
Darpa seeks to free the world from passwords - evo_9
http://www.extremetech.com/computing/122823-darpa-seeking-to-free-the-world-from-passwords
======
gsoltis
Also, this suffers from the same issue as many (all?) biometric authentication
systems: revocation support.

Say someone hacks the db where my particular typing style signature is stored.
Now they can skip the typing and send the signal my keyboard would have sent
and authenticate as me to whatever service was using that db.

You can push the problem into hardware (authenticate the keyboard as well) but
that's just making the same mistake twice (once the keyboard gets hacked...).

Part of a good authentication system is being able to change the locks on the
door when someone loses a key, which is why biometric data is particularly
unsuited for the purpose.

~~~
simonbrown
Or, what if the attacker set up a website (say, a forum) and enticed someone
to visit it and type something, and the site used javascript to log their
typing patterns?

Perhaps if it relied on strength of hitting the keys, this would be harder,
though some of this data might be retrievable from an accelerometer.

~~~
wlesieutre
I wonder if that could handle changes in typing style. I've had finger
injuries where I was deliberately typing softly with one or more fingers.
Would I still be able to log in?

------
glimcat
The article really doesn't say anything more than the headline already did
(then gets into "high-entropy random character strings are hard to remember"
--> solution: "read xkcd, use passphrases"). Also, the DARPA program is more
involved than this implies.

They do link to the DARPA Active Authentication program:

<http://www.darpa.mil/Our_Work/I2O/Programs/Active_Authentication.aspx>

The thrust of which is that they want a better way to establish that the
expected user is in fact the one at the keyboard, including ongoing
verification of whether they are still the person at the keyboard.

They'd also be extra happy if it works with existing hardware, so they'd like
the answer to be things like analyzing the way the keyboard or mouse is used,
or analyzing patterns in how you write (IMO probably more trouble than it's
worth!). "Implant RFID chips in the hands of all DOD personnel" is off the
menu for the moment.

~~~
rprospero
As a beneficial side effect, it also helps ensure that the person at the
keyboard is the expected user at their expected level of sobriety.

------
corin_
An extremely interesting idea, but consider me a sceptic until proven wrong. I
strongly suspect this is something that might see a few "Show HN: I made..."
type posts (not necessarily on HN), which receive feedback that can be
summarised as "nice POC, nice code, not suitable for real use because x, y and
z".

~~~
AndrewHampton
I agree. Maybe this would be harder than I'd expect, but it seems that if an
attacker knows what criteria are used for identification, they could simulate
a given user's typing patterns. And to collect data on how you type, they
could collect it when you're typing into your text editor, IDE, website forms,
or anywhere else.

It seems there would also be a problem when the same person is signing in on a
computer with a keyboard vs on their phone/tablet.

------
alenlpeacock
I did research in this area last decade, and I'm one of the authors of a
survey paper that you might find useful if this subject is interesting to you:
<http://utopia.csis.pace.edu/dps/2007/jkile/content/2005-fall/DCS860A/Extra%20Credit/Original%20papers/j5040.pdf>

There is research stretching back 30 years in this area. Some of the results
are very promising, but the field is severely encumbered with patents. I was
even threatened with a cease-and-desist while doing a research project in this
area for a graduate class.

------
dhx
HN thread from a few days ago: <https://news.ycombinator.com/item?id=3719200>

------
vdondeti
Admit One Security already does this as a part of their keystroke dynamics
tool. One interesting thing they do with it is to use key strokes to see if
users are sharing passwords for subscription services.
<http://admitonesecurity.com/keystroke_dynamics_advantages.asp>

------
ttt_
It all sounds interesting, though wouldn't it be incredibly hard to identify
the same person typing on a keyboard with a different layout or a different
device?

~~~
xymostech
I think the original idea (or at least the one that DARPA is researching) is
that this tech will be only used on government computers, so, assuming they
all use the same computer, that should eliminate some of the problem.

For other uses, you're right, this would be impractical, because typing on a
physical keyboard is obviously different than a touch-screen phone keyboard.

