- By Corinna Wu
- May 27, 2007
In a famous cartoon from The New Yorker, a pooch sitting at a computer proclaims, 'On the Internet, nobody knows you're a dog.' That may be true, at least for the gifted canines among us. But if the typist is a human, 'they can tell if you're a left-handed female piano player with an ergonomic keyboard,' Neal Krawetz of Hacker Factor Solutions told attendees at a Black Hat Conference in Las Vegas last year.
Since the 1980s, research has shown that the way a person types is as unique as a fingerprint. How long someone holds down the keys and the time it takes to move from one key to another vary among individuals, and those variations can be measured and captured to produce a profile of a person's typing style.
The idea is not new. Morse code aficionados have long known that each operator has a unique rhythm of clicking out dots and dashes. It's called the operator's fist. But now, vendors are beginning to offer software that exploits this behavior, known as keystroke dynamics, to authenticate the identity of their customers and employees.
Conceivably, those systems could even be used to comply with Homeland Security Presidential Directive 12, which calls on agencies to authenticate network users in two ways. Keystroke dynamics could be an attractive form of authentication because, unlike other techniques such as biometrics, this form of authentication does not require new hardware.
And researchers are studying whether they can extend the technology into other realms, too. If keystroke dynamics can apply to more than just password verification, it will also offer a method of identifying and tracking the activity of criminals, terrorists or anyone who uses a keyboard.
Nowadays, almost every online transaction requires a password. But the security of that password can be compromised in many ways. People choose passwords that can be easily guessed, or they might use the same password for many Web sites to make it easier to remember.
And once that password falls into the wrong hands, anyone can take over that user's identity. Recognizing this, many organizations are adding a second layer of verification to increase security. For example, some banks are asking their customers to choose a picture password from a range of choices offered. Others are issuing tokens, small devices that generate a series of one-time-use passcodes, to customers who access their accounts via the Internet.
Another solution is biometric identification, which involves a host of technologies that rely on either physiological traits unique to a person (a fingerprint or iris pattern, for example) or behavioral traits. Typing rhythm falls into the latter category.
Identification via keystroke dynamics has the advantage of being relatively inexpensive and simple to implement. Physiological biometrics usually requires special hardware such as a fingerprint scanner, but keystroke dynamics software only needs a keyboard.
Parda Federal Credit Union, in Auburn Hills, Mich., adopted a password verification system based on keystroke dynamics late last year. Parda had been searching for a way to meet guidance issued by the Federal Financial Institutions Examination Council on authentication of customer identity on the Internet.
The FFIEC guidance did not endorse any particular technology, but it did cite multifactor identification (that is, using one or more systems in addition to a password) to reduce the risk of account fraud and identity theft.
The credit union explored several options but decided on a system from BioPassword. 'The real attractive piece is that our membership doesn't have to do anything different,' said Melissa Auchter, Parda's chief information officer. 'You don't want to surprise them. You're talking about people's money.'
Parda uses BioPassword's Internet Edition, which is designed for Web-based applications such as online banking, health care portals and business-to-business transactions. The software is installed on the institution's server and analyzes the keystrokes of users logging in from anywhere.
BioPassword also sells an Enterprise Edition for companies to verify the identity of employees and people using in-house computers. In that case, the software needs to be installed on every access point.
When someone enters his or her password, the system records how long the keys are held down and the time between presses, said Jared Pfost, BioPassword's vice president of security and product strategy. After a training period of about nine samples, it creates a statistical representation of that person's typing pattern. Then the next time that user logs in, the system compares the password entry to that template.
If there is a match, the user is granted access; if not, access is blocked. The level of security can be tailored to the organization's needs, Pfost said. On the Internet Edition, security can be dialed down so that 99 percent of the time, the system would not reject a customer logging in. On the other extreme, the Enterprise Edition can be adjusted to be 99 percent secure. The key is to strike a balance between security and usability, Pfost said.
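The enrollment-and-comparison loop described above, as an added example in Python that is not BioPassword's or iMagic's code. It assumes a login records, for each key of the password, the press and release time in milliseconds; from those it derives dwell time (how long a key is held) and flight time (the gap between releasing one key and pressing the next), builds a template of per-feature mean and standard deviation from several enrollment samples, and accepts a new entry when enough of its features fall within a tolerance band. The required fraction and the width of the band are the dials the article describes: loosen them and legitimate users are rarely rejected, tighten them and impostors are rarely accepted. All timings are constructed for illustration.

```python
"""Toy keystroke-dynamics password verifier (illustrative, added example).

A sample is a list of (key, press_ms, release_ms) tuples, one per key of the
password. Features are the dwell time of each key followed by the flight time
between consecutive keys. The template stores the mean and standard deviation
of each feature across the enrollment samples.
"""
from statistics import mean, pstdev

# Floor on the standard deviation so a very consistent enrollment does not
# produce a template that rejects everything (assumed value, in ms).
MIN_SIGMA_MS = 5.0


def make_sample(keys, dwells, flights):
    """Build (key, press, release) events from dwell and flight durations (constructed input)."""
    events, t = [], 0
    for i, (k, d) in enumerate(zip(keys, dwells)):
        events.append((k, t, t + d))
        t += d
        if i < len(flights):
            t += flights[i]
    return events


def features(sample):
    """Dwell times per key, then flight times between consecutive keys."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples):
    """Per-feature (mean, sigma) template from several enrollment samples."""
    vectors = [features(s) for s in samples]
    width = len(vectors[0])
    if any(len(v) != width for v in vectors):
        raise ValueError("all enrollment samples must be the same password")
    columns = zip(*vectors)
    return [(mean(col), max(pstdev(col), MIN_SIGMA_MS)) for col in columns]


def match_fraction(template, sample, sigma_tolerance=3.0):
    """Fraction of the sample's features that lie within the tolerance band."""
    probe = features(sample)
    if len(probe) != len(template):
        return 0.0
    hits = sum(1 for (m, s), x in zip(template, probe) if abs(x - m) <= sigma_tolerance * s)
    return hits / len(template)


def verify(template, sample, required=0.8, sigma_tolerance=3.0):
    """Accept when at least `required` of the features match; `required` is the security dial."""
    return match_fraction(template, sample, sigma_tolerance) >= required


# Constructed enrollment data for the password "pass": the owner's rhythm
# with a few milliseconds of natural variation between entries.
PASSWORD = "pass"
ENROLL_SAMPLES = [
    make_sample(PASSWORD, [95, 110, 100, 105], [120, 140, 90]),
    make_sample(PASSWORD, [100, 105, 98, 110], [125, 135, 95]),
    make_sample(PASSWORD, [92, 115, 103, 100], [118, 145, 88]),
    make_sample(PASSWORD, [97, 108, 101, 107], [122, 138, 92]),
    make_sample(PASSWORD, [94, 112, 99, 104], [119, 142, 91]),
]
TEMPLATE = enroll(ENROLL_SAMPLES)

# Constructed probes: the owner, the owner hesitating on the last key,
# and someone who knows the password but types it much more slowly.
OWNER_PROBE = make_sample(PASSWORD, [96, 109, 100, 106], [121, 140, 91])
SLOPPY_PROBE = make_sample(PASSWORD, [96, 109, 100, 106], [121, 140, 130])
IMPOSTOR_PROBE = make_sample(PASSWORD, [150, 160, 155, 170], [250, 300, 200])

if __name__ == "__main__":
    for name, probe in [("owner", OWNER_PROBE), ("sloppy owner", SLOPPY_PROBE), ("impostor", IMPOSTOR_PROBE)]:
        frac = match_fraction(TEMPLATE, probe)
        print(f"{name:13s} match={frac:.2f} lenient={verify(TEMPLATE, probe, 0.8)} strict={verify(TEMPLATE, probe, 1.0)}")
```

The hesitating owner is the interesting case: six of seven features match, so a lenient setting (80 percent of features required) lets the customer in, while a strict setting (every feature required) turns the same person away. That is the usability-versus-security balance in one number, and a real product would set it per deployment and keep refreshing the template as more samples arrive.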
Parda tested BioPassword on its own employees for about a month before introducing it to members of the credit union, Auchter said. All customers were asked to reset their passwords to take advantage of the new system, and no major problems have been reported so far, she said.
Once a person establishes a rhythm for typing a password, it's very hard for someone else to mimic, said Steven Bender, chief executive officer of iMagic Software, which makes a password verification system called Trustable Passwords, also based on keystroke dynamics. It uses technology that recognizes when typing goes from slow and unfamiliar to muscle memory, Bender said. At that point, the rhythm becomes stable and persistent.
Neither BioPassword nor iMagic Software has clients in the federal government. State and local governments, however, are considering keystroke dynamics products because they're cost effective, Bender said. Fingerprint scanners, smart cards and passcode-generating tokens are expensive platforms to set up, maintain and upgrade. On the other hand, password verification, which is purely a software solution, can be easily installed and updated.
It also helps alleviate the problems that lead to insecure passwords in the first place. People can choose a dictionary word instead of gibberish, Bender said. Also, 'with our product, you don't have to change your password anymore,' he added. The more typing samples it acquires, the more robust the template becomes. In fact, if someone does steal a password and tries to log in with it, the system will know because that thief's typing pattern will surely be different.

Rhythm nation
Such password verification products don't record the actual keys pressed, only the timing, so they differ from keystroke logging software that can be used to spy on computer users. However, stretching the science of keystroke dynamics beyond what's currently possible could offer a way to do just that.
Daniele Gunetti and Claudia Picardi of the University of Torino in Italy are applying the technology to long stretches of text, seeing if typists can be identified when writing a memo or e-mail, and not just when entering a password. Then, a user's identity could be verified even after he or she has gained access to the system.
Their technique monitors the relative speed of typing particular combinations of letters. For example, one person might type 'a' and 's' quicker than 'a' and 'b,' while another person might do the opposite. By recording these speeds, the researchers can get a picture of the typist's global rhythm, Picardi said.
The longest text the researchers have tested is 2,500 characters, and with that they get 0.5 percent false alarms, that is, instances of the system marking a legitimate user as an impostor.
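The relative-speed idea described above, as an added Python example that is not the Torino group's code and not a reproduction of their exact algorithm. The assumption is that what matters is the order in which a typist's letter pairs (digraphs) rank from fastest to slowest, not the absolute milliseconds: the same person typing slowly on a tired day keeps the same ordering, while a different typist scrambles it. The example derives per-digraph average times from constructed keystroke timestamps, then measures how much the ordering of shared digraphs differs between two samples, normalized so that 0.0 is identical order and 1.0 is fully reversed. An absolute-timing comparison is included to show where it fails.

```python
"""Digraph-ordering comparison for free-text keystroke dynamics (illustrative, added example).

A keystroke list is [(char, press_ms), ...]. A profile maps each digraph
("th", "he", ...) to the average time from pressing its first key to pressing
its second. Profiles are compared by the disorder between their digraph
rankings, not by the raw times.
"""
from collections import defaultdict


def digraph_profile(keystrokes):
    """Average press-to-press time per digraph from a list of (char, press_ms)."""
    totals, counts = defaultdict(float), defaultdict(int)
    for (a, t0), (b, t1) in zip(keystrokes, keystrokes[1:]):
        totals[a + b] += t1 - t0
        counts[a + b] += 1
    return {g: totals[g] / counts[g] for g in totals}


def relative_distance(p, q):
    """Normalized disorder between the speed rankings of digraphs present in both profiles."""
    shared = [g for g in p if g in q]
    n = len(shared)
    if n < 2:
        raise ValueError("need at least two shared digraphs to compare orderings")
    order_p = sorted(shared, key=lambda g: p[g])
    order_q = sorted(shared, key=lambda g: q[g])
    rank_q = {g: i for i, g in enumerate(order_q)}
    disorder = sum(abs(i - rank_q[g]) for i, g in enumerate(order_p))
    # Largest possible disorder is a fully reversed ranking:
    # n^2/2 for even n, (n^2 - 1)/2 for odd n.
    max_disorder = n * n // 2 if n % 2 == 0 else (n * n - 1) // 2
    return disorder / max_disorder


def absolute_distance(p, q):
    """Mean absolute difference in milliseconds over shared digraphs (the naive comparison)."""
    shared = [g for g in p if g in q]
    return sum(abs(p[g] - q[g]) for g in shared) / len(shared)


def same_typist(p, q, threshold=0.5):
    """Decide ownership from the relative distance; the threshold trades false alarms against misses (assumed value)."""
    return relative_distance(p, q) < threshold


# Constructed profiles (ms). OWNER_B is the same person typing about 25 percent
# slower than in OWNER_A; IMPOSTOR_C has similar raw speeds but a different ordering.
OWNER_A = {"th": 80, "he": 90, "in": 100, "er": 110, "an": 120, "re": 130}
OWNER_B = {"th": 100, "he": 115, "in": 120, "er": 135, "an": 150, "re": 170}
IMPOSTOR_C = {"th": 130, "he": 80, "in": 120, "er": 90, "an": 110, "re": 100}

if __name__ == "__main__":
    sample = [("t", 0), ("h", 80), ("e", 170), ("t", 300), ("h", 390)]
    print("profile from keystrokes:", digraph_profile(sample))
    for name, other in [("owner, slower day", OWNER_B), ("impostor", IMPOSTOR_C)]:
        print(f"{name:18s} relative={relative_distance(OWNER_A, other):.3f} "
              f"absolute={absolute_distance(OWNER_A, other):.1f}ms same={same_typist(OWNER_A, other)}")
```

On the constructed data the naive absolute comparison gets it backwards: the impostor's raw times are closer to the owner's first sample than the owner's own slower sample is. The ordering comparison gives the owner a distance of 0.0 and the impostor 0.78, which is the whole point of looking at relative rather than absolute speeds. The threshold that converts a distance into an accept/reject decision is what sets the false-alarm rate the article quotes.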
Picardi sees this as a way for law enforcement to track people (criminals or terrorists) as they move across the Web typing e-mail messages and posting on message boards. The caveat is that their keystrokes would have to be monitored as they are typing, so law enforcement would have to get the cooperation of Web sites or Internet service providers to spy on their users. A person's typing pattern cannot be reconstructed from existing text.
The system could also be used for more mundane purposes, such as password recovery. Now, if someone forgets a password, it has to be sent by e-mail or reset by a call to a help desk. With keystroke dynamics, Picardi said, that person could just type some text and have the system verify his or her identity.
Their keystroke analysis system is still in the research stage, so it is not available commercially. Other groups would eventually have to take the initiative to develop it into a product, Picardi said. However, the researchers do have a prototype on their Web site. Anyone can subscribe and provide samples of his or her typing. The person can then test the software to see if it identifies them correctly or flags them as an unwelcome threat.