Keystroke dynamics
Keystroke dynamics, or typing dynamics, is the detailed timing information that describes exactly when each key was pressed and when it was released as a person is typing at a computer keyboard.

Science of Keystroke Dynamics

The behavioral biometric of Keystroke Dynamics uses the manner and rhythm in which an individual types characters on a keyboard or keypad. The keystroke rhythms of a user are measured to develop a unique biometric template of the user's typing pattern for future authentication. Raw measurements available from almost every keyboard can be recorded to determine Dwell time (the time a key is pressed) and Flight time (the time between “key up” and the next “key down”). The recorded keystroke timing data is then processed through a unique neural algorithm, which determines a primary pattern for future comparison. Similarly, vibration information may be used to create a pattern for future use in both identification and authentication tasks.
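The following Python sketch is an added example, not part of the original article and not any vendor's algorithm. It pairs raw key-down/key-up events into dwell and flight times, builds a template from several enrollment samples, and scores a new sample against it. A simple statistical measure (scaled Manhattan distance) stands in for the neural algorithm mentioned above; all function names and all timings are constructed for illustration.

```python
from statistics import mean

def pair_events(raw):
    """Pair raw (t_ms, key, 'down'|'up') events into (key, down, up) strokes."""
    pending, strokes = {}, []
    for t, key, kind in sorted(raw, key=lambda e: e[0]):
        if kind == "down":
            pending.setdefault(key, t)   # keep first press; ignore auto-repeat
        elif key in pending:             # ignore a release with no matching press
            strokes.append((key, pending.pop(key), t))
    return sorted(strokes, key=lambda s: s[1])

def features(raw):
    """Return (keys, dwell times + flight times) in ms for one typing sample."""
    strokes = pair_events(raw)
    keys = [k for k, _, _ in strokes]
    dwell = [up - down for _, down, up in strokes]
    # Flight = next key-down minus previous key-up; negative when keys overlap.
    flight = [strokes[i + 1][1] - strokes[i][2] for i in range(len(strokes) - 1)]
    return keys, dwell + flight

def enroll(samples):
    """Build a template: per-feature mean and mean absolute deviation."""
    feats = [features(s) for s in samples]
    keys = feats[0][0]
    if any(k != keys for k, _ in feats):
        raise ValueError("enrollment samples must contain the same text")
    cols = list(zip(*(v for _, v in feats)))
    means = [mean(c) for c in cols]
    # Floor the deviation at 1 ms so a perfectly steady feature cannot divide by zero.
    devs = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, means)]
    return {"keys": keys, "means": means, "devs": devs}

def score(template, raw):
    """Scaled Manhattan distance to the template; lower means more similar."""
    keys, vec = features(raw)
    if keys != template["keys"]:
        return float("inf")              # different text: not comparable
    return mean(abs(x - m) / d
                for x, m, d in zip(vec, template["means"], template["devs"]))

def raw_stream(strokes):
    """Expand constructed (key, down, up) tuples into a raw event list."""
    return [e for k, d, u in strokes for e in ((d, k, "down"), (u, k, "up"))]

# Constructed timings (ms) for the word "the"; this typist presses "e" before
# releasing "h", so the second flight time is negative.
ENROLL = [raw_stream(s) for s in (
    [("t", 0, 90), ("h", 120, 190), ("e", 180, 280)],
    [("t", 0, 110), ("h", 160, 250), ("e", 220, 320)],
    [("t", 0, 90), ("h", 140, 230), ("e", 220, 340)],
    [("t", 0, 110), ("h", 140, 210), ("e", 180, 300)],
)]
TEMPLATE = enroll(ENROLL)
GENUINE = raw_stream([("t", 0, 95), ("h", 130, 215), ("e", 200, 310)])
IMPOSTOR = raw_stream([("t", 0, 140), ("h", 220, 330), ("e", 400, 520)])

if __name__ == "__main__":
    print("genuine :", score(TEMPLATE, GENUINE))
    print("impostor:", score(TEMPLATE, IMPOSTOR))
```

The sample from the enrolled typist scores far lower than the sample from a slower typist who does not overlap keys, even though both entered the same three letters.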

Data needed to analyze keystroke dynamics is obtained by keystroke logging. Normally, all that is retained when logging a typing session is the sequence of characters corresponding to the order in which keys were pressed, and timing information is discarded. When reading email, the receiver cannot tell from reading the phrase "I saw 3 zebras!" whether:
  • that was typed rapidly or slowly
  • the sender used the left shift key, the right shift key, or the caps-lock key to make the "i" turn into a capitalized letter "I"
  • the letters were all typed at the same pace, or if there was a long pause before the letter "z" or the numeral "3" while the sender was looking for that character
  • the sender typed any letters wrong initially and then went back and corrected them, or if he got them right the first time

Origin of Keystroke Dynamics

On May 24, 1844, the message "What hath God wrought" was sent by telegraph from the U.S. Capitol in Washington, D.C. to the Baltimore and Ohio Railroad "outer depot" in Baltimore, Maryland, and a new era in long-distance communications had begun. By the 1860s the telegraph revolution was in full swing and telegraph operators were a valuable resource. With experience, each operator developed their unique “signature” and was able to be identified simply by their tapping rhythm.

As late as World War II the military transmitted messages through Morse Code. Using a methodology called "The Fist of the Sender," Military Intelligence identified that an individual had a unique way of keying in a message's "dots" and "dashes," creating a rhythm that could help distinguish ally from enemy.

Use as Biometric Data

Researchers are interested in using this keystroke dynamic information, which is normally discarded, to verify or even try to determine the identity of the person who is producing those keystrokes. This is often possible because some characteristics of keystroke production are as individual as handwriting or a signature. The techniques used to do this vary widely in power and sophistication, and range from statistical techniques to neural nets to artificial intelligence.

In the simplest case, very simple rules can be used to rule out a possible user. For example, if we know that John types at 20 words per minute, and the person at the keyboard is going at 70 words per minute, it's a pretty safe bet that it's not John. That would be a test based simply on raw speed uncorrected for errors. It's only a one-way test, as it's always possible for people to go slower than normal, but it's unusual or impossible for them to go twice their normal speed.

Or, it may be that the mystery user at the keyboard and John both type at 50 words per minute; but John never really learned the numbers, and always has to slow down an extra half-second whenever a number has to be entered. If the mystery user doesn't slow down for numbers, then, again, it's a safe bet this isn't John.

The time to get to and depress a key (seek-time), and the time the key is held down (hold-time) may be very characteristic for a person, regardless of how fast he is going overall. Most people have specific letters that take them longer to find or get to than their average seek-time over all letters, but which letters those are may vary dramatically but consistently for different people. Right-handed people may be statistically faster in getting to keys they hit with their right hand fingers than they are with their left hand fingers. Index fingers may be characteristically faster than other fingers to a degree that is consistent for a person day-to-day regardless of their overall speed that day.

In addition, sequences of letters may have characteristic properties for a person. In English, the word "the" is very common, and those three letters may be known as a rapid-fire sequence and not as just three meaningless letters hit in that order. Common endings, such as "ing", may be entered far faster than, say, the same letters in reverse order ("gni") to a degree that varies consistently by person. This consistency may hold and may reveal the person's native language's common sequences even when they are writing entirely in a different language, just as revealing as an accent might in spoken English.

Common "errors" may also be quite characteristic of a person, and there is an entire taxonomy of errors, such as this person's most common "substitutions", "reversals", "drop-outs", "double-strikes", "adjacent letter hits", "homonyms", hold-length-errors (for a shift key held down too short or too long a time). Even without knowing what language a person is working in, by looking at the rest of the text and what letters the person goes back and replaces, these errors might be detected. Again, the patterns of errors might be sufficiently different to distinguish two people.

Authentication versus identification

Keystroke dynamics is part of a larger class of biometrics known as behavioral biometrics; their patterns are statistical in nature. It is a commonly held belief that behavioral biometrics are not as reliable as physical biometrics used for authentication such as fingerprints or retinal scans or DNA. The reality here is that behavioral biometrics use a confidence measurement instead of the traditional pass/fail measurements. As such, the traditional benchmarks of False Acceptance Rate (FAR) and False Rejection Rate (FRR) no longer have linear relationships.

The benefit to keystroke dynamics (as well as other behavioral biometrics) is that FRR/FAR can be adjusted by changing the acceptance threshold at the individual level. This allows for explicitly defined individual risk mitigation–something physical biometric technologies could never achieve.
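The next Python sketch is an added example, not part of the original article. It shows per-user threshold selection: for each user it picks the loosest acceptance threshold whose FAR stays within a chosen cap and reports the FRR that results. The scores are constructed distance values (lower means closer to the enrolled template), and the function and user names are hypothetical.

```python
def far_frr(genuine, impostor, threshold):
    """FAR and FRR for distance scores, where score <= threshold is accepted."""
    far = sum(s <= threshold for s in impostor) / len(impostor)
    frr = sum(s > threshold for s in genuine) / len(genuine)
    return far, frr

def pick_threshold(genuine, impostor, max_far):
    """Loosest threshold whose FAR stays within max_far: (threshold, FAR, FRR)."""
    # Start from a threshold of 0, which rejects everything (scores are > 0).
    best = (0.0,) + far_frr(genuine, impostor, 0.0)
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far > max_far:
            break                # FAR only grows as the threshold loosens
        best = (t, far, frr)
    return best

# Constructed scores: attempts by the real user and by other people against
# that user's template. "steady" types consistently, "erratic" does not.
USERS = {
    "steady": {
        "genuine":  [0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.1],
        "impostor": [1.6, 2.0, 2.4, 2.9, 3.3, 3.8, 4.2, 5.0],
    },
    "erratic": {
        "genuine":  [0.6, 0.9, 1.2, 1.5, 1.8, 2.1, 2.6, 3.0],
        "impostor": [1.4, 1.9, 2.5, 3.1, 3.6, 4.0, 4.4, 5.2],
    },
}

def policy(max_far):
    """Per-user (threshold, FAR, FRR) under one FAR cap."""
    return {name: pick_threshold(u["genuine"], u["impostor"], max_far)
            for name, u in USERS.items()}

if __name__ == "__main__":
    for cap in (0.0, 0.125):
        for name, (t, far, frr) in policy(cap).items():
            print(f"max FAR {cap:.3f}  {name:8s} threshold={t}  FAR={far}  FRR={frr}")
    # One global threshold tuned on the steady typist, applied to the erratic one:
    print("global 1.1 on erratic:", far_frr(**USERS["erratic"], threshold=1.1))
```

With a zero-FAR cap the steady typist is never rejected, while the erratic typist is rejected in 5 of 8 genuine attempts; relaxing the cap for that one account to 0.125 brings the rejection rate down to 3 of 8.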

Another benefit of keystroke dynamics: they can be captured continuously—not just at the start-up time—and may be adequately accurate to trigger an alarm to another system or person to come double-check the situation.

In some cases, a person at gun-point might be forced to get start-up access by entering a password or having a particular fingerprint, but then that person could be replaced by someone else at the keyboard who was taking over for some bad purpose. In other less dramatic cases, a doctor might violate business rules by sharing his password with his secretary, or by logging onto a medical system but then leaving the computer logged-in while someone else he knows about or doesn't know about uses the system. Keystroke dynamics is one way to detect such problems sufficiently reliably to be worth investigating, because even a 20% true-positive rate would send the word out that this type of behavior is being watched and caught.

Researchers are still a long way from being able to read a keylogger session from a public computer in a library or cafe somewhere and identify the person from the keystroke dynamics, but we may be in a position to confidently rule out certain people from being the author, who we are confident is "a left-handed person with small hands who doesn't write in English as their primary language."

Temporal variation

One of the major problems that keystroke dynamics runs into is that a person's typing varies substantially during a day and between different days. People may get tired, or angry, or have a beer, or switch computers, or move their keyboard tray to a new location, or use a virtual keyboard, or be pasting in information from another source (cut-and-paste), or from a voice-to-text converter. Even while typing, a person, for example, may be on the phone or pausing to talk.

And some mornings, perhaps after a long night with little sleep and a lot of drinking, a person's typing may bear little resemblance to the way he types when he is well-rested. Extra doses of medication or missed doses could change his rhythm. There are hundreds of confounding circumstances.

Because of these variations, there will be error rates to almost any system, both false-positives and false-negatives. A valid solution that uses keystroke dynamics must take these elements into account.

Note: Some of the commercial products (the successful ones) have strategies to counter these issues and have proven effective in large-scale use (thousands of users) in real-world settings and applications.

Commercial products

There are several home software and commercial software products which claim to use keystroke dynamics to authenticate a user.

Intensity Analytics (http://www.intensityanalytics.com) - is based near Washington, DC, and has a patent-pending solution called CVMetrics which uses a variety of hyperaccurate methods for identifying and validating users on a continuous basis across applications. The CVMetrics application delivers a number of different statistical weights and measures for implementation in different environments from compliance and documentation, to authentication, to forensics, to field intelligence applications, and others.

AdmitOneSecurity - formerly BioPassword (http://www.admitonesecurity.com) is a patented commercial system which uses keystroke dynamics - in addition to other transparent authentication factors - to associate a user to their digital identity and detect online fraud. See the References section below for a link to a review from PC Magazine as well as a research report from Coalfire Systems on how the product enables PCI, FFIEC, and HIPAA compliance.

KeyTrac (http://www.keytrac.de) - unlike traditional methods, KeyTrac works with any text the user enters (not only passwords or always-the-same-text methods), thus making it the first method able to analyze any text input in the background, without disrupting the work flow of the end user. The concealed background keystroke recording, combined with the high level of security, offer a number of attractive options for implementing the system in e-commerce applications — something that would not be possible using traditional keyboard biometrics.

iMagic Software (http://www.imagicsoftware.com) makes Trustable Passwords, a patented commercial system which is designed for both web authentication and large-scale enterprise authentication in conjunction with eSSO and supports all platforms (Windows, Mac, Linux) and major enterprise infrastructure. Trustable Passwords is being used by websites to authenticate customers and in enterprises including multi-hospital health systems for user authentication and interfaces with other authentication technologies including Knowledge-Based, Device forensic, and out-of-band authentication.

ID Control (http://www.idcontrol.net) delivers keystroke dynamics with KeystrokeID which offers an impressively low FRR and FAR for verification and identification. KeystrokeID is easy to enroll and manage through their fully integrated and centralized identity and access management solution called ID Control Server.

Deepnet Security (http://www.deepnetsecurity.com) has also developed a keystroke biometric authentication system, TypeSense. It is claimed that their product employs advanced new algorithms such as auto-correlative training and adaptive learning, and achieves better results than other similar products.

Psylock (http://www.psylock.com) is a method for biometric authentication based on a user's typing behavior. Therefore the user is authenticated by the way he types on a conventional keyboard and depending on the result of the analysis he gets access to certain data. Psylock was a finalist in the Global Security Challenge award 2007 and third in the German IT-Security Award 2008. Concerning the error rates (FAR/FRR), Psylock claims to be the technological leader for keystroke dynamics.

Authenware Corp. (http://www.authenware.com) provides the highest security levels to enterprise applications, the web, and any form of transaction that engages a software artifact. The company was founded in 2006 and is headquartered in Miami, Florida (USA). It was certified by International Biometric Group (http://www.biometricgroup.com) in 2009. AuthenWare Corp. is a global company with more than 14 technical and commercial offices around the world and a Research & Development Laboratory in Mendoza, Argentina.

bioChec™ (http://www.bioChec.com) has a patented implementation which uses keystroke dynamics for ubiquitous web-based login as well as workstation authentication. It is the recipient of the "BiometricTech Best of Show 2003" award as well as receiving "SC Magazine Global Awards 2005 Finalist".

DiBiSoft (http://www.dibisoft.com) has an implementation which uses keystroke dynamics for Windows authentication in hidden mode.

Probayes (http://www.probayes.com) has developed a unique keystroke dynamics solution for web applications. The solution leverages one of Probayes's patents on probabilistic computing.

Delfigo Security (http://www.delfigosecurity.com) provides multi-factor risk-based authentication to prevent identity theft and fraud. The solution from Delfigo Security uses keystroke biometrics and other behavioral characteristics in an AI based algorithm to create a unique digital identity of an individual. Delfigo's solution easily integrates out-of-band capability to in-band authentication methods.

BehavioSec (http://www.behaviosec.com) provide behaviometric solutions encompassing keystroke, mouse, and environment dynamics, both for Windows continuous authentication and as a client-less web-based service, to aid fraud prevention. BehavioSec are headquartered in Sweden.

Anyone considering building a new product using keystroke dynamics should understand the legal issues (see below), and figure out as well how to have an authorized program's use of keystroke interception survive the removal efforts of multiple anti-spyware programs. In this case, the security enhancing programs may be fighting with each other.

On top of that, if the desired result for a web-based product is to use keystroke dynamics to decide whether to cause a pop-up window to appear, asking for re-entry of a password or other verification question, new pop-up blockers may prevent that feature from functioning.

Legal and regulatory issues

Surreptitious use of key-logging software is on the rise, as of this writing. Use of such software may be in direct and explicit violation of local laws, such as the U.S. Patriot Act, under which such use may constitute wire-tapping. This could have severe penalties including jail time. See spyware for a better description of user-consent issues and various fraud statutes. Spyware and its use for illegal operations such as bank-fraud and identity theft are very much in the news, with even Microsoft issuing new spyware defense products, and tougher laws in the near future being very likely.

Competent legal advice should be obtained before attempting to use or even experiment with such software and keystroke dynamic analysis, if consent is not clearly obtained from the people at the keyboard, even though the actual residual "content" of the message—the resultant text—is never analyzed, read, or retained. The status of the "dynamic context" of the text is probably in legal limbo.

There are some patents in this area. Examples:
  • S. Blender and H. Postley. Key sequence rhythm recognition system and method. Patent No. 7 206 938, U.S. Patent and Trademark Office, 2007.
  • J. Garcia. Personal identification apparatus. Patent No. 4 621 334, U.S. Patent and Trademark Office, 1986.
  • J.R. Young and R.W. Hammon. Method and apparatus for verifying an individual’s identity. Patent No. 4 805 222, U.S. Patent and Trademark Office, 1989.

Other uses

Because keystroke timings are generated by human beings, they are not well correlated with external processes, and are frequently used as a source of hardware-generated random numbers for computer systems.

See also

  • Fist (telegraphy)
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 