As I began down the dismal path of studying for my (ISC)² SSCP certification I ran across an interesting concept in my study guide called “keystroke dynamics.” Basically it’s a form of 2-factor authentication that allows users to authenticate not only by password but also by the way in which they type their password.
What’s interesting is it is one of the only forms of biometric authentication that can be implemented at little cost with currently available technology. Of course there are cons to KSD (don’t get arthritis!) but if you give users the option to authenticate by KSD OR via a series of the usual what’s-your-mother’s-maiden-name questions, I believe this could be practically implemented.
KSD relies on analyzing dwell time (the time a user keeps a key depressed) and flight time (the time between typing one character and the next). This data is recorded and then transmitted along with your password. If the recorded dwell or flight times deviate too far from the valid values, access is denied.
I thought I’d attempt a web implementation using PHP and JavaScript. You can see the results of this endeavor by playing with the demo below. It captures dwell and flight differences in milliseconds, and if you are within the valid omega for each and possess the valid password you will be granted access.
I was playing with the mathematics behind this the other day and it seems like this would make it exponentially harder for an attacker to brute force a user’s password. If we take the dwell and flight omegas I use in the demo below (120ms and 100ms respectively) and suppose that from person to person dwell times deviate by approximately 400ms and flight times by up to 1000ms, we can calculate how many more combinations are possible in a standard 8 character password:
(400ms / 120ms) * (1000ms/100ms) = ~33 unique ways you can type one character
(400ms / 120ms)^8 * (1000ms/100ms)^7 = ~152,415,790,276 ways to type an eight character password
This means, even if an attacker knew your password (i.e. saw you type it or obtained it by means of a keylogger) he would then in theory have to try all the 152 billion possible ways to type the password.
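As an added example (not the PHP/JavaScript demo from this post), the checks described above in JavaScript: dwell and flight times are extracted from key events, a sample is matched against an enrolled template using the post's 120ms and 100ms omegas, and the timing-variant count is computed from the formula above. Flight time is taken here as key release to next key press, and the event format and the sample rhythm for the password "pass" are constructed assumptions.

```javascript
const DWELL_TOL = 120;   // ms, dwell "omega" used in the post's demo
const FLIGHT_TOL = 100;  // ms, flight "omega" used in the post's demo

// Convert raw key events ({type:'down'|'up', key, t} in ms) into the typed text,
// per-key dwell times and per-gap flight times (release of one key to press of the next).
function extractTimings(events) {
  const keys = [], dwell = [], flight = [];
  let downAt = null, lastUp = null;
  for (const e of events) {
    if (e.type === 'down') {
      if (lastUp !== null) flight.push(e.t - lastUp);
      downAt = e.t;
      keys.push(e.key);
    } else if (e.type === 'up' && downAt !== null) {
      dwell.push(e.t - downAt);
      lastUp = e.t;
      downAt = null;
    }
  }
  return { text: keys.join(''), dwell, flight };
}
// Grant access only when the password matches AND every dwell and flight value lies
// within tolerance of the enrolled template; the right password typed in the wrong
// rhythm (a password replayed from a keylogger, say) is rejected.
function authenticate(sampleEvents, template, password) {
  const s = extractTimings(sampleEvents);
  if (s.text !== password || template.text !== password) return false;
  const close = (a, b, tol) => a.length === b.length && a.every((v, i) => Math.abs(v - b[i]) <= tol);
  return close(s.dwell, template.dwell, DWELL_TOL) && close(s.flight, template.flight, FLIGHT_TOL);
}
// The post's count of distinguishable ways to type an n-character password:
// (dwellRange/dwellTol)^n dwell patterns times (flightRange/flightTol)^(n-1) gap patterns.
function timingVariants(n, dwellRange, dwellTol, flightRange, flightTol) {
  return Math.pow(dwellRange / dwellTol, n) * Math.pow(flightRange / flightTol, n - 1);
}
// Build a constructed event stream from text plus its dwell and flight times (ms).
function makeEvents(text, dwell, flight) {
  const events = [];
  let t = 0;
  [...text].forEach((key, i) => {
    if (i > 0) t += flight[i - 1];
    events.push({ type: 'down', key, t });
    t += dwell[i];
    events.push({ type: 'up', key, t });
  });
  return events;
}
// Constructed enrolment: "pass" typed with the user's usual rhythm.
const ENROLLED = extractTimings(makeEvents('pass', [90, 80, 110, 95], [140, 160, 130]));
```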