Monday, March 4, 2013

UPDATE: Next Gen Credentials

UPDATE: Recently, I posted some musings on fixing the issue of too many passwords, security and next gen credentials.

It turns out that there is another approach I was unaware of: Behavioral Biometrics. Here's the idea. The system will confirm that the user is who they say they are by the way that they type, not by their password. The concept of using behavioral biometrics for authentication is nothing new, but prior approaches use the typing style as a secondary credential in multi-factor authentication schemata. I.e. a user would both need to know a password AND type it properly.

Obviously, the two-factor scheme would be more secure and not solve the remembering-passwords issue. The biometric only scheme would solve that issue, but would it be more secure than password authentication?

Aside from the problem of false positives (granting access to an unauthorized user), the more likely issue would be false negatives. It isn't clear to me that everyone types in a way that could be consistently recognized all the time. Perhaps for trained stenographers, but what about non-touch typers? I don't touch type. Rather I hunt and peck rapidly and inconsistently. How would a system recognize my style? Perhaps the algorithms are sufficiently robust. Perhaps these systems will only be adopted in situations (such as the NSA) where security is prized above ease-of-use.

It makes me wonder, though how robust these approaches are. Could an attacker watch someone type and mimic their style? Probably, but an attacker who could do that could more easily discover the password by watching.

Identification by behavioral biometrics was pioneered by authorities in Big Brother Britain (which has installed around 4 million cameras to spy on its citizens). British authorities use gait recognition, a computer vision technique whereby software identifies users by their walking style.

Ironic that security firms are using these techniques to secure people's personal information whereas Britain is using them to invade privacy.

No comments:

Post a Comment