VSJ – June 2008 – Sounding Board

Robin Jones muses on authentication mechanisms and their foibles.

There’s general agreement that passwords aren’t up to the security job with which they are still largely entrusted. Biometrics and multi-factor authentication are the current great white hopes. But there aren’t really that many options. You can be something (a biometric), you can know something (a password) or you can possess something (a dongle or token).

I’ve been using fingerprint recognition for some time. It’s made me think hard about what techniques might work best to identify users in particular situations. You see, my fingerprint reader is OK but it has to be coaxed into recognising me if my hands are dirty. And I don’t mean covered in engine oil. I mean not having had a shower in the last half-hour. Sometimes that’s five or six swipes, interspersed with a reset because the software sulks after three failed attempts. Then, of course, the reader itself gets dirty and needs regular attention. Now imagine this system being used in a busy hospital ward, for instance. Users aren’t going to be delighted at the prospect of spending a minute or more convincing a terminal of their legitimacy. So they’ll log on at the beginning of a shift and won’t log off until the end (if they remember), making the security mechanism virtually worthless.

Now having been drug up as an engineer with the mantra “An engineer can do for a dollar what any fool can do for ten”, I like solutions that are as cheap as possible. Reading a book on code breaking the other day, I was reminded of the fact that Morse telegraphy operators could be recognised by their characteristic ‘signature’ (their ‘fist’) – their rhythm, if you like. Couldn’t the same be done with typing, I wondered, to give a biometric needing no additional hardware? Well, yes it can and I’m not going to make my fortune at it (which is why I’m telling you) because a quick Web search turned up two companies with current products. These are Psylock (www.psylock.com) and Biopassword (www.biopassword.com). Both seem to work much the same way. They measure the time a user holds down each key (the ‘dwell’ time) and the time between releasing one key and pressing the next (the ‘flight’ time). The latter varies with each possible key pair, so a large amount of data can be harvested from relatively few key depressions, giving good discrimination. Better yet, a simple key-log copy can’t be used to fool the system, because two absolutely identical sets of timings would be suspicious and so are rejected.

However, I think both companies have missed a trick here. They seem to see their products as sentinels – direct equivalents of passwords. That is, once you’re past them, you’re in for as long as you want. But these systems are potentially much more powerful than that. Using their metrics, you announce your identity just by using the keyboard. So a terminal could log you out automatically whenever it detects a different keyboard signature. Couple this with, say, a Bluetooth dongle to act as a hardware user-proximity detector and you have two-factor continuous authentication requiring almost no explicit user action, beyond remembering to keep the dongle about you. That seems to me like pretty good security for almost no effort. And if users aren’t asked to do much, they’ll be less likely to try to subvert the system, so making it still more robust.
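To make the two preceding paragraphs concrete, here is an added example (my own illustration, not code from Psylock, Biopassword or the column’s author) of the dwell/flight approach in Python. It enrols a typist from a few sessions, scores a fresh attempt as a mean absolute z-score against that profile, refuses an attempt whose timings exactly match an earlier one (the replay check described above), and then runs the same scorer in the ‘continuous’ mode proposed here, reporting the window at which a terminal would log the user out. The passphrase, the two typists, the jitter level and the 2.0 threshold are all constructed for the demonstration.

```python
"""Keystroke-dynamics authentication: dwell/flight profile, replay check and
a continuous-monitoring loop. Added example with constructed data only."""
import random
from statistics import mean, pstdev

PASSPHRASE = "sounding"          # constructed: the text users are enrolled on
JITTER_MS = 8.0                  # constructed: per-keystroke timing noise
DIGRAPHS = list(zip(PASSPHRASE, PASSPHRASE[1:]))


def make_typist(base_dwell, base_flight, seed):
    """Constructed 'true' timings for one person: a dwell per key and a flight
    per digraph, each offset from a base so the two typists differ per key pair."""
    rng = random.Random(seed)
    return {
        "dwell": {k: base_dwell + rng.uniform(-30, 30) for k in sorted(set(PASSPHRASE))},
        "flight": {d: base_flight + rng.uniform(-60, 60) for d in DIGRAPHS},
    }


def simulate_session(typist, seed):
    """One typing of PASSPHRASE as (key, down_ms, up_ms) triples, with Gaussian
    jitter so that no two genuine sessions carry identical timings."""
    rng = random.Random(seed)
    strokes, t, prev = [], 0.0, None
    for key in PASSPHRASE:
        if prev is not None:
            t += max(1.0, rng.gauss(typist["flight"][(prev, key)], JITTER_MS))
        down = t
        up = down + max(1.0, rng.gauss(typist["dwell"][key], JITTER_MS))
        strokes.append((key, round(down, 1), round(up, 1)))
        t, prev = up, key
    return strokes


def feature_vector(strokes):
    """Dwell time of each key and flight (release-to-press) time of each digraph."""
    fv = {}
    for i, (key, down, up) in enumerate(strokes):
        fv.setdefault(("dwell", key), []).append(up - down)
        if i:
            pkey, _, pup = strokes[i - 1]
            fv.setdefault(("flight", pkey + key), []).append(down - pup)
    return fv


def build_profile(sessions):
    """Per-feature mean and SD over the enrolment sessions. The SD is floored at
    5 ms so a run of near-identical samples cannot make the scorer hypersensitive."""
    samples = {}
    for s in sessions:
        for name, vals in feature_vector(s).items():
            samples.setdefault(name, []).extend(vals)
    return {name: (mean(v), max(pstdev(v), 5.0)) for name, v in samples.items()}


def score(profile, strokes):
    """Mean absolute z-score of an attempt against the profile; lower is closer."""
    zs = []
    for name, vals in feature_vector(strokes).items():
        if name in profile:
            mu, sd = profile[name]
            zs.extend(abs(v - mu) / sd for v in vals)
    return mean(zs) if zs else float("inf")


class KeystrokeAuthenticator:
    def __init__(self, profile, threshold=2.0):
        self.profile, self.threshold = profile, threshold
        self.seen = set()          # timing vectors already accepted

    def verify(self, strokes):
        """Return (accepted, reason). Timings identical to an earlier accepted
        attempt are treated as a replayed key log and refused before scoring."""
        sig = tuple(strokes)
        if sig in self.seen:
            return False, "replayed timings"
        if score(self.profile, strokes) > self.threshold:
            return False, "signature mismatch"
        self.seen.add(sig)
        return True, "accept"

    def monitor(self, windows):
        """Continuous mode: check each window of keystrokes as it arrives; return
        the index of the first window that fails (where a terminal would log the
        user out), or None if every window matched."""
        for i, w in enumerate(windows):
            if not self.verify(w)[0]:
                return i
        return None


ALICE = make_typist(base_dwell=90, base_flight=120, seed=1)
BOB = make_typist(base_dwell=140, base_flight=200, seed=2)
ALICE_PROFILE = build_profile([simulate_session(ALICE, s) for s in range(10)])


def demo():
    auth = KeystrokeAuthenticator(ALICE_PROFILE)
    genuine = simulate_session(ALICE, seed=100)
    results = [auth.verify(genuine), auth.verify(genuine),   # second call is a replay
               auth.verify(simulate_session(BOB, seed=200))]
    logout_at = auth.monitor([simulate_session(ALICE, 101), simulate_session(ALICE, 102),
                              simulate_session(BOB, 201)])
    return results, logout_at


if __name__ == "__main__":
    print(demo())
```

Two practical points the column glosses over. The replay check here (and, as far as the column describes it, in the products) only catches a byte-for-byte copy of a captured session; an attacker who re-sends the log with a few milliseconds of random jitter added passes it, so the statistical score, not the identical-timing test, has to carry the security. And in continuous mode the threshold trades false logouts against impostor dwell time: set it too tight and the hospital-ward scenario above returns as a stream of spurious logouts, which is exactly what drives users to subvert the mechanism.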

[Something you’d like to get off your chest? Email me (Robin Jones) at eo@iap.org.uk.]
