The purpose of this project is to provide website administrators with an open source piece of software to detect and prevent account hijacking.
Please note: This project is currently not quite ready for use on a production website. The system for adding new devices is not complete so users will have difficulty using it from multiple devices.
When I originally came up with this project I wanted to use a system of modules to score the user's legitimacy with a series of tests. After writing the overarching system used by the modules I switched to focusing on one specific module, the keystroke dynamics module. While my work has largely focused on using keystroke dynamics, the use of modules leaves room for the inclusion of other forms of authentication.
My system is designed to preform authentication at any time and returns a trust score rather than a simple true/false reply. This comes with some drawbacks, it cannot be installed without configuration and improper setup can reduce the amount of security it confers. This design does allow for the creation of higher and lower security zones on a site, for sites to preform continuous authentication, and for more sensitive sites to require more trust.
The software consists of two parts a set of modules and server component.
The server is the part of my project responsible for running module components, handling requests, and combining the results of the different modules. From a software perspective it handles all the things that are abstracted away so that modules do not have to do them.
When the server starts up it imports all of the modules and registers their functions and scripts. In ordinary use a protected page loads the scripts from the server and they collect data for processing by the server.
For a guide on module development please see the wiki page.
Methods of Verification
The keystroke dynamics module collects data about how a user types and uses it to identify them. Because people have different typing patterns the software can identify when another person, potentially an attacker, is typing.
The current keystroke dynamics system collects the average amount of time needed to change between different keys. During processing these collected averages are then compared to previous averages and scored. Currently the comparison is done by finding all the overlapping keys and finding the difference between the averages. The differences between the times in the stored set and the collected data are then averaged and used to decide the final score of the user. If the average deviation between the collected times and the new ones is too high the person typing is probably not who they say they are.
The fingerprinting module preforms very basic browser fingerprinting. It collects the screen resolution of users' computers and the number of processor cores they have.
IP Address Checking
This is a very simple module to check the IP address of the users.
I started out the keystroke dynamics module with the hope that I could achieve a 60 percent reliability. Fortunately, I have been able to exceed this initial expectation and achieve a greater than 80 percent reliability. This still leaves considerable room for improvement.
In the course of writing this software I have realized that other methods may be needed to identify the individual typing in our increasingly phone based world. Phones have few identifiable traits compared to PCs and strive to eliminate typing making it hard to accurately confirm the identity of a user on a mobile phone.
If you wish to help with this project you can suggest improvements project or to the documentation.
Pull requests to improve this project and its documentation are also welcome. A set of possible improvements for this project are available here and in the issue tracker.
Reporting Security Problems
When submitting a security issues to the bug tracker please use the following message format:
<description of problem>
[//]: # (START MITIGATION)
<description of how to mitigate the problem>
[//]: # (END MITIGATION)
<Anything else you have to say>
This allows me to display the solution to the problem to everyone using the security bulletin.