06-04-2012, 12:04 PM
Typing Patterns: A Key to User Identification
Most current access systems prompt users to
authenticate themselves with a username
and password pair. This method of authentication
relies on the password’s secrecy and,
in some cases, even the username’s secrecy. If this secrecy
is not breached, the assertion is that these tokens uniquely
identify a valid user.
The problems associated with maintaining password
secrecy are well understood.1 Passwords that consist of
common words, phrases, or terms associated with a particular
user are universally considered weak because of the
relative ease with which a third party can guess them or
find them via dictionary attacks. Some systems require
users to remember obscure token phrases—the more obscure,
the better. Of course, obscure also usually implies
“hard to remember,” which is a usability liability.
Applications
The first suggested use of keystroke characteristics for
identification appeared in 1975,3 but observations about
the uniqueness of an individual’s typing characteristics
stretch as far back as the end of the 19th century. Telegraph
operators at the time could often identify each other by listening
to the rhythm of their Morse code keying patterns.4
Let’s look at some of the pertinent and interesting
ways in which keystroke dynamics can be applied.
Authentication
The domain of applications that would benefit from more
secure authentication without significant burdens on usability
is extensive. Applications involving financial transactions
are among the most likely to be targeted by attackers.
Gartner Group estimates that online retailers in the
US lost US$1.64 billion to fraudulent sales in 2002 and rejected
another $1.82 billion in legitimate sales that looked
suspicious.5 Consumers share in the desire to keep financial
information safe from prying eyes, but their tolerance
for inconvenient security solutions is tempered by fraud
laws that place the burden of financial loss on retailers.
Identification and monitoring
Closely related to the problem of authentication is the
identification of a user from a set of potential candidates.
Imagine a scenario in which physical access to a system
could be restricted to a set of users, and the system could
decipher which user is at the keyboard.
Beyond keyboards
The concept behind keystroke dynamics is not limited to
the traditional keyboard: any interface in which keys must
be pressed can benefit from similar techniques. Such application
domains include PIN authentication at automatic
teller machines and phone numbers entered
through cellular devices. Early studies indicate that there
is potential for authenticating users from input on numerical
keypads, although the levels of accuracy are expectedly
worse than with a keyboard.
Privacy and security issues
Should keystroke dynamics gain acceptance in the marketplace,
issues of privacy and security must be carefully
evaluated. Of the most concern are databases that maintain
users’ keystroke-timing patterns. With this information,
attackers can subvert authentication systems that rely
on keystroke biometrics.
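
The identification scenario above (deciding which of a restricted set of users is at the keyboard) can be sketched as follows. This is an added example, not code from the article or the original post. The features (key hold time and press-to-press latency), the scaled Manhattan distance, the 3.0 rejection threshold, the user names and all timings are assumptions constructed for illustration.

```python
from statistics import mean

def typed(text, holds, gaps):
    """Build constructed (key, press_ms, release_ms) events for one typing sample."""
    events, t = [], 0
    for ch, hold, gap in zip(text, holds, [0] + gaps):
        t += gap                      # gap = press-to-press latency in ms
        events.append((ch, t, t + hold))
    return events

def features(events):
    """Timing vector: hold time per key, then press-to-press latency per key pair."""
    holds = [release - press for _, press, release in events]
    latencies = [b[1] - a[1] for a, b in zip(events, events[1:])]
    return holds + latencies

def enroll(samples):
    """Template = per-feature mean and mean absolute deviation (floored at 1 ms)."""
    columns = list(zip(*(features(s) for s in samples)))
    means = [mean(col) for col in columns]
    devs = [max(mean([abs(v - m) for v in col]), 1.0) for col, m in zip(columns, means)]
    return means, devs

def distance(template, events):
    """Scaled Manhattan distance: mean deviation in units of the user's own spread."""
    means, devs = template
    return mean([abs(v - m) / d for v, m, d in zip(features(events), means, devs)])

def identify(templates, events, threshold=3.0):
    """Closest enrolled candidate, or None when nobody is within the threshold."""
    scores = {user: distance(t, events) for user, t in templates.items()}
    best = min(scores, key=scores.get)
    return (best if scores[best] <= threshold else None), scores

# Constructed enrollment data: three samples of the word "pass" per candidate.
# Stored templates are the sensitive database the privacy section warns about.
TEMPLATES = {
    "alice": enroll([typed("pass", h, g) for h, g in [
        ([90, 80, 85, 95], [150, 140, 160]), ([94, 84, 83, 91], [156, 136, 164]),
        ([86, 82, 87, 99], [144, 144, 156])]]),
    "bob": enroll([typed("pass", h, g) for h, g in [
        ([60, 55, 62, 58], [240, 260, 230]), ([64, 51, 66, 54], [250, 250, 240]),
        ([62, 59, 58, 62], [230, 270, 220])]]),
}
```

Calling identify(TEMPLATES, sample) returns the best-matching candidate together with every candidate's score, so a monitoring system can log near misses as well as rejections.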