Thursday, April 17th, 2008
Fingerprint: A print for your typing
Category: JavaScript
, Security
Do you type the same way consistently? Say, if you put in your username and password?
Marcus Westin has created a little jQuery plugin that measures a finger print based on your typing style, Fingerprint.
Easy to use:
-
-
$('#form').fingerprint();
-
This automatically injects hidden fields with names 'timestamp-down' and 'timestamp-up' for the respective timestamps. On submit, these values get sent to the server, separated by commas.
If you want the value arrays instead, you can just pass in a function to receive the timestamps - this function automatically gets called when the form is submitted.
-
-
$('#form').fingerprint(function(timeStamps){
-
// .. process the timespamps here
-
});
-
The is a proof of concept library. I would love to see the analysis on how close the fingerprints are for people, especially on various keyboards (e.g. if they are on their laptop versus desktop).
Cool idea Marcus!
Hey :)
My father was using this on some oooold machines in BASIC or something like that :)
To login with any password, just with correct pauses :D
I must say I’m not too keen on the $(”#form”).fingerprint() syntax. So is fingerprint() a method of the form object? Is it an accessor or mutator? Does it return a new FingerPrint object?
Nifty idea, another way to measure/observe input for “human” behaviours perhaps.
next step is “Mouseprint” — saves mouse pointer position every 0.x seconds LOL :)
@Jordan1
This is a plugin for jquery, and follows the expected jquery syntax. $(’#form’) returns a jquery object for all elements matched with the id ‘form’. All css selectors work, so if you have multiple login forms you could do $(’.login-form’).fingerprint() and it would automatically fingerprint all you forms with the class ‘login-form’.
As all query plugins are expected to do, it returns the same jquery objects for chaining:
$(’#form’).fingerprint().focus(function(){ alert(’type your password with care! We are fingerprinting it.’) });
There is a library available on linux that does this exact thing. I never used it out of fear that if my typing habits changed I could never log onto my computer, it’s still a neat idea.
I think this is neat but it doesn’t work in Opera 9.27 Build 8841
For fun ported to Prototype:
http://pastie.caboo.se/182523
Works in IE6/7, Firefox 2.0.0.14, Opera 9.25/9.5alpha, Safari 3 win
Usage: $(’myForm’).fingerprint();
Hey, Thanks John-David - I assumed jQuery made the event object cross platform… :(
@GCheung55 - I used JD’s fix for the timestamps 0 and it now runs in Opera 9.27 Build 3731 on osx. New version is up and running, and an update in the repository
np, glad to help :), very neat idea by the way.
This is very neat, but does anybody else have a problem with jQuery plugins in general? For some reason I feel simply attaching method after method to a jQuery collection of elements, while convenient and short-handed to write, can quickly become annoying.
I guess I’d like to see more articles on Ajaxian written library-agnostic :/
I totally agree with you matanlurey - here it is. Though it comes at the cost of less flexibility. For example, I didn’t want to mess with onsubmit, so there’s no callback. However, it works pretty well: try http://narcvs.com/javascript/fingerprint/standalone/. The code is at http://pastie.caboo.se/183075/. Tested for Safari 3.1, Opera 9.27, and IE 7, all on OS X - please help me test if you get a chance.
Usage: fingerprintForm(formElementId);
This is probably more useful for injecting a required quirks for the form’s validation. For example:
A pause greater than 0.75 seconds within the user name.
A pause greater than 2 seconds between the user name and password
A password of n+(2*i) keystrokes where n is the true password length, and i is the number of required character/backspace pair.
This way you still don’t get-in with just username and password, which may be easily stolen.
Or you could serve disinformation to someone logging-in sans-quirk.
There is a commericial software for biometric authentication via typing behaviour: http://www.psylock.de/index.php?lang=en