On 07/10/15 17:48, Michael Nelson wrote:
>
>> It is surprising to know that Javascript is fast enough not to have
>> an impact on system performance when monitoring the keystroke
>> timing!
>
> Well it does have an impact, but not enough to ruin things. Of
> course it's not just js itself, but the browser, which swaps things
> in and out to do lots of things whenever it feels like it.
>
> As requested, here are some details. This is more technical than
> political, but may be of interest.

Technical is fine, there are a lot of Political discussions on here but I
don't think it's by design, just a side effect :)

> This concerns keystroke dynamics on a phrase known by the auth server,
> not the general background stuff. So we are not really talking about
> the passive spying/monitoring here, but rather a potential product. So
> after I wrote my keystroke dynamics proof-of-concept I discovered that
> the statistical technique had been patented 25 years before (the patent
> had expired), which validated my approach... Mine had some extra
> twizzlers though.
>
> At Web browser-based initialization, the user sets a reference
> challenge word, say, "foobar". She must then enter some samples. For
> each sample, a vector of 12 time values is created, one for each
> keyDown and keyUp event. Some subtlety is needed in the programming,
> as keyUp on F might occur before keyDown on O on one sample, but
> after on the next. We would like to compare apples to apples.
>
> So we have a sample from the population of vectors as generated by
> the human. When authentication is checked, we must measure the
> distance of our trial vector from the population. For this I used
> the Mahalanobis distance. Mahalanobis was a well-known Indian
> statistician who in the 1930s designed a test in order to help
> anthropologists decide whether skull fragments found in caves matched
> each other. This test measures the distance between each pair of
> entries in a vector. So F-down and F-up are compared, and also
> F-down and A-down are compared. Crucially, the distributions for
> each pair are normalized. The vectors can have any numerical data in
> the components. It can be used in botany with leaf area, weight,
> rainfall, etc. It works beautifully for typing patterns. Notice
> that we don't need to extract "dwell" times for keys, but all the
> same info is there in the more primitive array.
> I set a configurable threshold of 20 for the distance triggering
> secondary authentication. If I typed with proper focus, I would get a
> distance of, say, around 4. If someone else typed they would get, say,
> 70 or 150. These are just typical examples. It worked fine. Here
> are some things I learned.
>
> 1. It's very hard to test objectively to make a business case. Why?
> Well if you go around the cubicles asking people to try it, you might
> get some people testing it on a laptop they don't normally use, or
> using some sort of random typing, on a string that they don't have an
> established pattern for. I realized that KD is not magic. Just as
> you would not expect to type a normal password "123456" by mashing
> the keys randomly, you have to consciously type in your official
> pattern for KD to work. It is well-known that the best words for KD
> are things like your own name, for which you have a well-established
> pattern. Now you see one of the reasons that this stuff has not
> taken off. You might assiduously set the samples (or have passive
> background capturing working) on your usual desktop. Then it will
> fail when you hunt-and-peck on your laptop.
>
> 2. I had a mobile developer add in touchscreen events for an iPhone
> test. This uses character and time, and also x and y co-ordinates
> for both press and release (there is some drag). The future will
> bring force. The beauty of Mahalanobis is that these just go right
> in and work immediately. Well, the stats do. Dealing with these
> big fat vectors is not trivial. I proved that it would work
> (actually it could not fail), but did not complete the mobile
> version.
>
> 3. I hacked the stats out in C. Interestingly, for me it was harder
> getting the online demo going with the Web page, jQuery, PHP, and
> MySQL, than implementing the actual Mahalanobis test. Maybe I should
> set the demo up for folks to try.
>
> 4. Twizzlers. One is that I allowed arbitrary shifty characters in
> my phrase. So in fact our user could simply tap her favorite rhythm
> on the Ctrl key, for her authentication factor. Worked fine.
>
> 5. Hope the above was of interest...

Definitely, thanks for writing it up.

> mn
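The 12-value keystroke vectors and the Mahalanobis check described in the quoted message, as an added example in plain Python (it is not Michael Nelson's C code or his PHP/jQuery demo). The "foobar" phrase and the threshold of 20 come from the message; the synthetic typing sessions, the 8 ms jitter, the impostor rhythm and the ridge term added before inverting the covariance matrix are this example's own assumptions.

```python
import math
import random
PHRASE = "foobar"  # the reference challenge word from the post

def feature_vector(events):
    # (key_index, "down"|"up", ms) events -> 12 times from the first keyDown, in phrase order
    t0 = min(t for _, _, t in events)
    slot = {(i, kind): t - t0 for i, kind, t in events}  # arrival order is irrelevant
    return [slot[i, k] for i in range(len(PHRASE)) for k in ("down", "up")]
def mean_and_cov(samples):
    n, d = len(samples), len(samples[0])
    mu = [sum(s[j] for s in samples) / n for j in range(d)]
    cov = [[sum((s[i] - mu[i]) * (s[j] - mu[j]) for s in samples) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mu, cov
def invert(m, ridge=1.0):
    # Gauss-Jordan inverse of m + ridge*I; the ridge (an assumption here) keeps it invertible
    d = len(m)
    a = [[v + ridge * (i == j) for j, v in enumerate(row)]
         + [float(i == j) for j in range(d)] for i, row in enumerate(m)]
    for i in range(d):
        p = max(range(i, d), key=lambda r: abs(a[r][i]))  # partial pivoting
        a[i], a[p] = a[p], a[i]
        a[i] = [x / a[i][i] for x in a[i]]
        for r in range(d):
            if r != i:
                a[r] = [x - a[r][i] * y for x, y in zip(a[r], a[i])]
    return [row[d:] for row in a]
def mahalanobis(x, mu, cov_inv):
    diff = [xi - mi for xi, mi in zip(x, mu)]
    idx = range(len(diff))
    return math.sqrt(sum(diff[i] * cov_inv[i][j] * diff[j] for i in idx for j in idx))
def synth_session(gaps, dwells, jitter, rng):  # constructed events, not captured data
    events, t = [], 0.0
    for i in range(len(PHRASE)):
        t += gaps[i] + rng.gauss(0, jitter)
        events.append((i, "down", t))
        events.append((i, "up", t + dwells[i] + rng.gauss(0, jitter)))
    rng.shuffle(events)  # the browser's delivery order is not guaranteed
    return events
def enrol_and_score(threshold=20.0, n_samples=30, seed=7):
    rng = random.Random(seed)
    owner = ([0, 120, 90, 110, 130, 100], [80, 70, 75, 85, 90, 70])  # gaps, dwells (ms)
    other = ([0, 260, 200, 240, 300, 220], [130, 120, 140, 110, 150, 120])  # impostor
    samples = [feature_vector(synth_session(*owner, 8, rng)) for _ in range(n_samples)]
    mu, cov = mean_and_cov(samples)
    cov_inv = invert(cov)
    d_owner = mahalanobis(feature_vector(synth_session(*owner, 8, rng)), mu, cov_inv)
    d_other = mahalanobis(feature_vector(synth_session(*other, 8, rng)), mu, cov_inv)
    return d_owner, d_other, d_owner < threshold, d_other < threshold
```

With fewer enrolment samples than vector components the sample covariance is singular, which is why the ridge is there; the first component is always 0 (the vector is aligned on the first keyDown), so it contributes nothing to the distance.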