Keystroke dynamics

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages) This article's tone or style may not reflect the encyclopedic tone used on Wikipedia. See Wikipedia's guide to writing better articles for suggestions. (January 2014) (Learn how and when to remove this template message) This article includes a list of general references, but it lacks sufficient corresponding inline citations. Please help to improve this article by introducing more precise citations. (February 2014) (Learn how and when to remove this template message) This article possibly contains original research. Please improve it by verifying the claims made and adding inline citations. Statements consisting only of original research should be removed. (February 2014) (Learn how and when to remove this template message) (Learn how and when to remove this template message)

Keystroke dynamics, keystroke biometrics, typing dynamics, and typing biometrics refer to the collection of

Science

The behavioral biometric of keystroke dynamics uses the manner and rhythm in which an individual types characters on a keyboard or keypad.^[4][5][6] The user's keystroke rhythms are measured to develop a unique biometric template of the user's typing pattern for future authentication.^[7] Keystrokes are separated into static and dynamic typing, which are used to help distinguish between authorized and unauthorized users.^[8] Vibration information may be used to create a pattern for future use in both identification and authentication tasks.

History

During the late nineteenth century,

Keyboard dynamics received attention as a potential alternative to short PIN numbers, which were widely used for authentication early in the expansion of networked computing.[12]

Collection and potential use of keystroke dynamics data

The behavioral biometric of keystroke dynamics uses the manner and rhythm in which an individual types characters on a keyboard or keypad.^[13][14][15] The user's keystroke rhythms are measured to develop a unique biometric template of the user's typing pattern for future authentication.^[16] Keystrokes are separated into static and dynamic typing, which are used to help distinguish between authorized and unauthorized users.^[17] Vibration information may be used to create a pattern for future use in both identification and authentication tasks.

Keystroke dynamic information could be used to verify or determine the identity of the person producing the keystrokes.

.

The time to seek and depress a key (seek-time) and the time the key is held down (hold-time) may be characteristic of an individual, regardless of the total speed at which they type. Most people take longer to find or get to specific letters on the keyboard than their average seek-time for all letters. Which letters require more time vary dramatically and consistently for different people.

people may be statistically faster in getting to keys they hit with their right-hand fingers than with their left-hand fingers. Index fingers may be faster than other fingers, consistent for a user, regardless of their overall speed.

In addition, sequences of letters may have characteristic properties for a user. In English, the use of "the" is very common, and those three letters may be known as a rapid-fire sequence. Common endings, such as "ing", may be entered far faster than the same letters in reverse order ("gni") to the degree that varies consistently by user. This consistency may hold and reveal common sequences of the user's native language even when they are writing entirely in a different language.

Common "errors" may also be quite characteristic of a user. There is a taxonomy of errors, such as the user's most common "substitutions", "reversals", "drop-outs", "double-strikes", "

", "homonyms" and hold-length-errors (for a shift key held down too short or too long a time). Even without knowing what language the user is working in, these errors may be detected by looking at the rest of the text and what letters the user goes back and replaces.

Authentication versus identification

Keystroke dynamics is part of a larger class of biometrics known as behavioral biometrics, a field in which observed patterns are statistical in nature. Because of this inherent uncertainty, a commonly held belief is that behavioral biometrics are not as reliable as biometrics used for authentication based on physically observable characteristics such as

. behavioral biometrics use a confidence measurement in replacement of the traditional pass/fail measurements. As such, the traditional benchmarks of False Acceptance Rate (FAR) and False Rejection Rates (FRR) no longer have linear relationships.

The benefit to keystroke dynamics (as well as other behavioral biometrics) is that FRR/FAR can be adjusted by changing the acceptance threshold at the individual level. This allows for explicitly defined individual risk mitigation that physical biometric technologies could not achieve.

One of the major problems that keystroke dynamics runs into is that a user's typing varies substantially during a day and between different days and may be affected by any number of external factors.

Because of these variations, any system will make false-positive and false-negative errors. Some successful commercial products have strategies to handle these issues and have proven effective in large-scale use in real-world settings and applications.

Legal and regulatory issues

Use of keylogging software may be in direct and explicit violation of local laws, such as the

wire-tapping

.

Patents

• US patent 9430626, John D. Rome, Bethann G. Rome and Thomas E. Ketcham II, "User authentication via known text input cadence", issued 2012 
• US patent 7509686, John C. Checco, "Method for providing computer-based authentication utilizing biometrics", issued 2009 
• US patent 7206938, S. Blender and H. Postley, "Key sequence rhythm recognition system and method", issued 2007 
• US patent 4621334, J. Garcia, "Personal identification apparatus", issued 1986 
• US patent 4805222, J.R. Young and R.W. Hammon, "Method and apparatus for verifying an individual's identity", issued 1989 
• P. Nordström, J. Johansson. Security system and method for detecting intrusion in a computerized system. Patent No. 2 069 993, European Patent Office, 2009.
• US patent 8230232, A. Awad and I. Traore, "System and method for determining a computer user profile from a motion-based input device", issued 2012 

Other uses

Because human beings generate keystroke timings, they are not well correlated with external processes. They are frequently used as a source of hardware-generated random numbers for computer systems.

Mental health symptoms such as depression and anxiety have also been correlated with keystroke timing features.^[19]

See also

• Fist (telegraphy)

References

Other references

• Checco, J. (2003). Keystroke Dynamics & Corporate Security. WSTA Ticker Magazine, [1]
• Bergadano, F.; Gunetti, D.; Picardi, C. (2002). "User authentication through Keystroke Dynamics". ACM Transactions on Information and System Security. 5 (4): 367–397.
  S2CID 507476
  .
• iMagic Software. (vendor web-site [2] May 2006). Notes: Vendor specializing in keystroke authentication for large enterprises.
• AdmitOne Security - formerly BioPassword. (vendor web-site home [Web Page]. URL [3]. Notes: Vendor specializing in keystroke dynamics
• Garcia, J. (Inventor). (1986). Personal identification apparatus. (USA 4621334). Notes: US Patent Office - [4]
• Bender, S and Postley, H. (Inventors) (2007). Key sequence rhythm recognition system and method. (USA 7206938), Notes: US Patent Office - [5]
• Joyce, R., & Gupta, G. (1990). Identity authorization based on keystroke latencies. Communications of the ACM, 33(2), 168-176. Notes: Review up through 1990
• Mahar, D.; Napier, R.; Wagner, M.; Laverty, W.; Henderson, R. D.; Hiron, M. (1995). "Optimizing digraph-latency based biometric typist verification systems: inter and intra typist differences in digraph latency distributions". International Journal of Human-Computer Studies. 43 (4): 579–592.
  S2CID 206564985
  .
• Monrose, Fabian; Rubin, Aviel (1997). "Authentication via keystroke dynamics". Proceedings of the 4th ACM conference on Computer and communications security - CCS '97. New York, New York, USA:
  ISBN 0-89791-912-2
  . much cited
• Monrose, Fabian; Rubin, Aviel D. (2000). "Keystroke dynamics as a biometric for authentication" (PDF). Future Generation Computer Systems. 16 (4). Elsevier BV: 351–359X.
  S2CID 1202473
  .
• Monrose, F. R. M. K., & Wetzel, S. (1999). Password hardening based on keystroke dynamics. Proceedings of the 6th ACM Conference on Computer and Communications Security, 73-82. Notes: Kent Ridge Digital Labs, Singapore
• Robinson, J.A.; Liang, V.W.; Chambers, J.A.M.; MacKenzie, C.L. (1998). "Computer user verification using login string keystroke dynamics". IEEE Transactions on Systems, Man, and Cybernetics - Part A: Systems and Humans. 28 (2). Institute of Electrical and Electronics Engineers (IEEE): 236–241.
  ISSN 1083-4427
  . The keystroke dynamics of a computer user's login string provide a characteristic pattern that can be used for identity verification. Timing vectors for several hundred login attempts were collected for ten "valid" users and ten "forgers", and classification analysis was applied to discriminate between them. Three different classifiers were applied, and in each case the key hold times were more effective features for discrimination than the interkey times. Best performance was achieved by an inductive learning classifier using both interkey and hold times. A high rate of typographical errors during login entry is reported. In practice, these are usually corrected errors-that is, they are strings which include backspaces to correct earlier errors-but their presence confounds the use of typing-style analysis as a practical means of securing access to computer systems.
• Young, J. R., & Hammon, R. W. (Inventors). (1989). Method and apparatus for verifying an individual's identity. 4805222). Notes: US Patent Office - [6]
• Vertical Company LTD. (vendor web-site [7] October 2006). Notes: Vendor specializing in keystroke authentication solutions for government and commercial agencies.
• Lopatka, M. & Peetz, M.H. (2009). Vibration Sensitive Keystroke Analysis. Proceedings of the 18th Annual Belgian-Dutch Conference on Machine Learning, 75-80.[8] Archived 2009-03-24 at the Wayback Machine
• Coalfire Systems Compliance Validation Assessment (2007) https://web.archive.org/web/20110707084309/http://www.admitonesecurity.com/admitone_library/AOS_Compliance_Functional_Assessment_by_Coalfire.pdf
• Karnan, M.Akila (2011). "Biometric personal authentication using keystroke dynamics: A review". Applied Soft Computing Journal. 11 (2): 1565–1573.
  doi:10.1016/j.asoc.2010.08.003
  .
• Jenkins, Jeffrey; Nguyen, Quang; Reynolds, Joseph; Horner, William; Szu, Harold (2011-05-13). "The physiology of keystroke dynamics". In Szu, Harold (ed.). Independent Component Analyses, Wavelets, Neural Networks, Biosystems, and Nanoengineering IX. Vol. 8058.
  doi:10.1117/12.887419
  .

Further reading

• Vaas, Lisa (30 July 2015). "Websites can track us by the way we type—here's how to stop it". Naked Security. Sophos. Retrieved 2018-02-01.
• Walsh, Ray (1 November 2016). "Keyboard Privacy: Building Profiles from How We Type". BestVPN. Retrieved 2018-02-01.