I don't understand. Why can't they just hand you the terminal and say, "log in or we'll shoot you"? Why the roundabout process with recording the sequence and having a failed login and all that?
Doing something with a gun at your head is, I imagine, pretty hard. Imagine something you do with muscle memory every day - maybe typing fast or editor keyboard shortcuts or some such. Now deprive you of sleep, and food, and make you anxious, and then have someone with a gun at your head. Are you still going to be typing as fast? With the same error rate? Are you going to be making the same keyboard shortcuts?
Having said all that, I agree it's a valid risk.
But it's extreme. Other risks are interesting to look at.
The game produces one stream of output mixed from one unique (to each player) login sequence and some random data. So recording many streams would seem to make the real sequence available, and now you just need to simulate the player response to that input. Analysis of sound is an established technology now, having had considerable investment and research because of its military applications. Recording the sound of keystrokes (of typewriters, some printers, computer keyboards) can produce accurate transcripts of what has been written.
Having said all that, I am glad that there are people researching this stuff. It's a bizarrely under-researched gap in security.
And the underlying idea seems reasonable enough. I have a few passwords that I can enter if I'm in front of my keyboard, but give me a different keyboard and I'd struggle.
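The risk raised above (a fixed per-user sequence embedded in otherwise random streams leaks once several streams are recorded) can be quantified with a small simulation. This is an added example, not code from the paper or from anyone in the thread: the six-key alphabet, the 30-item secret, and the eight-segment session layout are assumptions chosen for illustration, and the sessions are constructed with a seeded generator so the result is reproducible. An observer who only sees the concatenated key stream, with no segment boundaries, keeps the length-30 windows that recur in every recording; the secret is the one segment that repeats, so the intersection collapses to it after a handful of sessions. The useful defender-side number is how few recordings that takes.

```python
import random

KEYS = "sdfjkl"           # six response keys (assumption for this example)
SEQ_LEN = 30              # length of the trained secret sequence (assumption)
SEGMENTS_PER_SESSION = 8  # 30-key segments per authentication stream (assumption)


def make_sequence(rng):
    """One random 30-key segment; also used to construct the user's secret."""
    return "".join(rng.choice(KEYS) for _ in range(SEQ_LEN))


def make_session(secret, rng):
    """Constructed authentication stream: the secret appears exactly once,
    placed at a random position among freshly generated random segments."""
    segments = [make_sequence(rng) for _ in range(SEGMENTS_PER_SESSION - 1)]
    segments.insert(rng.randrange(SEGMENTS_PER_SESSION), secret)
    return "".join(segments)


def windows(stream, k=SEQ_LEN):
    """Every length-k window of the stream; boundaries are unknown to the observer."""
    return {stream[i:i + k] for i in range(len(stream) - k + 1)}


def common_windows(sessions):
    """Windows present in every recorded session. Random segments never repeat
    (6^-30 chance), so only the secret and a few windows that straddle the
    secret and a coincidentally matching neighbour survive the intersection."""
    result = windows(sessions[0])
    for stream in sessions[1:]:
        result &= windows(stream)
    return result


def recover_secret(sessions):
    """Return the unique surviving window, or None if the recordings do not
    yet pin it down to a single candidate."""
    candidates = common_windows(sessions)
    return next(iter(candidates)) if len(candidates) == 1 else None


def recordings_needed(secret, rng, max_sessions=20):
    """Risk measure: how many eavesdropped sessions until the fixed secret
    is the only candidate left. None means it survived max_sessions."""
    sessions = []
    for n in range(1, max_sessions + 1):
        sessions.append(make_session(secret, rng))
        if recover_secret(sessions) == secret:
            return n
    return None


if __name__ == "__main__":
    rng = random.Random(7)
    secret = make_sequence(rng)
    print("recordings needed:", recordings_needed(secret, rng))
```

One recording is never enough (every window of the stream is a candidate), but two or three usually are, because a window that straddles the secret and its neighbour only survives if that neighbour key repeats by chance (probability 1/6 per extra session). The point is the one made in the comment: any component that is fixed per user and re-sent on every authentication is recoverable from repeated observation, whatever random padding surrounds it, which is why a scheme like this has to bound how often, and where, the stream can be observed.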
Sorry for the late reply. This system isn't designed to be used on a terminal over the net. From the original paper:
The proposed system is designed to be used as a local password mechanism requiring physical presence. That is, we consider authentication at the entrance to a secure location where a guard can ensure that a real person is taking the test without the aid of any electronics.
And . . .
We note that physical presence is necessary in authentication systems designed to resist coercion attacks. If the system supported remote authentication then an attacker could coerce a trained user to authenticate to a remote server and then hijack the session.
If you're allowed remote attempts and multiple failures, the system is insecure in several ways. It's designed to work in a scenario where you get ONE attempt, and there's an armed guard who doesn't take kindly to it if you fail.
If the attacker has long-term control (e.g. hostage, blackmail, etc.) this is useless.
If the attacker does not, you'll simply ask for help as soon as you're there.
If the attacker wants to impersonate you, a photo check will work as well and is much faster.
The authors and the news coverage claim this offers some sort of rubber-hose defense, but the only scenarios described are either contrived or duplicate more proven techniques (e.g. duress codes, biometrics).