Quirky biometric modality praised, has yet to catch on
Maybe you’re a hunt-and-peck typist. Or perhaps you zip around the keyboard but linger over certain keys. And it’s possible that you type much faster after you’ve had your morning coffee than you do when 5 o’clock rolls around.
A person’s typing patterns can be as unique as a fingerprint or signature. That’s the idea behind keystroke dynamics, and some technology firms have built their business around using this biometric as a form of authentication.
Keystroke dynamics or keystroke biometrics is a behavioral biometric rather than a physiological biometric. That means it measures some action such as typing, gait, signature or voice rather than a physical characteristic such as fingerprint, face or iris.
Behavioral biometrics are based on an individual’s specific behavioral trait. Examples include speech patterns, signatures, gait and keystrokes.
Physiological biometrics are based on an individual’s physical characteristics. Examples include fingerprints, hand geometry, iris, and DNA.
Although it’s been slower to catch on, some say keystroke dynamics can be as good a form of authentication as any other biometric. “The technology works pretty effectively,” says Avivah Litan, security research analyst for IT research and advisory firm Gartner Inc. “There have been some well regarded, prestigious New York banks and credit unions that have used it for private banking … it’s much stronger than a password and it’s every bit as good as a hard token going through the Web browser.”
So what’s the hang-up?
“It’s unconventional. People generally don’t like to adopt unconventional measures. So as soon as you get more big banks and service providers using it, they’ll all start jumping on the bandwagon,” Litan says.
The concept of keystroke dynamics goes back to the use of Morse code during World War II. The military used the code to tap out important messages, but it was crucial to determine whether the sender was an ally or an enemy. The Army Signal Corps discovered that the rate and rhythm of the tapping differed between individuals. They developed a concept called “the fist of the sender” to use these variables to ensure received messages were valid.
Today, keystroke dynamics can provide strong authentication to Web-based applications, e-mail and networks.
Systems that rely on keystroke dynamics measure the movements and patterns a person makes when typing, such as the duration of each keystroke, how long each key is held down and the overall typing speed.
In particular, these systems look at the dwell time–how long a key is pressed–and the flight time, or how much time it takes to get from one key to the next. Other factors might include typing habits, such as whether the person holds down the shift key or uses ‘Caps Lock’ to type a word in capital letters.
Miami-based AuthenWare Corp. offers software to verify that the person typing a user ID and password is the actual owner of those credentials. Its AuthenWare Technology system uses keystroke dynamics to evaluate the way that person types the credentials.
AuthenWare also considers other behavioral and environmental characteristics, such as whether a person uses a mouse to move from one task to another, as well as the person’s IP address, time zone, operating system and browser and typing speed at different times of the day. “Maybe you had a lot of coffee or are tired, and you may be typing faster or slower, but it is still you typing,” says Tom Helou, president and chief operating officer of AuthenWare.
All of these elements help AuthenWare build an accurate personal pattern for each user to minimize identity theft, Web fraud and system vulnerability. “Even when you’re switching from one computer to another, we have the ability to determine whether you’re the right person to be accessing those credentials,” says Helou. “The application turns the person into the security device.”
The system compiles all of a person’s typing characteristics using an algorithm to create a numeric template that, in essence, encapsulates the variables. This template is compared to the enrolled template created during previous typing sessions. If the pattern is mathematically similar to the one already stored, then the user is granted access.
If a hacker were to type the person’s username and password at a different typing speed the system would reject him. “We make stolen information useless,” Helou says.
‘A layered approach’
Like other biometrics, keystroke dynamics is not a perfect solution. Most security experts agree that using layered techniques is best. Keystroke dynamics can be one part of a suite of authentication modes. “You can’t rely on it on its own, but you can’t rely on anything on its own,” Litan says. “You have to have a layered approach.”
That’s the idea behind KeystrokeID, one of a series of strong authentication and encryption products offered by ID Control based in The Hague in The Netherlands. KeystrokeID is designed to work in tandem with the company’s other strong authentication tokens, such as one-time passwords.
“We don’t believe in using only one single method of strong authentication,” says Hans Kortekaas, CEO of ID Control. “We offer a mix, which means there’s always an ideal solution.”
Key to any biometric solution is the false acceptance rate and the false rejection rate. False acceptance is the rate at which someone who isn’t you gets in with your credentials. False rejection is when you’re the correct person, but the system doesn’t let you in.
At the highest security level setting, AuthenWare’s false acceptance rate is .19%, but the false rejection rate tops out at 3.2%. To ease the challenges caused by false rejections, AuthenWare lets the user define the security level that he or she wants. For instance, a person working in research and development might be willing to risk more false rejections for the sake of higher security. Alternatively, a person on a home computer might not need as much security and could lower the false rejection rate for the sake of convenience.
With KeystrokeID, there’s a false acceptance rate of about 1 in 10,000 people, whereas the false rejection rate is about 3 out of 100. “Even though that is the case, you have to remember that you can always put a threshold on your security measure,” Kortekaas says.
If a person is falsely rejected and the system knows his mobile number, ID Control can send a one-time password to use for that day or that session, explains Kortekaas. “From that point of view,” he adds, “you always have control.”
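The dwell-time and flight-time template matching described earlier, and the threshold trade-off between false acceptance and false rejection described above, can be seen together in a short sketch. This is an added example, not code from AuthenWare or ID Control, whose algorithms the article does not describe; the scaled Manhattan distance, the function names and all timing values are assumptions constructed for illustration.

```python
from statistics import mean

def features(events):
    # events: (key, press_ms, release_ms) in typing order
    dwell = [r - p for _, p, r in events]                    # how long each key is held
    flight = [events[i + 1][1] - events[i][2]                # release -> next press
              for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    # Template: per-feature mean and mean absolute deviation across enrollment sessions
    cols = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in cols]
    devs = [max(mean(abs(v - m) for v in c), 1.0) for c, m in zip(cols, means)]  # floor: no /0
    return means, devs

def distance(template, attempt):
    # Scaled Manhattan distance: deviation measured in units of the user's own variability
    means, devs = template
    f = features(attempt)
    if len(f) != len(means):
        return float("inf")                                  # wrong number of keystrokes
    return mean(abs(x - m) / d for x, m, d in zip(f, means, devs))

def error_rates(template, genuine, impostor, threshold):
    # FAR: share of impostor attempts accepted; FRR: share of genuine attempts rejected
    far = sum(distance(template, a) <= threshold for a in impostor) / len(impostor)
    frr = sum(distance(template, a) > threshold for a in genuine) / len(genuine)
    return far, frr

def typed(dwells, flights, word="pass"):
    # Constructed sample: build key events from dwell/flight times in ms
    t, out = 0, []
    for key, d, f in zip(word, dwells, flights + [0]):
        out.append((key, t, t + d))
        t += d + f
    return out

# Constructed data, not measurements from any product
TEMPLATE = enroll([typed([90, 80, 100, 95], [120, 60, 150]),
                   typed([100, 90, 110, 105], [130, 70, 160]),
                   typed([95, 85, 105, 100], [125, 65, 155])])
GENUINE = [typed([93, 88, 103, 102], [128, 62, 158]),       # normal session
           typed([105, 95, 115, 110], [140, 80, 170])]      # same user, slower
IMPOSTOR = [typed([140, 150, 130, 145], [300, 280, 320]),   # very different rhythm
            typed([100, 90, 110, 105], [135, 75, 165])]     # similar rhythm

if __name__ == "__main__":
    for thr in (1.0, 4.0):                                   # strict vs. lenient setting
        print(thr, error_rates(TEMPLATE, GENUINE, IMPOSTOR, thr))
```

On this constructed data the strict threshold rejects the slower genuine session, while the lenient one admits it along with the impostor whose rhythm is similar, which is why a second factor such as a one-time password is paired with the keystroke check.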
Keystroke biometrics is still less popular than other forms of biometric authentication because not enough people are familiar with it yet. “No one wants to be first out of the box,” Litan says.
One challenge is that the same person’s typing speed can vary greatly on different computers. KeystrokeID addresses this issue by allowing the user to notify the system of which computers he uses on a regular basis, and then select which computer is being used at each time of the day.
There’s also the issue of what happens when a person breaks a hand or finger. Typing patterns tracked in the AuthenWare system can adapt to nuances in user typing behavior such as those caused by injury, illness, medication or even the consumption of too much caffeine.
For KeystrokeID, the solution goes back to layers of authentication. “Again, what do you do when someone loses their ATM card?” Kortekaas says. “If you lose one arm, you still have the other arm to receive a one-time password on your mobile phone.”
With any form of authentication, there are risks. With an ATM card, for instance, the user has to remember his or her PIN number. “People forget that there’s always a chance someone guesses right and can use your card to withdraw your money,” Kortekaas says.
Many forms of authentication that rely on biometrics, such as eye scans and fingerprints, can be expensive, intrusive and inflexible to the customer, says Wayne Snell, vice president of marketing for AuthenWare. “And once you configure it for a certain security level, you can’t go undo it.”
With keystroke dynamics, there’s no new software or hardware for the end user to install, so it’s less expensive, Helou says. “It’s software that only gets invoked when someone types in a username and password, so it’s much less intrusive to the user,” he says.
The average corporate employee might have 27 different user IDs and passwords that need to be changed regularly, often without repeating any of the previous characters, Helou says. A system that relies on keystroke information could eliminate the need for multiple user IDs and passwords.
“It’s very difficult for us humans to remember those unnatural credentials,” Helou says. “So you store that information in a file on the back of the keyboard or on a shelf (and) whoever can get to that file can get this information.”
A growing number of companies believe that changing usernames and passwords too often is a poor security practice, Helou says. “We believe the same thing,” he says. “So for companies to secure their users, they are adding more and more security layers. Then the challenge becomes (balancing) security and user friendliness.”
Keystroke dynamics works especially well for workplaces, where most employees use the same keyboard day after day. The same applies for online courses, in which a student might follow the same course for nine weeks–allowing time for the system to measure his typing patterns–and then take a test that requires strong authentication in the final week.
ID Control’s clients include a mix of legal, health and financial companies. AuthenWare primarily serves government agencies, retailers and banks that use the technology mostly for securing online transactions.
The key for keystroke is its flexibility to add an additional layer of security to any transaction requiring data entry. This makes the ultimate market for the biometric authentication technique virtually limitless.