AI / Machine Learning
-
March 14, 2022

A Primer on Keystroke Recognition Technology

Keystroke recognition is a behavioral biometric technology that identifies us by the way we type on computer and smartphone keyboards. Although we might not be aware of it, we each have unique styles of typing with variations in rhythm such as how long we hold the keys down, and the succession of keys we use overall.

Researchers have identified several metrics that help distinguish people based on how they type. Keystroke recognition can, therefore, be used similarly to other biometrics to add another layer of security to commercial applications.

How Keystroke Recognition Works

Like all biometric tools, keystroke recognition systems first need to enroll their users so that they can verify them at a later stage. To enroll, an individual must type a specific word or phrase, in most cases their username and password.

The individual must type the enrollment phrase about 15 times. Ideally, the user completes this process over a long period of time, rather than all at once, for the system to produce an accurate enrollment template.

Typing pattern inconsistencies also arise if users make errors and try to correct them. If users attempt to change what they have already typed (for example, if they backspace to correct a spelling error), the system will prompt the user to start the enrollment process again.

Whatever the user types as their enrollment phrase must be used for all future verifications. Using different words or phrases in verification can affect the behavioral typing characteristics, causing variations to arise between the same user’s enrollment and verification templates.

The distinctive, behavioral characteristics measured by keystroke recognition include: 

1) The cumulative typing speed.

2) The time interval between consecutive keystrokes.

3) The dwell time, i.e. the duration the user holds down each key.

4) The frequency with which one uses the number pad or function keys.

5) The key release and timing in the sequence used to type a capital letter (whether the user releases the shift or letter key first).

6) Flight time - the length of time an individual takes to move from one key to another.

7) Error rates - using the backspace key (although, as mentioned, many systems don’t allow for corrections).

The graphic below illustrates the dwell and flight times:

[Figure: keyboard keys spelling PASSWORD, illustrating dwell and flight times]

With the behavioral characteristics above, the system creates statistical profiles to serve as the enrollment and verification templates. The statistical profiles can either be global or local. Global profiles consider all the typing patterns for the enrollment phrase, and local profiles measure the unique patterns for each keystroke.

When the statistical correlation between the enrollment and verification templates exceeds an established similarity level, the system makes a match. System administrators can adjust this similarity threshold depending on how secure they need the system to be.

An application that requires less security will permit some differences in typing behavior. An application that requires high security, however, will not permit any behavioral differences.
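The enrollment, local-profile and threshold steps described above, as an added example that is not code from the original article. The scoring rule (mean absolute z-score mapped into (0, 1]) is one possible choice and an assumption, and all names and timings are constructed for illustration.

```python
from statistics import mean, stdev

PHRASE = "pass"  # constructed enrollment phrase

def make_sample(dwells, flights, phrase=PHRASE):
    """Build constructed (key, press_ms, release_ms) events from timing lists."""
    events, t = [], 0
    for i, key in enumerate(phrase):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell time of each key, followed by flight time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Local profile: (mean, std) per feature across the enrollment samples."""
    keys = [k for k, _, _ in samples[0]]
    if any([k for k, _, _ in s] != keys for s in samples):
        raise ValueError("every enrollment sample must be the same phrase")
    columns = zip(*(features(s) for s in samples))
    # Floor std at 1 ms so a perfectly steady feature cannot divide by zero.
    return keys, [(mean(c), max(stdev(c), 1.0)) for c in columns]

def similarity(profile, events):
    """Score in (0, 1]; 1.0 means every timing equals the enrollment mean."""
    keys, stats = profile
    if [k for k, _, _ in events] != keys:  # wrong phrase or a correction
        return 0.0
    z = [abs(x - m) / s for x, (m, s) in zip(features(events), stats)]
    return 1.0 / (1.0 + mean(z))

def verify(profile, events, threshold):
    """Match only when the score reaches the administrator-set threshold."""
    return similarity(profile, events) >= threshold

BASE_DWELL, BASE_FLIGHT = [90, 110, 100, 95], [60, 80, 70]
# 15 constructed enrollment samples with a small, repeating timing drift.
ENROLLMENT = [make_sample([d + o for d in BASE_DWELL], [f + o for f in BASE_FLIGHT])
              for o in [(k % 5 - 2) * 4 for k in range(15)]]
PROFILE = enroll(ENROLLMENT)
GENUINE = make_sample([d + 3 for d in BASE_DWELL], [f + 3 for f in BASE_FLIGHT])
IMPOSTOR = make_sample([140, 150, 160, 130], [150, 30, 200])

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("impostor", IMPOSTOR)]:
        print(name, round(similarity(PROFILE, attempt), 3),
              verify(PROFILE, attempt, 0.5), verify(PROFILE, attempt, 0.8))
```

With these constructed timings the genuine attempt passes at a threshold of 0.5 but fails at 0.8, which is the false-reject cost of tightening the similarity level.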

Keystroke recognition systems can also use either static or dynamic verification. Static verification takes place only periodically, typically when the individual logs in to his or her computer. Dynamic verification, on the other hand, involves recording the individual’s keystroke patterns for the entire duration of typing.

Keystroke Recognition Advantages

In contrast to a lot of biometric technologies, keystroke recognition provides the key advantage of being easily set up and put into use. Let's take a look at how.

Ease of installation & integration

Keystroke recognition is purely software-based, requiring no additional, specialized hardware other than a physical or digital keyboard. Consequently, organizations can deploy keystroke recognition cheaply with a single installation.

Keystroke recognition also integrates well with other existing authentication processes. For example, organizations often pair keystroke recognition with traditional password inputs as an extra level of security.

Ease of use

Everyone is familiar with typing their username and password. As a result, properly using a keystroke recognition system requires no extra training or complicated instructions. A user must simply type their password several times for enrollment and, then, only once for each verification.

Keystroke Recognition Disadvantages

Keystroke recognition systems have similar weaknesses to traditional username/password authentication. If a user forgets the password, for example, they will need to reset it and re-enroll themselves in the system with their new password.

Issues with keystroke recognition

The main issue with keystroke recognition is that researchers have not yet proven it to be a reliable method of identification. Although it can produce accurate results, an individual’s typing patterns may vary greatly with time, and the probability that two people have near-identical typing characteristics is unknown. As of now, the accuracy of keystroke recognition has not been thoroughly explored.

Because of the uncertainty regarding the long-term reliability of these systems, few businesses have incorporated keystroke recognition technology into commercial applications. The lack of attention towards this technology has also slowed its development, as more businesses instead focus on other biometrics such as fingerprint recognition.

Although keystroke recognition is easier and cheaper to implement than other biometrics, it lacks the reliability to be used for applications such as physical access control, document verification, or passport verification. Instead, organizations prefer to use it as a form of multifactor authentication (MFA).

With more development, however, keystroke recognition could suit e-commerce applications. For instance, instead of having to remember different usernames and passwords, a user would be able to access an internet banking or e-commerce site by typing in the same text or phrase several times.

Conclusions on Keystroke Recognition

Although keystroke recognition has a long history, many businesses remain unsure about its effectiveness and reliability. What we do know is that there are several measurable typing characteristics that, if analyzed properly, could allow software systems to identify us with decent accuracy. 

Currently, many organizations wish to wait for more research on keystroke recognition before implementing it in commercial applications. However, some businesses have begun using the technology to enhance already existing user-verification methods.

As we research and develop this technology more, we may see it improve in accuracy and be used for applications, such as user authentication for e-commerce transactions.