If one hundred people were to type “The quick brown fox jumped over the lazy dog,” it would yield one hundred unique digital identity specimens. Even if the screen output might be outwardly identical, analysis of the keystrokes would reveal markedly different ways in which the text was inputted and could be tied to the individuals who made them.
Keystrokes are as unique and idiosyncratic as signatures. This means that vast differences will always be observed in the style of typing -- speed, rhythm, capitalization (left or right shift key), fluidity or hesitancy in the strokes, or incidences of misspelling and subsequent correction, among others. Unlike password authentication, keystroke dynamics does not care what is typed, but the way it’s typed.
Interestingly, it was as early as the 19th century when people first cottoned on to the idea of keystrokes as identity. Telegraph operators realized, to their amazement, that they could recognize each other based on individual tapping signatures.
In World War II, Morse code operators had learned that “the way the Morse code is sent is almost as distinctive as the voice”. This discovery proved helpful as it enabled Allied military intelligence to distinguish messages from allies and enemies. Using a methodology called "The Fist of the Sender," the military found out that an individual had a unique way of keying in a message's "dots" and "dashes", creating a pattern that could help tell the friendlies from enemies.
In more recent times, keystroke dynamics was first proposed as a biometric modality for use in digital identity in a 1980 paper by researcher R.S. Gaines whose experiments on touch typists suggested that everyone possessed unique typing signatures which could be used as identifiers.
A recent Polish study explains how keystroke dynamics recognition works, and lists the most frequently used characteristics in the modality, which include “the duration of a specific keypress and intervals between keypresses, typing speed (the average number of keystrokes in a given time), overlapping of a certain key combinations, ratio of Shift or Capslock buttons usage to type upper/lowercase letters, number of errors, error correction methods, and the use of the navigation (arrow) keys for the cursor.”
The paper goes on to discuss the following feature which are analyzed -- 1. Interval (the time between the release of one key and pressing the next, 2. Dwell time—the time between pressing and releasing the same key, 3. Latency—the time between pressing one key and releasing the next one,4. Flight time—time between pressing one and the next key,5. Up to up—the time between releasing the first and next key.
Already, keystroke dynamics is showing its value as a digital identity modality. Online education giant Coursera uses keystroke dynamics to authenticate students in its courses. In order to confirm their identity, students are required to type out a specific sentence at the start and end of the course which would then be matched against each other.
“We created Signature Track to allow students to verify their identity and show that they did the work, and thus provide a more valuable credential, without detracting from the experience of our free courses,” Coursera co-founder Andrew Ng said.
Other industries such as banking, financial services, retail, healthcare, education and defense, have also started adopting keystroke dynamics for multimodal biometrics in a bid to be one step ahead of cybercriminals.
One of the big benefits of keystroke biometrics recognition is its non-intrusive nature, meaning data can be collected with the least effort for all parties. In fact, it could be done as part of the user’s normal login process. Keystroke dynamics is also very cheap to implement as it does not need additional hardware, with all that’s required already inherently built into the system.
Moreover, keystroke dynamics also require just a small amount of data to train a recognition system, resulting in a shorter processing time. It is impervious to external environmental conditions, making the authentication process easier.
Perhaps most importantly, typing habits are virtually impossible to spoof, making keystroke dynamics an excellent addition to the digital security arsenal.
Yet keyboard dynamics is not without drawbacks, the most notable of which the fact that typing patterns can be erratic and inconsistent. Cramped muscles and sweaty hands can potentially alter a person’s typing pattern. The type of keyboard also governs the typing patterns, which could affect verification. Keystroke dynamics also shows sensitivity to the position of the user which implies that if the system was trained when the user was standing up, logging in while in a different position such as sitting down or walking may affect the performance of the verification process, possibly leading to false rejection by the system.
As concerning as these issues are, they do not appear to be fatal flaws as sophisticated algorithms can easily remedy such effects.