Whether is the way we type onto our keyboard on our office or home computer, or even our smartphone, there is a distinct way in which we type. This uniqueness comes from most specifically in the rhythm in which we type, for how long we hold the keys down on our smartphone or computer keyboard, and the succession of keys used overall in the typing process.
In this absolute regard, keystroke recognition can actually be considered to be the oldest biometric technology around, even much more so than hand geometry recognition or fingerprint recognition. This is primarily so because the interest in unique typing patterns dates all the way back to the 19 th century, when the Morse Code first came out.
By World War II, the United States military intelligence department could actually identify enemy Morse Code operators by their unique typing patterns. Although the Morse Code is only, technically speaking, a series of dots and dashes, some distinctiveness could still be established.
The first keystroke recognition device came out in 1979, and by 1980, the National Science Foundation scientifically validated it the technology of keystroke recognition, and by 2000, it was finally accepted as a commercial biometric technology, which could be used in either the public or private sector.
Keystroke Recognition: How It Works
To start the enrollment process, an individual is required to type a specific word or group of words (text or phrases). In most cases, the individual’s user name and password are used. It is very important that the same words or phrases are used during both the enrolment and verification processes. If not, the behavioral typing characteristics will be significantly different, and, as a result, a mismatch will arise between the enrolment and verification templates.
To create the enrolment template, the individual must type his or her user name and password (or text/phrase) about 15 times. Ideally, the enrolment process covers a period of time, rather than taking place all at once. This way, the capture of behavioral characteristics will be more consistent.
With keystroke recognition, the individual being enrolled should type without making any corrections (for example, using the backspace or delete key to correct any mistakes). If the individual does make corrections, the keystroke recognition system will prompt the individual to start again from scratch. The distinctive, behavioral characteristics measured by keystroke recognition include:
- The cumulative typing speed;
- The time that elapses between consecutive keystrokes;
- The time that each key is held down (also known as the Dwell Time);
- The frequency with which other keys, such as the number pad or function keys, are used;
- The key release and timing in the sequence used to type a capital letter (whether the shift or letter key is released first);
- The length of time it takes an individual to move from one key to another (also known as the Flight Time);
- Any error rates, such as using the backspace key.
These behavioral characteristics are subsequently used to create statistical profiles, which essentially serve as enrolment and verification templates. The templates also store the actual user name and password. The statistical profiles can either be ‘global’ or ‘local’. Whereas a ‘global’ profile combines all behavioral characteristics, a local profile measures the behavioral characteristics for each keystroke.
The statistical correlation between the enrolment and verification templates can subsequently be modified, depending on the desired security level. An application which requires a lower level of security will permit some differences in typing behavior. However, an application which requires a higher level of security will not permit any behavioral differences.
It is important at this point to make a distinction between static and dynamic keystroke verification. In case of the former, verification takes place only at certain times when the individual logs in to his or her computer, for example. With the latter, the individual’s keystroke and typing patterns are recorded for the duration of a given session.
Keystroke Recognition: The Advantages & The Disadvantages
Keystroke recognition has several strengths and weaknesses. Arguably its biggest strength is that it doesn’t require any additional, specialized hardware. As previously indicated, keystroke recognition is purely software-based, allowing the system to be set up very quickly.
Second, keystroke recognition can be easily integrated with other, existing authentication processes. The adoption of other biometric technologies requires the implementation of a new process within an existing process. This calls for individuals who are properly trained in the use of contemporary biometric devices, which can greatly increase costs.
Third, everybody is familiar with typing their user name and password. As a result, there is very little training required for an individual to use a keystroke recognition system properly. Fourth, the templates that are generated by the system are specific only to the user name and password used. Should this user name and/or password be tampered with, the individual only needs to select a new user name and password to create a new set of enrolment and verification templates.
The weaknesses of a keystroke recognition system are the same as those suffered by other systems that rely on a user name/password combination. For example, passwords can be forgotten or compromised while users will have to remember multiple passwords in order to gain access to, for example, a corporate network. It should be noted that keystroke recognition still requires users to remember multiple passwords (the administrative costs of having to reset passwords will also continue to be incurred).
As such, it only enhances the security of an existing user name/password-based system. Second, keystroke recognition is not yet a proven technology. As a result, it has not been widely tested. And finally, keystroke recognition is not necessarily a convenient system to use.
Just like signature recognition, keystroke recognition is not widely implemented as some of the other biometric technologies, such as fingerprint recognition and iris recognition. It too, can be evaluated against the seven criterion:
- Universality: This is a key strength of keystroke recognition, even people whom are “one-finger” typists or not even familiar with typing at all can still be accommodated;
- Uniqueness: At the present time, keystroke recognition only possesses enough unique features to be used for verification applications and for not for identity applications;
- Permanence: In this regard, this is one of keystroke recognition’s biggest weaknesses, as the typing pattern of an individual can change due to injuries, disease, increased typing proficiency, fatigue, lack of attention, or even using a different keyboard can cause an individual to have a different typing pattern and rhythm;
- Collectability: It can take many typing samples until enough unique features can be extracted;
- Performance: When the proper security threshold setting is established by the systems administrator, keystroke recognition can produce an FRR (False Rejection Rate) of up to 3%, and an FAR (False Acceptance Rate) of up to .01%. As mentioned, keystroke recognition does not require any additional hardware, enrollment and verification can happen remotely, and it can even be used to further security harden passwords, and the template size is quite small;
- Acceptability: There are no privacy rights issues with keystroke recognition, and there are no negative correlations associated with typing;
- Resistance to circumvention: Any typing data which is not encrypted can be used maliciously by a third party, and even be used to spoof the keystroke recognition system. Also, key loggers can be established onto the computer itself to record the various keystroke patterns and rythms.
Compared with other physical biometrics, keystroke recognition is easier and cheaper to implement. However, it is unlikely to be used for applications such as physical access control, document verification, passport verification, etc. Instead, it will be used for computer security (where fingerprint and iris recognition solutions are already used as a substitute for user names and passwords). Keystroke recognition is also well suited to e-commerce applications. Here, a user would be able to access an internet banking or e-commerce site by typing in the same text or phrase several times (rather than having to remember different user names and passwords). Moreover, the same text or phrase can be used to log into multiple e-commerce sites. Keystroke recognition could additionally be the security tool of choice for Multi Modal Security applications, where it can be used to provide 3rd, 4th, or even 5th tier security.
While small to medium-sized enterprises (SMEs) will probably not adopt keystroke recognition, it is well suited to large businesses and organizations, including major banks and financial institutions. It’s also quite conceivable that keystroke recognition will be adopted by governments around the world.