

Bypassing the Password: Seeking Ways to Make the Computer Password Obsolete - dfc
http://www.nytimes.com/2012/03/18/business/seeking-ways-to-make-computer-passwords-unnecessary.html

======
lsiebert
I think it's helpful to think of two components to any sort of authentication,
external and internal characteristics of identity.

External identity in that the individual attempting to log in has
characteristics that are limited to the individual who was granted access.
This is not provided by the login name, to be clear, but by the authentication
means (biometric etc). Unfortunately biometrics can be copied... and if
copied, generally can't be changed. So external identity authentication is
brittle.

Internal identity in that the individual intending to log in demonstrates
behavior consistent with the knowledge or mental state of the individual who
was granted access. When the person enters in something they uniquely know,
they are demonstrating something more than having a characteristic associated
with their identity like a fingerprint. This is better, but still faces risks,
especially when the internal identity authentication method is based on
something which is outside the user's choice.

Biometrics prove external identity, but not internal identity, which can be
problematic, in that fingerprints can be copied much more easily than things in
people's heads. There are other issues with external identity, in that
characteristics change. If I'm a DEA agent and get shot in the throat while
undercover, even if I recover my voiceprint may be entirely different. If I
get a papercut, my fingerprint might not scan. And so on.

As I said, there can be failures in internal identity too. Asking set security
questions means that the mental state can become known to attackers. If every
website asks about favorite teachers, pet names, mothers' maiden names, etc.,
then a user who fills out the security questions at a seemingly legit website
is compromising their internal identity authentication. Or a user who is doing
something different, or whatever, may fall afoul of an automated program that
analyzes their typing. Switching to Dvorak could mean losing access to your
account.

That's why passwords/pass phrases are in many ways better than any alternative
I've seen so far. Because they are chosen by the user to be something secret,
security conscious people know not to use their birthday or other dates of
importance to them. Passwords/phrases are either known or unknown... you
simply compare them, or more likely their hash, to what's stored in your
shadow file, password database. It's pretty hard to have one's passphrase
learned surreptitiously by recording the user's voice, or stealing a glass
with their fingerprint to rub gummyworms on.

This keystroke analysis though... it ignores two possibilities. 1. Is that
some incident affects keystroke length, like an injury. 2. Is that the
individual's keystroke method could be learned from their activity elsewhere,
like their security question answers can be learned, and an intermediate
device used to change the unauthorized user's keystrokes into those that match
the authorized user.

I wish I had an alternative suggestion that was awesome and fixed such issues.
About the only thing I can think to improve security is to combine methods. I
like sci fi, and maybe at some point centuries from now people will be able to
do PGP mentally with nanotechnology or something fanciful like that. But by
then I expect that there will be possible attacks to counter such
authentication.

~~~
DanBC
> _This keystroke analysis though... it ignores two possibilities. 1. Is that
> some incident affects keystroke length, like an injury._

But it's a suggestion that something might be wrong, and that extra checks are
needed. The article mentions using a webcam or sending a security guard around
to check. (Obviously, this only works for internal office security and is
hopeless for people working from home)

> _2. Is that the individual's keystroke method could be learned from their
> activity elsewhere, like their security question answers can be learned, and
> an intermediate device used to change the unauthorized user's keystrokes
> into those that match the authorized user._

I'd be interested to know how much data someone would need to build a
successful keystroke-impersonator. And then where would they capture that
data?

And there are really big problems with passwords; they're asked for in all
sorts of places, and people don't bother using secure passwords even in the
important places.

There's not that much research about passwords, especially considering how
much money is controlled with them.

~~~
magic_haze
A standard keylogger would do the trick, I guess: just store the timestamp
along with the key pressed, register yourself to the OS as a keyboard device
and then replay the keys back. How hard could that be? The only plausible
response I can think of is to go the HDMI route and force keyboard
manufacturers (and the OS) to only recognize cryptographically sound
connections.

------
dhx
The interesting aspect of this research is intrusion detection, not
authentication.

After a user has authenticated with a system (either legitimately or
otherwise), analysis of keystroke or mouse movement timing patterns could
raise an alarm when the patterns don't match those learnt from the real
account holder.

Intruder use of unlocked terminals, stolen smart cards, latex-coated gummy
bear fingers, wax models or other movie favourites could be detected minutes
later when usage patterns of the terminal don't match the learnt patterns.
With appropriate physical security measures in place, it'd be as simple as
sending around a security guard or remotely viewing security camera footage
and real-time desktop usage/network traffic.
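Added example (not from the article or any commenter) of the mechanism both magic_haze and dhx are talking about: a keystroke-timing profile built from dwell (hold) and flight (gap) times, an anomaly score that flags a different typist after login, and the replay weakness magic_haze describes, where a keylogger that stored press/release timestamps feeds the genuine user's events back through a virtual keyboard. All typing samples are constructed with a seeded generator; the 5 ms tolerance floor, the 3.0 alert threshold and the base timings are assumptions for illustration.

```python
import random
from collections import defaultdict
from statistics import mean, pstdev

TEXT = "secret"        # the fixed string (say, a password) whose typing rhythm is profiled
STD_FLOOR_MS = 5.0     # assumption: never enforce a tolerance tighter than 5 ms


def features(events):
    """Timing features of one typing of TEXT.

    events: [(key, press_ms, release_ms), ...] in typing order.
    dwell  = how long a key is held; flight = gap between releasing one key
    and pressing the next. Keyed by position so a fixed string always yields
    the same feature names.
    """
    feats = {}
    for i, (key, press, release) in enumerate(events):
        feats[f"dwell:{i}:{key}"] = release - press
        if i:
            prev_release = events[i - 1][2]
            feats[f"flight:{i}"] = press - prev_release
    return feats


def build_profile(samples):
    """Per-feature (mean, std) over enrolment samples of the genuine user."""
    per_feature = defaultdict(list)
    for sample in samples:
        for name, value in features(sample).items():
            per_feature[name].append(value)
    return {name: (mean(vals), max(pstdev(vals), STD_FLOOR_MS))
            for name, vals in per_feature.items()}


def anomaly_score(profile, sample):
    """Mean absolute z-score of a sample against the profile; 0 is a perfect match."""
    zs = [abs(value - profile[name][0]) / profile[name][1]
          for name, value in features(sample).items() if name in profile]
    return mean(zs) if zs else float("inf")


def synth_sample(rng, dwell_ms, flight_ms, jitter_ms=10):
    """Constructed typing sample: base dwell/flight plus uniform jitter (no real captures)."""
    t, events = 0, []
    for ch in TEXT:
        release = t + dwell_ms + rng.randint(-jitter_ms, jitter_ms)
        events.append((ch, t, release))
        t = release + flight_ms + rng.randint(-jitter_ms, jitter_ms)
    return events


def demo(threshold=3.0):
    """Enrol Alice, then score a fresh Alice sample, a different typist and a replay."""
    profile = build_profile(
        [synth_sample(random.Random(seed), 90, 130) for seed in range(10)])
    fresh = synth_sample(random.Random(100), 90, 130)    # Alice, later that day
    mallory = synth_sample(random.Random(200), 55, 250)  # someone else at her terminal
    # A keylogger that stored press/release timestamps can feed the captured events
    # back through a virtual keyboard device; the detector then sees exactly Alice's rhythm.
    replay = [tuple(e) for e in fresh]
    return {
        "threshold": threshold,
        "alice": anomaly_score(profile, fresh),
        "mallory": anomaly_score(profile, mallory),
        "replay": anomaly_score(profile, replay),
    }


if __name__ == "__main__":
    for who, score in demo().items():
        print(f"{who:10s} {score:6.2f}")
```

Mallory's score is driven by the flight times (her 250 ms gaps against Alice's 130 ms), which is why a different typist is easy to spot, while the replayed capture scores identically to the genuine sample: timing analysis cannot distinguish the user from a faithful recording of the user, so it belongs in the post-login detection role dhx describes rather than as the sole authenticator.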

~~~
harshreality
I don't think it's good for either authentication or intrusion detection.

There's some critical deadline with a lot of stress attached. I have a few
moments to log in and do something important. Will the stress and different
behavior prevent me from being authenticated? Will I be authenticated but
kicked out when my behavior does not match the norm?

If the timing detection or other behavior checking is made flexible enough to
reliably cope with those situations, how much security is it really providing?

~~~
dhx
I thoroughly agree with these points.

Some further reasons why I still believe this research could prove very useful
even with the problems you mentioned:

1. Perhaps multiple usage profiles can be generated based on the emotional
state of the user? So perhaps there is a distinct difference between stressed
Alice, angry Alice, bored Alice, "just started work and half sleeping" Alice
and the usage patterns of other users in other emotional states (including
Mallory the attacker). This would have the added benefit of being able to
provide information about the emotional state of yourself/employees over time.
This is not to say that ethical/privacy issues don't exist in this scenario.

2. Plenty of other metrics exist other than just keyboard or mouse timing. At
what frequency (and timing) does a user click buttons in a user interface? How
often does the user switch between applications? Did they use keyboard
shortcuts to switch? How fast does the user read and navigate through a
directory list? Do they use keyboard shortcuts to open or delete a file?
Mallory the expert attacker is unlikely to stumble around menus at all or in
the same way Alice the novice computer user does.

3. With other measures in place, dependent on the size of the user base, it
may be OK to have a high false positive ratio (<99.9%). Perhaps the
organisation doesn't mind receiving 2 or 3 false alerts a day amongst 1,000
users. For point of sale systems (another potential application for this
technology), a very high FP ratio may be adequate as a filter to narrow down
thousands of hours of security camera footage looking for fraud (use of an
unlocked terminal).

~~~
harshreality
I agree that it works for security-sensitive institutions with their own
IT/security staff who can re-enable accounts if there's been a mistake. In
contrast, what do I do if I get locked out of my personal computer? Either
it's time-based and I have to wait 15 minutes to log in again, which is
unacceptable, or I have to call my OS vendor, which is impossible. Even for
ordinary employees at ordinary companies, the IT burden from false positives
would be prohibitive.

In an organization with sensitive or classified data, false positives when
someone is unusually stressed or acting abnormally could be a _benefit_. The
government would want to know about someone exhibiting unusual behavior when
accessing classified information, even if they're not an impersonator.

The problem with multiple factors (other than real biometrics) is that they're
not independent. If I'm stressed or mad or tired, my behavior is likely to
fall outside of the parameters for most of the checks -- keyboard timing,
mouse behavior, window switching or menu navigation -- not just one of them.

Even something as simple as the article's suggested creditcard.txt honeytrap
won't work reliably. If I access it, maybe I'm Mallory, or maybe it's been 3
years since I set it up and I forgot it was a honeytrap.

It wouldn't work inside a VM, either. You can't lock someone out when they
have the ability to snapshot the entire OS below the level of the
authentication system.

Finally, there would be no way to help someone else with a computer problem,
because they'd almost certainly get locked out.

------
tazzy531
Yet another reminder to enable 2 factor authentication on your Google account.
[1]

[1] http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

------
twiceaday
This problem has long been solved by public-key cryptography. The real problem
is coming up with a solution that computer illiterate people can use.

~~~
justjohn
public-key cryptography only solves computer-computer interactions. It does
nothing to help me authenticate with my computer.

~~~
dhx
Physical security is the primary means of achieving human-computer
authentication. Terminals in high-traffic locations, use of something along
the lines of Common Access Card[1] and many other techniques can provide this
level of authentication.

[1] <https://en.wikipedia.org/wiki/Common_Access_Card>

------
helen842000
As we know, there are 3 types of authentication:

Something you know (dob, password)
Something you have (bank card, key)
Something you are (biometric measurement, i.e. fingerprint)

Surely a biometric measurement on its own is secure enough? It's also the
simplest.

Something I've noticed from working in banking security is that asking fixed
answer questions (something that doesn't change) quickly detects possible
unauthorised access attempts. e.g. it's deeply suspicious if someone forgets
their dob.

Asking questions that have flexible answers results in lots of incorrect
answers by genuine account holders & resets are required frequently. Questions
like favourite place, first school, age (yes, believe it or not blackberry
uses a fixed age not dob!) should not be used.

------
justahacker
You know what...

Make it a brainwave pattern identifier already...

Alpha, Beta, Delta...

That's unique, right?

neural interface authentication

Makes me cringe @ what you'd have to do to crack that...

:-\

~~~
sp332
Record someone's brainwaves as they walk by and replay them on a tiny
electromagnet later? That's even less secure than a fingerprint.

------
ams6110
With some refinement, this sounds all well and good for something like logging
into your computer at work. But how do you access keystroke duration on an ssh
login... or a web app?

What if I'm logging in from my tablet or smart phone? Is there such a thing as
"duration" of a keypress on virtual keyboard? Clearly my keyboarding style
using two thumbs is going to be different than when I'm using 10 fingers on a
full size keyboard.

Passwords/phrases have a usability and cross-platform utility that is hard to
replicate with other approaches.

------
benohear
As long as you can boot / wake up your machine with it, fingerprint scanning
feels pretty much like not having a password, since it's about the same effort
as pressing the on button

~~~
joering2
yes but do I want to be leaving a digital copy of my fingerprints somewhere,
anywhere?

they asked me that at the gym. I said no thank you. In a very unlikely
situation, what stops them from stealing your computer, obtaining your
fingerprint file (given it wasn't encrypted properly) and printing it out and
using it in a crime, just to frame you for example.

~~~
zck
The larger risk for someone stealing your fingerprints at the gym is them
taking a print off a door handle.

------
gall
In the United States, an authentication scheme that doesn't rely on mental
contents wouldn't be subject to self-incrimination protections against
compulsory decryption.

------
goatslacker
Your password doesn't have to be "6tFcVbNh^TfCvBn" but it can be something
like "The quick fox jumps over the lazy brown dog." and still be strong with
the added benefit that it's more memorable.

Password-less authentication will be great once the machine can recognize my
face and voice and know it's me.

~~~
DanBC
> _"The quick fox jumps over the lazy brown dog."_

I honestly can't tell if you're joking. Just in case you're not: that's a
horribly insecure passphrase.

~~~
larholm
That specific example might be flawed, but the principle is sound; a keyphrase
is easy to remember and has plenty of entropy.

"I used to smoke Kings cigarettes under the bridge" suits me a lot better than
"3D5g!§x&".

~~~
FuzzyDunlop
http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars

It's sound if it's a phrase that isn't common or well known.

~~~
larholm
We definitely agree there.

Uncommon phrases are not that difficult to think of though; my own example is
the only hit on google for that phrase.
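Added example (not from the article or any commenter) putting numbers on the passphrase-vs-password exchange above: entropy of a uniformly random character password, entropy of a passphrase whose words are drawn at random from a Diceware-sized list, and why a well-known sentence like goatslacker's is weak no matter how long it is. The set of "common phrases" and the eight-word demo list are constructed stand-ins (a real generator would load the full 7776-word list; the demo list gives only 3 bits per word), and the per-word ceiling reported for a human-chosen phrase is an optimistic model, not a measurement.

```python
import math
import secrets

PRINTABLE_ASCII = 94     # symbols a random-character generator can draw from
DICEWARE_WORDS = 7776    # size of the standard Diceware list (6**5)

# Constructed stand-in for the lists of famous sentences, lyrics and quotations
# that the Ars Technica article says attackers try first.
COMMON_PHRASES = {
    "the quick brown fox jumps over the lazy dog",
    "the quick fox jumps over the lazy brown dog",
    "to be or not to be",
    "may the force be with you",
    "correct horse battery staple",
}

# Constructed demo word list (8 words = 3 bits/word); load a real Diceware list in practice.
DEMO_WORDLIST = ["anvil", "bridge", "cigar", "drift", "ember", "fjord", "glint", "harbor"]


def random_password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a password whose every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def wordlist_passphrase_bits(words, list_size=DICEWARE_WORDS):
    """Entropy of a passphrase whose every word is chosen uniformly from the list."""
    return words * math.log2(list_size)


def normalize(phrase):
    """Case, punctuation and spacing add no entropy; strip them before lookup."""
    table = str.maketrans("", "", ".,;:!?'\"")
    return " ".join(phrase.lower().translate(table).split())


def strength_report(candidate, common=COMMON_PHRASES):
    """Rate a human-chosen phrase.

    A phrase on the attacker's list costs at most log2(len(list)) guesses,
    regardless of its length. Otherwise report the ceiling it would have if
    each word had been drawn uniformly from a Diceware-sized list; a phrase a
    person composed sits below that ceiling, since word choice is not uniform.
    """
    norm = normalize(candidate)
    if norm in common:
        return {"kind": "known phrase", "bits": math.log2(len(common))}
    n = len(norm.split())
    return {"kind": f"{n}-word phrase (ceiling)", "bits": wordlist_passphrase_bits(n)}


def generate_passphrase(words=6, wordlist=DEMO_WORDLIST):
    """Diceware-style generation: a CSPRNG picks each word independently."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"{random_password_bits(15):.1f} bits  random 15-char password")
    print(f"{wordlist_passphrase_bits(6):.1f} bits  6 random Diceware words")
    for phrase in ("The quick fox jumps over the lazy brown dog.",
                   "I used to smoke Kings cigarettes under the bridge"):
        r = strength_report(phrase)
        print(f"{r['bits']:.1f} bits  {r['kind']}: {phrase!r}")
    print("generated:", generate_passphrase())
```

The numbers make FuzzyDunlop's point concrete: the 15-character random password is about 98 bits, six random Diceware words about 77 bits, but a phrase on the attacker's list is worth only the log of the list size (here log2(5), about 2.3 bits) however long it is. The entropy comes from how the secret was chosen, not from its length, which is why a memorable phrase is fine as long as nobody else would pick it.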

------
dubya
My weird biometric tick is that I will hit the shift key twice rapidly
sometimes. Usually this is a no-op, but does something funny on the nytimes
site. It's also super annoying in Windows since hitting shift 5 times brings
up an accessibility dialog.

------
hastur
There's one solution to password headaches:

Use one password everywhere and make it easy to remember.

For instance, I use "p4ssw0rd" on all my accounts, including my e-mail and
bank account.

(You can post yours in response to this comment. I promise I won't tell
anyone.)

~~~
JBiserkov
My password is * * * * * * * * * * * _

