The combination of a username and password seems like an inextricable part of using a secured computer. Sure, you can use biometrics, but username and password just seems like the most natural way to identify and authorize users without the bulk of extra, expensive, and specialized equipment. That being the case, it has become second nature to most of us, but is it really natural at all? Memorizing passwords, especially “strong” ones, involves remembering long, arbitrary strings of seemingly random numbers and characters, hardly natural. That’s why DARPA has undertaken an initiative to eliminate passwords altogether and instead identify users in the background, as they work, by paying very close attention to the idiosyncratic way they type.
DARPA product manager Richard Guidorizzi proposes this idyllic future:
“What I’d like to do is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions.”
This fantasy is based on that fact that the way you type — and the way you use a computer in general — is actually very specific and consistent. Not so much in browsing habits or your taste in software, but in a very low level way, like how many milliseconds you tend to hold down your keys or the path your cursor takes when moving from icon to icon. These variables, which are largely a matter of muscle memory, can identify a user with 99.5% accuracy, according a study at Pace University. And because they’re so specific and subconscious, they’d be nearly impossible to fake. Adding 10 milliseconds to your keypresses would be just about as hard as adopting someone else’s pulse.
On top of that, passwords have yet another security issue that typing style identification could solve; passwords are a one-and-done deal. Once a password is entered, authorization is granted for whole session. Sure, you can have your computer re-ask, or lock down in certain circumstances, but if someone can guess your password, that’s all they need. Typing-style identification on the other hand, would provide continuous authorization. Each and every keystroke could confirm the user is who they say they are, and impostors could be thwarted in just a few strokes.
Of course, there are plenty of kinks that’d have to be worked out in the meantime. How do you prevent a user from accessing things before they’re verfied, but still giving them an opportunity to type some things? Replacing a password with a “type some random things bar” doesn’t really give you a seamless log in experience. Could the monitoring be intelligent enough to detect — and disregard — typing one-handed while drinking a coffee or typing with sticky fingers? And what about times when there’s no input at all, like watching a video, or reading a sensitive document. Then again, if a computer is unsecured in the forest and no one is around to use it, is it really unsecured?
Obviously there are a lot of issues to be ironed out, but typing-style identification is in its infancy, the planning stages. It’s a tantalizing fantasy though, a future where you no longer have to type in a password and username and your data is actually more secure for it. Considering all the other crazy stuff DARPA has tried its hand at, this doesn’t actually seem too far out. It’s probably still a way off, however, so keep practicing your memorization skills. Not like you have a choice.
(via Ars Technica)