Tablet PC + Signature Biometric + WSE Security = Web Login

http://www.brains-N-brawn.com/tabletSign 9/1/2004 casey chesnut


passwords suck. especially when you have to remember alot of them. eventually you start writing them down ... which sucks. or you come up with one password and use it over and over again ... suck. then some site will come along and make you have some capitalized and/or special characters in the password, and your 'one password' does not fit that criteria, so you have to come up with an even harder to remember password for this one site. that sucks. then another site makes you periodically change your password ... periodic suckiness. to nag even more it remembers your previous passwords (or hashes of them) and wont let you repeat them. did i mention suck?

one solution in the works is kerberos. basically you sign in once, and then your authentication flows from site to site. of course, all these sites have to be updated to support kerberos ... so dont expect anything near term. another solution is a biometric. a biometric is biological characteristic that is unique to you. it can be physiological or behavioral. a physiological biometric is your iris, thumbprint, voice. a behavioral biometric is the way you type, the way you write your signature, etc. for this article, i will summarize how to expose a signature biometric for use on the web. this will let you 'sign in' (pun intended) to web sites in the future using a Tablet PC (test page and video below)

Ink the Web

to expose a signature biometric on a web page requires what is called 'ink on the web'. it is currently only possible on Tablet PC 2005 using IE6 and .NET 1.1. this web site has a number of ink-enabled web pages, including the comments link top-right. here are some other links


it works by a user browsing to a web page. if they are not a registered user then they have to register their signature. first, they choose a username. they ink their username and it is recognized into text. second, they have to check the availability of the username; to make sure it is not already taken. third, the user has to sign their password 3 times. they need to sign the same word each time, and they need to sign it similarly each time. they cannot sign the word lower case one time and upper case the next. after signing 3 times, the control sends the data to the web server.

the web server does some processing of the 3 signatures to generate this template. this template is data concerning the word you sign. currently is considers these aspects of your signature:

this template data will be used later on to verify your signatures when logging in. this biometric algorithm could be made significantly more secure. it could consider pen pressure, tilt of the pen, individual character strokes, and even when your pen is not writing. e.g. when you lift the pen, it could note the path the pen hovers over the tablet until you start writing again. finally, it could do a biometric of the user name too, along with the password.

some interesting things to note here are that the control automatically does a (partially) blind signature. as a user makes a stroke with the pen, it is visible; but as soon as they lift their pen, it disappears. this makes it significantly harder for somebody to see what they are writing. the control could be written to not show any ink at all. also, the user does not even need to use a word as a password. they could draw a star, or stick figure, or whatever. another trick to make it more secure is write the word a little differently than you normally do. if you usually print, then possibly use graffiti syntax (or cursive) instead. this is in case somebody does figure out your password, then they cannot take some of your old notes to see what your print looks like. of course they still have to write it in the same amount of time, size, etc... for the biometric to pass. that is kind of unique ... you dont want to do this; but you could tell somebody your password, and there is still a chance that they could not successfully login, especially if they are not familiar with your writing style


after registering once, then the user can login many times. first, they enter their username and it is recognized as text. second, they write their password once. the control collects the raw data and then posts it to the web server. the web server compares the signature to the template and returns whether the signature is valid or not. if it is valid then the user could be directed to the secure part of the web site.

NOTE it does not currently allow a user to change their password. this would be necessary because peoples signatures can change over time. as their handwriting changed, they would need to re-register

WSE Web Service

the great thing about having the biometric algorithm on the web service is that you can update it whenever. also, if a hacker decompiles the control, all they get is info on how to collect the raw data. this does not help them to actually know what the biometric does ... so they really dont have much info at all. of course you can sign the control to make sure it is not tampered with, as well as obfuscating the code. also, you can throttle the security down (or up) for certain sites. kid sites could use a simpler biometric, while DOD could be much stronger.

the communication with the web service is also secure. all requests from the control are signed and encrypted following the WS-Security specification. all responses from the Web Service are signed and encrypted as well. the Xml-Signature makes sure that the messages are not tampered with, and Xml-Encryption makes sure nobody else can read the message. my current implementation does have a known flaw ... which i have not fixed out of sake for time. this could easily be fixed in the future. WS-Security is convenient because it does not require the web server to have an SSL certificate. also, the controls implementation of WSE will run without requiring any additional security. it works in the default medium-security internet-zone of IE

Test Page

here is a basic test page you can try it out with

NOTE the 1st WS call will be slower because it has to spin up the WS proxy as well as the security pieces


here is a video of it in use (3 megs)


this shows that it is possible to do a signature biometric on the web for user login. think that it is a compelling reason for ink on the web for the advantages it offers over traditional text passwords (e.g. being near impossible to dictionary attack). i dont expect to see this anytime soon ... but it sure is cool

aside, it does show it is possible to make secure WSE calls in a sandboxed environment ... i expect there are a number of people that need that capability today


not giving away the source code with this one


might update this to use a more secure biometric algorithm. also to fix the known security flaw and support changing passwords


i've got another article in the works regarding the Tablet PC dictionary. no clue after that