![[Picasso Slide]](/staticimg/uffish_minipicasso.gif)
|
Get On, Clip In, Fall OffRandom bletherings of a dilletante cyclist. |
|
|
Get On, Clip In, Fall OffRandom bletherings of a dilletante cyclist. |
I have a lot of ideas in the shower. This is one of the sillier (but still almost plausible) ones.
The video game Guitar Hero isn't just a video game - it's also the foundation of a reasonably strong user authentication system.
People have been trying to find effective ways to authenticate users with biometrics for ages. It's now routine to see fingerprint scanners attached to machines, iris and retina scanners, and voiceprints. However, nobody has yet harnessed the power of rock as a method of authenticating that someone is who they claim to be.
Guitar Hero (and its open-source and therefore more useful for this exercise clone, Frets On Fire) is a game in which the player pretends to be a kickass rock star by playing notes on a guitar controller with 5 "fret" buttons and a bar which is hit to actually "strum" the selected note. A line of notes on an extended guitar fretboard scroll down the screen, and at the simplest level all the player has to do is to hold down the correct fret and hit the strum bar as the note scrolls across a line at the bottom of the screen. It starts out easy and gets very, very hard indeed at higher difficulty levels. Frets on Fire doesn't even need the guitar controller - it can be keyboard controlled.
What makes this interesting, though, is that every guitar player you listen to - every musician, really - will have a slightly different style. Nobody plays exactly on the beat and exactly according to the score - there are going to be individual patterns in the timings of the notes in a particular piece depending on who's playing them. Guitar Hero knows this - the player actually has a short but measurable window of time in which to play a particular note. Just measure the deviation from the "ideal" time for each note played, and you have a fingerprinting mechanism. This is similiar to the way in which telegraph operators developed distinctive "fists", enabling them to identify each other from the characteristics of the Morse they sent.
Even if someone miraculously plays every note right at the millisecond it's intended to be played, there's plenty of extra data to mix in from the timings of the players' manipulation of the fret buttons. Anyway, you definitely don't get style points in the world of rock for playing all your notes exactly in time (with the possible exception of some particularly tedious prog rock). That ain't rock and roll.
In short, it should be possible to make a reasonably good guess that someone is who they claim to be based on how they play a few of the widdly bits in Bark at the Moon. It doesn't have to be an entire piece - just a few licks will suffice. The more notes the better, obviously - just as longer passwords are more secure, rocking for longer is also more secure. Military applications and cryptoheads would probably insist on using the whole of Free Bird.
Higher levels of difficulty would also be more secure, as these involve progressively more notes and more frets. Thus, Guitar Hero practice would become a core job function for system administrators and others in positions requiring a high level of data security awareness.
There are vulnerabilities, but no more than other authentication systems. Impersonation is very difficult (everyone has their own rhythm, baby - even if you set up the sound to be identical, you can still tell if it's not Angus Young playing Back In Black), so the most obvious replay attacks would be resisted. However, this technique has unexpected strengths as well - alcohol and drugs will alter the player's reflexes and thus their timing fingerprint, enforcing sobriety requirements where these are necessary. That said, if while providing the initial sample the player is under the influence, they'll subsequently need to be drunk to be allowed to log in.
Posted by mpk at December 23, 2007 9:12 AM | TrackBack