Is a secure password all in the typing?

At some point, everyone finds out that it's not just what you say, it's how you say it. The same thing could apply to secure passwords.

A text password – no matter how many times you change it or how many illogical symbols you incorporate into it – is always going have some inherent weaknesses. It can be stolen via keystroke software or broken into by password-recovery programs, and it can fall into the wrong hands if written down or shared with a co-worker.

All of this drives IT managers crazy, and fed the movement toward two-factor authentication in logical access control. A group of researchers at the American University in Beirut have come up with an unusual biometric that could be used as for that second factor: your typing pattern.

That’s right. The process, called key-pattern analysis, records timing with which a user types in his password and then compares that template to the timing every person uses when trying to gain access to the digital asset. Upon enrollment, a user has to type the password in several times, to allow for all the variations possible.

The field of key-pattern analysis has actually been around for a few decades, but this new research advances it into the realm of the useable. Previous researchers had failed to take into account the fact that quick typists sometimes press more than one key at a time. This effort at producing an effective key-pattern analysis authenticator looked at the length of time for which a user presses the key, which the researchers say gives a better – and more robust – picture of typing patterns.

One of the study’s authors, Ravel Jabbour, points out that, as key-pattern analysis doesn’t require any extra equipment, it is much less costly than solutions such as card readers, which would be required at every work station. And, Jabbour said, key-pattern analysis programs should work almost as well as sophisticated biometrics, such as iris or fingerprint scans.

 “If the profile-building phase is conducted with care, there should be no real problem with key-pattern analysis,” he said.

About the Author

Laura Williams is content development editor for Security Products magazine, an 1105 Media publication.

inside gcn

  • cybersecure new york city

    Cybersecurity for smart cities: Changing from reactionary to proactive

Reader Comments

Mon, Aug 15, 2011

Authenware has been offering this solution for quite some time now.

Tue, Jun 7, 2011

Though a clever idea, I can confirm that it is not new. I first read about it in the 1970s.

Wed, Jun 1, 2011 Mokhtar Ottawa, Canada

Graphology used a similar approach by looking not only at the shape of the characters, but also at the pressure exercised by indivuduals when writing.

Thu, May 26, 2011

This could lock someone out if their key stroke pattern changed for some reason, such as if they returned to work after arm or hand surgery, or perhaps after a brain injury. I realize this doesn't invalidate the technique and a "fix" could be as simple as an administrator re-setting the password.

Wed, May 25, 2011 John Cambridge (USA)

I agree with the prior posted comment. I saw another company called Delfigo Security, which launched their keystroke and device ID technology out of the media lab at MIT back in 2008

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group