User Authentication Through Typing Patterns

USER AUTHENTICATION THROUGH TYPING PATTERNS

ABSTRACT

The argument surrounding this research topic is that the use of keystroke rhythm is a natural choice for computer security. This argument stems from observations that similar neuro-physiological factors that make written signatures unique are also exhibited in a user's typing pattern. The keystroke dynamics of a computer user's login string provide a characteristic pattern that can be used for verification of the user's identity. Keystroke patterns combined with other security schemes can provide a very powerful and effective means of authentication and verification of computer users. Keystroke dynamics are rich with individual mannerism and traits and they can be used to extract features that can be used to authenticate/verify access to computer systems and networks. The methods used to prove the theory that typing patterns can be used as a means of verification is the many scholarly articles and findings of individuals that have taken an interest in this method of identification. Through these findings we are able to understand the pitfalls and work on implementing this form of identification.

INTRODUCTION

There are a multitude of biometric techniques either widely used or under investigation. These include, facial imaging, hand and finger geometry, eye based methods, signature, voice, vein geometry, keystroke, finger- and palm-print imaging and DNA. The strength of DNA as a biometric identification tool lies primarily in the uniqueness of the DNA sequence. DNA, as a tool for identity verification and management, is considered to be very strong.

Personal identification is a process of associating a particular individual with an identity. Knowledge-based and token-based automatic personal identification approaches have been the two traditional techniques widely used. Token-based approaches use something you have to make a personal identification, such as a passport, driver's license, ID card, credit card, or keys. Knowledge-based approaches use something you know to make a personal identification, such as a password or a personal identification number (PIN). Because knowledge -based and token-based approaches are unable to differentiate between an authorized person and an imposter who fraudulently acquires the token or knowledge of the authorized person, they are unsatisfactory means of achieving the security requirements of our electronically interconnected information society.

Biometric Identification refers to identifying an individual based on his or her distinguishing physical and/or behavioral characteristics. An imposter may attempt to spoof the biometric trait of a legitimately enrolled user in order to circumvent the system. This type of attack is especially relevant when behavioral traits such as signature and voice are used. However Physical traits like fingerprints, palm prints and eye based methods are also susceptible to spoof attacks [2]. Because many physiological or behavioral characteristics are distinctive to each person, biometric identifiers are inherently more reliable and more capable than knowledge-based and token-based techniques in differentiating between an authorized person and a fraudulent imposter. The ideal biometric should be universal, where each person possesses the characteristics; unique, where no two persons should share the characteristic; permanent, where the characteristics should neither change nor be alterable; and collectable, where the characteristics is readily presentable to a sensor and is easily quantifiable [1].

Some systems incorrectly assume that biometric measurements are secret and grant access to any user presenting matching measurements. Such systems cannot handle situations in which user's biometric measurements are disclosed, because biometrics cannot be changed (unless the user has an organ transplant). Moreover, users would not know that their biometrics had been disclosed. People leave fingerprints on everything they touch. And see others' irises almost anywhere they look. As sensitive data, biometrics should be properly protected, but they cannot be considered secret. The primary advantage of biometric authentication methods is that they really do what they should: they authenticate the user. Biometric characteristics are essentially permanent and unchangeable; thus, users cannot pass them to other users as easily as they do cards or passwords. Although biometric objects cannot be stolen as can traditional user authentication objects, they can be stolen from computer systems and networks. Most biometric techniques are based on features that cannot be lost or forgotten. Another advantage of biometric authentication systems is their speed [3].

Biometric Comparison

1: Low 2: Low/Medium 3: Medium 4:High 5: Very High

Cost Accuracy

Hand Geometry 1 3

Face 1 4

Iris 2 5

Keystroke 1 3

Retina 4 5

DNA 4 5

METHODOLOGY

Keystroke dynamics is the process of analyzing the way a user types at a terminal by monitoring the keyboard inputs thousands of times per second in an attempts to identify users based on habitual typing rhythm patterns. It has already been shown that keystroke rhythm is a good sign of identity. Moreover, unlike other biometric systems which may be expensive to implement, keystroke dynamics is almost free - the only hardware required is the keyboard.

The materials used were a simple keyboard and program designed to measure the latencies between each keystroke in a predefined password. The keystroke duration and interval times were captured at the accuracy of milliseconds. The user would input a password a number of times in this case 30 times if you were a user and 15 times if you were an attacker.

Keystroke dynamics are rich with individual mannerism and traits and they can be used to extract features that can be used to authenticate/verify access to computer systems and networks. The keystroke dynamics of a computer user's login string provide a characteristic pattern that can be used for verification of the user's identity. Keystroke patterns combined with other security schemes can provide a very powerful and effective means of authentication

...