Thursday, April 17th, 2008

Fingerprint: A print for your typing

Category: JavaScript, Security

Do you type the same way consistently? Say, if you put in your username and password?

Marcus Westin has created a little jQuery plugin, Fingerprint, that derives a fingerprint from your typing style.

Easy to use:

```javascript
$('#form').fingerprint();
```

This automatically injects hidden fields with names ‘timestamp-down’ and ‘timestamp-up’ for the respective timestamps. On submit, these values get sent to the server, separated by commas.

If you want the value arrays instead, you can just pass in a function to receive the timestamps – this function automatically gets called when the form is submitted.

```javascript
$('#form').fingerprint(function(timeStamps){
  // .. process the timestamps here
});
```

This is a proof-of-concept library. I would love to see the analysis on how close the fingerprints are for people, especially on various keyboards (e.g. if they are on their laptop versus desktop).
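One way the server side could start on that analysis, as an added example that is not part of the original post or of Marcus Westin's plugin: it turns the two submitted fields into dwell and flight times and compares them with an enrolled profile. The millisecond unit, the release-in-press-order pairing, the function names, the threshold and the sample values are all assumptions.

```javascript
// Added example. From the post: fields 'timestamp-down' / 'timestamp-up' hold
// comma-separated timestamps. Assumed: milliseconds, keys released in press order.

function parseStamps(field) {
  const stamps = String(field).split(',')
    .map(s => (s.trim() === '' ? NaN : Number(s)));
  if (stamps.some(t => !Number.isFinite(t))) throw new Error('malformed timestamp field');
  return stamps;
}

// Feature vector: dwell (hold time per key) followed by flight (gap between keys).
function features(downField, upField) {
  const down = parseStamps(downField), up = parseStamps(upField);
  if (down.length !== up.length || down.length < 2) {
    throw new Error('need matching down/up events for at least two keys');
  }
  const dwell = down.map((d, i) => up[i] - d);
  const flight = down.slice(1).map((d, i) => d - up[i]);
  return dwell.concat(flight);
}

// Enrolled profile: element-wise mean of several samples of the same text.
function enroll(samples) {
  const n = samples[0].length;
  if (samples.some(s => s.length !== n)) throw new Error('samples differ in key count');
  return samples[0].map((_, i) => samples.reduce((sum, s) => sum + s[i], 0) / samples.length);
}

// Mean absolute difference in ms; a different key count can never match.
function distance(a, b) {
  if (a.length !== b.length) return Infinity;
  return a.reduce((sum, v, i) => sum + Math.abs(v - b[i]), 0) / a.length;
}

// Constructed sample submissions (not measurements from the plugin).
const profile = enroll([
  features('1000,1150,1320,1500', '1080,1240,1400,1590'),
  features('5000,5160,5330,5500', '5090,5240,5420,5580'),
]);
const sameTypist = features('9000,9155,9330,9505', '9085,9245,9410,9595');
const otherTypist = features('2000,2400,2700,3300', '2150,2520,2900,3420');

const THRESHOLD_MS = 25; // assumed cut-off; would need tuning on real data
console.log(distance(profile, sameTypist) <= THRESHOLD_MS);
console.log(distance(profile, otherTypist) <= THRESHOLD_MS);
```

The timestamps are generated in the browser, so a client can submit any values it likes, including a replay of an earlier submission; a score like this is an additional signal next to the password check, not a replacement for it.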

Cool idea Marcus!

Fingerprint

Posted by Dion Almaer at 10:44 am
13 Comments


Hey :)

My father was using this on some oooold machines in BASIC or something like that :)

To login with any password, just with correct pauses :D

Comment by zero0x — April 17, 2008

I must say I’m not too keen on the $("#form").fingerprint() syntax. So is fingerprint() a method of the form object? Is it an accessor or mutator? Does it return a new FingerPrint object?

Comment by Jordan1 — April 17, 2008

Nifty idea, another way to measure/observe input for “human” behaviours perhaps.

Comment by Schill — April 17, 2008

next step is “Mouseprint” — saves mouse pointer position every 0.x seconds LOL :)

Comment by locdev — April 17, 2008

@Jordan1

This is a plugin for jquery, and follows the expected jquery syntax. $('#form') returns a jquery object for all elements matched with the id ‘form’. All css selectors work, so if you have multiple login forms you could do $('.login-form').fingerprint() and it would automatically fingerprint all your forms with the class ‘login-form’.

As all jquery plugins are expected to do, it returns the same jquery objects for chaining:

$('#form').fingerprint().focus(function(){ alert('type your password with care! We are fingerprinting it.') });

Comment by narcvs — April 17, 2008

There is a library available on linux that does this exact thing. I never used it out of fear that if my typing habits changed I could never log onto my computer, it’s still a neat idea.

Comment by tj111 — April 17, 2008

I think this is neat but it doesn’t work in Opera 9.27 Build 8841

Comment by GCheung55 — April 17, 2008

For fun ported to Prototype:
http://pastie.caboo.se/182523

Works in IE6/7, Firefox 2.0.0.14, Opera 9.25/9.5alpha, Safari 3 win
Usage: $('myForm').fingerprint();

Comment by jdalton — April 17, 2008

np, glad to help :), very neat idea by the way.

Comment by jdalton — April 17, 2008

This is very neat, but does anybody else have a problem with jQuery plugins in general? For some reason I feel simply attaching method after method to a jQuery collection of elements, while convenient and short-handed to write, can quickly become annoying.

I guess I’d like to see more articles on Ajaxian written library-agnostic :/

Comment by matanlurey — April 17, 2008

I totally agree with you matanlurey – here it is. Though it comes at the cost of less flexibility. For example, I didn’t want to mess with onsubmit, so there’s no callback. However, it works pretty well: try http://narcvs.com/javascript/fingerprint/standalone/. The code is at http://pastie.caboo.se/183075/. Tested for Safari 3.1, Opera 9.27, and IE 7, all on OS X – please help me test if you get a chance.

Usage: fingerprintForm(formElementId);

Comment by narcvs — April 18, 2008

This is probably more useful for injecting required quirks for the form’s validation. For example:
A pause greater than 0.75 seconds within the user name.
A pause greater than 2 seconds between the user name and password.
A password of n+(2*i) keystrokes where n is the true password length, and i is the number of required character/backspace pairs.

This way you still don’t get-in with just username and password, which may be easily stolen.

Or you could serve disinformation to someone logging-in sans-quirk.

Comment by StevenBlack — April 18, 2008

There is commercial software for biometric authentication via typing behaviour: http://www.psylock.de/index.php?lang=en

Comment by Jörn Zaefferer — April 23, 2008
