Technology Review - Published By MIT
Who's Typing Your Password?

By watching how passwords are entered, a company hopes to make log-ins more secure.

By Erica Naone

Thursday, July 16, 2009

Passwords can be one of the weakest links in online security. Users too often choose one that's easily guessed or poorly protected; even strong passwords may need to be combined with additional measures, such as a smart card or a fingerprint scan, for extra protection.

Delfigo Security, a startup based in Boston, has a simpler solution to bolstering password security. By looking at how a user types each character and by collecting other subtle clues as to her identity, the company's software creates an additional layer of security without the need for extra equipment or user actions.

The software, called DSGateway, can be combined with an existing authentication process. As a user enters her name and password, JavaScript records her typing pattern along with other information, such as her system configuration and geographic location. When the user clicks "submit," her data is sent to the Web server and, provided that the username and password are correct, the additional information is passed on to Delfigo. The company's system then evaluates how well this information matches the behavior patterns of the appropriate authorized user.

Delfigo's algorithms build up a profile of each user during a short training period, combining 14 different factors. The company's president and CEO, Ralph Rodriguez, developed the necessary algorithms while working as a research fellow at MIT. Rodriguez notes that recording multiple factors is crucial to keeping the system secure without making it unusable. If the user types a password with one hand, for example, while holding coffee in the other, the system must turn to other factors to decide how to interpret the variation, he says. If she does this every morning, the system will learn to expect to see this behavior at that time of day.

The idea that a password should completely succeed or completely fail "is an old paradigm that should go away," says Rodriguez. Even if the system sees something strange about the way that a user enters her password, for example, it just assigns a confidence level to that log-in attempt. Access levels can be configured depending on this confidence level. For example, if a user logs in from an odd location, lowering the system's confidence, it might allow her to see her account balance but restrict the funds that she is able to transfer. If the user needs to increase her confidence factor at that moment, Rodriguez says, she could answer additional security questions or have a one-time password sent to her mobile phone or via e-mail.
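The graded log-in the article describes, worked through as an added example (not Delfigo's DSGateway code): dwell and flight times from key-down/key-up events are turned into a per-user profile during a training period, a new attempt is scored as a confidence level rather than pass/fail, an unfamiliar location discounts that confidence, and the score maps to full, restricted or step-up access. All timings and location names are constructed sample data; the 2-sigma rule, the 0.7 location discount and the tier thresholds are assumptions chosen for the illustration.

```python
# Added example (not Delfigo's DSGateway code): build a keystroke-timing profile from a short
# training period, score a new log-in as a confidence level, and map it to an access tier.
# All timings (milliseconds) and locations are constructed sample data.
from statistics import mean, pstdev

MIN_SIGMA_MS = 10.0  # tolerance floor so a perfectly consistent feature still allows normal jitter

def features(events):
    """events: (key, key_down_ms, key_up_ms) in typing order -> dwell times then flight times."""
    dwell = [up - down for _, down, up in events]                                # how long each key is held
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]   # gap between keys
    return dwell + flight

def build_profile(training_attempts, locations):
    """Per-feature (mean, sigma) over the training attempts, plus the user's usual locations."""
    columns = zip(*(features(a) for a in training_attempts))
    timing = [(mean(c), max(pstdev(c), MIN_SIGMA_MS)) for c in columns]
    return {"timing": timing, "locations": set(locations)}

def confidence(profile, attempt, location):
    """Fraction of timing features within 2 sigma of the profile, discounted for an unseen location."""
    hits = sum(1 for x, (mu, sd) in zip(features(attempt), profile["timing"]) if abs(x - mu) <= 2 * sd)
    score = hits / len(profile["timing"])
    if location not in profile["locations"]:
        score *= 0.7  # an odd location lowers confidence instead of failing the log-in outright
    return round(score, 3)

def access_level(score):
    """Graded outcome: full access, restricted (e.g. view balance, no transfers), or step-up
    (extra security questions / one-time code) so the user can raise her confidence factor."""
    if score >= 0.85:
        return "full"
    return "restricted" if score >= 0.5 else "step_up"

# Constructed training data: the same user typing a 4-character password three times.
TRAINING = [
    [("p", 0, 90), ("a", 180, 270), ("s", 350, 430), ("s", 540, 620)],
    [("p", 0, 100), ("a", 190, 280), ("s", 370, 450), ("s", 560, 650)],
    [("p", 0, 80), ("a", 170, 260), ("s", 340, 410), ("s", 520, 610)],
]
PROFILE = build_profile(TRAINING, ["Boston"])
GENUINE = [("p", 0, 95), ("a", 185, 270), ("s", 350, 435), ("s", 540, 625)]
IMPOSTOR = [("p", 0, 140), ("a", 400, 520), ("s", 700, 790), ("s", 1100, 1200)]  # slower rhythm

if __name__ == "__main__":
    for label, attempt, loc in [("genuine/home", GENUINE, "Boston"), ("genuine/travel", GENUINE, "Denver"),
                                ("impostor/home", IMPOSTOR, "Boston")]:
        s = confidence(PROFILE, attempt, loc)
        print(f"{label}: confidence={s} -> {access_level(s)}")
```

The same genuine rhythm lands in the "restricted" tier when it arrives from an unseen location, which is the view-balance-but-no-transfer case the article gives; a markedly different rhythm from the usual location falls to "step_up".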

Comments

  • [no subject]
    Very interesting.  Sounds really secure, but I do agree with Adida that until we see how difficult it is to replicate the profiles, it'll be hard to say if the software is any more effective than existing security devices/software. 

    laura42382
    07/16/2009
  • authentication by keystroke typing
    I and some others explored this in the 1970s, and published the results here:
    http://www.rand.org/pubs/reports/R2526/

    The issue then was whether the clocks on computers would be accurate enough (a problem of what is called "interrupts").  Probably not an issue now.

    A significant advantage is that the user can be continuously reauthenticated every time he or she types. Also, the statistics of user keystroke timing can continuously be improved. So if someone else starts using your computer, it will be noticed.

    A problem: what happens when you hurt a finger?  Can you still log in?

    StockGaines
    07/17/2009
  • Xtended lunch
    I wonder if it would still work after a business lunch with a couple of bottles of wine???

    tabishop
    07/18/2009
  • Passwords are Passé....Let's drop the password

    Arrggg…ARE WE BRAIN DEAD?

    The existing user id / password system is an ancient method that was developed for fixed computer systems such as servers, desktops and people needed mobility of account access and people had just one or two accounts to manage.

    It is a totally different situation today… People register for tens and possibly hundreds of accounts in their short online lifetime.

    And having to define a different user id and password for each of these accounts is simply crazy to expect. And then to give away my mother's maiden name, pet's name, my favorite restaurant, etc. to an online website that can get hacked can not only compromise my online accounts but also my real accounts such as bank accounts where these are used many a time.

    IT IS SCARY…..

    I have not used social networking sites much and have switched from one to another regularly. I was on orkut, then got bored and switched to LinkedIn which sounded more professional and now use FaceBook regularly and come to think of it, I use the same password for all of these.

    IT IS EVEN MORE SCARY NOW….

    And this thought did not cross my mind just now…it happened many months ago when the AOL story broke out and I wondered if there is a solution for this. And then I realized that the solution is not a stronger password or having to tell the computer to remember it for me or to use my mother's maiden name to recover it.

    THE SOLUTION IS TO JUST DUMP THE PASSWORD……IT IS NO LONGER NEEDED.

    Today’s USER AUTHENTICATION system is developed for DESKTOP COMPUTING not for CLOUD COMPUTING where people exchange information between each other more regularly.
    Today, the computer is mobile be it the NetBook or your Smart Phone. You carry it where you go and with pervasive mobile internet connectivity, you can get connected from anywhere using Wi-Fi, or GPRS or EDGE.

    SO PLEASE INTERNET SECURITY EXPERTS…..WAKE UP…WE ARE NO LONGER STUCK TO A DESKTOP. AND HENCE DO NOT NEED TO USE A USER ID/PASSWORD TO ACCESS OUR ACCOUNTS FROM A DIFFERENT COMPUTER. WE OWN A NETBOOK OR AN IPHONE FROM WHICH WE DO MOST OF OUR ONLINE ACCESS OR WORK EXCEPT FOR WHEN WE ARE WORKING IN OUR OFFICES WHERE THE COMPANY SPENDS ZILLIONS ON SECURITY ANYWAY.

    IBM had thought of a password free system many years back….they also filed a prior art on this.

    http://www.priorartdatabase.com/IPCOM/000039794/

    Others have followed… http://www.kirit.com/A%20simpl.....eb%20sites

    And I have filed my own patent for EasySecured which offers a unique, simpler and completely SECURED way to achieve the same concept.

    ISN'T THIS AMAZING……NO PASSWORD TO REMEMBER, NO PASSWORD STORED ANYWHERE WAITING TO BE HACKED?

    IF PASSWORDS ARE NOT STORED ON THE SERVER OR YOUR COMPUTER, THERE IS NO WAY HACKERS CAN HACK INTO ONLINE ACCOUNTS.

    AM I CRAZY? HOW DOES ONE AUTHENTICATE AN ACCOUNT IF THERE ARE NO PASSWORDS?

    The solution is downright SIMPLE, your computer is your password. By this I mean not just a desktop, your netbook, your laptop, your smartphone, IPHONE anything that is a computer. YOU ARE NOT STUCK TO A SINGLE COMPUTER.

    Your online account will open only from the computers you have registered to access. You do not have to define a password or remember it. Only your User ID which is like the PIN number of your Credit Card and which will work only from your computer or the computers you allow it to work.

    ONCE AGAIN …..NO PASSWORD…. IS STORED IN YOUR COMPUTER…. OR THE HOST SERVER.

    The password is a unique signature derived from the various parts of your computer mashed up using a patent pending technology that is generated in real time every time you try to log in to your account from the registered computer.

    The server authenticates by decrypting your user account details using this real-time generated password and granting you access to your account.

    Hackers rely on stored user ids and passwords on servers to hack accounts. In this case only your user id is stored on the server, encrypted with a real-time generated password that is stored NOWHERE.

    IF a hacker has to gain access to your online account, he or she has to also gain access to your computer or IPHONE or NetBook along with your original User ID.

    As every User ID and critical user information such as credit card numbers etc are encrypted using a unique key generated by a physical device, there is NO WAY HACKERS CAN HACK INTO ONE ACCOUNT AND GET THE KEY TO HACK THE REST OF THE ACCOUNTS ON THE SERVER.

    I have been working on this idea and concept for months and only need industry support to make this a reality and ONCE AND FOR ALL PUT AN END TO THE VULNERABILITY OF ONLINE ACCOUNTS.

    You can twitter me @gurudatts to know more about this or email me.

    gurudatts
    07/20/2009
  • gurudatts
    gurudatts, Quite the advertisement for your patent.

    You have a patent for an idea you believe in, yet rather than do something with it yourself you post a plea for other more capable programmers to implement your idea.  Of course you can then turn around and sue them to gather your free money from their hard work like a parasite that can't gather food for itself but rather relies on a much more capable host.

    Furthermore, you are a fool if you think that your concept for a passwordless system is hacker proof. Such hyperbole is the hallmark of a con-artist. Everything is hackable, that is almost a rule of nature, just some things are more difficult than others. The system you describe is not even very secure. Let's assume for a moment that I am correct and that your system gets hacked. That means that the hacker now has a means to access secure sites from each and every computer that she gains access to by generating her own passcodes. The hacker does not need to lurk and catch a password, they can just generate one automatically from the zombied computer. Now I admit it would be difficult and take some knowledge and skill to do that, but with the payback of instant and unlimited secure site access from all the hacker's zombified computers I can almost guarantee that someone, some group or some country will make the effort.


    thornfoot
    07/21/2009
    • Re: gurudatts
      Hello,

      I appreciate your critical review of my post but it is quite misguided. I have been working my ass off on developing a prototype, have been a career programmer for the past 18 years, and will soon be launching products based on my patent.

      With regards to your inference that everything is hackable. I agree with you there is no question about that. But my solution will make it that much more difficult as you rightly put it.

      IF your computer is hijacked then there is no doubt nothing is secure at your end. But you are completely missing the point I was making.

      I am proposing a solution where there is no password and if at all there is, it is not stored anywhere but generated in real time to unlock the door to your account every time you sign in.

      This means many things. For one, someone cannot issue a select userid, password from citibank_db and then go about hacking accounts, because this syntax will give an error with my solution...There is no password field.

      We can keep brainstorming...on this

      gurudatts
      07/22/2009
  • [no subject]
    It's fairly simple to compromise a desktop machine. That is how botnets get so large. This no-password idea doesn't sound too secure.  I do like the weighted multi-factor approach described in this article though.

    futurist_203...
    09/05/2009
  • We've seen this kind of thing before
    at least in "speculative fiction" (I don't recall the specific story, but it's out there)...

    The scenario I recall was the computer system which monitored the input keystroke sequence as opposed to passively comparing the resulting string to a password table -- specifically with the ability to notice that this particular user always embedded a backspace key at some predictable point. Backspace and delete keys, and external "mouse-click" cursor repositioning techniques (click in the middle, insert some text, click at the end) would never show up in the final resulting string, so impersonation in this case would require dynamic monitoring, not passive interception. Quite secure. In particular, keystroke loggers would curl up and choke attempting to correlate "Dynamic Repositioning Embedments, Cursor Knowledge". I'd buy it. Unfortunately, since this qualifies as publication into the public domain, patenting this particular DRECK is probably compromised now.

    As far as the concept of capturing a supposedly "unique" signature from multiple elements of a given system, you're running neck-and-neck, patent-wise, with Microsoft's "Genuine Advantage" near-fiasco -- personally, considering the average public response to THAT approach to 'verification' (which is VERY much similar to what you're describing), I'd suggest you avoid courting any Venture Capital types who have ever attempted to maintain a Microsoft Operating System on a potentially-changing personal computer -- whoa, bang!!! Oops. Sorry, bubble burst.

    flared0ne
    09/08/2009
    • Re: We've seen this kind of thing before
      But, all things considered, what I think I'm saying is that your idea has in fact been published into the public domain, some years ago. So your patent stands a fairly good chance of not being exactly "bullet-proof".

      You have to love science fiction writers -- they generate some of the wildest "actually feasible" concepts, then give them away for free as part of telling some story. Darn.

      flared0ne
      09/08/2009

MIT Massachusetts Institute of Technology © 2009 Technology Review. All Rights Reserved.