Subj: Re: Presenting a new(?) idea for free open source software development.
To: comp.programming
From: Arthur J. O'Dwyer
Date: Mon Aug 08 2005 03:00 pm

On Sun, 7 Aug 2005, Ingvald Straume (from Norway - Europe) wrote:
>
> I'm a 32-year-old novice to average programmer, and I have an idea
> which I believe to be fairly good: an authentication system to
> replace the old-fashioned password authentication method. The general
> idea is that a user - using the computer mouse - draws his/her
> signature onto a canvas on the login screen. The login program records,
> from millisecond to millisecond, the mouse motions and the curve drawn
> on the canvas by the user. Then the program compares the curve with an
> already stored pattern which has been preadapted to match the authentic
> user's graphical mouse signature.

First problem: I've never in my life seen a mouse that can be used to draw free-form curves accurately. Open up a bitmap editor and try it yourself --- even a new mouse out of the box will most likely have irregularities in its movement, and even the cleanest desk will have bumps and ridges that throw off the mouse.

Second problem: You have not described the "stored pattern" or the "graphical mouse signature," which seem to be the cornerstone of your whole idea. For example (supposing "First problem" didn't exist), you'd want your "pattern" to compare equal even if the user starts his signature one pixel to the left or right, or draws a loop a little bit smaller than usual (for some definition of "a little bit"), and so on. If you can't find a good solution to this problem, you have nothing.

Third problem: Any solution to "Second problem" must be a heuristic, rather than an ironclad, foolproof algorithm.
One of the best things about contemporary cryptographic protocols is that they're well-defined --- anybody anywhere in the world can implement them, and nobody has to worry about "edge cases" --- like "What if the user is feeling extra tired today and can't draw straight?"

> I believe that this method will have some advantages compared to the
> traditional password security system:
>
> 1) A graphical mouse login and authentication system is safe: Even if
> an intruder knows what the true user's signature looks like, he won't
> be able to reproduce it, because that requires that the signature is
> drawn in the true user's individual style and timing.

No problem. If the intruder controls the hardware (the input device), he controls everything. He just unplugs the mouse, plugs his capture device between the mouse and the computer, records the user's mouse movements, and then can replay them any time he wants access to the user's account.

Ditto over a network --- your protocol amounts to the following:

  Server: Hey, user, give me your password.
  User: Okay, here it is: (up-down-up-down-left-right-left-B-A-B-A)
  Server: Thanks! You're okay.

That's literally the second dumbest protocol there is. (The first dumbest is the one where the server doesn't ask for a password at all. :)

> 2) Users will no longer need to remember passwords.

No; now they'll need to remember their "mouse signature," which is probably harder than remembering an English phrase. And they'll never be able to access their account from any machine without a mouse, unless they are smart enough to invest in the same movement-capturing device (or software) our hypothetical hacker used to grab their password in the example above.

Looks like a non-solution in search of a problem, as far as I'm concerned.

-Arthur
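As an added illustration of the replay point in Arthur's reply (this is example code, not from either poster): a constructed mouse trace is sent verbatim in the "give me your password" protocol and replays perfectly, whereas a challenge-response variant with a one-time server nonce (the `ChallengeServer` class, nonce handling and trace format are all assumptions of this example) rejects the same captured exchange when it is played back.

```python
import hmac
import hashlib
import secrets

# Constructed sample "mouse signature": (t_ms, x, y) samples, as the
# login program in the proposal would record them. Not real data.
TRACE = [(0, 10, 10), (12, 14, 12), (25, 20, 11), (40, 26, 15), (55, 30, 20)]

def serialize(trace):
    """Assumed wire/storage encoding of a trace (example only)."""
    return ",".join(f"{t}:{x}:{y}" for t, x, y in trace).encode()

class NaiveServer:
    """The protocol as Arthur describes it: the client sends the secret itself."""
    def __init__(self, enrolled_trace):
        self.enrolled = serialize(enrolled_trace)

    def login(self, message):
        return hmac.compare_digest(message, self.enrolled)

class ChallengeServer:
    """Assumed fix: the trace acts as a key; the client proves it with an HMAC
    over a fresh nonce, and each nonce is accepted at most once."""
    def __init__(self, enrolled_trace):
        self.key = hashlib.sha256(serialize(enrolled_trace)).digest()
        self.issued = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.issued.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.issued:      # unknown or already consumed nonce
            return False
        self.issued.discard(nonce)        # one-time use: replay fails here
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(trace, nonce):
    key = hashlib.sha256(serialize(trace)).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()

def replay_against_naive():
    server = NaiveServer(TRACE)
    captured = serialize(TRACE)           # what a passive tap on the wire sees
    return server.login(captured)         # True: the captured message is the secret

def replay_against_challenge():
    server = ChallengeServer(TRACE)
    nonce = server.challenge()
    captured = (nonce, client_response(TRACE, nonce))  # same passive capture
    return server.login(*captured), server.login(*captured)  # (True, False)
```

The challenge only protects the network leg: the capture device between mouse and computer that Arthur describes records the trace itself, which in this scheme is the key, so it defeats both variants.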