The Signature Authentication Demo Program by liamei12345


                                The Signature Authentication Demo Program
                                       Written by Ingvald Straume

(1)    How to use the demo program

The program (signature.exe) has a standard Windows graphical user interface, which is pretty
self-explanatory. The user is allowed to record an original signature by drawing, using the
mouse, onto the main form. Thereafter, the user may record a secondary signature to be
compared against the original signature.

       fig. 1 – The user interface while the user is in the process of drawing his original
       signature, but before the ‘Done’ button is pressed.

Drawing can be done using any of the three mouse buttons, or any combinations of those. (With
the demo program, the various button combinations produce different colors on the screen.)

Recording starts when the user, after selecting the appropriate ‘Create … Signature’ command
from the ‘Action’ menu, presses any mouse button while the mouse cursor is positioned over the
green background. The horizontal and vertical coordinates of the mouse cursor, and the state of
the left, middle and right buttons, are recorded several times per second. The end of the record
is trimmed to the point in time when the user last released the mouse button before clicking the
‘Done’ button (or pressing the Return or Enter key on the keyboard).

       fig. 2 – The user interface after the user has recorded both his original signature and
       secondary signature, and selected ‘Compare Signatures’ from the ‘Action’ menu.

The demo program works best if the user is skilled at drawing by mouse. The signatures to be
compared must be drawn fluently — without haste and without hesitation. For best results,
practice until you know how to draw the two signatures equally without thinking about it! The
signatures have to be roughly the same size, drawn in roughly the same place during roughly the
same amount of time, and the motions and button actions of the mouse have to match.

(2)    General information

The Signature Authentication Demo program was made in an effort to demonstrate that it is
possible to use graphical signatures as an authentication method for personal computer systems,
replacing the plain old user name and password login procedure. The method requires a
computer with a graphical user interface and a pointing device (e.g. a mouse).

The general idea is that the user, upon login, instead of typing some secret password, draws his
or her personal signature onto an area of the screen using the mouse. This login signature is then
compared against one or more previously stored original signatures on the computer system, which
the computer system knows belong to the true user. If the login signature’s pattern matches the
previously stored original signature pattern, the user is authenticated. This way, users may be
provided with better protection against someone else breaking into their accounts, compared to
traditional password login systems.

The problem with passwords is that an intruder may be able to get or guess a user’s password.
And as long as someone is able to type a valid user name and provide it with the correct
password, the computer system happily trusts that someone to be the genuine owner of the user
name and password, granting him or her access to the true user’s resources, without questioning
the person’s identity any further. Besides this, remembering and maintaining passwords places a
burden on users.

From a security point of view, there’s a giant hole to be filled here. Smart cards and PIN codes
may provide better login security than user names and passwords alone. (That is: as long as the
users don’t lose their smart cards.) Unfortunately, most personal and networked computers in
most companies and in most homes are not equipped with smart card readers. Therefore, in order
to employ that method, additional hardware investments have to be made.

This is where the graphical mouse signature authentication method comes in. If well developed,
such an authentication system can be as secure as smart card authentication systems, or even
more secure. (Smart cards may get lost or stolen. But the ability to draw a unique personal
graphical hand signature can’t easily be copied.) Provided that the system has clever enough
algorithms for determining the authenticity of login signatures, authentic users may easily gain
access to the computer system, while spoofers are efficiently shut out. Even if Mr. Hostile
Hacker knows what the signature belonging to a particular user looks like, and even if he knows
what mouse motions and button actions are needed to produce it, he may in fact not be able to
copy it, because the ability to do so lies in the hand and nervous system of the person who
produced the original signature pattern in the first place.

With traditional password authentication systems, users are encumbered with the responsibility
for three important security issues. These are:
       • keeping passwords secret
       • changing passwords frequently
       • choosing complex, impersonal passwords that are hard to guess
         (and consequently hard to remember)

If the users don’t pay proper attention to these issues, their accounts become vulnerable to
intrusion by spoofers. With a graphical mouse signature authentication system, problems like
those described above are eliminated.

(3)       Further developments (proposal)

The Signature Authentication Demo is a version 0.01 Beta release. The authentication algorithms
in the demo program work well only if the user drawing the original signature provides the
       • First, the user has to practice (quite a lot) drawing his or her signature on the computer
         screen using the mouse, so that he or she is able to draw it fluently, before using the
         Signature Authentication Demo program to draw and record the original signature.
       • Second, when the user has developed the skill to properly produce an original signature
         and a matching secondary signature, he or she will have to redraw the secondary
         signature several times, each time slightly restricting the divergence settings and the
         ‘Hits Required …’ settings to make the settings fit the user’s personal drawing style. This
         must be done manually.

For the program to be more convenient to use and for it to reliably live up to the ideal of easily
authenticating true original signature owners while efficiently rejecting spoofers, a few
improvements have to be made:
       • The algorithm for computing the most suitable offsets used when comparing
         signatures needs to be developed further. Though the current version works fine in
         most cases, it is not the smartest possible. Sometimes, though rarely, the
         algorithm takes the wrong path, so that comparison of two matching authentic
         signatures evaluates to ‘Failed’. A more troublesome aspect, however, is that the
         offset algorithm has a tendency to “fool” the comparison algorithm into believing that
         spoofers’ signatures are more similar to the original signature than they actually are.
         This ought to be fixed.
       • The program should have algorithms for automatically adjusting the comparison
         settings to the user’s drawing style. Also, the maximum offset and the divergence
         values for the different comparison parameters should be allowed to vary through the
         signature. In order to have the program automatically adjust the comparison settings,
         the user will have to redraw the original signature a few times. Therefore, the program
         is going to need algorithms for merging several instances of the same original
         signature into one “authoritative” original signature pattern.
       • In addition to the eight comparison parameters in the current version of the Signature
         Authentication Demo program, two more comparison parameters may be introduced:
         relative angle (or angle change) and relative velocity (or velocity change).
       • Furthermore, the original signature pattern and the comparison settings should be
         allowed to change slightly over time. In a real-world graphical mouse signature login
         system, signatures are likely to evolve as users log in repeatedly, week after week,
         month after month. (E.g. a user starts drawing a bit faster, or the signature curves
         grow slightly bigger.) The program should have algorithms for adapting the original
         signature pattern and comparison settings to the natural evolution of the users’ mouse
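
The trade-off between the offset search and the ‘Hits Required …’ setting can be shown with a small Python sketch. It is an added illustration, not the demo program's code: the page does not describe the real algorithm or its eight parameters, so the spatial shift search, the single position-plus-buttons check, and all names and sample traces here are assumptions.

```python
# Added illustration, not the demo program's algorithm; all names are hypothetical.
from math import hypot

def hit_ratio(original, attempt, divergence_px, max_offset):
    """Best fraction of sample pairs that match over all allowed shifts.

    Traces are lists of (x, y, buttons) sampled at a fixed rate. A pair is a
    hit when the button state is equal and the points are within divergence_px
    after shifting the attempt by (dx, dy), |dx| and |dy| <= max_offset.
    Samples without a partner (unequal lengths) count as misses.
    """
    total = max(len(original), len(attempt))
    if total == 0:
        return 0.0
    best = 0.0
    for dx in range(-max_offset, max_offset + 1):
        for dy in range(-max_offset, max_offset + 1):
            hits = sum(
                ob == ab and hypot(ax + dx - ox, ay + dy - oy) <= divergence_px
                for (ox, oy, ob), (ax, ay, ab) in zip(original, attempt)
            )
            best = max(best, hits / total)
    return best

def authenticate(original, attempt, divergence_px, hits_required, max_offset):
    """Accept when the best hit ratio reaches the required fraction."""
    return hit_ratio(original, attempt, divergence_px, max_offset) >= hits_required

# Constructed traces: 20 samples, left button (1) held throughout.
ZIGZAG = [0, 10, 20, 10]
ORIGINAL = [(10 * i, ZIGZAG[i % 4], 1) for i in range(20)]
# Same user: same shape, drawn 6 px right and 5 px lower, with 1 px jitter.
GENUINE = [(10 * i + 6 + (i % 3 - 1), ZIGZAG[i % 4] + 5, 1) for i in range(20)]
# Different shape: a straight horizontal stroke through the zigzag.
SPOOF = [(10 * i, 18, 1) for i in range(20)]

if __name__ == "__main__":
    for name, trace in (("genuine", GENUINE), ("spoof", SPOOF)):
        for max_offset in (0, 10):
            ratio = hit_ratio(ORIGINAL, trace, 4, max_offset)
            print(f"{name:8s} max_offset={max_offset:2d} hit ratio={ratio:.2f}")
    # A loose 'hits required' value admits the spoof once offsets are allowed;
    # a stricter one rejects it while still accepting the genuine trace.
    for required in (0.5, 0.8):
        print(required, authenticate(ORIGINAL, SPOOF, 4, required, 10),
              authenticate(ORIGINAL, GENUINE, 4, required, 10))
```

Without an offset search the displaced genuine trace is rejected outright, but allowing offsets also doubles the score of the differently shaped trace, which is why the acceptance threshold has to be tightened together with the maximum offset.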

May 20th — 2003

                                                                   Ingvald Straume – 2003
                                                                   Kvilaveien 10
                                                                   N-2312 OTTESTAD
                                                                   Norway – Europe
