Article

Keystroke Cops: Authentication by Typing Patterns

In the early days of World War II, Army Signal Corps officers made a startling discovery about intercepted Nazi telegraph transmissions. Though they weren’t able to understand the messages, which were in an encrypted version of Morse code, they were able to determine that the “dots” and “dashes” came in highly distinctive speeds and rhythms.

Using a methodology that came to be known as “The Fist of the Sender,” the Allies were able to identify the unique typing styles of individual enemy telegraph operators. Armed with that information, they were able to triangulate signals and trace the operators’ movements across the continent, thus tracking the movement of their specific military units.

That same basic technique is being used today in biometric authentication solutions that help verify the identity of the person who is typing on a keyboard. The technique known as keystroke dynamics leverages the fact that each person has a unique typing style that can be defined based on the time between key presses and releases.

Keystroke dynamics offers a solution that could turn the tide in the war against cybercrime. Most organizations are recognizing that a simple username and password combination does not provide adequate security, and are looking to add a second factor such as a biometric, a one-time passcode…or a simpler solution based on keystroke dynamics.

Researchers have been working on keystroke dynamics technology for more than 20 years. Early solutions focused on passwords, the idea being that people type passwords so frequently, it becomes an almost unconscious activity. As a result, password typing has a nearly identical rhythm every time a person does it. Password-related solutions required users to type their ID and password a few times to create a signature, which was stored in a database. The next time the user logged in, the system would compare the keystrokes to the user’s typing signature.

Until recently, keystroke dynamics solutions used statistics to analyze typing patterns, with less than 70 percent accuracy. Now, however, advances in artificial intelligence (AI) have made keystroke dynamics a viable authentication tool. The latest AI-based solutions don’t just look at typing signatures for passwords. They can match a user’s typing patterns over time with 99 percent or greater accuracy.

Keystroke dynamics has a number of benefits over other biometric technologies. Fingerprint, voice, and face recognition require a user to record and submit biometrics. Typing patterns in keystroke dynamics, on the other hand, can be recorded automatically when a user accesses an application or website. Companies can set the threshold for accuracy depending on the security level desired.

Keystroke dynamics technology can also enhance security through a new technique called “continuous authentication.” As the name implies, continuous authentication is an ongoing process for validating a user to prevent account takeover and other fraudulent activity during a user session. It might look at how the user moves the mouse or swipes on a mobile device as well as keystroke dynamics to ensure a session hasn’t been hijacked by another person, malware, or a bot. The user doesn’t have to do anything to reauthenticate; it happens automatically as he or she works.

European banks, which face some of the most stringent regulations for user authentication, have been early adopters of continuous authentication. This technology also has applications in government, healthcare, and other sectors that have long user sessions and require high levels of security.

Most organizations are recognizing that a simple username and password combination does not provide adequate security, and are looking to add a second factor such as a biometric or one-time passcode. Keystroke dynamics offers a simpler solution that could turn the tide in the war against cybercrime.

____________________________________________

If you would like more information about keystroke dynamics or preventing cybercrime, send us an email at info@dtec.com.

Leave a Comment