwreck as they would always be having to do overrides for people who
couldn't make it past the typing authentication (which was based on a previous
sample of their typing), it measured pace, speed, etc. The company itself
wasn't that great so not surprising their implementation of this wasn't
optimal, however it's an interesting concept.

------
inportb
<http://hackaday.com/2009/10/09/safelock-biometric-typing-security/>

I experimented with this a couple of years ago when I saw that video, by
implementing an ajaxy authentication system that timed keystrokes. Ignoring
the fact that you could probably keylog the heck out of it, I found that a
single user's typing patterns varied substantially, depending on typing skill,
input device, and so on. Oh, well.

------
davidwparker
Interesting... until I have an injury or someone with disabilities has to use
it and are not consistent typists anymore.

------
zafriedman
Counter question. Can a person be identified by just what it takes to get them
to download the Wolfram CDF player?

------
holri
I once wrote a simple keystroke analyzer for a login page. It was based just
on the duration and pauses of your keystrokes. Worked great but had little
practical usefulness. The advantage and disadvantage is you cannot simply
write down the password.

------
jeremyarussell
So for authentication this doesn't seem like it could completely replace the
password. That said wouldn't it be interesting as a way to tell when someone
is stressed out or tired. For instance I know when I'm super mad my spelling
goes down the pot.

~~~
eliasmacpherson
Remember Gmail's arithmetic questions after watershed to prevent drunken users
writing 'regrettable' emails? This could be another angle to provide the same
functionality.

------
ThomPete
So basically you could create a service where:

1. You ask a user to type in a couple of words.
2. Create a profile for them.

so that when you sign up for something you:

3. verify they are who they say they are as they fill out the form.
4. can skip captcha? (i.e. the form filling is the captcha)

?

~~~
riobard
No I don't want to fill the form by hand. I'd like the browser to autofill it
for me the next time.

~~~
ThomPete
So you just make sure that the autofill is your profile :)

~~~
riobard
Autofill profile will be the same for everyone, no?

~~~
ThomPete
You have to fill it out once and thus your keystrokes can be profiled.

~~~
riobard
OK, I see your point. But I doubt browsers will support this by default...

------
jacobr
Could this be used to combat some types of spam? There are of course
legitimate uses of copy/paste, but you could for instance get a captcha if
your typing patterns do not match a human's when writing a blog post.

------
derrida
Your writing style can identify you. 'Jstylo' is a tool that detects
authorship. 'Anonymouth' is a tool that spoofs authorship (ever wanted to
write HN replies as if you were JK Rowling? You can do it.)

------
zserge
OK, that may work with a hardware keyboard, but what about a manner of typing
on on-screen keyboards? Will I be able to log in from the tablet or phone?

------
brey
<http://en.wikipedia.org/wiki/Betteridges_Law_of_Headlines>

I'm going with "no" ;-)

------
mdanger
Wasn't this true back in the telegraph days? I seem to recall reading that
operators could identify each other just listening to transmissions.

------
horsehead
Couldn't it also be beaten by, say, a professional drummer who cadences each
keystroke perfectly?

------
xtractinator
The way I type changes dramatically from day to day, depending on my emotion.
Sometimes I type very choppily at 35wpm, and sometimes I type like a waterfall
flowing over rocks in waves at 120wpm. There's no way that this method would
work reliably for me.

