Authetication through Keystroke Dynamics (behavioral biometrics part2)

Expanding a bit from my original thread: https://forum.autonomi.community/t/behavioral-biometric-with-safe/
I would like to make a specific post with more details of how it may benefit the MaidSafe project.

Since we are in the middle of the redesign of the authentication scheme I think it is the appropriate moment to put this option on the table: Keystroke Dynamics.
Keystroke Dynamics can identify a person by the speed, style and latency of typing, it also considers the ratio of mistakes, to uniquely identify the user.

Instead of using usernames or double passwords, imagine the following login sequence:
(imagine that you are already enrolled)

1. You open the launcher
2. You are greeted and asked to type a short phrase generated randomly.
3. Once you submit it, Launcher greets you and you are logged.

Very easy, there is nothing to memorize, just be your normal self.
The advantages of this? Besides the obvious user friendliness, normal keylogging doesn’t work, the words you type are meaningless.
What matters is how you type it, that identifies who you are.
If you are thinking about keyloggers that timestamp key strokes, well, since the paragraph you type are randomly generated everytime you login the attacker can’t simply do a reply attack. To successfully compromise it, it would involve some deep analytics to map out the timing of every keystroke, OCRing when the phrase appears and emulating your typing style.
In any case, if your computer is pwned and they have enough privileges to have payloads running it is game over anyways, but with this Keystroke Dynamics implemented it would require some extra effort as it must be tailored for this specific attack incrementing the cost of the attack.

This also would provide a solution to the “proof of unique human” (https://forum.autonomi.community/t/proof-of-unique-human)

It could also be combined with username/password scheme, still using keystroke dynamics.
I was thinking the following:

1. You open the launcher
2. Type your one password (min 5 characters, complexity not required), if everything okay, you are authenticated.
   2.1) If you you mistype it, try again
   2.2) If password is correct but he timing doesn’t match, sends you to the full phrase authentication.

In the case of using passwords, I think they can be particularly weaker in replay attacks.

The enrollment process could consist on typing two to three phrases that would contain all the letters of the alphabet (like the “Lazy brown fox…”). It would be really really simple and straightforward, and yet there wouldn’t be a compromise on its security.
In the enrollment it could be added an extra option for emergencies: asking the user to type two phrases with only one hand, for each hand. This way you allow the user to get authenticated if they get one hand incapacitated, I think it is enough redundancy considering that statistics of both hands of being mutilated are quite low.
Minor injuries in fingers shouldn’t affect the typing latency.

So summarizing, the benefits are:

1. Bruteforcing becomes impossible (not only you have to find the right password, but also the right latency for each character)
2. Even typical Keylogging becomes irrelevant
3. Shoulder surfing or writing down the passwords are also irrelevant
4. New methods of hacking must be invented to attack this specific system, and to exploit that the attacker must gain local access. In fact at that point it may be more practical to directly grab the private key from memory, than to emulate the keystrokes latencies as it would take time to map all the keys of the victim. (you will have to sit there and wait to “harvest” enough keystrokes, hoping that he writes a lengthy mail anytime soon)

As an anti-bot method, botmakers would have to randomly generate profiles with keystroke timings maps, then OCRing the phrases that the launcher would be generating for enrollment. It would certainly add more difficulty to the process.
For anti bot measures I would propose at registration/enrollment to show a short game such as breaking the maidsafe logo randomly into pieces and asking the user to fix the puzzle by clicking and dragging the pieces with the mouse, very easy for humans, very hard to automatize it.

Some papers on Keystroke Dynamics:

• http://avirubin.com/fgcs.pdf
• https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3835878/
• https://hal.archives-ouvertes.fr/hal-00990373/document

Some attacks:

• https://cseweb.ucsd.edu/~dstefan/pubs/stefan:2011:robust.pdf
• http://www.ijser.org/researchpaper%5CMitigating-Snoop-Forge-Replay-Attack-by-Integrating-Text-Based.pdf
• https://brage.bibsys.no/xmlui/bitstream/handle/11250/143841/Rundhaug%20-%20Keystroke%20dynamics%20-%20Can%20attackers%20learn%20someone’s%20typing%20characteristics.pdf?sequence=1

There is a commercial demo here, so you can test it out with enrollment and authentication:

• https://www.keytrac.net/en/tryout

Schemes such as this need a fallback option because things can happen that make someone unable to maintain their normal biometric characteristics. In this case, injury to one or both hands/arms, for example.

What then?

Once you have fallback then biometrics is only for convenience in a open adminless system.

Also I do not keep to similar dynamics. Depending on sleep my typing is slow/fast one/two hand multiple/no mistakes.

Biometrics are really too infant a technology even through we arrogant technocrats think its the solution to all security situations… When in reality it is only good enough for making things quicker. Really they are only good in closed systems, like a high security centre where if a user loses ability it can be overridden by the admin staff.

SAFE though has no admin staff to override any problems.

So you need to provide the user with an override and so then lose any security benefits that any biometrics could provide.

That’s why I was suggesting to enroll the typing with only one hand, which would become the emergency option if you can’t use both hands together, which is extremely unlikely.
These are the statistics:

Numbers and percents on amputations

● 50,000 new amputations every year in USA based on information from National Center for Health Statistics

● Ratio of upper limb to lower limb amputation is 1:4 (4)

● Most common is partial hand amputation with loss of 1 or more fingers, 61,000

● Next common is loss of one arm, 25,000

● Existence of 350,000 persons with amputations in USA, 30% have upper limb loss

● Of this, wrist and hand amputations are estimated to make up 10% of upper limb population

● Transradial amputations make up 60% of total wrist and hand amputations

● Which means 70% of all persons with upper limb amputations have amputations distal to the elbow(3)

● In US 41,000 persons are registered who had an amputation of hand or complete arm (5)

● 60% of arm amputations are between ages 21 and 64 years and 10% are under 21 years of age (4)

Table 1 - Causes of Upper Extremity Amputation (in percent)
Congenital. . . . . 8.9%
Tumor. . . . . 8.2%
Disease. . . . . 5.8%
Trauma. . . . . 77%

From “Work-related Hand Injuries and Upper Extremity Amputation”

The injuries were divided almost evenly between left and right hands, 51 and 48 percent, respectively. Only 1 percent of the cases studied involved both hands.
This percentage corresponds with the national estimate of adults who are right handed.

Have you tried the demo?
https://www.keytrac.net/en/tryout
It doesn’t really matter if you are tired or slow, it will still recognize you as the latency is proportional to the speed you are typing. As long as you have all your fingers, it won’t affect your ID.

BTW, the override can be made with consensus, in the same way that multisig addresses work.
Imagine that you add certain users to your trusted whitelist, if everyone in that list or the majority of the users in the trusted whitelist agree on an override, you get your password reset.
It could work pretty well, if you are afraid of collusion you can be smart about it and add people who hate each other but that are loyal to you. One guy could be your lawyer, another your father, and another your father-in-law.

Now the chances of all four of them losing both their hands is quite remote.

Don’t have any.

And oh lets just make it all too complex and the ordinary user will ignore SAFE

Just have a strength tester on the passphrase. So much easier than biometrics that reply on unstable metrics that can be changed due to illness, stroke, or a number of other events that happen to a major portion of the population in their lifetime.

You still need to allow overrides for the sole user not relying on uncertain “friends”/“associates” etc. Remember these have to last for years and one thing humans can rely on and that is things change.

With that argument I should start worrying about having a stroke and getting retrograde amnesia, not being able to recall my password. It is pointless to worry about extremely unfortunate and unlikely events.
Well the chances of that happening are exactly the same of losing both limbs at the same time.

One sibling, your lawyer and a friend would be enough to reset one’s password, and I think it is quite a pragmatic approach. Come on, even the saddest person in the world can find three individuals.

What about joint problems that are age related. Changing all metrics.

We are trying to make a secure system not a social network. I’d rather have a strong password than biometrics thanks.

What is your resistance to having a strength test??? And remember there is no password file that can be cracked “offline” but all passwords will be limited to a few tries per second.

And remember that if you somehow made SAFE install biometrics then I can mod the launcher and remove it.

If you want biometrics so much then you can modify the launcher and include it.

But there is NO WAY you can absolutely require the launcher to have biometrics for EVERYONE.

BIO Metrics only works well for closed secure systems. Ones where there are administrators who can override any account.

EDIT:
look at the unique human thread for a lot of talk on biometrics.
IoT devices cannot give biometrics, they have none, but still need passphrases made for their accounts.
Have fun trying BIO metrics for your login. I crack your password and use a modified launcher that doesn’t use biometrics to ensure I typed it. Thus your passphrase still has to be strong enough on its own.

Actually, every time you type in your phrase or password, it is also an update on your biometrics, so if there is a degenerative disease or you are simply getting old, it won’t affect your ID either.
Take a look at the PDFs I linked.

By the way I think you misunderstand how biometrics could function here: you can replace the “secret” and the “pin” as it would be derived from the biometrics. You can call it salting the pass to picture it better.
How are you gonna “crack” my password? Bruteforcing? You have to consider every single timing variable for each character, the entropy is freaking crazy. Lets say you generate keystroke latency variations between 1ms to 500ms between keys, that by itself adds 500 extra combinations above the 62 possible alphanumeric and upper case characters.
So a five character passwords is 62 * 500 * 62 * 500 * 62 * 500 * 62 * 500 * 62.
It is then 62^5 + 4^500, total entropy 1000 bits.
Can you beat that? And for the end user it is simply a 5 chars character… and this is the bare minimum, I haven’t even considered symbols and longer passwords.
Bruteforcing becomes impossible if you incorporate the timing variable.

There are several scenarios to consider:
Local attack

1. Physical access: If you had access to my pc, you already can have a keylogger or even simply dump the memory to get the private key. Basically you can do whatever you want at that point and nothing really will protect you against being pwned. Even if you have hardware tokens, the attacker can simply wait until you login, and do whatever he wants while it is logged, the same way current attackers “hack” into truecrypt drives, they wait until it is mounted and they exfil everything. Having said that, if it is an opportunistic attack from a off-the-self malware, they won’t be able to do anything unless they are specifically prepared against keystroke dynamics.
2. Reading the password from a paper if written down: not possible
3. Shoulder surfing: not possible.

Remote Hacking

1. Pwned with Rootkit/Malware? Well, the same as point 1 in local attack. You have full control, it is practically game over.
2. If you are attempting to bruteforce your way in with Keyboard Biometrics it is simply impossible.

Advantages:

1. Create a unique profile per user (for botmakers, it raises the bar of the difficulty for the creation of clones)
2. You don’t need to memorize anything complex, it can be “traditionally” weak and yet have monstrous entropy.
3. You can simply not have any password at all, and simply let yourself authenticated with your keystroke latency by simply typing a random passage.
4. Subtle behavioral change will be updated every time you login, because essentially you are enrolling yourself every time you login.

Disadvatages:

1. You must have all your fingers or upper limbs
2. Drastic changes in health that profoundly affects your behavior.

To be honest, to be worried about the hypothetical case of losing my both hands is like worrying of being decapitated.
Statistically the chances of happening either case are almost the same.

It can’t work.

There’s no authentication in the classical sense on the SAFE network.

When you log on, all what happens is that you address, download, and decrypt your account block, which in turn gives you the necessary information to access the rest of your data.

Biometrics works on a statistical basis: while it can assign a more or less dependable probability to your being a certain person, it can’t resolve it into a stable 256-bit key.

Keystroke dynamics is junk science, the idea that there is a patterned delay between keystrokes that is unique to every person is laughable. There have been similar attempts at stylometry which also tout massive correlations among unknown authors. However note that all these papers only use up to 100 subjects and attempts at creating fingerprints among large groups of 1000 or more break down significantly.

But if you are just using this for id’ing a user on localhost this is overkill, passwords work fine and collecting telemetric data on users is the short of evil shit only microsoft would do.

All of this is great, but we need basic SAFE with basic credential etc first,

then I’m all for building extra, optional ways on top of that, for higher level features!

So true.

When I read that the idea was for the biometrics to generate the address and/or key then it became senseless. Come in upset one day and you could be locked out and the more you try the worse it gets because you get more unset & angry.

There is no way that a 256 bit key could be generated, let alone the 512 bit address of safe.

Lets take a much more stable biometric that has been used for ever so long. Finger prints, matching is still an art, they only ever give a confidence level of matching. The exact matches from the movies/shows/dexter are works of fiction. Even finger prints can be different from one print to the next, wear/tear, injury, etc can cause temporary/permanent change. So rather than use a 100% match, any matching is imprecise and uses a confidence rank. 7 billion people and some (few) have the same print - wonderful biometric hey, yet considered better than most non-invasive metrics. Retina scan is better, but still suffers from variance between readings and even that could not be used to create a reliable 512 bit address.

Biometrics are used for picking one person from a group and reliably identifying the person to the exclusion of the rest. They are not used for generating reliable keys.

Thus to use biometrics

• you cannot generate the address and/or passphrase with it.
• So then you need to store the bio-metric somewhere.
  • On the PC? useless because you are limited to that PC. Modded launcher bypasses it
  • On Safe, then you make a new launcher that ignores the bio-metrics test.
  • Get the group to do compute intensive comparisons, then all the problems of people being locked out, the complexity required for account recovery. That only works for highly motivated people with accounts they really need. The ordinary internet user will just go “SHT this SAFE is CRP, I am never using it again”
  • So the recovery method has to be easy and QUICK/instant so then what use is the biometric as security

tl;dr

• Biometrics are used to identify one person and exclude others. It works on a confidence level not an exact “number” since the metric has variance between readings.
• Biometrics cannot generate a number without a list of likely candidates to compare against. Great for security systems, useless for generating specific numbers on its own - it needs a list, even if the list has only one entry.
• password/passphrase strength test will ensure all the entropy you need, and do it 1000 times easier on the processor and the person.
• some (>50%) of the population will be excluded some of the time because of injury/illness/mood and thus an override is needed. Just like happens with security systems that use biometrics for security (admins handle this)
• Any override for the biometric has to be QUICK, EASY and FRIENDLY otherwise the average internet user will hate SAFE and unless the data they stored is vital they will never log in again. That rules out relying on 5-10 “friends/family” because how often can you reliably get >50% of them to help NOW. It sounds great and useful for vital data, but most will go SH*T I am not using this again
• Biometric can be bypassed. I will say this again biometric can be bypassed. Why, because if in launcher then mod the launcher, if done at great expense by the group then just use the override. Make the override any more than a passphrase (or secrets) then majority give up on SAFE as a bad joke.

I like your idea, but it’s not great for SAFE, to be honest. Don’t get me wrong it sounds badass, but there are too many things that could cause a false read. The way you login on your phone keyboard vs computer keyboard, and rapid degenerative disease, or car accident, literally anything that might change the way you type… At least if you have the password you could give it to someone else if you needed to, or something. Think about one of the major use-cases for the safe network. Someone uploads some kind of document that proves a country did something bad or something like that. They give the password to a friend in case something happens to them. That kind of thing.

Once again it’s a great idea, but you have to consider all of the things that it will prevent from happening good AND bad. There are use cases you might not be considering.

That said, if it could work, it would be cool. Of course, you could always just make an adjunct bit of software that auto generates a PIN based on this principle, of course.

HYPR just raised another $3M. Will be interesting to see what biometric ‘logging-in’ ends up looking like in a few years.

I still think the idea is workable, so far the researches are consistent.
The specific implementations of the existing solutions may not be ideal for Maid right now, but to ditch the whole concept of behavioral biometrics is very miopic.
One thing I am absolutely certain, from the psychological perspective, is that one thing that almost never changes in humans is their behavior.
Tapping into that for behavioral identification is a no brainer. The whole financial and legal system has been using it for centuries in the offline world, it is commonly known as “signatures”. Forensic document examiners do study the handwritten habit of the user, and such habits are so constant that it can be detected by experts to determine authorship or authenticity.
Why do you think such habit can’t the reflected on the keyboard as well?

In fact, I whenever I have time I might just delve myself into it because I find its potential fascinating… although the end result, if efficiently successful, might be quite creepy.
Imagine if your operating system detected anger or depression by the style of your typing… Like “uh, oh, are you sure you want to send that mail right now?”

But first, the arguments against “losing a finger” or “losing both hands” are really statistically speaking at the same level of suffering a stroke and suffering amnesia, so either biometrics or passwords have the same level of risk of being unusable there, so it is pointless to worry about it. Shit happens.
Also, I wouldn’t give up on the peer password resetting concept, in practice it may not be as bothering as you imagine. In fact, being a bit cumbersome could be a security advantage, for example having to call your two friends to confirm that you is you and not an impersonator to reset it, and besides it is not something you would be doing frequently anyway (ideally in this scheme, you would be doing it because both hands got smashed or your degenerative disease appeared so suddenly that it makes you unidentifiable, so how often does that happen? And if it happens more than once in your life, you are indeed a very unlucky guy, because it means that you got your hands reattached and lost them again!)
A more legitimate concern are the consistency of your latency in changes of mood, stamina or tiredness, which contrary to “common sense” is quite stable… as long as you have all your typing fingers. Such changes are also perceived by document examiners, and still can identify if it is authentic or not.
The unique hash generation from a statistical analysis is an interesting puzzle, but I think there is a solution around that.

In any case, rhetoric is useless and conjectures about its viability are nonsense; to effectively know if it is useful or not we have to start gathering data and doing some empirical tests ourselves.
What are the actual rate of lost passwords, how do the users behave, what’s the failure rate, under what conditions, what’s the rate of disabling injuries. So far, the existing data in this subject are quite encouraging so I think I will start thinking a way to make it work with Maid.

I like the idea, but it will just spawn a more sophisticated keylogger/macro that can copy the pattern I would think.

I just tried the demo and had accuracy matches from 40% to 95% so I am a bit skeptical on the validity of the feature at this point. I understand the more you use it the better it gets, but if your machine is compromised anyway, the same can be said for the baddie…

Yeah, I pasted some possible attacks on my first post. But the replay attack can work only when there is a user/password login scheme.
If it is about typing random words appearing in the screen is different.

Also “simulating” different typing styles by unnaturally changing your speed to see if it “still” recognizes you is not a good way of testing.
A more faithful way is by simulating real life conditions that may alter your typing, such as just logging in when you are just waking up, at afternoon, at night, after you came back from work, after you came from a nightclub, maybe after having sex, after working out, after drinking coffee, after a fight, in a hurry, after cutting yourself!, etc…

In my case, I would get 99% or 100% all the time.

Another test that should be done is if anyone can log into my account. If there is one “collision” of typing styles from different people the whole concept would be dead.

*Edit: It just occurred to me that the “sophisticated” atrack possible for the random sentence generator (that only analyses the latency between characters) is more scary than I imagined. Although it would be extremely novel, intuitive and impossible to crack by normal means (bruteforcing or keylogging)… if this type of authentication becomes prevalent it would effectively mean the death of keyloggers as it becomes irrelevant, but possibly the rise of behavioral profilers which would effectively work as the trainer silently monitoring in the background all your quirks until it maps all your timings, and then OCRing the random sentences displayed at login typing it like you would do. At first I thought that the level of complexity that would require to develop such system was making the attack way more expensive, therefore more secure.
Then I realized that ONCE such malware is developed, and IF succesful, it would be extremely scary as it is like effectively stealing your personality, and… as I said, you can’t change who you are, unlike passwords. What’s probable is that once you are owned in this fashion, you are effectively owned for life, they would be able to emulate your typing in every single service that uses this type of behavioral biometric.
A way to mitigate this would be compartmentalizing it… argh… but we can’t force people to use Qubes OS.

I guess I am back to square one: using hardware tokens to defeat keyloggers.

I really like these type of technologies or ideas but in practice, unless there is a fall back, I wouldn’t trust it.
I think it’s nice as an option to make it easier to log in when you feel lazy, as long as you can always fall back to regular user/pass.
E.g. I like the fingerprint scanner of my cellphone, but when I’m at the beach or in the rain sometimes it just doesn’t work, moreover, if I switch hands it doesn’t work either (I know this is just a silly limitation that can be fixed).
How about being drunk, will it affect my keystroke dynamic? I guess so, will it be able to recognise my drunk keystroke dynamic in order to accept it sometimes (when I decide to get drunk)?

haha, try it out! Live test our biometrics solution - KeyTrac

1. register being sober
2. get a can of beer, *drink, login
3. goto 2, until it fails or pass out

*Edit, I realized I created an infinite loop, haha