11.2. Applications

The first suggested use of keystroke characteristics for identification appeared by 1975,[3] but observations about the uniqueness of an individual's typing characteristics stretch as far back as the end of the 19th century, when telegraph operators observed that they could often identify one another by listening to the rhythm of each individual's Morse code keying pattern.[4] For a more complete introduction to research leading up to the invention of keystroke biometrics, see Leggett et al.[5] In this section, we highlight some of the most pertinent and interesting ways in which keystroke patterns can be applied.
11.2.1. Authentication

Harnessing a user's typing patterns for authentication is highly attractive because it can be layered transparently onto existing systems. Applications involving financial transactions are excellent candidates for utilizing keystroke pattern authentication systems. Gartner Group estimates that online retailers in the U.S. lost $1.64 billion to fraudulent sales in 2002 and rejected another $1.82 billion in legitimate sales that looked suspicious.[6] Not only are these applications among the most likely to be targeted by attackers, but also consumers' tolerance for inconvenient security solutions is tempered by laws and regulations that frequently place the burden of financial loss on retailers. Because users would not perceive the difference between a traditional username/password login and one that had been modified to use keystroke biometrics, financial applications could add this type of authentication with little fear of user rejection.
Figure 11-1. Digraph latencies for the typed sequence "no"; the most commonly used metric of a digraph is the time between the pressing of the first key and the pressing of the second key, but there are a total of six such metrics, as illustrated.

Another likely candidate for this type of authentication is digital rights management. Here, the interests of consumers and content providers are not entirely aligned. Content providers desire to discourage individuals from sharing accounts, but without alienating legitimate users through additional complexity. Keystroke biometrics-based access controls to digital media accounts could largely eliminate account sharing without imposing additional hurdles to legitimate user access.

A compelling space for implementing password-based typing pattern authentication is the World Wide Web, where it is infeasible to outfit client machines with traditional biometrics devices. While other multifactor solutions exist,[7] they come with significantly higher infrastructure and usability costs. A web-based authentication solution incorporating keystroke biometrics replaces a standard form-based login with one that is capable of collecting keystrokes. The feasibility of implementing a Java applet to perform this function has been demonstrated by several research studies,[8], [9], [10] and source code is available.[11] Besides being supported by all recent browsers and operating systems, an applet can keep keystroke timing information private by sending it through an encrypted SSL connection to the server, which performs the processing. Any server responses can then be redirected back to the browser just as if a normal form-based login had occurred.
The first, and currently the only, commercial product suite that offers the ability to enhance authentications with keystroke patterns is BioPassword, distributed by BioNet Systems, LLC (http://www.biopassword.com/). The company's flagship product targets the standard Windows login, and has been deployed by several dozen customers. A related software development kit (SDK) allows developers to integrate the technology into their own Windows applications. A web authentication product, as well as multiplatform implementations of the BioNet SDK, are expected soon.

An interesting issue that has yet to be addressed by existing research is the degree to which keystroke dynamics-based authentication solutions scale as the number of users increases. The largest research study conducted to date collected samples from fewer than 200 users. The largest installation of BioPassword has fewer than 3,000 users. The user base of most consumer web applications is undoubtedly orders of magnitude larger.

Policy decisions abound in authentication, and they directly impact a system's usability and effectiveness. A primary concern is what to do when the check on the password text succeeds, but the check on the typing pattern fails. Should the user be rejected outright, or should some additional authentication step be performed? A successful supplemental check, such as requiring the user to answer a secret question, could lead to relaxing or adapting the thresholds on matched keystroke patterns, attempting to collect keystroke data once again, or simply allowing access and alerting administrators to watch the account closely. Frequent additional checks carry additional usability costs, so it is important that systems be built with high levels of accuracy to begin with.

11.2.2. Identification and Monitoring

Closely related to the problem of authentication is the identification of a user from a set of potential candidates.
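The following is an added example, not code from the chapter, BioPassword, or any of the cited studies. It shows the server-side half of the password-plus-typing-pattern login described above: the six digraph timings of Figure 11-1 are extracted from press/release timestamps, an enrollment template (mean and spread per timing) is built from a few samples, and a login attempt is scored against it. The decision function implements the three-way policy discussed in the text: wrong password text is rejected, a good pattern is accepted, and correct text with a failing pattern triggers a step-up check rather than an outright rejection. All timings, the enrollment samples, the threshold value of 1.5 and the floor on the spread are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed keystroke events: (key, press_ms, release_ms), in typing order.
# These timings are invented for illustration; they are not measured data.
ENROLL_SAMPLES = [
    [("n", 0, 80), ("o", 130, 210), ("t", 260, 340), ("e", 400, 470)],
    [("n", 0, 85), ("o", 140, 215), ("t", 275, 350), ("e", 410, 485)],
    [("n", 0, 78), ("o", 125, 205), ("t", 255, 335), ("e", 395, 468)],
]
LEGIT_ATTEMPT = [("n", 0, 82), ("o", 135, 212), ("t", 265, 345), ("e", 405, 475)]
# Correct text, but typed far more slowly and with long key holds.
OTHER_ATTEMPT = [("n", 0, 120), ("o", 300, 400), ("t", 550, 650), ("e", 800, 900)]

def digraph_metrics(first, second):
    """The six timings between the press (P) and release (R) events of two
    consecutive keys, as in Figure 11-1. Values are in milliseconds."""
    _, p1, r1 = first
    _, p2, r2 = second
    return {
        "P1P2": p2 - p1,  # press-to-press latency, the most commonly used metric
        "P1R1": r1 - p1,  # hold time of the first key
        "P1R2": r2 - p1,
        "R1P2": p2 - r1,  # negative when the second key is pressed before the first is released
        "R1R2": r2 - r1,
        "P2R2": r2 - p2,  # hold time of the second key
    }

def sample_features(events):
    """Map (digraph, metric name) -> timing for one typed sample."""
    feats = {}
    for a, b in zip(events, events[1:]):
        for name, value in digraph_metrics(a, b).items():
            feats[(a[0] + b[0], name)] = value
    return feats

def enroll(samples, min_spread=5.0):
    """Build a template of per-feature mean and spread from enrollment samples.
    The spread is floored so a feature with no variation cannot dominate."""
    per_sample = [sample_features(s) for s in samples]
    template = {}
    for key in per_sample[0]:
        values = [f[key] for f in per_sample]
        template[key] = (mean(values), max(pstdev(values), min_spread))
    return template

def pattern_score(template, attempt):
    """Mean absolute deviation of the attempt from the template, in units of
    each feature's spread. Lower is closer to the enrolled pattern."""
    feats = sample_features(attempt)
    return mean(abs(feats[k] - mu) / sd for k, (mu, sd) in template.items())

def login_decision(stored_password, template, typed_password, attempt, threshold=1.5):
    """Policy from the text: reject wrong text; accept a matching pattern;
    otherwise require a supplemental check (e.g. a secret question)."""
    if typed_password != stored_password:
        return "reject"
    if pattern_score(template, attempt) <= threshold:
        return "accept"
    return "step_up"

if __name__ == "__main__":
    tpl = enroll(ENROLL_SAMPLES)
    for label, attempt in (("legitimate", LEGIT_ATTEMPT), ("other typist", OTHER_ATTEMPT)):
        print(label, round(pattern_score(tpl, attempt), 2),
              login_decision("note", tpl, "note", attempt))
    print("wrong text", login_decision("note", tpl, "not", LEGIT_ATTEMPT))
```

The threshold is the policy knob the section talks about: lowering it tightens the pattern check at the cost of more step-up prompts for legitimate users, and a production system would tune it against enrollment data rather than a constant.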
One can imagine a scenario where physical access to a system is restricted to a set of users, and the system is able to decipher which one of those users is at the keyboard solely by observing typing patterns. An identification scheme can also monitor when one user takes over for another on a given machine. The idea of detecting changes in identity through continuous monitoring of freely typed text has been touched upon in existing research, but tested empirically only with a very limited sample size.[12] The benefit of monitoring is in its ability to prevent an intruder from taking over a previously authenticated session. A user who forgets to lock down his machine before leaving it could, for example, rely upon the automatic lock-down by the monitoring system when it detects someone with a significantly different typing pattern.
Keystroke monitoring can also allow a system to detect uncharacteristic typing patterns of valid users caused by drowsiness, distraction, stress, or other factors.[13] In a task where alertness matters, for example, such an application could automate or augment monitoring tasks currently performed by human supervisors.
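The continuous monitoring idea in the two paragraphs above, as an added example that is not code from the chapter or from the cited study: a baseline press-to-press latency profile is taken from an enrolled session, and a sliding window over the latencies of a live session is compared against it. A window whose mean latency departs from the baseline by more than a chosen number of standard errors counts as a strike, and lock-down triggers only after several consecutive strikes, so that a single burst of uncharacteristic typing by the legitimate user does not produce an alert. The key-press timestamps, the window size of 8, the limit of 2.0 and the patience of 3 are all constructed for illustration.

```python
from itertools import accumulate
from statistics import mean, pstdev

def press_times(latencies):
    """Turn a list of press-to-press latencies (ms) into absolute press timestamps."""
    return list(accumulate(latencies, initial=0))

# Constructed data: an enrolled session by the legitimate user, then a live
# session in which the same user types 12 keys and a second person takes over.
ENROLL_PRESSES = press_times([150, 160, 140, 155, 145, 150, 165, 135, 150, 155])
USER_LATENCIES = [150, 145, 155, 160, 140, 150, 155, 145, 150, 160, 145, 150]
OTHER_LATENCIES = [320, 300, 330, 310, 320, 300, 340, 310]
SESSION_PRESSES = press_times(USER_LATENCIES + OTHER_LATENCIES)
USER_ONLY_PRESSES = press_times(USER_LATENCIES)

def latencies(presses):
    """Press-to-press latencies of a stream of key-press timestamps."""
    return [b - a for a, b in zip(presses, presses[1:])]

def baseline(presses, min_sigma=10.0):
    """Mean and (floored) standard deviation of the enrolled user's latencies."""
    lat = latencies(presses)
    return mean(lat), max(pstdev(lat), min_sigma)

def monitor(presses, base, window=8, limit=2.0, patience=3):
    """Slide a window over the live latencies. Each window whose mean departs
    from the baseline by more than `limit` standard errors is a strike; after
    `patience` consecutive strikes, return the latency index at which the
    session would be locked. Return None if the pattern stays in profile."""
    mu, sigma = base
    stderr = sigma / window ** 0.5
    lat = latencies(presses)
    strikes = 0
    for end in range(window, len(lat) + 1):
        z = abs(mean(lat[end - window:end]) - mu) / stderr
        strikes = strikes + 1 if z > limit else 0
        if strikes >= patience:
            return end
    return None

if __name__ == "__main__":
    base = baseline(ENROLL_PRESSES)
    print("baseline mean/sigma:", base)
    print("lock index, mixed session:", monitor(SESSION_PRESSES, base))
    print("lock index, user-only session:", monitor(USER_ONLY_PRESSES, base))
```

With these numbers the takeover is flagged three windows after the second typist's first keystroke enters the window, while the legitimate user's own jitter never accumulates the required consecutive strikes. Raising `patience` or `limit` trades detection delay for fewer false alerts, which is the usability balance the section describes.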
The allure of biometrics systems for use in monitoring and surveillance has become increasingly popular among law enforcement and security-sensitive private businesses in recent years. Public sentiment is becoming more sympathetic to these uses after a worldwide increase in terrorist activities, making it likely that even keystroke dynamics have been or will be deployed in the name of safety. A number of privacy issues arise for any system designed to constantly monitor users. We discuss these in greater detail in the later "Privacy and Security Issues" section. Of course, usability questions abound here as well; too many alerts because of the typing inconsistencies of a single individual would be a significant hindrance to productivity.

11.2.3. Password Hardening

A hardened password based on typing patterns can be used to create long-term, cryptographically stronger secrets for login and encryption. Monrose, Reiter, and Wetzel have defined a scheme for creating and storing such a hardened password that requires the user not only to know the correct password, but also to type it with the correct timings (within some threshold).[14] Their solution thwarts attempts to decipher the password using the server's stored content by a multiplicative factor and also prevents an attacker from gaining access to the system with knowledge of the password text alone.
11.2.4. Beyond Keyboards

The concept behind keystroke typing patterns is not limited to the traditional keyboard. Any interface where keys need to be pressed can benefit from similar techniques. Application domains include authenticating personal identification numbers (PINs) at automatic teller machines and phone numbers entered through cellular devices. Early studies indicate that there is potential for authenticating users from input on a numerical keypad, although levels of accuracy are, as one might expect, worse than with a keyboard.[15], [16] Advances in identification of users through keypads and other button-dependent devices may lead to greater accuracy in typing pattern identification systems; the variety of keyboard types, shapes, and sizes surely affects user classification accuracy.