Didn't I read about this last year - banks using bracelets or something...
Here it is...
OK, not mouse tracking - but pretty close...
The US's mad-tech military boffin unit is developing a form of biometric measurement based on how user handles a mouse. Behaviour-based biometrics, for example how a computer user handles their mouse or crafts an email, would add to the existing repertoire of authentication techniques. Existing authentication techniques …
I get it, and I think they have something there, but in practice I bet inconsistency in style would leave a lot of people locked out.
Being in a hurry to do something important might be enough to change someone's style sufficiently to fail the test.
My suspicious nature leads me to think it might be more about monitoring who is/was on a machine.
Being in a hurry to do something important might be enough to change someone's style sufficiently to fail the test.
... or if the person got sick, or had a sports injury, or was hungover, or... This will obviously take quite a bit of testing before it is widely accepted simply because it is a different way of handling authentication than most are used to and more so because it involves basic security controls. It would seem to me to be appropriate for tracking who happens to be using a system at a given time, but I do not think it will be good enough to provide initial authentication. Given that it is little more than vaporware at this time, I am willing to admit that I may be wrong, but it will be a long time before this has a chance for widespread adoption.
"My suspicious nature leads me to think it might be more about monitoring who is/was on a machine."
Even if the research wasn't carried with this in mind, it's a fair bet it's going to be used for this purpose. Given the news that the UK police have been quietly squirrelling away 18m photos on their national database, how long before they pick up on this new means of suspect identification?
PC: Right, that’s your fingerprints and mugshot taken...
SUSPECT: Is that all then?
PC: No, no. Now you sit in front of this computer and play minesweeper.
PC: You heard! Get clicking and find those little bombs …
SUSPECT: (MUTTERS) Minesweeper? Who plays that these days?
PC: I heard that!
I don't see this as a problem, it could be one of multiple methods of user identification. See how he handles his mouse, his typing cadence, how often he switches windows/tasks, and so forth.
If something is 'off' about these measurements there are multiple options that don't involve "lock you out from your PC", from asking for the user to re-authenticate or provide additional authentication to having someone in security physically visit his office and verify it is him.
These things always start with an assumption which is unproven, and likely wrong.
. . . requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords.
As far as I'm aware, people have created, remembered, and managed, long and complex strings of letters and numbers for a very long time. To say it is inherently unnatural is simply not defensible. Actors routinely memorize accurately a whole script for a play. Singers sing long songs. Etc., etc.
I'm not saying they aren't likely to produce something interesting, but I think they would have more credence if they left off the opening assumption and simply said they wanted to explore something.
"As far as I'm aware, people have created, remembered, and managed, long and complex strings of letters and numbers for a very long time. To say it is inherently unnatural is simply not defensible. Actors routinely memorize accurately a whole script for a play. Singers sing long songs. Etc., etc."
Ah, but memorizing King Lear is vastly different to a few ten-character randomly generated passwords. Here's two reasons:
1) Assignment. I know roughly what King Lear is about, and so if someone asks me for it, it's easy to go through my brain and start with that one, rather than start with Julius Caesar or HMS Pinafore. However, I have four bank cards with four different PINs, and there's no context to relate one to another, I just have to know which is which.
2) Transition between pieces. Although a ten-character password has less information than an entire script, it isn't organized in a way that our brains appear to be used to. Our brains seem to use something like Markov chains to store information, associating one word from the next. There will be significant events to hang words on, a general order, and other people around who also know the script helping you along (I don't mean prompting, but a given character has at most half the words in a script, in most cases). Compared with that, a12hrnf89bkj%DJ& is not something that humans seem to memorize easily, since starting at a12 gives no real information as to why hrnf comes next, whereas from Julius Caesar, "He reads much, he is a great observer" has information content and so the transition to "and he looks quite through the deeds of men" is much easier.
There's also the fact that King Lear doesn't need to be changed every six months, but anyway.
"Although a ten-character password has less information than an entire script, it isn't organized in a way that our brains appear to be used to."
Furthermore, something that random is hard to MAKE a mnemonic against, so not even "memory theater" works well with it. Passphrases at least can employ memory theater, which is why they're easier to remember, but then you run into the sheer number of passwords problem, and when you get to double memory theater (one to know which site and the other to recall the passphrase), we start to trip up. And let's not start with people who just plain have bad memories...
It is not so much remembering my passwords I have difficulty with but remembering which password goes with what.
I also have my head cluttered with remembered passwords which I no longer use which makes it even harder.
And, of course, there are loads of passwords I should remember but have forgotten because I don't use them often enough to reinforce those memories. Luckily someone invented the sticky label.
Probably, but I have the feeling analysis can only be reliable when the user is already logged on. Using it for the ultra-short time required to validate credentials which constrain the possibilities because set actions are required will likely not produce a valid recognition. Kinda voids the premise, in that case.
But it allows ongoing authentication - so you log in using your "less than ideally secure" password, and then this continues to ensure that you are using the machine.
And that if you get clouted round the head and someone takes over the console - it locks them out.
Great, but all touch typists will have the same profile - no mouse movement, once your fingers are in place then keyboard shortcuts are just that - "short", and therefore preferable to grabbing the mouse and finding the cursor and moving it to the right place (usually not allowing an edge pixel) and then clicking....
But even with keyboards you can pick up patterns: unique rhythms of key pace and so on. How much time between keys do you take? How often and for how long do you hesitate between bursts? How quickly do you use the backspace to correct mistakes? And so on...
Wouldn't this be fooled by a recording of mouse movements? I can imagine the following data points without specialist mouse hardware.
* the rate of acceleration and deceleration as you move from the original cursor point to the target.
* the angle of the arc of movement between the two points.
* the delay between movement ceasing and clicking
* double click profile (time between each click and how still you can keep the mouse)
OK, so plug those into some algorithm and give a score as to how likely it is the same user.
Now do all that again and imagine some malware software is recording your mouse movement profile (could even be embedded in a freebie mouse). A vnc style piece of software could after not too much time now allow you to perform an action but instead emulate the recorded profile in those actions.
Not as trivial as a rainbow table, but if these techniques take off you can bet such tools will become available.
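An added example, not from the post or from any product mentioned in the thread: the four data points listed above turned into a feature vector, an enrolled profile of per-feature mean and spread, and a z-score comparison that a continuous-authentication check could run on each stroke. The mouse traces are constructed with the hypothetical `make_stroke` helper, not captured from a real system.

```python
import math
from statistics import mean, pstdev

def make_stroke(dev_px, speed, dwell_ms, dbl_gap_ms, drift_px):
    """Constructed test data: an eased, bowed stroke from (0,0) to (200,100)
    ending in a double-click. Events are (t_ms, x, y, is_click)."""
    ev = []
    for i in range(11):
        g = (1 - math.cos(math.pi * i / 10)) / 2           # ease in, ease out
        y = 100 * g + dev_px * math.sin(math.pi * i / 10)  # bow off the chord
        ev.append((round(i * 20 / speed), 200 * g, y, False))
    t = ev[-1][0] + dwell_ms
    ev.append((t, 200.0, 100.0, True))
    ev.append((t + dbl_gap_ms, 200.0 + drift_px, 100.0, True))
    return ev

def stroke_features(events):
    """The post's four data points as six numbers: acceleration, deceleration,
    arc angle, move-to-click delay, double-click gap, drift between clicks."""
    moves = [e for e in events if not e[3]]
    clicks = [e for e in events if e[3]]
    speeds = [math.hypot(b[1] - a[1], b[2] - a[2]) / max(b[0] - a[0], 1)
              for a, b in zip(moves, moves[1:])]          # px per ms
    k = speeds.index(max(speeds))
    t_peak = moves[k + 1][0]
    accel = speeds[k] / max(t_peak - moves[0][0], 1)       # rise to peak speed
    decel = speeds[k] / max(moves[-1][0] - t_peak, 1)      # fall back to rest
    # arc: largest perpendicular distance from the straight start-end chord,
    # expressed as the angle it subtends at the chord's midpoint
    (x0, y0), (x1, y1) = moves[0][1:3], moves[-1][1:3]
    chord = math.hypot(x1 - x0, y1 - y0)
    dev = max(abs((x1 - x0) * (y0 - y) - (x0 - x) * (y1 - y0)) / chord
              for _, x, y, _ in moves)
    arc_deg = math.degrees(math.atan2(dev, chord / 2))
    dwell = clicks[0][0] - moves[-1][0]                     # stop-to-click
    dbl_gap = clicks[1][0] - clicks[0][0]
    drift = math.hypot(clicks[1][1] - clicks[0][1], clicks[1][2] - clicks[0][2])
    return [accel, decel, arc_deg, dwell, dbl_gap, drift]

def enrol(strokes):
    """Profile = per-feature (mean, standard deviation) over enrolment strokes."""
    cols = zip(*(stroke_features(s) for s in strokes))
    return [(mean(c), max(pstdev(c), 1e-9)) for c in cols]

def score(profile, events):
    """Mean absolute z-score of one stroke against the profile; lower is closer."""
    return mean(abs(f - m) / sd for f, (m, sd) in zip(stroke_features(events), profile))

ENROLMENT = [make_stroke(*p) for p in ((30, 1.0, 120, 180, 1),
                                       (34, 1.1, 140, 200, 2), (38, 0.9, 160, 220, 3))]
PROFILE = enrol(ENROLMENT)
GENUINE = make_stroke(33, 1.05, 130, 210, 2)   # same habits, natural jitter
IMPOSTOR = make_stroke(5, 1.6, 40, 90, 8)      # straight, fast, hasty clicker
```

A score under about 2 would be treated as the enrolled user and anything higher would trigger the re-authentication step other comments suggest; note that an exact replay of an enrolled stroke scores near zero here, which is precisely the weakness the post describes, so a deployment would also want to flag implausibly low variance across successive strokes.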
But the malware would also have to recognize the target of each click, particularly if these targets shift and move. How would a pattern recognizer differentiate between one type of stroke-and-click action and another? Are you trying for the File menu, the Edit Menu, the close box or the minimize box? Are you highlighting or resizing?
A good point. This sort of authentication is not designed to be a primary authentication because you really couldn't tell whether to let them use the computer until after a length of time. Generally speaking, you want someone to authenticate before they start using it, so I see this more like a mechanism to protect workstations where the user has wandered off without locking it. As a secondary measure, it would most likely be quite forgiving to minimise the false positive rates, or could work with tertiary measures like activating the webcam for facial recognition when it has a doubt.
The point about the arc refers to the fact that it is very difficult to move your mouse in an absolutely straight fashion due to how people usually hold their mouse. The size of that arc would depend on a number of factors, such as how you grip the mouse, your usual posture and what part of your wrist is still in contact with the desk, the size of your hands etc. Also, the basic direction you move would influence the extremeness of the arc (which would go back to whether you hold it square on or at an angle).
As a result, (in answer to your question) a relatively simple calculation could create a believable profile for pressing minimise or close. The end point and clicks would be chosen by the attacker, but the mouse movements would not raise any alarms because they emulate the speed and direction such a user is likely to take. The easiest attack vector I can think of is to send some exec a "free mouse" and embed the attack code within it.
I bet that tech already exists for keyboard usage patterns that helps with authentication. You type in a certain way, and that can augment your password. Did you type it, or did someone else? Forced to reveal your password? That's okay, just type it differently and get a different set of data.
I feel like every time I read an article like this, I can understand it better by mentally replacing "authentication" with "privacy invading government/corporate management tracking".
Actual authentication, for real purposes of security, shouldn't depend on the analysis of biometric factors that are not under voluntary control, being constantly broadcast to the world at large, and highly difficult for an individual to alter. However, these are great traits for tracking someone everywhere they go without their knowledge and consent!
But if you don't depend on something that's not intuitive, then you run into two problems: they can be forgotten and they can be copied. Depending on the body makes it hard to copy, and depending on habits makes it even harder to copy (and nigh-impossible to steal since habit relies on experience-based muscle memory which is unique to each person), plus since it's intuitive, you don't even have to think about it to do it, making it suitable even for people with bad memories. Not to mention duress also makes it likely you'll reflexively deliver a negative response. It's the closest thing I can think of to an always-unique identifier that can't be stolen or copied.
I've actually talked with Novetta, they may become an affiliate. The Kaje Picture Password SAAS (http://ka.je) and follow-on products bring two things - cognitive testing and separation of password information from identity. The SAAS can support almost any type of Proof of Knowledge, and could support this biometric method as well.
Well, a little too late: BioSig-ID has had this technology running for over 5 years and they have 2 issued patents including independent testing. They were also selected and funded by NSTIC as one of 5 pilots. It works with a 98% positive response rate from 1st time users. Multiple use cases.
Because a behavioral biometric like BioSig-ID is susceptible to various stresses that can affect motor skills (i.e. spouse, dog, caffeine, injury) they built in a random displacement method that changes alongside how a person's "signature" changes. In this case the signature is not a cursive signature, rather a series of 4 characters, letters or numbers. Consider that your paper signature is changing slightly almost daily, so in a year it has little resemblance to the original. Either you keep asking users to change their profile at regular intervals or use a method that automatically updates like what they did.
"You know that "crazy mouse" thing that happens sometimes - your mouse cursor suddenly runs around the screen a bit?"
Or it could just be the IT department being directed by the boss or whomever to take a quick peek. I know plenty of places that allow a transparent login like this.
Biting the hand that feeds IT © 1998–2019