Biometric behavioural profiling: Fighting that password you simply can't change

Security researchers have developed a browser extension that supposedly defeats biometrics based on typing patterns, with the exercise designed, in part, to promote greater awareness about the emerging technology and the privacy risk it might pose. Biometric behavioural profiling allows a site to collect metadata about how a …

  1. Andy Non Silver badge
    Meh

    Sounds too hit and miss.

    I can just imagine being prompted to enter my username and password again "using my usual keyboard technique and speed". Duh, nothing more likely to put me off my stroke.

    On the subject of security; yesterday I tried to contact the El Reg newsroom about the Android MMS security problem several hours before you posted an article about it. However, your security (Cloudflare) refused to give me the email address of the newsroom. Duh. So I thought to myself "f**k it then".

    Well thought out security is all well and good; anything else just gets in the way and causes problems.

    1. Anonymous Coward

      Re: Sounds too hit and miss.

      My "usual keyboard technique and speed" might also be dependent upon which keyboard I am using too.

      1. Michael Wojcik Silver badge

        Re: Sounds too hit and miss.

        >My "usual keyboard technique and speed" might also be dependent upon which keyboard I am using too.

        Sure. And whether the laptop is sitting on a table or on my lap. And in the latter case, what sort of chair I'm sitting in (my recliner has padded arms that push my elbows up and change my wrist angle). And whether my day's just started (and I haven't warmed up yet), or late evening (and my hands are tired). And whether I happened to do any heavy work on the house that day and my hands are swollen or sore.

        And, as no doubt a dozen people have pointed out below, an injury to a hand or finger will throw touch-typists far off.

        The typing-style biometric is a great example of all of the things that are wrong with biometrics. As a spying tool it has some value (however vile); as an authenticator it's crap.

  2. SuperNintendoChalmers

    Password managers

    What does it profile when I don't type my password or username?

    1. Anonymous Coward

      Re: Password managers

      I was going to say the same thing. My banking password is long, complicated and a bitch to type, so I never type it. Can this method identify my computer/OS because I cut and paste the password?

  3. Elmer Phud

    But . . .

    I have rather clumsy fingers and a touch of Dys-something or other -- And a keyboard that often double triggers due to my tendency to having the delicate touch of an Acme anvil.

    I'm constantly buggering up passwords, having a few goes at them.

    I just wonder how much analysis would be needed to find a pattern that wouldn't go 'wtf?'

    I do have a physical pattern for two passwords but I doubt if the analysis could tell which fingers I'm using.

    No, I won't use one of them password keepers as companies have a tendency to fail or be bought out.

    1. Little Mouse

      Re: But . . .

      You could be onto something there. A system that can recognise you by your mis-types.

      "You've entered your password incorrectly 3 times. Hi Elmer"

    2. mythicalduck

      Re: But . . .

      >No, I won't use one of them password keepers as companies have a tendency to fail or be bought out

      You could just use offline ones, like KeePass? Then all you need to do is copy/pasta

      1. VinceH
        Facepalm

        Re: But . . .

        "You could just use offline ones"

        This was pointed out to Elmer a few days ago.

  4. Cynical Observer
    Thumb Down

    As Mr Scott said....

    ....The more they overthink the plumbing, the easier it is to stop up the drain.

    Anyone else think that this is a really bad idea - what about those who have just walked into the office in winter, hands cold. Anyone who sustained an injury playing sport over a weekend.

    Even an ouchy paper cut.

    Anything that changes your standard typing practice - an interruption to your train of thought in the middle of typing. The fact that you have slowed your typing down to make sure you are hitting the right keys - which is self defeating as the algorithm is looking for you to do it at speed.

    Hopefully this as an idea will die a fast and permanent death.

    1. FlossyThePig

      Re: As Mr Scott said....

      So you have a password with a mixture of upper case, lower case, numbers and special characters. It was created on a PC with a full keyboard but you want to enter on a laptop or even a smartphone.

      What is Shift-6? Or worse what is Shift-2, Apple UK it's @, but PC UK it's ".

      1. annodomini2

        Re: As Mr Scott said....

        That's because Apple are forcing a US Keyboard on you.

  5. Graham Marsden
    Boffin

    "If you have JavaScript enabled"

    Hello NoScript...

  6. Anonymous Coward

    Concerned about privacy

    So develop a Chrome plug-in, ha ha ha ha ha ha ha ha ha ha ha ha ha...........ha ha ha ha ha ha ha ha

    1. marioaieie
      Coffee/keyboard

      Re: Concerned about privacy

      See icon ------->

  7. Marcus Fil
    Pint

    The solution

    literally, to being profiled - alcohol - varying quantities from none to a bottle (or two).

  8. Anonymous Coward

    And when I frequently switch between QWERTY and Dvorak keyboard layouts? And, indeed use different keyboards depending on what computer I'm using? Trouble is, I'm sure these wouldn't stop someone from identifying me enough to trace me, but would probably screw up any password checkers trying to use typing profiling - not even mentioning mobile devices.

  9. Anonymous Coward

    Changes of posture?

    I'm sure I type my password very differently when standing up to the right of the keyboard, for example.

  10. DropBear
    Devil

    Fortunately, the good folks at Firefox HQ seem to have anticipated this and pre-emptively endowed their browser with a stochastic counter-measure: every now and then (whenever FF feels like it) I can type in half a sentence before I realize it has been (fully randomly) either a) held back then typed out instantly, b) held back then typed out one letter per second or c) redirected to /dev/null (presumably).

    1. Anonymous Coward

      I thought it was just me having that problem.

  11. Candy

    There are interesting user cases...

    Coursera have used biometric profiling of the way people type for years as a way of verifying that the same person that registered is the one taking various online tests.

  12. Irongut

    You can't change the way you type

    Actually you can, there's even a whole industry that teaches people to change the way they type.

  13. Triboolean
    Devil

    The Catboard Factor

    How I type depends on where the cat happens to be lounging on my desk, and if one of the keyboards is leaning of a stack of papers to avoid her. Often while she claws at me to try get my attention. Click click oww backspace click click

  14. Jin

    Hopefully not for lower security

    Moreover, behavioural biometrics bring down security.

    Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

    Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

    In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

    http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802
