Authentication in a health service context

Keystroke Dynamics Mimicking Experiment

We already know that people can be authenticated by the way they type their password: not only the "value" of the password is considered, but also the typing rhythm. Some people type very fast, some slowly, but everybody has their own way of using the keyboard and types different keys in different ways. We can strengthen a password mechanism by including the typing rhythm. In this case losing a password (for example through shoulder surfing) is less of a problem, because the person who stole the password has a different typing rhythm.

In this experiment we want to see how easy or difficult it is to copy somebody's typing rhythm. To see this, I need many voluntary (legal) hackers, trying to mimic the typing of some victims. The more people try, and the more often they try, the more useful data I will be collecting.

The experiment will consist of two parts:

  1. In the first part the volunteers will type 3 passwords at least 30 times (per password). From this we can see what their normal typing rhythm is.
  2. In the second part the volunteers will try to attack 3 selected victims by trying to mimic their typing rhythm.

We want to see the influence of the feedback to the attacker on his/her performance. We will use three different levels of feedback:

  1. "Yes/No"-feedback: The attacker will only see if his attempt was successful or not. He will not gain any knowledge of whether one (failed) attempt is better than another (failed) attempt.
  2. Score-feedback: The attacker will get a score showing how good the attempt was. If he changes something in the way he types the password, he can immediately see if that was a good change, improving his score, or not.
  3. Full-feedback: In this case the attacker will see not only the precise timings of his/her own attempt, but also the full information on the victim's way of typing. All information is represented in a nice graphical interface.

The attackers need to try to "break" the victim by attacking him/her as much as possible. The resulting data will be used to see if there is a "learning-curve" in the attacker's performance, and for which of the feedback levels it is easiest to learn to mimic the victim.
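To make the three feedback levels concrete, here is an added sketch of a typing-rhythm verifier; it is not the software used in this experiment. The scaled Manhattan distance, the threshold of 2.0, all function names and the timings are assumptions constructed for illustration.

```python
from statistics import mean

def make_events(password, dwells, flights):
    """Constructed-data helper: one (key, press_ms, release_ms) per keystroke."""
    t, events = 0, []
    for i, ch in enumerate(password):
        events.append((ch, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events

def features(events):
    """Dwell times (key held down), then flight times (release to next press)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template: per-feature mean and mean absolute deviation (floored at 1 ms)."""
    cols = list(zip(*(features(s) for s in samples)))
    mu = [mean(c) for c in cols]
    mad = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, mu)]
    return mu, mad

def score(template, attempt):
    """Assumed metric: scaled Manhattan distance per feature; lower is closer."""
    mu, mad = template
    return mean(abs(x - m) / d for x, m, d in zip(features(attempt), mu, mad))

def feedback(template, password, attempt, level, threshold=2.0):
    """What the verifier reveals per feedback level (threshold is an assumption)."""
    typed = "".join(k for k, _, _ in attempt)
    s = score(template, attempt) if typed == password else float("inf")
    if level == "yes_no":
        return s <= threshold      # accept/reject only
    if level == "score":
        return round(s, 2)         # shows whether a change helped
    return {"attempt": features(attempt), "template_mean": template[0]}  # full

PASSWORD = "abcd"  # constructed; the experiment asks for at least 30 samples
ENROLLMENT = [make_events(PASSWORD, d, f) for d, f in [
    ([90, 110, 80, 100], [60, 140, 50]),
    ([94, 106, 84, 96], [64, 136, 54]),
    ([86, 114, 76, 104], [56, 144, 46])]]
TEMPLATE = enroll(ENROLLMENT)
GENUINE = make_events(PASSWORD, [92, 108, 82, 98], [62, 138, 52])
MIMIC_A = make_events(PASSWORD, [70, 70, 70, 70], [100, 100, 100])
MIMIC_B = make_events(PASSWORD, [90, 110, 80, 100], [100, 100, 100])
```

Both mimic attempts get the same "No" at the first level, while the score level separates them (12.32 versus 6.96), which is the extra information whose effect on the attacker's learning the experiment measures.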

There will be three victims selected from the participants of the first part of the experiment. We will choose one person who seems to be easy to copy, one who seems hard to copy and one who seems to have an "average" way of typing. Obviously we do not know beforehand who will be easy or hard to copy, but we will try to extract this information from the analysed data of the first part.

All volunteers can spend as much time attacking the victims as they like. Obviously, the more attempts an attacker makes, the more information we get from the experiment, and the better the results. The time needed to perform the first part of the experiment is approximately 3 times 10 minutes. It can be done at any time suitable to the participant. The only "restriction" is that he/she should type the 30 tries of a password in one session. So he/she can spend either 3 times 10 minutes or 30 minutes at once.

The first part of the experiment has already started and will continue in 2008. The second part will also start in January 2008. There are few or no restrictions on who can participate. In principle you only need to have some working experience with a keyboard and a computer to run the experiment on. In case you do not have a computer available, it is also possible to run the experiment on one of our computers.

So:

then you can sign up by sending an email to patrick.bours@hig.no. We will be glad to provide you, if needed, with more information on the experiment and to send you the information collecting software.

Number of participants so far in total: 24 (out of 50)
Number of participants that completed part 1: 8
Number of participants that completed part 2: 0
Date: 19-12-2007
Time: 12:00

12/19/2007
© Gjøvik University College,
PO Box 191, Teknologivn. 22, N-2802 Gjøvik, Phone. (+47) 61135100, Fax (+47) 61135170, E-mail: postmottak@hig.no