I'm only now getting around to documenting this (my memory was jogged for some reason the other day), but back in 1998 I came up with an idea for adding a new "dimension" to password protection schemes without actually requiring that the user do anything different. The new "dimension" was time, specifically the timing of the user's keystrokes as they entered their password. I developed a working prototype which observed a user's keystroke behavior as they entered their password, recording the length of time they held each key down as well as the length of time between each key stroke. My prototype code then turned this data into a somewhat robust signature which could be stored and used for comparison at future logins. The signature method was designed to stand up to "normal" daily variations in typing speed and coordination while still generating the same representation; the sensitivity could be adjusted by tweaking a series of constants. I captured a few hundred samples of people typing in their passwords over several days in order to establish to my own satisfaction that the idea and its initial implementation were solid. The elegance of the idea is that it imposes no new requirements on users or the passwords they choose. The user does as they always do and the system would offer the additional protection.
A few items which I did not address in the prototype but would clearly need to in an actual implemented system. If a person changes their password you can expect that for some time the typing signature will be in flux, adjusting as their fingers adapt to the new formulation of letters and characters they've chosen. The system must recognize and allow for these changes, replacing the stored signatures over time to reflect these changes. It's important to note that certain situations will make the signature less consistent, such as occurs when a user only infrequently uses that particular password. Also, specific incidents, like injury would alter the signature. In all these cases where the new and old signature do not match a new check procedure would need to be added. This secondary check could include asking them to verify some additional piece of information, such as would have been asked for password recovery (e.g., mother's maiden name, name of their first pet, etc.), or perhaps access being temporarily denied, with alerts being sent to the user by email, requiring them to step through some authentication procedure.
The idea may not have been as advanced as retinal or fingerprint scanning, but I think it was still a good one, and I remain surprised I've not seen it developed.
My friend Arvin sent me this link to just such a system http://technology.timesonline.co.uk/tol/news/tech_and_web/personal_tech/article1667057.ece. Another potential patent slipped through my fingers. 😉