Analyzing script could ease the strain on people’s memories.
A new online authentication system called Dynahand could make logging in to websites a little easier. With Dynahand, users simply identify their own handwriting, instead of entering a cryptic password or buying a biometric device to scan their fingerprints.
Passwords can be secure when used properly, but many people don’t use them well. Creating weak passwords that are easy to hack, using the same passwords for multiple accounts, writing down passwords on slips of paper–these bad habits undermine security. University of Glasgow computer scientist Karen Renaud, who worked on Dynahand, says that people can’t be blamed for this carelessness. “I don’t even know how many passwords I have,” she says. “It’s ridiculous … I think people who design websites are totally unrealistic with the load they put on people.”
Replacing passwords with biometric authentication, which identifies users based on physical characteristics, such as fingerprints or retinal scans, isn’t ideal either because users have to buy additional hardware to take advantage of such schemes. In contrast, Dynahand requires no extra hardware or feats of memory.
To open a Dynahand account, a prospective user submits a variety of handwriting samples. To log in to her account, she must select her own handwriting out of a series of samples presented. Depending on the desired level of security, she may have to do this several times for a single log-in.
The user’s handwriting samples contain only digits, since numerals are harder for an outside party to recognize than letters are. The digits displayed are random, so the handwriting is the only clue to the correct answer. The researchers use an algorithm to analyze characteristics of all the handwriting samples presented, such as the width of the strokes, to be sure that the samples are distinct and don’t confuse a legitimate user.
Renaud says this type of system appeals especially to older users, who can be very aware of the strain that remembering yet another password will put on their memories. She has found that the system also appeals to dyslexic people, who sometimes use very easy passwords because they have trouble remembering complex passwords. Both populations, she says, are willing to use a slower system in exchange for not having to remember a password.
Larry O’Gorman, a computer scientist at Avaya Labs who researches ways to make security more user-friendly, says that he thinks the Dynahand system is interesting, particularly in the way that it has users recognize digits. But he isn’t convinced that it’s secure, as even a single log-in involves identifying handwriting samples multiple times. “A clever attacker will choose the same style of handwriting for each stage,” O’Gorman says. “I don’t know how easy it is to match handwriting styles from one stage to the next, but I believe it can be done to some degree.”
Renaud doesn’t think Dynahand is secure enough for protecting sensitive information, such as bank accounts or health records. Rather, she believes it could be useful for social sites, where a user wants her account to be private but where nothing disastrous would happen if someone broke into it. Using Dynahand in those circumstances could reduce the number of passwords that users must remember, making them more capable of recalling complex passwords when security is crucial.
The Glasgow researchers say that Dynahand’s security could also be enhanced by keeping track of the time it takes a user to respond to each handwriting challenge and by watching out for abnormally long log-in times (which could signal an intruder trying to analyze the samples in search of the correct one) or abnormally short log-in times (which could signal an intruder trying to break in using a brute-force technique that involves a computer rapidly trying every possible response).
The main obstacle to getting Dynahand on the market, Renaud says, is that creating a new account takes too much manual labor behind the scenes. “I put hours and hours into scanning samples in manually,” she says. “That’s okay because I was testing an idea, but a company’s not going to want to do that.” She is now working on ways to automatically collect and analyze handwriting samples.
Keep up with the latest in Security at Business of Blockchain 2019.
May 2, 2019