BioPassword

Product Information

BioPassword

Product Name

BioPassword

Manufacturer

BioNet Systems

Model Number

BP-127

Software Information

Software Edition

BioPassword Logon Protection v4.5

Computer Requirements

Software

  • Windows XP Home or Professional/Windows 2000 Professional (SP2)/Windows NT Computer 4.0 (SP5 or higher)

Hardware

  • 133 MHz or higher Pentium or Pentium-compatible CPU
  • 64 MB of RAM
  • 7 MB of free hard disk space

Installation

Before installation, the user must have administrative rights to the local computer. The username and password of his/her account must contain at least 4 characters, although 8 or more characters are recommended. To install the software, users must follow the instructions with the installation CD. During this process, the user will be asked to answer 2 challenge and response questions. This is a backdoor method to grant access to a local administrator in case he/she is unable to type with a natural rhythm as recorded (e.g., because of a hand injury). The answer to each of the two questions must be a single word of 16 characters or fewer. The installation process is completed with a PC reboot. Note that there is no hardware component that comes with the software. A standard keyboard is used for keystroke input.

Enrollment and Matching

Number of Templates
During the enrollment process, 15 keystroke dynamic templates are created.

Creation of Template
The unique typing rhythm that a user exhibits is extracted to create a keystroke template. There are several models that can be applied to keystroke dynamics analysis, and it is not certain which model (or combination of models) this software has adopted. The two most basic ones are to calculate the lapsed time between keystrokes and the hold time, and to calculate the total time needed to key in the information and the time needed for mental preparation.
The users need to key in numerous typing samples in order for the software to learn the natural variations in the user's typing habit.

Authentication Process
During authentication, the user types in his/her password into the computer as usual, and then two things are verified: the correctness of the password, and similarities between the saved keystroke template and the typing rhythm of the user. If both tests are passed, then the user is granted access to the computer.

Several problems are encountered during enrollment.

Typos
When the user is creating the keystroke templates, he/she may make typing mistakes. It is crucial that the user does not use the backspace key for correction and then continue typing. The user must start the template afresh because a different series of keys would generate a different typing rhythm.

Speed of Typing
When the user repeatedly types the same string of characters, it is natural that the typing speed increases due to practice. It is uncertain if the speed of typing would affect the accuracy of the templates.

User Interface and Features

Interface

Admin GUI
In this interface (shown on the left) the administrator can change the global settings in the General Info Tab, and User settings in the User Info Tab. In global settings, the administrator can change the number of typing cycles for enrollment which defaults to 15 when the program is installed. The range available is from 10 to 20, and the higher the value the higher the quality of the template that has been created. The administrator can also choose a security level for enrollment, which dictates how similar each typing cycle must be to the previous ones in order for it to be accepted. The default level is 3 and the maximum number is 10. The higher the level, the more accurately a user must type their name and password.

In the user info section, the administrator can delete user accounts. A user account is automatically added when the user completes the keystroke template while logging in. The administrator cannot create a new template from this Admin GUI. In this section, the administrator can also adjust the security level for each individual user; this range also goes from 1 to 10.

Essentially, the administrator is given the flexibility to adjust the sensitivity of the program by adjusting the security level. This is a threshold adjustment, also known as a back-end adjustment, since it takes place after the creation of a template. The false rejection rate varies a lot when the administrator adjusts the security level. It is uncertain how much control is granted to the administrator. This kind of drastic adjustment may not be good for the security of the computer because it requires extensive experiments to determine a security level that provides safe access while maintaining a low false rejection rate. (See the study of the adjustable parameters referenced below.)
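The sketch below is an added example, not BioPassword's algorithm (which the review notes is unknown). It builds a template from hold times and lapsed times over 15 enrollment cycles, then applies both login checks with a threshold driven by the security level, so the false-rejection trade-off discussed above can be reproduced. The distance measure, the level-to-threshold mapping, all function names and the sample timings are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order.
    Returns every key's hold time, then the lapsed time between consecutive keys."""
    holds = [release - press for _, press, release in events]
    lapses = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds + lapses

def enroll(cycles):
    """Template: per-feature (mean, standard deviation) over the enrollment cycles."""
    columns = zip(*(features(c) for c in cycles))
    return [(mean(col), max(stdev(col), 1.0)) for col in columns]

def distance(template, events):
    """Average number of standard deviations between the attempt and the template."""
    return mean([abs(x - m) / s for x, (m, s) in zip(features(events), template)])

def max_distance(level):
    """Hypothetical mapping of security level 1..10 to an acceptance threshold."""
    return 3.0 - 0.25 * (level - 1)

def authenticate(template, password, events, level=3):
    """Both checks from the review: correct password, then similar typing rhythm."""
    if "".join(key for key, _, _ in events) != password:
        return False  # wrong password, or a backspace changed the key sequence
    return distance(template, events) <= max_distance(level)

def typed(keys, hold, gap, cycle):
    """Constructed sample: per-key timings in ms with a small deterministic wobble."""
    t, events = 0, []
    for k, key in enumerate(keys):
        h = hold + 4 * (k % 3) + (3 * cycle) % 11 - 5
        events.append((key, t, t + h))
        t += h + gap + 6 * (k % 2) + cycle % 9 - 4
    return events

PASSWORD = "Rhythm42"  # constructed, 8 characters
TEMPLATE = enroll([typed(PASSWORD, 100, 80, c) for c in range(15)])  # 15 cycles

if __name__ == "__main__":
    off_day = typed(PASSWORD, 105, 86, 20)   # same user, slightly slower than usual
    stranger = typed(PASSWORD, 70, 140, 20)  # knows the password, different rhythm
    for level in (3, 10):
        print(level, authenticate(TEMPLATE, PASSWORD, off_day, level),
              authenticate(TEMPLATE, PASSWORD, stranger, level))
```

With these constructed timings the slightly slower genuine user passes at the default level 3 but is rejected at level 10, while the stranger who knows the password is rejected at every level.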

Features

  • Login Control
    The user has to enter their user name and password, and both the correctness of the password and the rhythm of typing are evaluated. If an administrator has typed in his/her password three times correctly but failed to meet the rhythm requirement, then he/she has the option to choose the "assistance" key that appears on the login dialogue box. When this button is clicked, the administrator can answer the two challenge and response questions to gain access to the computer.

    The challenge and response questions are a good way to reduce lockouts. It is logical that this right is only granted to administrators. However, the assistance function itself is poorly designed. In order to access the questions, the administrator must enter his/her password and username for the fourth time, and then click "assistance" instead of "login". If the administrator does not enter the credentials before pressing the assistance button, an error message appears.

  • Password Protected Screen Savers
    When the screen saver is changed to password protection mode, the BioPassword software automatically integrates with the original Windows re-logon screen. After some kind of input (e.g., a click of the mouse), the screen prompts the user to press Ctrl+Alt+Del. To regain access to the computer, the user has to provide the correct user name, password, and typing rhythm. What differentiates the re-logon process from the initial logon process is that no assistance is offered: even a user who has administrative rights to the local computer and has supplied the correct user name and password, but cannot satisfy the rhythm template, does not get the alternative of answering the challenge and response questions.

  • File Encryption
    Not Available.

  • Single Sign On
    Not Available

  • Customization
    The administrator can adjust the security level for enrollment and authentication. Please refer to the Admin GUI section.

  • Training
    Not Available

Parameters Study

We have also conducted a study to explore and understand the adjustable parameters in the BioPassword security software, and the report is available:

Biometrics Trailer

This page is part of a project on the Usability and Acceptability of Biometric Security Devices.