5

There is a service called https://www.typingdna.com/ which authenticates users based on their typing habits and it works pretty well but it still requires a password.

In order to try and replace the password, would it be possible to implement a popup-like modal, such as the Google reCAPTCHA one, where a user would either use their mouse or finger to scribble in order to authenticate, with each user scribbling in a different way? So the idea is based on everyone having their own unique scribble which would produce a match in order to authenticate a new session on a website.

Is this idea possible? If it was, the "password" space would be huge, correct?

joego101
  • 73
  • 4
  • 5
    The scope for false-positives or false-negatives seems pretty huge. Time pressures, health issues, available space all factor into how someone writes a signature. Signatures are not often used as verifiers of identity. – Martin Aug 30 '18 at 11:02
  • 1
    Basically how much risk are you willing to have? If you think a 5% risk margin is ok (for example); yes this will be a great method. – Martin Aug 30 '18 at 11:03
  • Interesting question so +1 - the only issue that I can see coming from this is that it would have a lot more limitation and room for errors than matching users based on their handwriting, so I couldn't see it working well, although I may be totally wrong! Interested to see the answers though – Connor J Aug 30 '18 at 11:03
  • The other factor is that if this information is recorded (say by Typing DNA site) then if this data is breached; you're left with the same problem as with standard passwords that AI can simulate a genuine login effort. But if the AI/human does it perfectly -- does that mean it must be an AI? While a password has a binary result, drawing a house has a large grey area..... – Martin Aug 30 '18 at 11:06
  • I guess the idea is to not write something out but to just scribble something until a high enough match is found, like the way typingdna works but just the user scribbling within a good sized modal popup. – joego101 Aug 30 '18 at 11:06
  • 1
    Somewhat related: https://security.stackexchange.com/q/121824/93625 – Ben Aug 30 '18 at 15:35

2 Answers

3

I don't know the academic literature around TypingDNA-like methods, but I can throw in some ideas. In essence what you're describing is the Android Pattern Unlock, but instead of a 3x3 grid, you have a, say, 200x200 pixel writing area, right?

If it was, the "password" space would be huge, correct?

Technically yes, but be careful not to conflate the theoretical number of possibilities with the distribution of what people actually select. For example:

  • 90% of people's scribbles will be continuous strokes in the centre of the writing area rather than, say, doing random jumps right to the edges.

  • Fuzzy matching: two strokes by the same person will never be identical, so you will need an algorithm that accepts "similar" strokes as being equivalent. The fingerprint unlock chips in iPhone and Android have to deal with this, so you could do some reading there.

I don't have any numbers to do a calculation, but my intuition is that in practice this password space will end up being in the same ballpark as a 12 character password.

Capture and replay attacks: keyloggers are a problem with passwords; what's preventing a malicious program from logging your mouse movements and replaying them? You'll notice that reCAPTCHA challenges are designed to be record&replay-proof. Fingerprint scanners deal with record&replay by giving the scanner chip its own CPU; on successful match it uses a cryptographic key to sign a message to the OS saying that you have successfully authenticated so that the OS and software never actually see the fingerprint -- nothing to record. I wonder what protection TypingDNA has against record&replay attacks.

Bottom line: Thinking through the attack surfaces is the most fun part of security work. I suspect this idea wouldn't give any more security than a traditional password, but it's neat and fun to think about!

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
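The fuzzy-matching and capture-and-replay points above, as an added Python example that is not from the question or either answer: a sensor-like object fuzzily matches a stroke with dynamic time warping and then signs a per-login nonce, so the OS never sees the stroke and a recorded verdict is useless in a later session. The DTW matcher, the threshold, and the HMAC standing in for the chip's asymmetric signature are all assumptions.

```python
import hashlib
import hmac
import secrets

def dtw_distance(a, b):
    """Dynamic time warping between two lists of (x, y) points. Tolerates the
    speed/timing drift between two strokes by the same person; 0 means one
    stroke is a re-timed copy of the other, larger means less similar."""
    n, m = len(a), len(b)
    d = [[float("inf")] * (m + 1) for _ in range(n + 1)]
    d[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = abs(a[i - 1][0] - b[j - 1][0]) + abs(a[i - 1][1] - b[j - 1][1])
            d[i][j] = cost + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[n][m]

class ScribbleChip:
    """Stands in for the sensor with its own CPU: it alone holds the enrolled
    stroke and the key, and hands the OS nothing but a signed verdict."""
    def __init__(self, template, threshold):
        self._template, self._threshold = template, threshold
        self._key = secrets.token_bytes(32)  # never leaves the chip

    def provisioning_key(self):
        # Shared once with the verifier; HMAC stands in for an asymmetric signature.
        return self._key

    def authenticate(self, stroke, nonce):
        """Tag bound to this nonce on a fuzzy match, None otherwise."""
        if dtw_distance(stroke, self._template) > self._threshold:
            return None
        return hmac.new(self._key, b"scribble-ok:" + nonce, hashlib.sha256).digest()

class Verifier:
    """The OS side: a fresh nonce per login, so a captured verdict is useless later."""
    def __init__(self, key):
        self._key, self._outstanding = key, None

    def new_challenge(self):
        self._outstanding = secrets.token_bytes(16)
        return self._outstanding

    def accept(self, nonce, tag):
        if self._outstanding is None or nonce != self._outstanding:
            return False  # stale or unknown challenge: looks like a replay
        self._outstanding = None  # one shot, whether or not the tag verifies
        expected = hmac.new(self._key, b"scribble-ok:" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```

A login is `Verifier.new_challenge()`, then the chip's `authenticate(stroke, nonce)`, then `accept(nonce, tag)`; a tag captured from one login fails against the next challenge because it is bound to the old nonce.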
0

https://biosig-id.com/ is a solution that can replace typed passwords with digital signing/drawing (supports different types of devices so you are covered). Works with 4 numbers, letters, or shapes. It's still a password/secret after all but using this solution would kind of combine something you know with something you are (the way you are drawing that secret).