You may have obtained my password, but you can’t type it like me!
This could be the summary of the excellent article "Identify and verify users based on how they type" by Nathan Harrington, which demonstrates how a computer system’s security can be enhanced with an algorithm that checks not only the validity of the password, but also whether the keys were pressed and released in the user’s pre-recorded, unique way of typing that particular password. The author provides all the necessary code to add this biometric technique to the GNOME Display Manager (GDM).
It may sound like a relatively easy implementation, but, taking into account that it is almost impossible for our neuro-myo-skeletal system to produce two identical patterns while performing a complicated action such as typing, user identification and verification using this biometric technique becomes a real challenge. The article author notes:
As a biometric, keystroke dynamics are relatively imprecise. Unlike Iris scans or fingerprints, even the most highly repetitive individuals make subtle variations in their typing patterns. The challenge in using keystroke dynamics in an authentication or verification context is to discern acceptable variations from incorrect credentials.
One could say that the pros and cons of such an implementation are quite obvious.
- Unlike iris or fingerprint scanners, this biometric does not require any special hardware equipment. It is just an algorithm that can be compiled and run on any computer system. This generally means: cheap biometric methods.
- It can be added on top of the currently used authentication systems without requiring any extra action from the users at all.
- The combination of such a biometric method with the existing user/password authentication scheme greatly enhances security.
On the other hand:
- It is extremely easy for anyone who has privileged access to the computer system to record each user’s typing pattern. This could be done by using keylogging software or, worse, using a specially crafted keyboard in case of physical access to the system.
- It requires that users are actually familiar with the keyboard, at least to the extent that they are able to repeat the password typing pattern without big variations.
- Depending on the strictness of the algorithm, false negatives might occur.
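The verification step described above and the strictness trade-off in the last point, as an added Python sketch that is not the code from Harrington's article or from GDM. It assumes the password itself has already been validated, and the feature choice (dwell and flight times), the z-score metric, the 5 ms floor, the thresholds and all timings are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def typed(text, dwells, flights):
    """Build (key, press_ms, release_ms) events from hold and gap times."""
    t, events = 0, []
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell time per key, then flight time between consecutive keys."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_sd=5.0):
    """Template = per-feature (mean, std dev); min_sd is an assumed floor so
    a very consistent typist is not rejected over a few milliseconds."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), min_sd)) for c in columns]

def score(template, events):
    """Mean absolute z-score of an attempt; lower means closer to the owner."""
    f = features(events)
    if len(f) != len(template):
        return float("inf")
    return mean(abs(x - m) / sd for x, (m, sd) in zip(f, template))

def verify(template, events, threshold):
    """Run only after the password itself has been validated."""
    return score(template, events) <= threshold

# Constructed timings (ms) for a four-character password; not measured data.
PW = "pass"
TEMPLATE = enroll([typed(PW, [90, 80, 85, 95], [120, 60, 150]),
                   typed(PW, [95, 78, 88, 92], [125, 55, 160]),
                   typed(PW, [88, 83, 82, 99], [115, 65, 145]),
                   typed(PW, [92, 79, 86, 94], [122, 58, 152])])
OWNER = typed(PW, [91, 81, 84, 96], [118, 62, 149])
OWNER_TIRED = typed(PW, [100, 90, 95, 105], [135, 72, 170])
OTHER_PERSON = typed(PW, [60, 120, 70, 130], [200, 180, 90])

if __name__ == "__main__":
    for name, a in [("owner", OWNER), ("tired owner", OWNER_TIRED),
                    ("other person", OTHER_PERSON)]:
        s = score(TEMPLATE, a)
        print(f"{name:12} score={s:5.2f} strict={s <= 1.5} lenient={s <= 3.0}")
```

With the strict threshold the tired owner is rejected even though the password is correct, which is the false negative mentioned in the list; the lenient threshold accepts them while still rejecting the other person's rhythm.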
I didn’t have the necessary free time to patch GDM with the provided code, compile it and test the algorithm’s effectiveness.
I mainly found this article very interesting because it is proof that we have just scratched the surface of biometrics. The simplicity of the concept behind this biometric method indicates that there are many new human identification techniques to be discovered and implemented (not only in computer systems), possibly at a cost in terms of personal freedom as a result of misuse of such technologies. But I guess this has always been the problem with technological progress, so, once again, we will have to deal with and resolve any issues that may arise in the future.
Update: At the time of writing this post, a link to the paper that researched keystroke dynamics as a biometric method for authentication was not available in full text. Recently, I did some more research on this and I hereby attach a link to the paper:
- Keystroke dynamics as a biometric for authentication by Fabian Monrose and Aviel D. Rubin, released on March 3rd, 1999.
The paper contains an introduction to biometrics and information about how pattern recognition, representation, extraction and classification can help to improve and personalize the user authentication process.
Cheap Biometrics – Use Keystroke Dynamics to Identify and Verify Users by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2008 - Some Rights Reserved