Comments on: Psylock: Biometric Security Without Sensors

By: GSC Team

GSC Team — Fri, 21 Nov 2008 11:40:12 +0000

Psylock was one of the finalists of our “Global Security Challenge” in London last year, having won the continental round in Europe before advancing to our global final.

By: Lion

Lion — Sun, 09 Mar 2008 10:15:06 +0000

Psylock is really amazing!
I had the possibility to test psylock @ CeBIT2008 and it’s really great.
The system recognizes me with about 95 – 99%.
With other userprofiles my matchscore is less than 1% – great!

Advantages:
- no extra Hardware
- keeps up to date: every new login is saved for your profile
- no password needed
- keyloggers difficult

Disadvantages:
- maybe you shouldnt’ break your arm or hand

Convice yourself:
http://www.psyl...r&Itemid=63

By: Tech Steve

Tech Steve — Thu, 06 Mar 2008 09:58:00 +0000

Hey Guys, quite interesting things which are posted here, BUT i’ve seen this technology on CeBIT 2008 and have to say, some of you are completely wrong…
1: Psylock Technology 2.0 is new / It was build in 2007 and is online since January 2008
2. Using the Psylock Technology you don’t need 1-2 minutes to lock into a website – You once (!) need 1-2 minutes for the initial enrolment. For the look in you only have to type a sentence (this is sometimes even faster, then typing Login Name and Password)
3. Keylogger – Guys this comment is really strange, because: Keyloggers are a realy big problem with normal passwords or fingerprint, … those are static thinks, witch you can copy! Psylock is based on and depends of a dynamic behaviour it is not static! So Keyloggers are useless!
4. Psylock is all-propose! The independency of Keyboards is tested with many thousands of users. BUT: you of course have to type always in am similar way (Of course Psylock is adapting the typing behaviour over the time.

By: Schep Tech

Schep Tech — Thu, 06 Mar 2008 07:45:50 +0000

Google the topic for third party analysis (not one of the vendors) and check performance. Granted, keystroke dynamics is a fascinating idea. it’s a very cool concept – but in practice is by far the worst performing of any of the biometric technologies in terms of accuracy coming nowhere near to fingerprint reading, iris scanning etc.

As a marketing proposition it really doesn’t belong in the same league as these technologies, calling it “biometric” is complete nonsense as it creates an impression of being comparably accurate. As a security product it’s an odd duck, depending on a behavioral measure. It doesn’t belong in any of the 3 usual security categories: something you have (like a car key), something you are (like a fingerprint), something you know (like a password).

Perhaps there is a market for it where a cheap (no extra hardware needed) security solution is required where it’s more important to create the appearance that something is being done than to actually improve security. er, possibly in government agencies?

By: Chris Cardinal

Chris Cardinal — Thu, 06 Mar 2008 03:27:55 +0000

I think this has its place: The system can easily be engineered to protect against keylogs by simply storing all attempts and rejecting any attempts 100% *identical* to previous attempts. While you could then reasonably introduce a small amount of entropy to a recorded session, at this point, ensuring that you can do so reliably, and that your keylogger was also written to log the cadence might be more than most want to deal with.

By: EMR and HIPAA

EMR and HIPAA — Thu, 06 Mar 2008 00:37:03 +0000

Biometric Authentication Using Typing Behavior…

I’ve been pretty outspoken about my love for biometrics in healthcare. In particular I couldn’t imagine my computer without facial recognition, but I’ve also enjoyed playing around with biometric fingerprint readers and proximity rea…

By: Girish

Girish — Wed, 05 Mar 2008 22:01:15 +0000

Check out BioPassword, the company has been around since 2004 with solutions for multifactor authentication using keystroke dynamics.

By: Adam

Adam — Wed, 05 Mar 2008 21:50:45 +0000

This is actually a REALLY old method of identification.

During the World Wars surveillance teams would listen to enemy radio traffic being transmitted using morse code.

The surveillance teams could eventually tell which operator was operating on any specific day based on their timing and technique, they called the method “fisting” (no joke) IIRC.

By: US Prof

US Prof — Wed, 05 Mar 2008 20:22:03 +0000

Get real, guys. Would you say that Boeing should cancel the 787 because the Wright brothers flew over 100 years ago? The concept may be old, but the methodology used in Psylock is not. It is not dependent upon the keyboard. Handhelds may be a problem, but there are a lot of industrial applications which do not involve handhelds. Try running SAP on your iPhone.

By: Schep Tech

Schep Tech — Wed, 05 Mar 2008 16:09:19 +0000

Yup old.

I used to run a small QA team working on a similar product. We found the tech could work, but only under tightly constrained circumstances. Out of a sample of 5 typists, we’d see a “pair” or two between which it would work reasonably well well, while with others it wouldn’t to one degree or other. Sometimes it would work in both directions (neither A nor B could break each other’s pass). Sometimes only in one direction (A couldn’t break B’s but B could break A’s). Among many, many other problematical behavioral and technical issues which our little QA group was able to come up with, this could be enhanced simply by having B present while A was typing, by listening and attempting to duplicate the pattern. Someone above mentioned the differences between keyboards. Back in the 80’s corporate environments might contain 100’s or 1000’s of identical keyboards, all from the same mainframe manufacturer, all purchased from the same production run, thus eliminating one very significant variable. Today obviously this has radically changed. Again our QA group was easily able to indentify pairs of keyboard types between which it was almost impossible for the tech to work at all, let alone reliably and efficiently.

So, you may take this test under limited circumstances (same computer, same time of day, same frame of mind, with a friend who happens to ‘match’ well, etc) and be impressed. But we found using a statistically valid sample, and under just about any real-world, variables-allowed circumstance, that the technology just doesn’t measure up in terms of acceptable false-positive and false-negative rates.

By: James Burke

James Burke — Wed, 05 Mar 2008 14:50:56 +0000

@8 – I was thinking more along the lines of introducing not only at login but “at random” during the assessment to ensure that the learner is “still there” and partly overcoming the sharing of usernames/passwords.

However, some repeating authentication along the lines of Vidoop with images would probably be better and less cumbersome.

Can’t really see this being used for data security on consumer or corporate websites.

By: baah-baah-the-black-sheep

baah-baah-the-black-sheep — Wed, 05 Mar 2008 13:59:38 +0000

@2 – too true. Never caught on.
@6 – it only proves the learner is present at the login time. Typing in an answer will be a completely different pattern.

A sure way to loose customers, I’d say.

Any environmental change will influence your typing. I’m quite dyslexic today and keep inserting spaces in wrong places. Will I be able to login tomorrow with my normal typing pattern?

By: damon

damon — Wed, 05 Mar 2008 13:41:42 +0000

So so so dumb. One of the big things that multi-factor authentication is supposed to protect against is compromised endpoints, like keyboard loggers.

In fact, within weeks of BofA adding their multi-factor authentication the the cute little sitekey, a leading trojan kit already had support for grabbing that (in theory) secret image right off the computer.

Adding to the trojan kit the ability to capture keyboard timing as well as actually keystrokes is a nit.

This is a security speedbump at best.

By: James Burke

James Burke — Wed, 05 Mar 2008 13:38:12 +0000

This could be a useful method for authenticating learners prior to an assessment activity as part on an online course – this has always been a problem area of not knowing who is actually carrying out an online assessment which could be overcome by presenting this type of authentication at random within the assessment?

By: John Biggs

John Biggs — Wed, 05 Mar 2008 13:23:25 +0000

This is best for a secondary mode of protection on laptops. Presumably this COULD be used on handhelds, provided you accounted for the vagaries of mobile keyboards. It’s old but cool. After all, you couldn’t embed Flash into your old DEC programs.

By: Webside Ventures

Webside Ventures — Wed, 05 Mar 2008 13:22:20 +0000

Cool, spend 1-2 minutes logging in to a website!

By: James Heaver

James Heaver — Wed, 05 Mar 2008 12:47:31 +0000

This is a technology with very limited scope, and I don’t believe that web-based services is part of the scope.

Obvioulsy one of the advantages of web based services is the ability to access them from any location and any device.

This technology breaks as soon as you change to / from a normal keyboard. Sign up on your desktop and you will fail the biometric test from your iphone / blackberry, or even a sub-notebook like the eeepc.

This technology had a place in the 80s and 90s, but I think mobile technology has made the technique unworkable.

By: Max Christian

Max Christian — Wed, 05 Mar 2008 12:28:29 +0000

This technique is quite old — has been around since at least the late 1980’s to my knowledge.

By: sourceroot

sourceroot — Wed, 05 Mar 2008 12:02:14 +0000

OMG that’s brilliant!