Most people are familiar with the three factors of authentication: something you know, something you have and something you are. But there’s also a lesser-known fourth factor: something you do. One type of behavioral biometrics — keystroke dynamics — evaluates the way users type.
Keystroke dynamics promise a low-cost, additional layer of authentication beyond a simple user identification and password. By authenticating users based on their typing rhythms, organizations don’t need to make large investments in new access control technology.
“Users don’t have to learn anything new to use keystroke dynamics, and organizations can deploy the technology unobtrusively without bringing attention to the IT security staff,” says Greg Cannon, chief technology officer for Crossmatch Technologies, an identity management company.
E-commerce, mobile banking and other transaction-based applications are driving interest in keystroke dynamics to better protect digital identities, according to market research company Global Industry Analysts. GIA expects the size of the market to nearly double, to $796.5 million by 2020.
The genesis of keystroke dynamics dates back to World War II, when the military began using dots and dashes based on the syncopation of telegraph keys. In the 1980s, the National Science Foundation asked Rand to test keystroke dynamics for use as a computer security technology.
While the tests were successful, it wasn’t until 2000 that keystroke dynamics passed the Financial Services Technology Consortium/International Biometric Group comparative testing program, making it a potential candidate for use in IT security and e-commerce.
Cannon says there was a peak of activity following 9/11, but by 2003, interest in keystroke dynamics had decreased. “One big problem was that the competing companies couldn’t find common ground on interoperability,” he explains. “There were also high error rates reported on some tests, so there was not a lot of confidence in the technology among the large systems integrators.”
Another recent challenge is the rise of malware based on keyloggers, resulting in organizations seeking to lock down this vulnerability. “The whole idea in defeating keyloggers is not to open up the keystroke buffer, so it presents a problem for keystroke dynamics,” Cannon says.
Eddie Schwartz, chair of ISACA’s Cybersecurity Task Force, believes there’s a place for keystroke dynamics with desktops and PCs. But with mobility playing such a large role in computing, he’s not sure what the future holds.
“The acceptance hasn’t caught on over time the way other forms of biometrics such as the fingerprint or iris have,” Schwartz says. “But I do think the technology is viable and I understand that some startup companies are working out the behavioral issues.”
Crossmatch’s Cannon thinks keystroke dynamics may wind up being embedded in popular operating systems. “If Microsoft Windows, Mac OS or Chrome provide a built-in capability for keystroke authentication, then users would not have to do anything special, and the OS could still keep the keystrokes away from the keylogger malware.”
KeyTrac CEO Thomas Wölfl says most of his customers are comfortable with his KeyTrac product integrating the keystroke software on a web server. He’s not concerned about keylogger malware, for two reasons. First, nobody can type the same way twice, so identical keystrokes must have been made by a keylogger. Second, KeyTrac integrates with CAPTCHA applications that can be read only by humans, not computers.
“It’s also really important to remember that keystroke dynamics learns your typing patterns over time,” Wölfl explains. “While we guarantee 96 percent reliability for keystroke dynamics based on password text input when a person registers, that number goes up significantly over several weeks and months.”
Wölfl also claims that for text input longer than a password, KeyTrac has the same reliability as a biometric fingerprint reader.
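The replay argument above (a person never types exactly the same way twice, so an identical timing sample points to captured keystrokes) can be sketched as a check that runs before the normal profile match. This is an added example, not KeyTrac's algorithm or code: the function names, the thresholds and the sample timings are all constructed assumptions.

```python
from statistics import mean, pstdev

# Assumed thresholds, for illustration only.
REPLAY_EPS_MS = 2.0   # mean per-key difference below this is "too identical"
MIN_STD_MS = 5.0      # floor on per-key spread so a tiny history is not over-strict
MAX_MEAN_Z = 2.5      # mean z-score above this does not fit the profile

# Constructed enrollment data: inter-key intervals (ms) for one password,
# one row per earlier accepted login.
HISTORY = [
    [120, 95, 180, 140, 110],
    [131, 88, 172, 151, 104],
    [115, 101, 190, 133, 118],
    [126, 92, 176, 146, 109],
]

def mean_abs_diff(a, b):
    """Average per-key timing difference between two samples, in ms."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def classify(attempt, history):
    """Return 'replay', 'accept' or 'reject' for one timing sample."""
    if len(history) < 2:
        raise ValueError("need at least two enrolled samples")
    if any(len(h) != len(attempt) for h in history):
        raise ValueError("timing vectors must have equal length")

    # 1. Replay check: a sample that (nearly) duplicates an earlier one is
    #    treated as captured-and-replayed input, not as a very good match.
    if any(mean_abs_diff(attempt, h) < REPLAY_EPS_MS for h in history):
        return "replay"

    # 2. Profile check: compare each interval with the user's own mean and
    #    spread at that key position.
    columns = list(zip(*history))
    z = [abs(x - mean(c)) / max(pstdev(c), MIN_STD_MS)
         for x, c in zip(attempt, columns)]
    return "accept" if mean(z) <= MAX_MEAN_Z else "reject"

if __name__ == "__main__":
    for sample in ([124, 98, 184, 137, 114],    # same rhythm, natural jitter
                   [131, 88, 172, 151, 104],    # exact copy of an old login
                   [210, 160, 90, 260, 70]):    # different typist
        print(sample, "->", classify(sample, HISTORY))
```

The replay check only works if accepted samples are stored and each new accepted sample is appended to the history, which also gives the profile the gradual learning Wölfl describes.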