Keystroke dynamics or typing biometrics refers to the automated method of identifying or confirming the identity of an individual based on the manner and the rhythm of typing on a keyboard. Keystroke dynamics is a behavioral biometric, this means that the biometric factor is ‘something you do’.
Already during the second world war a technique known as The Fist of the Sender was used by military intelligence to distinguish based on the rhythm whether a morse code message was send by ally or enemy. These days each household has at least one computer keyboard, making keystroke dynamics the easiest biometric 2FA solution to implement in terms of hardware.
How it works
With keystroke dynamics the biometric template used to identify an individual is based on the typing pattern, the rhythm and the speed of typing on a keyboard. The raw measurements used for keystroke dynamics are dwell time and flight time.
- Dwell time is the time duration that a key is pressed
- Flight time is the time duration in between releasing a key and pressing the next key
When typing a series of characters, the time the subject needs to find the right key (flight time) and the time he holds down a key (dwell time) is specific to that subject, and can be calculated in such a way that it is independent of overall typing speed. The rhythm with which some sequences of characters are typed can be very person dependent. For example someone used to typing in english will be quicker at typing certain character sequences such as ‘the’ than a person with french roots.
There exists software which combines keystroke dynamics with other interactions the user has with the computer, such as mouse movements (acceleration time, click frequency).
Application of keystroke dynamics
Keystroke dynamics can be used for authentication, then it is used mostly together with user ID / password credentials as a form of two-factor authentication.
Another use is as a very specific form of surveillance. There exist software solutions which, often without end-users being aware of it, track keystroke dynamics for each user account. This tracking, historization of keystroke dynamics is then used to analyse whether accounts are being shared or in general are used by people different from the genuine account owner. Reasons for such an implementation could be verification of users following security procedures (password sharing) or to verify that no software licenses are being shared (especially for SAAS applications).
Companies which develop software products applying keystroke dynamics are:
- TypingDNA built and AI engine able to match any two typing patterns with unprecedented accuracy. Its easy to use keystroke dynamics authentication API is suitable for securing logins, enforcing reset passwords, detecting intruders and online biometric authentication for user behaviour analytics, multifactor authentication, user identification, eLearning and fraud prevention. They also provide a continuous authentication app, for Windows and Mac, also based on keystroke dynamics.
- ID Control is a dutch company developing strong but affordable authentication solutions, some of which use keystroke dynamics. Their software integrates with MS Windows logon, Citrix, VPN and many others.
- BehavioSec is a swedish company specialized in continuous authentication systems, this is software which monitors activity on a computer to make sure that it is the genuine account owner who is using the computer. BehavioSec uses not only keystroke dynamics but also mouse dynamics and the general way in which the user interacts with the computer.
Suitability of keystroke dynamics
In general behavioral biometrics such as keystroke dynamics are less reliable than physiological biometrics. We use the following 7 criteria to evaluate the suitability of keystroke dynamics:
Universality | This biometric solution can be used by all individuals that are able to use a keyboard. |
Uniqueness | Unlike physiological biometric factors, there can be no such thing as an absolute match with behavioral biometrics. Therefore it is difficult to discuss uniqueness of a typing pattern. It must be clear that with keystroke dynamics it is not possible to have FAR and FRR as low as for the better physiological biometric factors, therefore it cannot be the sole factor to identify or authenticate a subject. |
Permanence | A major problem with keystroke dynamics is that a subject’s typing rhythm varies considerably in between days and even within the same day. There are numerous reasons for this: tiredness, switching computers / keyboards, mood, influence of alcohol and medications, etc. |
Collectability | An important advantage of keystroke dynamics is that there is no special hardware needed as with other biometrics, a standard computer keyboard is sufficient. It is also possible to capture the keyboard dynamics in the background, during longer periods without causing any additional overhead for the subject. This might allow to trigger an alarm when another subject takes over the session on a logged in workstation. |
Acceptability | Depending of the country or state you are in using key logging software might be a direct violation of local laws. Even if the actual typed text is not analyzed or retained, applicable legislation is sufficiently unclear to be in your disadvantage when you intend to actually use keystroke dynamics. Request legal advise before implementing or experimenting without written consent from people on the keyboard. |
Circumvention | It is certainly difficult, if not impossible to mimic another person’s typing rhythm. Electronically capturing using keylogging software is possible, thus implementing this biometric solution requires that data security is guaranteed from the input (keyboard) to the matching algorithm. |
Performance | Behavioral biometrics have higher variations because they depend on a lot of (external) factors such as ergonomics, fatigue, mood, etc. This causes higher FAR and FRR when compared to solutions based on a physiological biometric factor such as fingerprint recognition. |