We have discussed Yubikeys, SQRL, and other 2FA options that are based on the “something we have” to complement the typical passphrase/PIN (“something we know”).
But there is another type of 2FA option, a stealthier one, based on the “something we do”: behavioral biometrics.
Keystroke dynamics measure the timing quirks we have while typing, which are unique to each person. Our hand positions, our speed, the length of our fingers, everything affects it, and we all have personally identifiable styles.
This would kill two birds with one stone:
Proof of unique person
Impossible to use stolen credentials.
This adds an interesting layer of security, although the only weakness here would be a keylogger capturing the timing and movements of the keyboard and the mouse, so a hardware solution (“something we have”) such as Yubikeys would still be needed.
I know of two companies offering this technology: BehavioSec and KeyTrac.
No company in the world should have people’s biometrics. Imagine a future in which your biometrics can be sold on the dark market and used to buy stuff. You can’t change your biometrics, so you’ll probably spend your life trying to find a solution.
Agreed, but I wonder if we can do it differently, by using the differences to add entropy (in terms of your PIN input or similar). The issue may be that different input keyboards behave differently or force different behaviour. Still, it could be something. If we could ditch the PIN for a pattern in input then it may be pretty cool; of course a keylogger using timing attacks could probably still capture this. Worth investigating though.
I was thinking along the exact same line.
If passwords are self-authenticated, the behavioral biometric could work as a salt.
No one owns the biometric data except the user themselves.
I would argue that when you play with patterns you would also have to store that pattern. Example:
I (0.01sec) took (1sec) two seconds (3sec) to (1sec) write this (2sec). first time (written by me)
I (0.01sec) took (1sec) two seconds (3sec) to (1sec) write this (2sec). second time (written by computer)
How do you know if I or a computer wrote the second time? How do you measure what a human did, if a computer can replicate that exactly, even within nanoseconds? Patterns become predictable if you register them long enough.
Don’t get me wrong, I love this stuff. But if we start playing with biometrics, we’re just opening a door we can never close again. Let’s not forget that browsers are the new operating systems nowadays and they can be hiding stuff we’re not even aware of. When the SAFE Network gets biometrics, it only makes it easier to physically force someone to enter their code. Because they know your username & password, they only have to force you to type on your keyboard.
The thing with Apple’s iPhone that can save consumers a little is that with a fingerprint you can just use another finger and lock down your phone. With something like pattern recognition it’s impossible.
Why I keep rambling about SQRL (it needs multisig) like a madman is because you don’t even need a keyboard or mouse to log in. I know a mobile environment is the same as a computer environment. But what would be great is if somehow you could run Android on the SAFE Network and have that on your mobile.
Multisig login in combination with 2FA would be good; you don’t want things you can’t change as a login, it will just follow you like your shadow.
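The timing-pattern example in the post above (a human sample beside a computer reproducing it), as an added illustration that is not part of the thread: a minimal keystroke-dynamics verifier over constructed per-gap timings, with the one check a defender can add against a recording being played back, namely rejecting an attempt that matches a stored sample exactly. The sample data, tolerance and threshold are assumptions.

```python
import statistics

# Constructed enrolment samples: seconds between successive keystrokes while
# typing the same phrase three times, loosely following the "I (0.01s) took
# (1s) two seconds (3s) ..." example in the thread. Not real measurements.
ENROLL = [
    [0.01, 1.02, 2.95, 1.05, 2.10],
    [0.02, 0.98, 3.10, 0.95, 1.90],
    [0.01, 1.05, 3.00, 1.00, 2.05],
]

def build_profile(samples):
    """Per-position mean and standard deviation of the enrolled timing gaps."""
    return [(statistics.mean(col), statistics.stdev(col)) for col in zip(*samples)]

def score(profile, attempt, k=2.0):
    """Fraction of gaps that fall within k standard deviations of the enrolled
    mean (a floor of 10 ms stops a near-constant gap from becoming a 0 ms window)."""
    hits = sum(1 for (m, s), t in zip(profile, attempt) if abs(t - m) <= k * max(s, 0.01))
    return hits / len(profile)

def looks_replayed(samples, attempt, tol=1e-6):
    """Flag an attempt identical to a stored sample to within a microsecond.
    A human never reproduces their own gaps this exactly, so an exact match
    points at a played-back recording rather than a live typist."""
    return any(all(abs(a - b) < tol for a, b in zip(s, attempt)) for s in samples)

def verify(samples, attempt, threshold=0.8):
    """Accept only a live-looking attempt whose timings fit the enrolled profile."""
    if looks_replayed(samples, attempt):
        return "reject: exact replay of stored timing"
    return "accept" if score(build_profile(samples), attempt) >= threshold else "reject"
```

A replay with a little jitter added would pass the profile check while failing only the exact-match test, which is the weakness the post describes and why the thread treats keystroke dynamics as a complement to “something we have” rather than a replacement.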
Big problem with these types of biometrics is that if a person is ill, or had an accident like simply hitting their finger with a hammer, then they are screwed. If an alternative is provided then the biometric is not securing the account.
I cannot count the number of times a particular biometric (incl. this one) would have excluded me from logging into my own account.
In the U.S., we just recently had a breach of federal employees’ personnel files (talked about in that same twit-security podcast video above describing SQRL) where 1.1 million people’s fingerprints are now in the wild.
So it’s not just a matter of accidentally burning your hand and not being able to use your own fingers to log in for a week, but our own biometric data is not always as close to us as we’d like to think.
You are describing a problem of a server/client architecture. You may say the same about passwords.
MaidSafe changes that equation with self-authentication: whatever identifies you never leaves your computer.
Unless your computer is compromised. SAFE removes the central point of failure leading to mass breaches, but it doesn’t deliver absolute security. It’s almost inevitable that at some point some OS-level virus will compromise a meaningful percentage of SAFE accounts.
That’s when Yubikeys come in.
From what I understand, the biggest risk that it has is being compromised with a keylogger. Remove that from the equation, and I don’t know what vector is left.
It is accessible, so we use NaCl keys and respect the formats and memory “hardness” there, for signing etc. It has to be, but there are chains of keys so revocation can happen in the event of theft. There are a few other things like short-lived keys; essentially though, the private key needs to be available, and it is the degree and responsibility per key that then becomes important. So multiple keys with differing responsibilities, and you only download and decrypt those keys you absolutely need. This will become a large part of the first security sprint for sure, and then thereafter forever.
I should add an area to look into, if you are in this area, is something I have not fully developed though: using 2 accounts in a multisig manner for 2-factor auth, so log into your phone and computer, say, to access your account. Not Yubikey, but it could be linked in this manner I feel. Anyhow, it’s worth considering.
The other area is site visit logins in SAFE; using a SQRL-type HMAC solution means unique verifiable visits where we can get the private key per site/location and, well, basically do what SQRL does. This also links into the furthering security conversation. I am way into routing structures right now, but this will be a big focus soon.
Thanks for reminding me that we’re working with a new paradigm. The “usual” gets ingrained sometimes.
And I’m glad your comment brought others in to explore the “local compromise” scenarios. Not nearly as severe as a third-party data-store being compromised, but still good to be cognizant of.
@dirvine Is there any impediment to implementing FIDO U2F in SafeNet?
[quote]“The technical working group of the U2F have a proposal on the table; so far there haven’t been any major objections. In essence, now that the browser can talk to the authenticator, one of the key pieces that the authenticator device needs to implement is what we call test of user presence.
So it is not good enough to leave your token in there: if you are going to authenticate to the service, the service will provide a challenge and the authenticator will need to do something.
From my perspective the authenticator is blinking, and you have to touch it, so there is an intent, and to show to the browser that you are present. There is a challenge-response that is critical in this ecosystem.”[/quote]
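The challenge-response with test of user presence that the quote describes, as an added simulation that is not part of the thread or of any U2F implementation: the relying party issues a fresh challenge, the authenticator answers only with a presence flag and a counter, and the relying party rejects a missing touch, a reused challenge, or a counter that did not advance. The HMAC stand-in signature, the keys and the app id are assumptions; real U2F signs with a per-registration ECDSA key and has its own wire format.

```python
import hashlib, hmac, os, struct

class Authenticator:
    """Token side. The constructed shared key stands in for the per-site key pair."""
    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0          # monotonic use counter, stored on the token

    def sign(self, app_id: bytes, challenge: bytes, user_touched: bool) -> bytes:
        """Return presence_flag || counter || tag. The flag is set only when the
        user physically touched the device for this request."""
        self.counter += 1
        flag = b"\x01" if user_touched else b"\x00"
        ctr = struct.pack(">I", self.counter)
        tag = hmac.new(self._key, app_id + flag + ctr + challenge, hashlib.sha256).digest()
        return flag + ctr + tag

class RelyingParty:
    """Service side. Keeps the registered key, the last counter and one pending challenge."""
    def __init__(self, app_id: bytes, key: bytes):
        self.app_id, self._key = app_id, key
        self.last_counter = 0
        self.pending = None

    def new_challenge(self) -> bytes:
        self.pending = os.urandom(32)     # fresh, unpredictable challenge per attempt
        return self.pending

    def verify(self, response: bytes) -> str:
        if self.pending is None or len(response) != 37:
            return "reject: no outstanding challenge"
        challenge, self.pending = self.pending, None   # each challenge is usable once
        flag, ctr_bytes, tag = response[:1], response[1:5], response[5:]
        expected = hmac.new(self._key, self.app_id + flag + ctr_bytes + challenge,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad signature"
        if flag != b"\x01":
            return "reject: no test of user presence"
        ctr = struct.unpack(">I", ctr_bytes)[0]
        if ctr <= self.last_counter:      # a cloned or replayed token lags the real one
            return "reject: counter did not advance"
        self.last_counter = ctr
        return "accept"

def login(rp: RelyingParty, token: Authenticator, touched: bool) -> str:
    """One full exchange: challenge out, signed response back, verdict returned."""
    return rp.verify(token.sign(rp.app_id, rp.new_challenge(), touched))
```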