Inspiration
Two weeks ago, Uber was hacked by a teenager who had phished authentication credentials from an employee. This is any company’s worst nightmare. Human error, like what happened at Uber, remains one of the largest weaknesses in a cybersecurity chain. IBM estimates that human error accounts for 95% of all breaches. Therefore, any cybersecurity endeavor must address this human element.
What it does
We address human error in cybersecurity by introducing AuthentiCadence, a biometric dimension to multi-factor authentication. AuthentiCadence learns the timing and rhythm of the keystrokes in the user’s password entry, defined as the user’s cadence. A binary classifier then identifies valid password entries based on this cadence. Importantly, even if a hacker knows the password, the device remains secured by cadence authentication.
How we built it
AuthentiCadence encodes password entries as vectors, where the vector components represent the timing of the password keystrokes. Then, we train a binary classifier to recognize the user's cadences. Any password entry that deviates too far from the centroid cadence encoding is rejected.
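A minimal sketch of the centroid-distance check described above, added here as an example and not the AuthentiCadence team's code. It assumes inter-key intervals as the encoding, Euclidean distance, and a threshold of mean plus `k` standard deviations of the enrollment distances; all names and timing samples are constructed.

```python
import math
from statistics import mean, pstdev

def encode(timestamps):
    """Key-down timestamps in seconds -> vector of inter-key intervals."""
    if len(timestamps) < 2:
        raise ValueError("need at least two keystrokes")
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def distance(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))

class CadenceProfile:
    def __init__(self, samples, k=3.0):
        vectors = [encode(s) for s in samples]
        if len({len(v) for v in vectors}) != 1:
            raise ValueError("enrollment samples must have equal length")
        self.centroid = [mean(col) for col in zip(*vectors)]
        spread = [distance(v, self.centroid) for v in vectors]
        # Assumed rule: accept within mean + k * stdev of enrollment distances.
        self.threshold = mean(spread) + k * pstdev(spread)

    def verify(self, password_ok, timestamps):
        """Cadence is a second factor: it never rescues a wrong password."""
        if not password_ok or len(timestamps) != len(self.centroid) + 1:
            return False
        return distance(encode(timestamps), self.centroid) <= self.threshold

# Constructed enrollment data: five entries of one six-character password.
ENROLL = [
    [0.00, 0.18, 0.31, 0.62, 0.75, 0.93],
    [0.00, 0.20, 0.33, 0.61, 0.76, 0.95],
    [0.00, 0.17, 0.29, 0.60, 0.72, 0.91],
    [0.00, 0.19, 0.32, 0.65, 0.78, 0.96],
    [0.00, 0.18, 0.30, 0.59, 0.73, 0.90],
]
PROFILE = CadenceProfile(ENROLL)
GENUINE = [0.00, 0.19, 0.31, 0.61, 0.75, 0.93]   # owner's usual rhythm
IMPOSTER = [0.00, 0.25, 0.50, 0.75, 1.00, 1.25]  # right password, even typing

if __name__ == "__main__":
    print("threshold:", round(PROFILE.threshold, 4))
    print("genuine accepted:", PROFILE.verify(True, GENUINE))
    print("imposter accepted:", PROFILE.verify(True, IMPOSTER))
```

Raising `k` lowers false rejections of the real user at the cost of accepting more imitations, so it should be tuned on held-out entries from both the user and other typists.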
Challenges we ran into
The brainstorming process took several hours longer than we anticipated because it took substantial effort to prune our ideas into a single goal. But our team constructed a decision-making framework that accelerated our idea selection.
It was also our first time deeply engaging in front-end user experience. We took a long time to discover good frameworks for developing front-end interactables.
Accomplishments that we're proud of
We were ecstatic to see how well our classification model performed. We were able to identify false password entries even when the "hacker" knew the cadence and the password string. This performed significantly better than we ever hoped for. Our visualization of the classifier made this process even more satisfying to observe.
We are also very proud of our front-end design. We learned a lot about implementing front-end techniques, and we are happy with how interactive the design is.
What we learned
We learned how to work with Tkinter, the technology we selected for front-end design. We selected it because it allowed all of us to work in Python, but it introduced several challenges related to interfacing with the back-end model.
What's next for AuthentiCadence: On-Beat Security
Our model is sometimes too restrictive. When passwords are complex, even the user's cadence may be occasionally rejected. The classification should account for variability in cadence due to such complexity.
We also hope to add more user functionality. A more comprehensive system would account for multiple users, each with multiple possible password cadence profiles. (We considered a clustering algorithm to identify each user's multiple cadence profiles.)
Measuring cadence is a process independent of many dual-factor authentication products like Duo, so our product is compatible with existing security frameworks. A fully realized commercialized product would run in parallel with these established technologies to protect emails, phone logins, and database systems.
Credits
We are grateful for our interviewees, who agreed to participate as test subjects to demonstrate our product. In accordance with HackRice 12 rules, none of our interviewees saw or modified our code or made code suggestions. A big thanks to Peter Riera, Loic Duggal, Adam Vuong, and our other volunteers!
Fun quotes we made while sorry from sleep loss
- "I'm not too fond of this human thing."
- "I'm feeling Number 5." (AuthentiCadence is not Number 5.)
- "Oh I forgot! That's because we didn't tell you the trick!"
- "Because you have no rhythm." "Because my rhythm is on another plane."
- "As long as we have sound on paper."