The future of identity verification through keystroke dynamics

When someone mentions biometrics, the first (and sometimes the only) thing that comes to mind to many people are physical characteristics on the basis of which people can be unequivocally differentiated and identified: DNA, finger and palm prints, iris shape, and more. All in all, characteristics that people don’t have control over.

But as useful for verification and identification as these characteristics are in the real world, the online one is another matter. The technology behind their exploitation for online authentication is still simply too difficult and too obtrusive to integrate and use and, let’s face it, too costly.

Still, there is another class of biometrics that can prove to be useful and way easier to use for this particular purpose – behavioral biometrics. The term is self explanatory: it’s the biometrics that are related to a person’s behavior.

We all have a way of walking and talking that is typical for us, and the same goes for the way we type. Typing is something we all must do in order to interact with the computer and, through it, with people and online services. Our typing behavior is much easier to record and store, and that process doesn’t require special (read: expensive) devices.

It’s no wonder, then, that a lot of companies have set their sights on developing a solution that will use keystroke dynamics for identifying or verifying users, often in conjunction with other authentication factors.

But, to my knowledge, a German firm by the name of TM3 Software is the only one so far that has been able to develop a solution that works with any text entered by the user, which means that the user’s workflow does not have to be disrupted and that the user can even be unaware of the authentication or identification process – perfect for thwarting fraud attempts.

The name of the solution is KeyTrac, and has been available to the public only for the last four-five months. The solution and the company are a direct result of the work that Dr. Thomas Wolfl – the company founder and CEO – and his team of software development and artificial intelligence experts have been doing at the University of Regensburg.

How does KeyTrac work?
As with all biometric solutions, the first step is to collect the data and use it to create a profile. The KeyTrac recording module can be integrated into an existing form – whether it’s a registration form, a form for entering address and banking data, product descriptions, forum posts, and more – or into a standalone application (e-mail programs, Office solutions, etc.)

The module records the way that the user types and not what the user types, and turns the collected information into biometric keystroke data:

The best part of it is that the collected data does not contain any type of personal information or information that can be used to draw conclusions about the user. The text becomes anonymous as its being typed, and the contents of the text can’t be reconstructed by the system operator or by KeyTrac.

It also doesn’t matter in what language the user types, it only matters that he is familiar with it. It even doesn’t matter what keyboard the user uses, since every key is assigned a keycode and it is the keycode that gets recorded, which allows the solution to be used with any international keyboard layout.

Once the collected keystroke data is sent to the KeyTrac Core Engine, a user profile is calculated on the basis of several attributes that are extracted from it and stored in a database, to be used after in the identification process.

The identification process starts when an unknown user types in text into a form or an application. The keystroke data is collected again and sent to the KeyTrac Core Engine, which compares that information with the information in the user profiles collected in the database.

If the goal is to check if the registration is a duplicate – for example, if the user has forgot his login credentials and is creating a new account – the data will be compared to all the profiles in the database. If the aim is to detect an intruder with stolen credentials, the data will be compared only to the profile of the user whose account the fraudster is trying to hijack.

Among the things that KeyTrac can be used for is also online fraud prevention. Fraudsters could be recognized by their typing pattern, regardless of whether they are using stolen credentials or have opened a new account with bogus information. If a central database of online fraudsters and their typing behavior is set up, the data can also be compared against the profiles in that particular database, preventing, for example, the initiation of fraudulent transactions.

There are other authentication solutions using keystroke dynamics out there, but the fact that the process can be performed without the user knowing about it or without the requirement of typing in a predefined text is the feature that differentiates Keytrac from them.

“All other traditional keyboard biometrics solutions can only be used for password hardening or authentication with always the same fixed text (for enrollment and for authentication),” points out Dr. Florian Dotzler, TM3 Software’s Head of Product Management. “KeyTrac can identify the user by any typed text.” And this is what makes it perfect for e-payment providers, online retailers and banks for securing online banking.

KeyTrac can also be used to prevent subscription or account sharing – very handy for software providers who offer Software-as-a-Service or use the “named user” license model. Furthermore, it can also be utilized to verify the identity of the individual taking an online test, of the author of a digital document, and even to digitally sign emails or documents (click on the screenshot to enlarge it):

Seems like a dream come true, doesn’t it? And what’s more, the integration of the various KeyTrac solutions is easy.

“It takes only one or two days to integrate it in web environments,” explains Dr. Dotzler. “In web scenarios, you only have to integrate a short JavaScript in the header of the website in order to record the typing samples, and then deploy a WAR-File (KeyTrac core system) on the webserver or you integrate our web service.”

“Integration in legacy systems also needs two-three days,” he adds. “But this depends on the use case.”

Is it effective?
When it comes to authentication, behavioral biometrics are usually considered less reliable than physical biometrics because they are different in nature. With physical biometrics, you’re dealing with absolutes – pass or fail. But behavioral biometrics are more about statistics and percentages.

For example, when I tested the KeyTrac online demo, I was consistently identified, but I never achieved a 100% acceptance of reference profile.

It is actually practically impossible even for the same person to replicate the exact pattern recorded and used as reference. But, a 98,96% probability that the I am the person that created the reference pattern was high enough for the system to let me “pass”.

I don’t know what percentage is the set cut off point on this demo, but I know that when I tried to pass off two of my colleagues as me and have them type in a text, they were rejected. And the same happened when I changed my typing pattern by slowing it down and pausing between letters in a word.

The point is, keystroke dynamics is probably not accurate enough to be used as the only identification and authentication method, but combining it with others might just prove to be the missing ingredient for a foolproof solution.

Dr. Dotzler points out that every biometric system has false positives, and that one can lower their number but one can never completely avoid them. The issue can be resolved in a number of ways which depend on the use case.

Keystroke dynamics does present one significant benefit over other authentication methods: keystrokes can be captured constantly, making situations like someone forcing a person to login into a service by typing his password and then taking over the keyboard easily detectable.

But what about the fact that the way one types changes with the time of day, emotional or physical state?

“The system works with algorithms from artificial intelligence,” explains Dr. Dotzler. “These algorithms learn the different characteristics when a user uses different keyboards. During that learning process, there is a lowering of quality of the method.”

But, there are ways to solve this problem. “You can create a second profile for the user (for the second keyboard),” he says. “Also, if the user brakes an arm, his keystroke dynamics will differ so much that the system must be retrained. But small injuries are not a problem.”

Every technology has its weak spot. As we recently witnessed, the RSA breach has showed that even proven technologies such as the SecurID tokens can be bypassed and misused if one knows where to look and what to do.

The saved reference patterns needed for KeyTrac to work could probably be stolen somehow, but can they be used to recreate the typing pattern and execute an successful attack? If the technology itself proves effective and begins to be used by many, there is no doubt in my mind that, in time, someone will figure out how to trick it.

In the meantime, a number of e-payment and e-commerce providers have started using KeyTrac. It may be too early to tell if it is the missing piece of the puzzle that will solve the issue of digital identity verification, but it certainly looks promising.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss