On 07/10/15 17:48, Michael Nelson wrote:
It is surprising to know that JavaScript is fast enough not to have an impact on system performance when monitoring the keystroke timing!
Well it does have an impact, but not enough to ruin things. Of course it's not just js itself, but the browser, which swaps things in and out to do lots of things whenever it feels like it.
As requested, here are some details. This is more technical than political, but may be of interest.
Technical is fine, there are a lot of political discussions on here but I don't think it's by design, just a side effect :)
This concerns keystroke dynamics on a phrase known by the auth server, not the general background stuff. So we are not really talking about the passive spying/monitoring here, but rather a potential product. So after I wrote my keystroke dynamics proof-of-concept I discovered that the statistical technique had been patented 25 years before (the patent had expired), which validated my approach... Mine had some extra twizzlers though.
At Web browser-based initialization, the user sets a reference challenge word, say, "foobar". She must then enter some samples. For each sample, a vector of 12 time values is created, one for each keyDown and keyUp event. Some subtlety is needed in the programming, as keyUp on F might occur before keyDown on O on one sample, but after on the next. We would like to compare apples to apples.
So we have a sample from the population of vectors as generated by the human. When authentication is checked, we must measure the distance of our trial vector, from the population. For this I used the Mahalanobis distance. Mahalanobis was a well-known Indian statistician who in the 1930s designed a test in order to help anthropologists decide whether skull fragments found in caves matched each other. This test measures the distance between each pair of entries in a vector. So F-down and F-up are compared, and also F-down and A-down are compared. Crucially, the distributions for each pair are normalized. The vectors can have any numerical data in the components. It can be used in botany with leaf area, weight, rainfall, etc. It works beautifully for typing patterns. Notice that we don't need to extract "dwell" times for keys, but all the same info is there in the more primitive array.
I set a configurable threshold of 20 for the distance triggering secondary authentication. If I typed with proper focus, I would get a distance of, say, around 4. If someone else typed they would get, say, 70 or 150. These are just typical examples. It worked fine. Here are some things I learned.
1. It's very hard to test objectively to make a business case. Why? Well if you go around the cubicles asking people to try it, you might get some people testing it on a laptop they don't normally use, or using some sort of random typing, on a string that they don't have an established pattern for. I realized that KD is not magic. Just as you would not expect to type a normal password "123456" by mashing the keys randomly, you have to consciously type in your official pattern for KD to work. It is well-known that the best words for KD are things like your own name, for which you have a well-established pattern. Now you see one of the reasons that this stuff has not taken off. You might assiduously set the samples (or have passive background capturing working) on your usual desktop. Then it will fail when you hunt-and-peck on your laptop.
2. I had a mobile developer add in touchscreen events for an iPhone test. This uses character and time, and also x and y co-ordinates for both press and release (there is some drag). The future will bring force. The beauty of Mahalanobis is that these just go right in and work immediately. Well, the stats do. Dealing with these big fat vectors is not trivial. I proved that it would work (actually it could not fail), but did not complete the mobile version.
3. I hacked the stats out in C. Interestingly, for me it was harder getting the online demo going with the Web page, jQuery, PHP, and MySQL, than implementing the actual Mahalanobis test. Maybe I should set the demo up for folks to try.
4. Twizzlers. One is that I allowed arbitrary shifty characters in my phrase. So in fact our user could simply tap her favorite rhythm on the Ctrl key, for her authentication factor. Worked fine.
5. Hope the above was of interest...
Definitely, thanks for writing it up.
mn
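The phrase-based keystroke check described in the message above, as an added example that is not code from the thread or its author. It keeps the message's 12-entry vector (a keydown and a keyup time for each character of "foobar"), the square-root Mahalanobis distance and the threshold of 20. The rule for matching keyup events that arrive out of order, the ridge term on the covariance, the two timing profiles and the simulated browser event stream are my own assumptions, constructed so that the block runs offline:

```python
"""Keystroke dynamics on a known phrase, scored with the Mahalanobis distance.

Added example, not code from the thread. The 12-entry vector (a keydown and a
keyup time per character of "foobar"), the square-root distance and the
threshold of 20 follow the message; timing profiles, the event-matching rule
and the ridge term are my own assumptions."""
import math
import random

PHRASE = "foobar"
THRESHOLD = 20.0  # the message's configurable distance threshold


def event_vector(events, phrase=PHRASE):
    """Map chronological (key, type, t_ms) events to the fixed order
    [down_0, up_0, down_1, up_1, ...] relative to down_0. Slots go by position
    in the phrase, not arrival order, so a keyup for 'f' arriving after the
    keydown for 'o' (rollover) still fills slot 0; a keyup pairs with the
    earliest pressed-but-unreleased slot of the same character (two 'o's)."""
    n = len(phrase)
    down, up = [None] * n, [None] * n
    for key, typ, t in events:
        if typ == "keydown":
            i = next((k for k in range(n) if down[k] is None), None)
            if i is None or phrase[i] != key:
                raise ValueError(f"unexpected keydown {key!r}")
            down[i] = t
        elif typ == "keyup":
            i = next((k for k in range(n) if phrase[k] == key
                      and down[k] is not None and up[k] is None), None)
            if i is None:
                raise ValueError(f"keyup {key!r} without a matching keydown")
            up[i] = t
        else:
            raise ValueError(f"unknown event type {typ!r}")
    if None in down or None in up:
        raise ValueError("incomplete sample")
    return [v - down[0] for k in range(n) for v in (down[k], up[k])]


def invert(m):
    """Gauss-Jordan inverse with partial pivoting; fine for a 12x12 matrix."""
    n = len(m)
    a = [list(r) + [float(i == j) for j in range(n)] for i, r in enumerate(m)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(a[r][c]))
        if abs(a[piv][c]) < 1e-12:
            raise ValueError("singular covariance: enrol more samples or raise ridge")
        a[c], a[piv] = a[piv], a[c]
        p = a[c][c]
        a[c] = [v / p for v in a[c]]
        for r in range(n):
            if r != c and a[r][c] != 0.0:
                f = a[r][c]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[c])]
    return [row[n:] for row in a]


def enrol(samples, ridge=1.0):
    """Return (mean, inverse covariance) of the enrolment vectors. down_0 is
    always 0 and a sample covariance has rank below len(samples), so a small
    ridge (ms^2, my assumption) keeps the matrix invertible."""
    n, p = len(samples), len(samples[0])
    mean = [sum(s[j] for s in samples) / n for j in range(p)]
    cov = [[sum((s[i] - mean[i]) * (s[j] - mean[j]) for s in samples) / (n - 1)
            + (ridge if i == j else 0.0) for j in range(p)] for i in range(p)]
    return mean, invert(cov)


def mahalanobis(profile, x):
    """sqrt((x - mu)^T S^-1 (x - mu)): distance of one trial from the population."""
    mean, inv = profile
    d = [xi - mi for xi, mi in zip(x, mean)]
    p = len(d)
    return math.sqrt(sum(d[i] * inv[i][j] * d[j] for i in range(p) for j in range(p)))


def needs_step_up(profile, trial_events, threshold=THRESHOLD):
    """True when the trial is too far from the population: ask for a 2nd factor."""
    return mahalanobis(profile, event_vector(trial_events)) > threshold


def simulate_typing(rng, interval, dwell, phrase=PHRASE):
    """Constructed event stream for one typing of the phrase (not real data).
    interval and dwell are (mean_ms, sd_ms); dwell > interval gives rollover."""
    events, t = [], 0.0
    for k, ch in enumerate(phrase):
        if k:
            t += rng.gauss(*interval)
        events.append((ch, "keydown", t))
        events.append((ch, "keyup", t + rng.gauss(*dwell)))
    return sorted(events, key=lambda e: e[2])  # delivered in wall-clock order


def demo(seed=7):
    """Enrol a fluent typist, then score one of her trials and an impostor's."""
    rng = random.Random(seed)
    legit = dict(interval=(110, 15), dwell=(130, 12))    # rollover typist
    impostor = dict(interval=(350, 30), dwell=(90, 10))  # slow hunt-and-peck
    profile = enrol([event_vector(simulate_typing(rng, **legit)) for _ in range(60)])
    own = mahalanobis(profile, event_vector(simulate_typing(rng, **legit)))
    other = mahalanobis(profile, event_vector(simulate_typing(rng, **impostor)))
    return own, other
```

Running demo() scores the typist's own trial at a few units and the hunt-and-peck trial well above the threshold, which is the shape of the numbers the message reports. Two caveats a practitioner will hit: the sample covariance of p-dimensional vectors has rank at most n-1, so with 12 entries you need more than 12 enrolment samples (or a ridge like the one here) before the matrix can be inverted at all; and browser event timestamps are coarsened to 1 ms or worse since the Spectre mitigations, which the tens-of-milliseconds spreads used here tolerate but a finer-grained scheme might not.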