11.2. Applications

The first suggested use of keystroke characteristics for identification appeared by 1975,[3] but observations about the uniqueness of an individual's typing characteristics stretch as far back as the end of the 19th century when telegraph operators observed that they could often identify one another by listening to the rhythm of each individual's Morse code keying pattern.[4] For a more complete introduction to research leading up to the invention of keystroke biometrics, see Leggett et al.[5] In this section, we highlight some of the most pertinent and interesting ways in which keystroke patterns can be applied.

[3] R. Spillane, "Keyboard Apparatus for Personal Identification," IBM Technical Disclosure Bulletin 17: 3346 (1975).

[4] W. L. Bryan and N. Harter, Studies in Physiology and Psychology of the Telegraphic Language 6 (New York: New York Times Co., 1973), 35–44.

[5] J. Leggett, G. Williams, M. Usnick, and M. Longnecker, "Dynamic Identity Verification Via Keystroke Characteristics," International Journal of Man-Machine Studies 35:6 (1991), 859–870.

EXAMPLE USAGE: IDENTIFYING A USER

Virtually all strategies for identifying an individual from his typing patterns entail collecting timing information on individual keystroke events. As the user types, a background process collects timestamps that indicate when the user presses and releases each key.

The most common method used by researchers utilizes keystroke digraphs: the timings of two successive keyboard events. Figure 11-1 illustrates the various timing metrics that can be extracted from a digraph. Researchers have also examined techniques using sequences of three or more successive keystrokes, and have proposed measuring keystroke force and other features.

Generally, identification requires two stages:

  • Enrollment, in which a number of keystroke traces are collected to form a profile

  • Classification, in which the user provides a typing sample for comparison to the profiles in order to identify the user

Enrollment methods include requiring the user to type long texts, collecting traces transparently as the user works normally, and collecting traces only for a static set of words (such as the login typing pattern).

Classification methods range from statistical comparison to machine learning and pattern recognition techniques. Much of the body of research in keystroke biometrics focuses on creating and evaluating classifiers.

By far the most commonly researched usage scenario, keystroke-enhanced login, collects enrollment data from users while they sign into a system (either transparently, during a transition period, or in a session that collects a number of login samples in one or more sittings). Once enrolled, the system continues to collect keystroke timing information from each user during sign-in, comparing it against the stored profile to accept or reject the user. The user is rejected if either the password text does not match the expected value or the keystroke classifier rejects the typing sample. The process is completely transparent to the user under such a scheme, as long as the keystroke classifier is accurate.
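The two stages above, as an added worked example that is not code from the chapter: it extracts the six digraph timings of Figure 11-1 from press/release traces, builds a per-user profile of feature means and standard deviations during enrollment, and then both verifies a login sample against one profile (keystroke-enhanced login) and identifies the closest profile among several enrolled users. The mean-absolute-z-score classifier, the 2.0 acceptance threshold, the login text and the two typists ALICE and BOB with their timing values are all assumptions for illustration; the traces are synthesized with a seeded generator, not recorded from real users.

```python
import random
import statistics
from collections import defaultdict

LOGIN_TEXT = "password"   # the fixed login string; constructed example

# Hypothetical typists for the demo: (key hold time ms, press-to-press latency ms for
# each digraph of LOGIN_TEXT, Gaussian jitter ms). Values are constructed, not measured.
ALICE = (90.0, [180, 140, 220, 160, 200, 150, 170], 12.0)
BOB = (70.0, [120, 260, 150, 200, 130, 240, 110], 12.0)


def digraph_features(trace):
    """Six timings per digraph from a trace of (key, press_ms, release_ms) events.

    Feature keys are (position, digraph, metric) so a digraph that occurs twice in the
    login text is kept as two separate features.
    """
    feats = {}
    for i, ((k1, p1, r1), (k2, p2, r2)) in enumerate(zip(trace, trace[1:])):
        d = (i, k1 + k2)
        feats[d + ("hold1",)] = r1 - p1   # first key held down
        feats[d + ("hold2",)] = r2 - p2   # second key held down
        feats[d + ("pp",)] = p2 - p1      # press-to-press: the usual "digraph latency"
        feats[d + ("rp",)] = p2 - r1      # release-to-press; negative when keys overlap
        feats[d + ("pr",)] = r2 - p1      # first press to second release
        feats[d + ("rr",)] = r2 - r1      # release-to-release
    return feats


def enroll(traces, min_sd=5.0):
    """Profile = per-feature mean and standard deviation over the enrollment traces."""
    samples = defaultdict(list)
    for trace in traces:
        for key, value in digraph_features(trace).items():
            samples[key].append(value)
    return {k: (statistics.fmean(v), max(statistics.pstdev(v), min_sd))
            for k, v in samples.items()}


def distance(profile, trace):
    """Mean absolute z-score of the sample against the profile; lower is closer."""
    feats = digraph_features(trace)
    zs = [abs(feats[k] - mu) / sd for k, (mu, sd) in profile.items() if k in feats]
    return statistics.fmean(zs)


def verify(profile, trace, threshold=2.0):
    """Keystroke-enhanced login: accept only if the rhythm is close to the claimant's profile."""
    return distance(profile, trace) <= threshold


def identify(profiles, trace):
    """Pick the enrolled user whose profile the sample matches best."""
    return min(profiles, key=lambda user: distance(profiles[user], trace))


def make_trace(text, typist, rng):
    """Constructed keystroke trace: (key, press_ms, release_ms) for each character."""
    hold, latencies, jitter = typist
    trace, press = [], 0.0
    for i, ch in enumerate(text):
        trace.append((ch, press, press + rng.gauss(hold, jitter)))
        if i < len(latencies):
            press += rng.gauss(latencies[i], jitter)
    return trace


def demo(seed=7):
    """Enroll both typists from 20 samples each, then test a genuine and an impostor login."""
    rng = random.Random(seed)
    profiles = {name: enroll([make_trace(LOGIN_TEXT, t, rng) for _ in range(20)])
                for name, t in (("alice", ALICE), ("bob", BOB))}
    alice_try = make_trace(LOGIN_TEXT, ALICE, rng)   # Alice typing her own password
    bob_try = make_trace(LOGIN_TEXT, BOB, rng)       # Bob typing Alice's password
    return (verify(profiles["alice"], alice_try),    # True: accepted
            verify(profiles["alice"], bob_try),      # False: right text, wrong rhythm
            identify(profiles, alice_try),           # "alice"
            identify(profiles, bob_try))             # "bob"
```

The threshold decides the trade-off the chapter returns to under policy: lowering it rejects more impostors but also more tired or distracted genuine users, so it should be set from measured false-accept and false-reject rates rather than picked by hand as it is here.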


11.2.1. Authentication

Harnessing a user's typing patterns for authentication is highly attractive because it can be layered transparently onto existing systems. Applications involving financial transactions are excellent candidates for utilizing keystroke pattern authentication systems. Gartner Group estimates that online retailers in the U.S. lost $1.64 billion to fraudulent sales in 2002 and rejected another $1.82 billion in legitimate sales that looked suspicious.[6] Not only are these applications among the most likely to be targeted by attackers, but also consumers' tolerance for inconvenient security solutions is tempered by laws and regulations that frequently place the burden of financial loss on retailers. Because users would not perceive the difference between a traditional username/password login and one that had been modified to use keystroke biometrics, financial applications could add this type of authentication with little fear of user rejection.

[6] R. Richmond, "Fed Up with Fraud," The Wall Street Journal Classroom Edition (April 2003); http://www.wsjclassroomedition.com/archive/03apr/BIGB_retailer.htm.

Figure 11-1. Digraph latencies for the typed sequence "no"; the most commonly used metric of a digraph is the time between the pressing of the first key and the pressing of the second key, but there are a total of six such metrics, as illustrated


Another likely candidate for this type of authentication is digital rights management. Here, the interests of consumers and content providers are not entirely aligned. Content providers desire to discourage individuals from sharing accounts, but without alienating legitimate users through additional complexity. Keystroke biometrics-based access controls to digital media accounts could largely eliminate account sharing without imposing additional hurdles to legitimate user access.

A compelling space for implementing password-based typing pattern authentication is the World Wide Web, where it is infeasible to outfit client machines with traditional biometrics devices. While other multifactor solutions exist,[7] they come with significantly higher infrastructure and usability costs. A web-based authentication solution incorporating keystroke biometrics replaces a standard form-based login with one that is capable of collecting keystrokes. The feasibility of implementing a Java applet to perform this function has been demonstrated by several research studies,[8], [9], [10] and source code is available.[11] Besides being supported by all recent browsers and operating systems, an applet can keep keystroke timing information private by sending it through an encrypted SSL connection to the server, which performs the processing. Any server responses can then be redirected back to the browser just as if a normal form-based login had occurred.

[7] For example, see RSA SecurID at http://www.rsasecurity.com/products/securid/.

[8] S. Cho, C. Han, D. Han, and H. Kim, "Web-Based Keystroke Dynamics Identity Verification Using Neural Network," Journal of Organizational Computing and Electronic Commerce 10 (Dec. 2000), 295–307.

[9] M. Tapiador and J. A. Sigüenza, "Fuzzy Keystroke Biometrics on Web Security," tech. rep., Escuela Técnica Superior de Informática, Universidad Autonoma de Madrid, Cantoblanco, Madrid, Spain, (March 2000).

[10] A. Peacock, "Learning User Keystroke Latency Patterns" (April 2000); http://pel.cs.byu.edu/~alen/personal/CourseWork/cs572/KeystrokePaper/.

[11] X. Ke, R. Manuel, M. Wilkerson, and L. Jin, "Keystroke Dynamics: A Software-Based Biometric" (2004); http://web.mit.edu/xke/Public/kd/.

The first, and currently the only, commercial product suite that offers the ability to enhance authentications with keystroke patterns is BioPassword, distributed by BioNet Systems, LLC (http://www.biopassword.com/). The company's flagship product targets the standard Windows login, and has been deployed by several dozen customers. A related software development kit (SDK) allows developers to integrate the technology into their own Windows applications. A web authentication product, as well as multiplatform implementations of the BioNet SDK, are expected soon.

An interesting issue that has yet to be addressed by existing research is the degree to which keystroke dynamics-based authentication solutions scale as the number of users increases. The largest research study conducted to date collected samples from fewer than 200 users. The largest installation of BioPassword has fewer than 3,000 users. The user base of most consumer web applications is undoubtedly orders of magnitude larger.

Policy decisions abound in authentication, and they directly impact a system's usability and effectiveness. A primary concern is what to do when the check on the password text succeeds, but the check on the typing pattern fails. Should the user be rejected outright, or should some additional authentication step be performed? A successful supplemental check, such as requiring the user to answer a secret question, could lead to relaxing or adapting the thresholds on matched keystroke patterns, attempting to collect keystroke data once again, or simply allowing access and alerting administrators to watch the account closely. Frequent additional checks carry additional usability costs, so it is important that systems be built with high levels of accuracy to begin with.

11.2.2. Identification and Monitoring

Closely related to the problem of authentication is the identification of a user from a set of potential candidates. One can imagine a scenario where physical access to a system is restricted to a set of users, and the system is able to determine which one of those users is at the keyboard solely by observing typing patterns.

An identification scheme can also monitor when one user takes over for another on a given machine. The idea of detecting changes in identity through continuous monitoring of freely typed text has been touched upon in existing research, but tested empirically only with a very limited sample size.[12] The benefit of monitoring is in its ability to prevent an intruder from taking over a previously authenticated session. A user who forgets to lock down his machine before leaving it could, for example, rely upon the automatic lock-down by the monitoring system when it detects someone with a significantly different typing pattern.

[12] D. Song, P. Venable, and A. Perrig, "User Recognition by Keystroke Latency Pattern Analysis" (April 1997); http://citeseer.nj.nec.com/song97user.html.
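Continuous monitoring as described above, as an added example that is not code from the chapter or from the cited study: a sliding window of press-to-press latencies for freely typed text is scored against the session owner's profile, and the session is locked only after several consecutive windows score badly, so one mistyped word does not lock a legitimate user out. The sample sentence, the two synthetic typists, the 30-keystroke window, the 2.5 threshold and the three-strike rule are assumptions; all timing data is synthesized with seeded generators.

```python
import random
import statistics
from collections import defaultdict, deque

SENTENCE = "the quick brown fox jumps over the lazy dog "  # constructed free-text sample


def digraph_latencies(text, press_times):
    """Pair each consecutive key pair with its press-to-press latency (ms)."""
    return [(text[i] + text[i + 1], press_times[i + 1] - press_times[i])
            for i in range(len(text) - 1)]


def build_profile(observations, min_count=3, min_sd=10.0):
    """Mean/std of latency per digraph; digraphs seen fewer than min_count times are ignored."""
    by_digraph = defaultdict(list)
    for dg, lat in observations:
        by_digraph[dg].append(lat)
    return {dg: (statistics.fmean(v), max(statistics.pstdev(v), min_sd))
            for dg, v in by_digraph.items() if len(v) >= min_count}


class SessionMonitor:
    """Sliding-window check of free-text typing against the session owner's profile."""

    def __init__(self, profile, window=30, threshold=2.5, strikes=3):
        self.profile = profile
        self.scores = deque(maxlen=window)   # |z| of the most recent known digraphs
        self.threshold = threshold
        self.max_strikes = strikes           # consecutive bad windows before locking
        self.strikes = 0

    def observe(self, digraph, latency):
        """Feed one digraph; return True when the session should be locked."""
        if digraph not in self.profile:      # unseen digraph: no evidence either way
            return False
        mu, sd = self.profile[digraph]
        self.scores.append(abs(latency - mu) / sd)
        if len(self.scores) < self.scores.maxlen:
            return False                     # not enough evidence yet
        if statistics.fmean(self.scores) > self.threshold:
            self.strikes += 1
        else:
            self.strikes = 0                 # hysteresis: one odd window is forgiven
        return self.strikes >= self.max_strikes


def typist(seed, alphabet="abcdefghijklmnopqrstuvwxyz "):
    """Constructed typist: a fixed mean latency per digraph, drawn once from a seeded RNG."""
    rng = random.Random(seed)
    return {a + b: rng.uniform(100, 300) for a in alphabet for b in alphabet}


def type_text(text, means, rng, jitter=15.0):
    """Press timestamps for text typed by the given typist with Gaussian jitter."""
    times, t = [0.0], 0.0
    for i in range(1, len(text)):
        t += rng.gauss(means[text[i - 1] + text[i]], jitter)
        times.append(t)
    return times


def demo(seed=3):
    """Owner enrolls and types, then an intruder takes over the unlocked session.

    Returns (index of the first intruder digraph, index at which the lock fired or None).
    """
    rng = random.Random(seed)
    owner, intruder = typist(1), typist(2)
    enrol = SENTENCE * 5
    profile = build_profile(digraph_latencies(enrol, type_text(enrol, owner, rng)))
    session = SENTENCE * 2
    stream = digraph_latencies(session, type_text(session, owner, rng))
    takeover = len(stream)
    foreign = SENTENCE * 3
    stream += digraph_latencies(foreign, type_text(foreign, intruder, rng))
    monitor = SessionMonitor(profile)
    for idx, (dg, lat) in enumerate(stream):
        if monitor.observe(dg, lat):
            return takeover, idx
    return takeover, None
```

The window and strike count set the detection delay: with these values the lock fires a few keystrokes after the window is mostly filled with the intruder's typing, which is the price paid for not alerting on the owner's own inconsistencies.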

Keystroke monitoring can also allow a system to detect uncharacteristic typing patterns of valid users caused by drowsiness, distraction, stress, or other factors.[13] In a task where alertness matters, for example, such an application could automate or augment monitoring tasks currently performed by human supervisors.

[13] F. Monrose and A. D. Rubin, "Keystroke Dynamics As a Biometric for Authentication," Future Generation Computer Systems 16:4 (2000), 351–359.

The allure of biometrics systems for use in monitoring and surveillance has become increasingly popular among law enforcement and security-sensitive private businesses in recent years. Public sentiment is becoming more sympathetic to these uses after a worldwide increase in terrorist activities, making it likely that even keystroke dynamics have been or will be deployed in the name of safety.

A number of privacy issues arise for any system designed to constantly monitor users. We discuss these in greater detail in the later "Privacy and Security Issues" section. Of course, usability questions abound here as well; too many alerts because of the typing inconsistencies of a single individual would be a significant hindrance to productivity.

11.2.3. Password Hardening

A hardened password based on typing patterns can be used to create long-term, cryptographically stronger secrets for login and encryption. Monrose, Reiter, and Wetzel have defined a scheme for creating and storing such a hardened password that requires the user not only to know the correct password, but also to type it with the correct timings (within some threshold).[14] Their scheme multiplies the work an attacker who obtains the server's stored data must do to recover the hardened password (the factor grows with the number of timing features the user reproduces consistently), and it also prevents an attacker who knows only the password text from gaining access.

[14] F. Monrose, M. K. Reiter, and S. Wetzel, "Password Hardening Based on Keystroke Dynamics," Proceedings of the 6th ACM Conference on Computer and Communications Security (ACM Press, 1999), 73–82.
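A simplified version of the hardening idea, as an added example; it is not the construction from the paper, which uses an encrypted history file, a different pseudorandom function and an adaptive choice of which features count as distinguishing. Here the hardened password hpwd is the constant term of a random polynomial over a prime field. Each timing feature stores two password-masked shares, one for the "fast" and one for the "slow" side of its threshold, and for features the user reproduces consistently the unused share is replaced with junk. Recovering hpwd therefore needs both the password text (to unmask the shares) and the right column for every distinguishing feature, so an attacker holding the table and even the password text still has 2^d column combinations to try for d distinguishing features. The HMAC-SHA256 mask, the SHA-256 verifier, the 100 ms thresholds and the sample latencies are assumptions.

```python
import hashlib
import hmac
import secrets

Q = (1 << 61) - 1   # prime modulus for the Shamir shares (2**61 - 1 is prime)


def _mask(password, x):
    """Password-derived mask for the share at abscissa x (assumed PRF: HMAC-SHA256)."""
    tag = hmac.new(password.encode(), x.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % Q


def _poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod Q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def _interpolate_at_zero(points):
    """Lagrange interpolation over GF(Q): recover f(0) from deg(f)+1 distinct points."""
    secret = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * xk % Q
                den = den * (xk - xj) % Q
        secret = (secret + yj * num * pow(den, Q - 2, Q)) % Q
    return secret


def _columns(timings, thresholds):
    """Feature i selects column 0 when its latency is below threshold i, else column 1."""
    return [0 if t < th else 1 for t, th in zip(timings, thresholds)]


def _verifier(hpwd):
    """Stored check value; a simplification of the paper's hpwd-encrypted history file."""
    return hashlib.sha256(hpwd.to_bytes(8, "big")).hexdigest()


def build_table(password, thresholds, distinguishing):
    """Build the instruction table for a password with m timing features.

    distinguishing maps feature index -> the column the user lands in reliably; the other
    column of such a feature is filled with junk so the wrong rhythm cannot rebuild hpwd.
    Returns (table, verifier, hpwd); hpwd itself is never stored.
    """
    m = len(thresholds)
    coeffs = [secrets.randbelow(Q) for _ in range(m)]   # degree m-1 polynomial, f(0) = hpwd
    hpwd = coeffs[0]
    table = []
    for i in range(1, m + 1):
        shares = [_poly_eval(coeffs, 2 * i), _poly_eval(coeffs, 2 * i + 1)]
        if i - 1 in distinguishing:
            shares[1 - distinguishing[i - 1]] = secrets.randbelow(Q)   # poison unused column
        table.append(((shares[0] + _mask(password, 2 * i)) % Q,
                      (shares[1] + _mask(password, 2 * i + 1)) % Q))
    return table, _verifier(hpwd), hpwd


def recover_hpwd(password, timings, thresholds, table, verifier):
    """Return hpwd when both the password text and the typing rhythm are right, else None."""
    points = []
    for i, col in enumerate(_columns(timings, thresholds), start=1):
        x = 2 * i + col
        points.append((x, (table[i - 1][col] - _mask(password, x)) % Q))
    hpwd = _interpolate_at_zero(points)
    return hpwd if _verifier(hpwd) == verifier else None


# Constructed demo: four press-to-press latencies (ms); thresholds fixed at 100 ms;
# features 0 and 2 are distinguishing (the user is reliably on the slow side of both).
THRESHOLDS = [100, 100, 100, 100]
TABLE, VERIFIER, HPWD = build_table("correct horse", THRESHOLDS, {0: 1, 2: 1})


def demo():
    genuine = [118, 96, 131, 122]   # the enrolled user's usual rhythm
    return (
        recover_hpwd("correct horse", genuine, THRESHOLDS, TABLE, VERIFIER) == HPWD,
        # feature 1 is not distinguishing, so landing on its other side is tolerated
        recover_hpwd("correct horse", [118, 104, 131, 122], THRESHOLDS, TABLE, VERIFIER) == HPWD,
        # feature 0 is distinguishing: right text, wrong rhythm -> no hpwd
        recover_hpwd("correct horse", [80, 96, 131, 122], THRESHOLDS, TABLE, VERIFIER) is None,
        # right rhythm, wrong text -> every mask is wrong -> no hpwd
        recover_hpwd("wrong horse", genuine, THRESHOLDS, TABLE, VERIFIER) is None,
    )
```

With two distinguishing features the table gives an attacker who already knows the password text four column combinations to try, and an attacker with only the table must multiply the password search by that same factor; the paper's point is that this factor rises as more features become distinguishing over the user's history.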

11.2.4. Beyond Keyboards

The concept behind keystroke typing patterns is not limited to the traditional keyboard. Any interface where keys need to be pressed can benefit from similar techniques. Application domains include authenticating personal identification numbers (PINs) at automatic teller machines and phone numbers entered through cellular devices. Early studies indicate that there is potential for authenticating users from input on a numerical keypad, although levels of accuracy are, as one might expect, worse than with a keyboard.[15], [16] Advances in identification of users through keypads and other button-dependent devices may lead to greater accuracy in typing pattern identification systems; the variety of keyboard types, shapes, and sizes surely affects user classification accuracy.

[15] T. Ord and S. M. Furnell, "User Authentication for Keypad-Based Devices Using Keystroke Analysis," Proceedings of the Second International Network Conference (INC 2000), (Plymouth, UK), IEE (July 2000), 263–272.

[16] N. L. Clarke, S. M. Furnell, P. L. Reynolds, and P. Rodwell, "Advanced Subscriber Authentication Approaches for Third Generation Mobile Systems," Third International Conference on 3G Mobile Communication Technologies, 489 (May 2002), 319–323.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295