diploma thesis secure alternatives to password-based authentication … · 2015-07-28 · diploma...


Diploma thesis

Secure Alternatives to Password-based Authentication Mechanisms

submitted by

Patrick Elftmann

Examiners:

Prof. Dr.-Ing. Felix Freiling

Prof. Christian Bischof, Ph.D

Advisor:

Dipl.-Inform. Martin Mink

Laboratory for Dependable Distributed Systems

RWTH Aachen University

Aachen, Germany

October 2006


Declaration

I hereby affirm that I wrote this thesis independently and used no sources or aids other than those stated, and that I have marked quotations as such.

Aachen, October 2006.

_______________________________________

(Patrick Elftmann)


Abstract

Today it is not unusual that one has to authenticate oneself on several IT systems. Most of the time, these systems require a password or a PIN, but faced with the requirement to remember such information, many users encounter difficulties, which tends to result in poor choices or other bad practices. For example, passwords are often based upon dictionary words or personal information, resulting in vulnerability to brute force attacks or social engineering. To address this problem, researchers have developed alternative authentication mechanisms, ranging from password enhancement techniques to token-based authentication systems and biometrics. In particular, graphical passwords and keystroke dynamics are promising alternatives to password-based authentication.

This study presents requirements the alternative authentication mechanisms should meet and reviews and analyzes graphical passwords and keystroke dynamics from a usability and security point of view. Very little research has been done to analyze graphical passwords and keystroke dynamics concerning security.

Graphical passwords use pictures instead of textual passwords and are partially motivated by the fact that humans can remember pictures better than a string of characters. Graphical passwords can be classified into three categories: pure recall-based, cued recall-based and recognition-based. For each category, existing techniques are presented and their strengths and weaknesses are pointed out.

The term keystroke dynamics is used to describe an individual’s typing pattern including latencies, key depress durations and keystroke pressure. Keystroke-based authentication is a relatively new method of biometric identification and provides a comparatively inexpensive method of authentication or of hardening the normal login and password process. A comprehensive survey of existing keystroke dynamics methods and metrics is conducted in this study.


Summary

The best-known and most widespread authentication method is the use of passwords and PINs. Apart from security-critical aspects, most users find it hard to memorize passwords. This leads users to choose short and weak passwords that are easy to guess and susceptible to brute force attacks. To address this problem, alternative methods such as authentication with graphical passwords or keystroke dynamics have been developed.

In this thesis, requirements for alternative authentication methods are set out and the methods are examined for their security and usability. So far there are very few studies that deal with the security of these systems.

Graphical password methods are based on the human brain’s ability to memorize pictures and photos better than combinations of letters. Graphical password systems can be classified into three categories: recall without a cue, cued recall, and recognition. Based on these techniques, various existing graphical password methods for authentication are presented and examined against the requirements and for their usability and security characteristics.

The method of measuring keystroke dynamics, or typing behavior, is a relatively new and still little-used method. It is based on the idea that certain behaviors when typing on a keyboard are characteristic of a person. For this, for example, the key press duration and the time interval between keystrokes are measured. Various methods and metrics of keystroke dynamics are presented in this thesis, and the authentication methods are checked against the requirements and for security and usability.


Contents

1 Introduction  1
1.1 Motivation  1
1.2 Goal  3
1.3 Results  3
1.4 Organization  5
2 Password-based Authentication Mechanism  7
2.1 The Password Problem  8
2.2 Security of Password-based Authentication Mechanisms  10
2.2.1 Snooping and Spying  10
2.2.2 Spyware  11
2.2.3 Social Engineering  11
2.2.4 Guessing  11
2.2.5 Brute Force  11
2.2.6 Dictionary Attack  12
2.2.7 Solutions  12
3 Requirements for an Alternative Authentication Mechanism  13
4 Graphical Password-based Authentication  17
4.1 Pure recall-based Graphical Password Systems  18
4.1.1 Draw-A-Secret  18
4.2 Cued recall-based Graphical Password Systems  20
4.2.1 Passlogix  20
4.2.2 PassPoints  21
4.3 Recognition-based Graphical Password Systems  22
4.3.1 Déjà Vu  22
4.3.2 Passfaces  23
5 Keystroke Dynamics-based Authentication  27
5.1 Identification and Verification  28
5.2 Methods and Metrics for Keystroke Analysis  30
5.3 Performance Measures  32
5.4 Related Work  34
5.5 BioPassword  35
5.6 Summary  36
6 Other Authentication Systems  39
7 Analysis  45
7.1 Analysis of Graphical Passwords  45
7.1.1 Analysis of Draw-A-Secret  45
7.1.2 Analysis of Passlogix  47
7.1.3 Analysis of PassPoints  47
7.1.4 Analysis of Déjà Vu  48
7.1.5 Analysis of Passfaces  49
7.1.6 Security of Graphical Passwords  51
7.1.7 Conclusion  53
7.2 Analysis of Keystroke Dynamics  56
7.2.1 BioPassword  56
7.2.2 Security of Keystroke Dynamics  57
7.2.3 Conclusion  59
8 Passwords Remain Prevalent  63
9 Conclusion  65
Acknowledgments  69
List of Figures  71
List of Tables  73
Bibliography  75


Chapter 1

Introduction

1.1 Motivation

The regulation of access to computer systems, networks and programs is becoming increasingly important as the type of data and the capabilities of these systems become more sensitive and of greater significance. One of the core requirements of modern computing is the need to allow access to these computer systems and networks while preventing unauthorized access. With this increased accessibility and availability of information comes the need for more robust safeguards and system security. The basic problem is to be able to accurately authenticate the identity of an individual and then allow them access to defined resources. Entity authentication is defined as the process of verifying a claimed identity [26].

The most common computer authentication method is a password-based authentication mechanism which uses alphanumeric usernames and passwords. Even though this method is easy to implement and to use, it has been shown to have significant drawbacks. For example, users tend to choose passwords which can be easily guessed. On the other hand, if a password is hard to guess, then it is often hard to remember. Additionally, many users forget their passwords [74], and with the number of passwords per user increasing, the rate of forgetting further increases [1]. A visible consequence is that password users require extensive support: passwords must be reset by IT support. Despite the costs for the support, password mechanisms are often not as secure as expected. The passwords chosen by most users are relatively easy to crack [2]. The continuing increase of networked systems introduces an additional risk, since passwords sent across networks in plain text can be intercepted through mechanisms such as packet sniffing.

There is a need for secure alternatives to password-based authentication mechanisms to address the problems with traditional password authentication. There are several alternative authentication systems to choose from, for example biometrics and token-based mechanisms. However, most of these authentication mechanisms are not widely adopted, for reasons such as the cost of additional hardware, low security or a complex authentication process. Therefore, as part of this study, requirements that alternative authentication mechanisms have to comply with are composed. These requirements include no additional hardware, higher security, a better ability to memorize the alternative password, a simple and easy to execute authentication process, as well as a large area of application. Researchers have developed alternative authentication mechanisms such as graphical passwords or keystroke dynamics which, at first sight, fulfill these requirements.

Graphical passwords are partially motivated by the fact that humans can remember pictures better than text. Generally, pictures are easier to remember or recognize than text. This assumption is supported by psychological studies [58]. In addition, if the number of possible pictures is sufficiently large, the possible password space of a graphical password scheme may exceed that of text-based schemes and thus presumably offers better resistance to dictionary attacks. Graphical passwords can be applied to workstations, web applications, ATMs and mobile devices. Because of these presumed advantages, there is a growing interest in graphical password authentication methods.

Recently, Bank of America introduced a new online security system known as Sitekey [50] which uses a kind of graphical secret. The basic idea of Sitekey is to provide an extra layer of security in case an unknown person attempts to access an online account. It allows customers to select one of a thousand different images, write a brief phrase, and select three challenge questions. The information is then passed back and forth between the customer and Bank of America to confirm each other’s identity. Phishers, who try to deceive users into divulging confidential financial information such as bank and credit account numbers, typically use fake websites that only look legitimate. A Bank of America customer registered with Sitekey, for instance, would immediately know that a phishing site was bogus when it was not able to provide the proper picture.

Steganos Safe 2007 [62] enables users to create any number of secure virtual drives, in which data is safely stored and encrypted. Its features include the ability to use picture sequences as passwords. Steganos introduces an alternative to the traditional password with the so-called Steganos PicPass. A user can create a sequence of pictures from a database of 36 images. This sequence is entered to unlock the data. The pictures can be set so as to never appear in the same place twice and so that a mouse-click recorder cannot log the password.

Keystroke dynamics is a relatively new method of biometric identification and provides a comparatively inexpensive and unobtrusive method of replacing or hardening the normal login and password process. It does not require additional hardware as it uses the existing keyboard to measure keystroke dynamics. The term keystroke dynamics describes an individual’s typing pattern including latencies, key depress durations and keystroke pressure. This pattern is fairly unique to each individual. Furthermore, under the same circumstances a user will consistently have similar keystroke dynamics for a given sample. Keystroke biometrics seem to be a good alternative technology for strengthening access to computer systems.

1.2 Goal

The scope of this study is to present and review alternatives to password-based authentication mechanisms. A special focus will be on graphical passwords and keystroke dynamics. Firstly, the goal is to formulate requirements which these alternative authentication schemes need to satisfy. After reviewing the alternative methods from a security and usability point of view, the result should answer the question of whether the presented schemes are capable of being alternatives to password-based authentication mechanisms.

1.3 Results

Graphical password schemes have been proposed as a possible alternative to text-based schemes because humans can remember images better than a string of characters. Graphical password systems are based either on (1) pure recall, (2) cued recall, or (3) recognition. Using recall-based techniques, a user is asked to reproduce something that he created or selected earlier during the enrollment phase. With cued recall there is a hint, for example a picture, which helps the user to remember the graphical password. Recognition involves identifying whether one has seen an image before. The user must only be able to recognize previously seen images, not generate them unaided from memory.

Draw-A-Secret (DAS) [34] is a pure recall-based graphical password scheme which allows the user to draw a unique password on a 2D grid. The full password space of DAS on a 5×5 grid is larger than the full text password space. DAS passwords of length eight or larger on a 5×5 grid are less susceptible to dictionary attack than textual passwords [66]. However, the registration and the authentication process with DAS take much longer than with text-based passwords. Typing in a password can be done very fast, while drawing a picture, depending on its complexity, is likely to be more time-consuming.

Passlogix [14] and PassPoints are both cued recall-based graphical password systems. They follow the first idea of graphical passwords described by Blonder [13]. His approach was to let the user click, with a mouse or stylus, on a few previously chosen regions in an image that appeared on the screen. The problem with Passlogix is that the number of predefined regions is small, just a few dozen in a picture. For adequate security the password may therefore need several clicks, possibly more clicks than there are characters in a secure textual password. The PassPoints system extended Blonder’s idea by eliminating the predefined boundaries. As a result, a password can be any arbitrarily chosen sequence of pixels in the image. This guarantees a very large password space, larger than the password space of alphanumeric passwords.

Déjà Vu [23] and Passfaces [6] are recognition-based authentication techniques. The user must recognize previously chosen images in several rounds. Déjà Vu uses random images whereas Passfaces uses pictures of faces. Results from a user study [24] showed that 90% of all participants succeeded in authenticating with the graphical authentication mechanism of Déjà Vu, while only 70% succeeded using text-based passwords and PINs. However, the probability of a brute force search being successful is greater than with text-based passwords. Passfaces, which has been shown to be very memorable over long intervals [69], has similar security issues. To obtain security similar to that of an eight-character alphanumeric password over an alphabet of 94 characters, 16 or 17 rounds with nine faces each would be required. This would make the log-in slow and tedious.
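The rounds-versus-characters figure above can be checked by computing the password spaces directly. The following Python is an added example, not code from the thesis; it applies the same count to the few-dozen-region Passlogix case from the preceding paragraph and to PassPoints, where the region count (36), the image size and the click tolerance are assumptions of the example.

```python
import math

# Added worked example, not code from the thesis. It reproduces the
# password-space comparison made in the Results section between an
# eight-character text password over 94 symbols and recognition- or
# click-based graphical schemes. Parameters marked "assumed" are
# illustrative values chosen for this example, not figures from the thesis.

TEXT_ALPHABET = 94   # printable ASCII symbols, as in the thesis' comparison
TEXT_LENGTH = 8      # "eight-character alphanumeric password"


def text_password_space(alphabet=TEXT_ALPHABET, length=TEXT_LENGTH):
    """Number of distinct textual passwords: alphabet ** length."""
    return alphabet ** length


def bits(space):
    """Express a password space as an equivalent key length in bits."""
    return math.log2(space)


def rounds_needed(choices_per_round, alphabet=TEXT_ALPHABET, length=TEXT_LENGTH):
    """Smallest number of rounds (Passfaces) or clicks (Passlogix) for which
    choices_per_round ** rounds reaches the textual password space.

    Each round contributes one choice out of choices_per_round, so the space
    grows multiplicatively; counting up instead of taking logarithms avoids
    floating-point rounding at the boundary."""
    target = alphabet ** length
    rounds, space = 0, 1
    while space < target:
        space *= choices_per_round
        rounds += 1
    return rounds


def passpoints_space(width, height, tolerance, clicks):
    """Assumed model for PassPoints: a click is accepted anywhere inside a
    tolerance square, so the effective alphabet is the number of
    tolerance-sized cells in the image, raised to the number of clicks."""
    cells = (width // tolerance) * (height // tolerance)
    return cells ** clicks


def brute_force_success_probability(guesses, space):
    """Chance that a given number of distinct guesses hits one fixed secret
    drawn uniformly from the space (the comparison the thesis draws between
    Déjà Vu and text passwords)."""
    return min(1.0, guesses / space)


def comparison():
    """Summarize the schemes discussed above at roughly equal security."""
    text_space = text_password_space()
    return {
        "text_bits": round(bits(text_space), 1),                 # about 52.4
        "passfaces_rounds_of_9": rounds_needed(9),               # thesis: 16 or 17
        "passlogix_clicks_36_regions": rounds_needed(36),        # assumed 36 regions
        # assumed 640x480 image, 10-pixel tolerance, 5 clicks; a coarser
        # tolerance shrinks this space quickly
        "passpoints_bits": round(bits(passpoints_space(640, 480, 10, 5)), 1),
        # one million guesses against each space
        "p_hit_text": brute_force_success_probability(10**6, text_space),
        "p_hit_passfaces_5_rounds": brute_force_success_probability(10**6, 9**5),
    }


if __name__ == "__main__":
    for name, value in comparison().items():
        print(f"{name}: {value}")
```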

Every graphical password scheme has its strengths and weaknesses. Speaking of security, most graphical passwords are more difficult to break using traditional attack methods such as brute force search, dictionary attack, and spyware.

Keystroke dynamics is a biometric authentication mechanism, defined as the process of analyzing the way users type by monitoring keyboard inputs and identifying them based on patterns in their typing rhythm. Keystroke dynamics can be used for verification and identification. In the case of verification, the identity of the user is verified by measuring the typing pattern while the username and the password are entered and comparing the measurements to a previously stored profile. In the identification case a larger amount of keystroke dynamics data is collected, and the user of the computer is identified based on previously collected keystroke dynamics profiles of all users. Verification is easier to implement than identification and is far more studied. Over the last two decades many keystroke dynamics schemes using different methods and metrics have been developed. The most commonly used keystroke dynamics metric is digraph latency, which measures the latency period between two keystrokes. Initial work required demanding input, whereas more recent work has attempted to minimize such input requirements, relying only on usernames and/or passwords. There is also a relatively wide range in performance, with published False Accept Rates ranging from 0 to 8% and False Reject Rates ranging from 0 to 45%. Currently, the most common and widely known application that uses keystroke dynamics technology is BioPassword. It is designed to replace the default log-in system used in the Windows NT/2000/XP operating systems. Username and password must be input, and only if the typing pattern matches the stored template is the user allowed to log in. However, this is not an alternative to a password-based authentication mechanism, since username and password are still required. Thus, keystroke dynamics enhance the traditional authentication scheme and provide an additional layer of security.
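As an added illustration of verification mode with the digraph-latency metric (example code, not the thesis' or BioPassword's implementation), the following Python enrolls a typing profile from several typings of a password, verifies login attempts against it with a distance threshold, and reports the False Accept and False Reject rates on constructed genuine and impostor attempts. All keystroke timings, the password, the z-score distance and the threshold values are assumptions of the example.

```python
from statistics import mean, pstdev

# Added example, not code from the thesis or from BioPassword. It shows
# verification mode with the digraph-latency metric: a profile is enrolled
# from several typings of the password, a login attempt is compared against
# it, and False Accept / False Reject rates are measured. All keystroke
# timings below are constructed sample data (milliseconds), not measurements.


def digraph_latencies(keystrokes):
    """keystrokes: list of (key, press_time_ms) in typing order.
    Returns {digraph: latency} with latency = time between the two key presses."""
    return {k1 + k2: t2 - t1 for (k1, t1), (k2, t2) in zip(keystrokes, keystrokes[1:])}


def build_profile(samples):
    """Enrollment: per-digraph mean and standard deviation over several samples
    of the same string. A floor of 1 ms on the deviation avoids division by
    zero for a user who types a digraph with identical timing every time."""
    by_digraph = {}
    for sample in samples:
        for digraph, latency in digraph_latencies(sample).items():
            by_digraph.setdefault(digraph, []).append(latency)
    return {dg: (mean(v), max(pstdev(v), 1.0)) for dg, v in by_digraph.items()}


def distance(profile, attempt, missing_penalty=3.0):
    """Mean absolute z-score of the attempt's latencies against the profile.
    A digraph the attempt never produced (typo, different string) is scored
    with an assumed fixed penalty instead of being silently skipped."""
    latencies = digraph_latencies(attempt)
    scores = [abs(latencies[dg] - mu) / sigma if dg in latencies else missing_penalty
              for dg, (mu, sigma) in profile.items()]
    return mean(scores)


def verify(profile, attempt, threshold):
    """Verification mode: accept only if the attempt is close enough to the
    stored template. The threshold trades FAR against FRR."""
    return distance(profile, attempt) <= threshold


def error_rates(profile, genuine_attempts, impostor_attempts, threshold):
    """Returns (FAR, FRR): impostors accepted / impostors, genuine rejected / genuine."""
    far = sum(verify(profile, a, threshold) for a in impostor_attempts) / len(impostor_attempts)
    frr = sum(not verify(profile, a, threshold) for a in genuine_attempts) / len(genuine_attempts)
    return far, frr


def typed(text, latencies, start=0):
    """Build a keystroke list from a string and the latencies between its keys."""
    events, t = [(text[0], start)], start
    for ch, lat in zip(text[1:], latencies):
        t += lat
        events.append((ch, t))
    return events


# Constructed data: one user's rhythm for the password "secret" (digraphs
# se, ec, cr, re, et), five enrollment typings with small uniform drift,
# then genuine and impostor login attempts.
PASSWORD = "secret"
RHYTHM = [120, 90, 150, 100, 80]
ENROLLMENT = [typed(PASSWORD, [l + d for l in RHYTHM]) for d in (-10, -5, 0, 5, 10)]
GENUINE = [typed(PASSWORD, r) for r in ([125, 85, 160, 95, 90],
                                        [130, 100, 140, 110, 70],
                                        [100, 120, 150, 100, 80],
                                        [150, 60, 180, 130, 50])]   # rushed, atypical typing
IMPOSTORS = [typed(PASSWORD, r) for r in ([200, 180, 60, 220, 150],
                                          [110, 100, 140, 110, 90],  # close to the genuine rhythm
                                          [90, 130, 200, 60, 120])]


def demo(threshold):
    """(FAR, FRR) for the constructed data at a given acceptance threshold."""
    profile = build_profile(ENROLLMENT)
    return error_rates(profile, GENUINE, IMPOSTORS, threshold)


if __name__ == "__main__":
    for th in (1.0, 1.5):
        far, frr = demo(th)
        print(f"threshold {th}: FAR={far:.2f} FRR={frr:.2f}")
```

Lowering the threshold from 1.5 to 1.0 drives the FAR on this data to zero but triples the FRR, which is the trade-off behind the wide published ranges quoted above.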

Graphical passwords and keystroke dynamics are promising authentication mechanisms but do not fulfill all requirements for an alternative authentication mechanism presented in this study. Finally, textual passwords will probably remain the most used authentication system, at least for some time, and cannot be replaced by other alternative authentication mechanisms in every area of application.

1.4 Organization

The remaining sections of this thesis are subdivided as follows. Chapter 2 presents the well-known password-based authentication scheme, points out the major problems with passwords and provides an overview of traditional attack techniques used to break passwords. Chapter 3 covers the requirements a secure alternative authentication method should meet. Chapter 4 focuses on graphical passwords, sorts them into three different categories and reviews existing authentication mechanisms. Chapter 5 presents a literature review providing introductions to keystroke dynamics, identification and verification mode, and performance measures within biometrics. Chapter 6 looks at further alternative authentication mechanisms. Chapter 7 reviews whether graphical passwords and keystroke dynamics meet the requirements presented before. For this, both authentication mechanisms are analyzed from a security and usability point of view, and considerations and limitations of each authentication system are offered. Chapter 8 suggests that passwords will remain prevalent in the near future. Finally, Chapter 9 provides the conclusions drawn from the study and how they apply to the related fields.


Chapter 2

Password-based Authentication Mechanism

The majority of user authentication mechanisms in operating systems, applications and websites involve the use of passwords. The user is simply asked to input a username and a password. Passwords remain the method of choice in spite of recognized vulnerabilities, many of which arise from the behavior of users. Since the first computers were created in the early 1960’s, passwords have been the method of authentication in computer systems. In the last two decades, other aspects of computer interfaces have changed significantly, for example with the arrival of graphical user interface (GUI) environments, but security systems have remained the same. As a result, an authentication method inherited from the command line age is still in use.

Studies have shown that end users’ behavior introduces the majority of password weaknesses, by sharing passwords or by choosing passwords that are easy to remember. For an attacker these passwords can easily be guessed or cracked [15]. For example, a previous study has shown that in a sample of 15,000 passwords nearly 25% could be cracked in less than a week [37]. Today, parallelized programs which use hundreds of CPUs are able to break passwords even faster, and to crack more complex passwords in the same time. By the early 1990’s an Internet Engineering Task Force (IETF) request for comments (RFC) was already treating the matter as a serious security threat and proposing the minimum requirements that a password must comply with: it should have a minimum length of six characters and should consist of characters drawn from mixed-case letters, punctuation symbols and digits [30]. In order to increase security, some administrators assign passwords to the users, but then other problems arise. People start writing the password down because it is no longer simple to remember, and the effect becomes even worse [15]. The problem that secure passwords are difficult to remember and easy-to-remember passwords are, in most cases, easy to break is referred to as the Password Problem [73].

2.1 The Password Problem

The password problem arises because passwords are expected to comply with two conflicting requirements, namely:

1. Passwords should be easy to remember, and the user authentication protocol should have the ability to be executed quickly and easily by humans.

2. Passwords should be secure, i.e. they should look random, be hard to guess and be changed frequently. Passwords should be different on different accounts of the same user and not be written down or stored in plain text.

It is almost impossible for users to fulfill both requirements [73]. Today, from a security point of view, the ideal password is a string of eight or more random characters, including digits, letters with a mixture of upper and lower case, and special characters, that is not a dictionary word and is not related to relevant data such as a social security number, street address, or birth date. A random password has no content or context and should not be familiar. It can only be learned by using it over and over again. However, since repetition is a weak way of remembering, users often completely ignore the recommendations for pseudo-random passwords. Surveys show that frequent passwords are the word ‘password’, personal names of family members, names of pets, and dictionary words [56]. Passwords also tend to be too short.

The password problem arises mainly from fundamental limitations of human long-term memory. Once a password has been chosen and learned, the user must recall it to log in. However, people regularly forget their passwords. The “Power Law of Forgetting” states that people rapidly forget soon after having learned something, followed by a very slow drop-off thereafter [73]. Psychological theories have attributed forgetting to decay through the passage of time and to interference, in which new items in memory disrupt existing ones (retroactive interference) or, conversely, are disrupted by existing ones (proactive interference).

The fact that people often forget passwords can be explained by decay and interference. Users are expected to learn a password and remember it over time. However, other items in memory compete with the password and make it more difficult to recall correctly. If a password is not used regularly it will be especially vulnerable to being forgotten. Research has shown that when users fail to recall a password, they are still often able to recall parts of it correctly [56]. However, recalling only parts of the password has no value for authentication.

Moreover, today’s users have to remember many passwords for computers, networks, websites, and much more. A survey of over 3,000 IT workers found that the average IT worker has to remember approximately five to six passwords and almost 25% of IT workers have to manage eight or more passwords [4]. The more passwords a person has to remember, the lower the chance of remembering any specific password. Having multiple passwords also increases the chance of interference among similar passwords. This is especially true for systems that are not used frequently.

In addition, some computer systems require frequent password changes in an effort to increase security. Passwords that change frequently are more difficult to crack by brute force search because of the time such attacks require. If the intruder does not act immediately, the password may soon become worthless, even if the user does not know that the password has been stolen. Common practice requires that passwords are changed every 30 or 90 days. However, the more frequently a password has to be changed, the harder it will be to remember. These frequent password changes increase potential interference and are likely to lead either to forgetting passwords or to forgetting which system a password is associated with. Secondly, frequent password changes create additional workload. Users must think of new passwords that conform to all of the organization’s requirements but that are also easy to remember. System-enforced password policies, however, cannot guarantee password secrecy. There are no systems that can prevent a user from writing down their password.

To a single user in an office environment, the costs of forgetting a password are fairly slight. The user will call the helpdesk and ask to have the password reset. Many systems allow users to reset their own passwords by asking for additional information, for example the mother's maiden name or the city of birth, and sending the new password to a known e-mail address. No matter how easy the process, the user will experience some frustration and lose some productivity. For the organization as a whole, however, forgotten passwords have significant costs. In a report published by Gartner [17], the number of password-related helpdesk calls per user per year is estimated at 3.8 in their most conservative scenario. According to them, up to 30% of all helpdesk calls are password-reset requests, taking an average of 20 minutes to resolve and costing more than $20 each in helpdesk costs. In a study by the Aberdeen Group [31], the labour cost for configuring and maintaining password systems averages between $100 and $150 per user for a small company with up to 100 users, equating to $15,000 a year. A mid-tier company of 1,000 users will experience $200 per user, equating to $200,000 per year.

To "solve" the password problem, users will try to decrease the memory burden at the expense of security. Most commonly, the user will write down passwords, raising the potential for compromise of the passwords. In the case of multiple systems, users may choose only one password for all systems. This reduces security: if the password is broken for one computer system, every other system is compromised as well. Alternatively, users create their own rules to generate multiple passwords that have something in common, for example adding a digit to a base word for each new password, which is also an unsafe method because the variants are easily derived from one another. Weak passwords can be broken by dictionary attacks or by attacks based on knowledge about the password owner. Because of password-cracker programs, users need to create unpredictable passwords, which are more difficult to memorize.

Before reviewing and later analyzing alternative authentication mechanisms from a secu-

rity point of view, it is important to understand how passwords are endangered and why

various password policies are not obeyed. In the sections that follow, several methods

that intruders use to illegitimately obtain passwords and access to computer systems are

described.

2.2 Security of Password-based Authentication Mechanisms

The security of a password-based authentication system rests on the difficulty of cracking its passwords. On a standard US keyboard, 26 lowercase letters, 26 uppercase letters, 10 digits, and 32 symbols are available. If all 94 of these characters may occur in a random eight-character password, the password space is 94^8 ≈ 6.1 × 10^15.

There are several ways for attackers to break a user’s password. The following gives a

brief overview of different techniques to break or to obtain passwords:

2.2.1 Snooping and Spying

A simple way to obtain a user's password is to watch the user during authentication, so-called shoulder surfing. Computers located in public areas are especially susceptible, for example in internet cafes, or a laptop on an airplane. Of course, snooping can also be done electronically, by a small video camera which records finger movements. Spyware is also able to record a user's keystrokes and interactions.


2.2.2 Spyware

Spyware is software that records information about users, usually without their knowledge.

In a typical case, users unintentionally install spyware when they visit certain websites or

install unapproved software. Spyware may be used in conjunction with social engineering

techniques to trick users into installing the spyware. The software then spies on the user’s

sensitive data.

2.2.3 Social Engineering

Social engineering is the practice of obtaining confidential information by manipulation

of legitimate users. A social engineer will commonly use the telephone or internet to

trick people into revealing sensitive information or getting them to do something that is

against typical policies. Using this method, social engineers exploit the natural tendency

of a person to trust his or her word, rather than exploiting computer security holes.

Phishing is social engineering via e-mail or other electronic means. It is characterized by attempts to get sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication. The term phishing is a respelling of 'fishing', alluding to the increasingly sophisticated lures used to 'fish' for users' financial information and passwords; the expansion 'password harvesting' is a later backronym.

A spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage. Spoofing is often used in conjunction with phishing. In a typical spoof, the target receives an e-mail alleging to be from a trusted source. The e-mail may look completely legitimate, containing graphics and logos from the trusted source.

2.2.4 Guessing

Despite being prohibited by most password security policies, people use common words

for their passwords. The words they choose are often easy to guess, such as the name of

a family member, a birth date, or even just ‘password’. A potential intruder may try to

break into a system by guessing several likely candidates.

2.2.5 Brute Force

In a brute force attack, an intruder tries every possible password. The larger the password space, the more secure a password is against brute force attacks. Even if an intruder could try 100 million combinations per second, exhausting the full 94^8 space of the previous section would take almost two years, and on average the password is found after half the space has been searched, i.e. within the first year. However, users often use weak passwords, so the search space for the brute force attack is actually much smaller.
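The arithmetic above, as an added worked example (not code from the thesis): the password space of section 2.2, its size in bits, and the worst-case and expected brute-force time at the 100 million guesses per second assumed in the text, set against the reduced alphabets that weak passwords are actually drawn from. The alphabet sizes are the ones counted in section 2.2; the guess rate is the text's assumption, not a measurement.

```python
import math

# Character classes available on a standard US keyboard, as counted in the text.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
FULL_KEYBOARD = LOWER + UPPER + DIGITS + SYMBOLS  # 94 characters


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def cumulative_space(alphabet_size: int, max_length: int) -> int:
    """Passwords of length 1..max_length: what an attacker who does not know
    the exact length has to search (only about 1% more than the longest length)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(space: int) -> float:
    """Size of the space expressed in bits."""
    return math.log2(space)


def days_to_crack(space: int, guesses_per_second: float, expected: bool = False) -> float:
    """Days needed to exhaust the space; with expected=True the average case,
    i.e. the password is found after half the space has been searched."""
    seconds = space / guesses_per_second
    if expected:
        seconds /= 2
    return seconds / 86_400


def compare_policies(length: int = 8, guesses_per_second: float = 1e8) -> dict:
    """Worst-case cracking time in days for the full keyboard versus the
    reduced alphabets users tend to draw from when left to themselves."""
    policies = {
        "full keyboard (94)": FULL_KEYBOARD,
        "letters+digits (62)": LOWER + UPPER + DIGITS,
        "lowercase+digits (36)": LOWER + DIGITS,
        "lowercase only (26)": LOWER,
    }
    return {name: days_to_crack(password_space(size, length), guesses_per_second)
            for name, size in policies.items()}


if __name__ == "__main__":
    space = password_space(FULL_KEYBOARD, 8)
    print(f"94^8 = {space:.2e} ({entropy_bits(space):.1f} bits)")
    for name, days in compare_policies().items():
        print(f"{name:22s} {days:10.2f} days worst case")
```

At 10^8 guesses per second the full 94^8 space (about 52 bits) takes roughly 705 days to exhaust, while an eight-letter lowercase password falls in about half an hour; the policy question is therefore not the nominal space but the space users actually draw from.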

2.2.6 Dictionary Attack

A dictionary attack is a technique for defeating an authentication mechanism by searching a large number of likely candidates for its password or passphrase. In contrast to a brute force attack, where all possibilities are searched exhaustively, a dictionary attack only tries the candidates most likely to succeed, typically derived from a list of words in a dictionary. Protection against dictionary attacks is the main reason that many security policies prohibit the use of words. Avoiding dictionary attacks also inspires policies to break up words with numbers or symbols as in 'myp8ssword'; note, however, that such substitutions are predictable and are routinely generated by cracking tools as variants of the underlying dictionary word. Dictionary attacks are mainly successful because of cognitive pressures on the users. It is easier to remember a word than it is to remember random letters, so users naturally choose words.

2.2.7 Solutions

The majority of solutions to the problem of weak passwords fall into three main categories: (1) proactive security measures that aim at identifying weak passwords before they are broken, by regularly running password-cracking programs against the password file or by checking a new password against a dictionary at the moment it is chosen; (2) technical measures that increase the computational overhead of cracking passwords, for example salting and iterating the password hash; (3) user training and education to raise security awareness and establish security guidelines and rules for users to follow.
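The following added example (my own illustration, not code from the thesis or from any of the cited tools) ties sections 2.2.6 and 2.2.7 together: a candidate generator that derives the usual variants of dictionary words (digit or year suffix, 'myp8ssword'-style substitutions), a dictionary attack against an unsalted hash, the same generator reused as the proactive check of solution (1), and a salted, iterated hash as an instance of solution (2). The word list, the mangling rules and the iteration count are constructed for the example; real attacks use far larger lists and far richer rule sets.

```python
import hashlib
import hmac
import os
from typing import Iterable, Iterator, Optional, Tuple

# Constructed toy word list for the example; a real attack uses lists of
# millions of words plus previously leaked passwords.
DICTIONARY = ["password", "letmein", "summer", "aachen", "dragon"]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word: str) -> Iterator[str]:
    """Variants users typically derive from a base word: case changes, a digit
    or year suffix, a trailing '!', leetspeak, and one inner letter replaced by
    a digit as in 'myp8ssword'. These mirror the habits described in 2.1 and 2.2.6."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in bases}
    for b in sorted(bases):
        yield b
        yield b + "!"
        for digit in range(10):
            yield f"{b}{digit}"
        for year in ("2005", "2006"):
            yield b + year
        for i in range(1, len(b) - 1):          # replace one inner letter
            yield f"{b[:i]}8{b[i + 1:]}"


def candidates(words: Iterable[str]) -> Iterator[str]:
    for w in words:
        yield from mangle(w)


def unsalted_hash(password: str) -> str:
    """An unsalted fast hash: one cheap computation per guess for the attacker."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash: str, words: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try every mangled dictionary word until one hashes to target_hash.
    Returns the recovered password (or None) and the number of guesses made."""
    guesses = 0
    for cand in candidates(words):
        guesses += 1
        if unsalted_hash(cand) == target_hash:
            return cand, guesses
    return None, guesses


def proactive_check(new_password: str, words: Iterable[str]) -> bool:
    """Solution (1): run the attacker's own candidate generator at password-change
    time and reject anything it would find."""
    return new_password not in set(candidates(words))


ITERATIONS = 100_000   # work factor; raise it as hardware gets faster


def stretched_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Solution (2): a per-user random salt defeats precomputed tables, and the
    PBKDF2 iterations multiply the attacker's cost per guess by ITERATIONS."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_stretched(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(stretched_hash(password, salt)[1], digest)
```

Against the unsalted hash the attack finds 'summer2006' after a few hundred guesses; against the stretched hash each of those guesses costs 100,000 HMAC evaluations, and the salt forces the attacker to repeat that work for every user separately.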

However, the mismatch between the requirements for good passwords and human

capabilities remains. In fact, most knowledge-based user authentication systems rely

on perfect memorization. A better way to solve the password problem is to develop

authentication systems which reduce fundamental memory problems while preserving

security.

Before looking at alternative authentication systems, the next chapter states the requirements these authentication schemes should fulfill.


Chapter 3

Requirements for an Alternative

Authentication Mechanism

Alternatives to password-based authentication mechanisms already exist, but they are not widely accepted and adopted in today's computer systems. There are several reasons for this, such as user resistance to change, costs for additional hardware, or a poor level of security. Therefore, in the following, requirements are compiled which are believed to be important for an authentication mechanism in order to be considered as an alternative to a password-based authentication system.

Talking about secure alternatives to password-based authentication mechanisms the most

important question is what the ideal or perfect authentication system would look like.

The ideal solution to strong authentication is built primarily around two factors: End

user requirements and effective security. The ideal solution should meet the following

criteria:

(R1) No additional hardware required – It is unreasonable to assume that users will

embrace the idea of carrying multiple tokens with them everywhere they go. Nor

will the average user feel comfortable adding hardware such as smart card readers

or biometrics to all of their systems.

Biometric-based authentication techniques, such as fingerprints, iris scan, or facial

recognition, are not yet widely adopted. The major drawback of this approach is

that such systems are expensive since they need additional hardware. Not only are

there high initial costs associated with buying the hardware and implementation,

there are ongoing maintenance and support expenses. Lost or broken hardware must

be replaced. But even more important, users with broken authentication devices

cannot access their accounts. Hardware must be replaced or repaired immediately

and this burden will involve and affect the end user. Therefore the alternative


authentication mechanism should not require additional hardware.

(R2) Higher security – Text-password-based authentication schemes are a popular and widely used means of authenticating users in computer systems. However, standard security practices that were intended to make passwords more difficult to crack, such as requiring passwords that look random (high entropy) and frequent password changes, have made password systems less usable and, paradoxically, less secure. Compared to password-based authentication mechanisms the alternative scheme should be more secure. For example, it should have a larger password space or be more resistant against brute force or dictionary attacks. Not being able to write the alternative password down or to pass it on to somebody else can also be considered a gain in security. Therefore the alternative authentication mechanism should provide a higher level of security.

(R3) Better memorability – From a human point of view, the problem of creating a password is to make it memorable so that the user can retrieve it later. This is especially difficult if one wants to create and memorize a secure password. As pointed out in the discussion of the password problem (section 2.1), it is hardly possible for a human to create passwords that are secure and memorable at the same time. Therefore, the alternative password should be easier to memorize, or in the best case there should be no password to memorize at all.

(R4) Simple and easy to use – Until recently the security problem has been formu-

lated as a technical problem. However, it is now becoming more and more recognized

that security is also fundamentally a human-computer interaction (HCI) problem

[52]. Security mechanisms cannot be effective without taking the user into account.

HCI functions in two ways: the usability of the security mechanisms themselves

and the interaction of the security mechanisms with user practices and motivations.

Therefore, the process of enrollment, training and authentication in the alternative

authentication mechanism should be easy and quick. The ideal solution is based on

something the user already knows or does, and is not overwhelmingly technical.

(R5) Large area of application – Password authentication systems are used widely: to log on to a PC, to switch on a mobile device, to access a banking application on the internet, to retrieve e-mail, or to withdraw money from an ATM. The traditional text-based password authentication scheme is used on different platforms and is not limited to any special application or area. Therefore, the alternative authentication mechanism should have the same large application area and should not be limited to a special application or area.


The ideal alternative authentication mechanism should meet all of the above requirements simultaneously. Only if all requirements are satisfied can the authentication scheme be considered an alternative to password-based authentication systems that is ready to be deployed in today's computer systems.

To address the problems with traditional password authentication, researchers have developed alternative authentication mechanisms such as graphical passwords and keystroke dynamics. The following chapter presents graphical password schemes, which later have to prove that they satisfy all requirements stated here.


Chapter 4

Graphical Password-based

Authentication

Knowledge-based schemes are predominantly used for user authentication in today’s

security systems. Despite their wide usage, passwords and PINs have a number of

shortcomings. Simple or meaningful passwords are easier to remember. At the same

time they are vulnerable to attacks. Passwords that are complex and arbitrary are more

secure, but are difficult to remember. Since users can only remember a limited number of

passwords, they tend to write them down or they use similar or even identical passwords

for different purposes.

One approach to improving user authentication is to replace text passwords with image-based authentication mechanisms, which are considered better than text passwords for several reasons. First of all, images are easier to remember than a string of characters. This is due to the fact that the human brain has difficulties in remembering information when it is not part of a context, whereas an image can easily provide a context by itself [9]. According to psychology researchers, the human brain is good at recognizing images. Two studies substantiate this ability. In the first test [61], 2,560 photos were presented to a group, with each image shown for a few seconds. The participants then had to examine a set of images composed of new and already seen images and indicate which images they had seen before. The result of this experiment was a 90% recognition rate. Another study [60] followed a similar principle: the participants saw 10,000 pictures in two days and achieved a recognition rate of 60%.

Graphical passwords were first described by Blonder [13]. In his description of the concept, an image appears on the screen, and the user must click on a few previously chosen regions of the image. The user is successfully authenticated if the correct regions are clicked. From a human point of view, the problem of creating a password is to make it memorable so that the user can retrieve it later. In a graphical password system, a user choosing click locations in an image needs to choose memorable locations [73]. There are

two issues in the capacity of remembering: the nature of the image itself and the sequence

of locations to click. In terms of the choice of image, studies of perception indicate that

in a mixed-up image people will be slow to recognize individual objects [10]. For high

memorability of click locations, images should have semantically-meaningful content,

since meaning for arbitrary things is poor [47]. This suggests that images of concrete

scenes are easier to remember than abstract images. The long-term memory stores

a meaningful interpretation of the image, rather than the image itself. Unimportant

visual details will be lost [42]. Thus, a user will be dependent on the encoding used

while learning to retrieve the locations. To store information in long-term memory the

information must be processed in a deep and meaningful way that creates a strong

memory [21].

Graphical password systems can be classified as either recognition-based, cued recall-based

or pure recall-based [73]. Recognition involves identifying whether one has seen an image

before. The user must only be able to recognize previously seen images, not generate

them unaided from memory. In contrast, pure recall is retrieval without external cues

to aid memory. Using recall-based techniques, a user is asked to reproduce something

that he or she created or selected earlier during the registration stage, for example,

remembering a textual password that one has not written down. Pure recall is a harder

memory task than recognition [47]. Between pure recall and pure recognition there is a

different form of recollection: cued recall. An example of cued recall within graphical

password systems is scanning an image to find previously chosen locations in it. Viewing

the image cues the user about the locations. This is easier than having to recall something

entirely from memory (i.e. free recall), but harder than simply recognizing whether a

particular image has been seen before or not (i.e. recognition) [73].

In the sections that follow, several graphical password authentication schemes based on

different techniques are reviewed.

4.1 Pure recall-based Graphical Password Systems

4.1.1 Draw-A-Secret

In the Draw-A-Secret (DAS) scheme by Jermyn et al. [34], the password is a simple picture drawn on a G × G grid. This approach is alphabet independent: users do not have to remember any kind of alphanumeric string. Each grid cell is denoted by two-dimensional coordinates (x, y) ∈ [1...G] × [1...G]. A completed drawing is encoded as a sequence of coordinate pairs by listing the cells through which the drawing passes, in the order in which it passes through them. Each time the pen is lifted from the grid surface, this 'pen-up' event is represented by the distinguished coordinate pair (G+1, G+1). In order to authenticate, the user is asked to re-draw the picture, which must have the same encoding. Two drawings that have the same encoding, i.e. that cross the same sequence of grid cells with pen-up events in the same places in the sequence, are considered equivalent; the exact shape of the strokes within a cell does not matter. The procedure of enrollment and authentication with a DAS implementation on a PDA is shown in figure 4.1.

Figure 4.1: A password is created by drawing the secret on the display as shown in (a). The internal representation of the input password, showing the cells covered by the user's drawing, and the derived key are depicted in (b) and (c) respectively. To apply a symmetric cryptographic function to records in the database (shown in (d)), the user selects the records and then re-inputs the DAS password. If the encryption of a known cleartext with the input password matches the stored ciphertext created during initialization, the symmetric cryptographic routine is applied to the selected records. Otherwise, the user is prompted to re-enter the DAS secret [34].
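An added example of the DAS encoding described above (my own code, not the implementation of Jermyn et al.): sampled pen strokes in pixel coordinates are mapped to the cells of a G × G grid, consecutive samples in the same cell are collapsed, (G+1, G+1) marks each pen-up, and two drawings are compared by their encodings. The thesis figure shows a derived key but not how it is computed, so derive_key here simply hashes the canonical encoding; the interpolation between samples is my addition so that a fast stroke cannot skip a cell between two samples.

```python
import hashlib
import math
from typing import Iterable, List, Tuple

Cell = Tuple[int, int]
Stroke = List[Tuple[float, float]]   # sampled pen positions, in pixels


def _walk(p: Tuple[float, float], q: Tuple[float, float], step: float):
    """Yield points along the segment p->q no more than `step` apart, so that a
    fast pen movement cannot jump over a cell between two samples."""
    (x0, y0), (x1, y1) = p, q
    n = max(1, math.ceil(math.hypot(x1 - x0, y1 - y0) / step))
    for i in range(n + 1):
        t = i / n
        yield x0 + t * (x1 - x0), y0 + t * (y1 - y0)


def encode_drawing(strokes: Iterable[Stroke], grid: int, width: float, height: float) -> List[Cell]:
    """DAS encoding: the sequence of grid cells (1-based, x then y) the drawing
    passes through, with (G+1, G+1) appended after each stroke as the pen-up
    event. Consecutive samples inside one cell collapse to a single entry."""
    pen_up = (grid + 1, grid + 1)
    cell_w, cell_h = width / grid, height / grid
    step = min(cell_w, cell_h) / 2
    encoding: List[Cell] = []
    for stroke in strokes:
        if not stroke:
            continue
        last = None
        pairs = zip(stroke, stroke[1:]) if len(stroke) > 1 else [(stroke[0], stroke[0])]
        for p, q in pairs:
            for x, y in _walk(p, q, step):
                if not (0 <= x < width and 0 <= y < height):
                    raise ValueError(f"pen position {(x, y)} is outside the grid")
                cell = (int(x // cell_w) + 1, int(y // cell_h) + 1)
                if cell != last:
                    encoding.append(cell)
                    last = cell
        encoding.append(pen_up)
    return encoding


def derive_key(encoding: List[Cell]) -> bytes:
    """Illustrative key derivation (assumption of this example): hash the
    canonical text form of the encoding. Equivalent drawings give equal keys."""
    canonical = ";".join(f"{x},{y}" for x, y in encoding).encode()
    return hashlib.sha256(canonical).digest()


def same_secret(a: Iterable[Stroke], b: Iterable[Stroke], grid: int, width: float, height: float) -> bool:
    """Two drawings are the same DAS secret iff their encodings are identical."""
    return encode_drawing(a, grid, width, height) == encode_drawing(b, grid, width, height)
```

Two drawings of noticeably different shape are equivalent as long as they touch the same cells in the same order with the same pen-ups; this is what makes re-drawing tolerant of hand jitter, but it also means the effective password space is the number of distinct cell sequences, not the number of distinct pictures.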


4.2 Cued recall-based Graphical Password Systems

4.2.1 Passlogix

Blonder [13] designed a graphical password scheme in which a password is created by having the user click on several locations on an image. During authentication, the user must click on the approximate areas of those locations. The image can assist users in recalling their passwords, and therefore this method is considered more convenient than the unassisted recall required by a text-based password. As implemented by Passlogix Corporation [14], the user chooses several predefined regions in an image as his or her password, as shown in figure 4.2. In their implementation, users must click on various items in the image in the correct sequence in order to be authenticated. Invisible boundaries are defined for each item in order to detect whether an item has been clicked with the mouse.

Figure 4.2: In Passlogix's graphical-password system, users click on various items in a designated sequence within a detailed on-screen image to log on to a computer or network [14].

The Passlogix Corporation has also developed several graphical password techniques based on

repeating a sequence of actions. For example, its v-Go includes a graphical password

scheme where users can mix up a virtual cocktail and use the combination of ingredients

as a password. Other password options include picking a hand at cards or putting together


a ‘meal’ in the virtual kitchen. However, this technique only provides a limited password

space and there is no easy way of preventing people from picking poor passwords, for

example, a full house in cards [64].

4.2.2 PassPoints

The PassPoints system by Wiedenbeck et al. [73] is a graphical password scheme based on Blonder's original idea which overcomes its limitations of needing simple, artificial images, predefined regions, and consequently many clicks in a password. This cued recall-based authentication mechanism allows any image to be used and does not need artificial predefined click regions with well-marked boundaries: a password can be any arbitrarily chosen sequence of points in the image (figure 4.3) [73]. In order to authenticate, the user must click in the correct sequence within the tolerance of his previously chosen pixels. The tolerance is needed because the user's click point is a single pixel, which is too precise for a user to hit reliably. The tolerance, which is adjustable in the system, gives a margin of error around the click point within which the user's click is recognized as correct. This technique is based on the discretization method proposed by Birget et al. [11], which maps each click to a grid cell so that the system can store a hash of the cell sequence instead of the raw click coordinates. Because any picture can be used and because a picture may contain hundreds to thousands of memorable points, the possible password space is very large.

Figure 4.3: Every pixel on an image used in the PassPoints system can be used for the password [73].
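An added example of the tolerance mechanism (my own simplified version of the robust discretization idea of Birget et al., not their code and not the PassPoints implementation): for each coordinate, three grids with cell side 3r, offset by 0, r and 2r, are available, and enrollment records for every click the grid in which the point lies at least r away from any cell boundary. The grid choices are stored in the clear; the cell sequence itself is stored only as a hash, so the server never keeps the raw click coordinates. The tolerance r is a per-axis distance here, and the hash and storage format are assumptions of the example.

```python
import hashlib
import hmac
from typing import List, Sequence, Tuple

Point = Tuple[int, int]


def _safe_grid(coord: int, r: int) -> int:
    """Index g in {0, 1, 2} of the grid with cell side 3r and offset g*r in which
    `coord` lies at least r away from every cell boundary. The boundaries of the
    three grids interleave at spacing r, so one of them always qualifies, and a
    later click less than r away on this axis stays inside the same cell."""
    for g in range(3):
        rel = (coord - g * r) % (3 * r)
        if r <= rel <= 2 * r:
            return g
    raise AssertionError("unreachable: one of the three offset grids is always safe")


def _cell(coord: int, g: int, r: int) -> int:
    return (coord - g * r) // (3 * r)


def _hash_cells(cells: Sequence[Tuple[int, int]]) -> str:
    return hashlib.sha256(repr(list(cells)).encode()).hexdigest()


def enroll(points: Sequence[Point], r: int) -> Tuple[List[Tuple[int, int]], str]:
    """Returns the grid choice (gx, gy) per click point, which is stored in the
    clear, and the hash of the cell sequence, which replaces the raw coordinates."""
    grids, cells = [], []
    for x, y in points:
        gx, gy = _safe_grid(x, r), _safe_grid(y, r)
        grids.append((gx, gy))
        cells.append((_cell(x, gx, r), _cell(y, gy, r)))
    return grids, _hash_cells(cells)


def verify(clicks: Sequence[Point], grids: Sequence[Tuple[int, int]], stored_hash: str, r: int) -> bool:
    """Re-discretize the login clicks with the stored grid choices and compare
    hashes: a click is accepted iff it is less than r away (per axis) from the
    enrolled point, and the clicks must come in the enrolled order."""
    if len(clicks) != len(grids):
        return False
    cells = [(_cell(x, gx, r), _cell(y, gy, r)) for (x, y), (gx, gy) in zip(clicks, grids)]
    return hmac.compare_digest(_hash_cells(cells), stored_hash)
```

The stored grid indices do leak something: each one restricts the enrolled coordinate modulo 3r to one third of its range, about log2(3) bits per coordinate, which has to be subtracted from the nominal password space of the image.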

Wiedenbeck et al. conducted a user study [73] in which one group of participants was asked to use alphanumeric passwords, while the other group was asked to use graphical passwords. The participants subsequently carried out three longitudinal trials to input their password over the course of six weeks. The results showed that the graphical password users created a valid password with fewer difficulties than the alphanumeric users. However, the graphical users took longer and made more invalid password inputs than the alphanumeric users while practicing their passwords. In the longitudinal trials the two groups performed similarly on memory of their password, but the graphical group took more time to input a password. Later Wiedenbeck et al. also conducted a user study [72] to evaluate the effect of the click tolerance during re-authentication and the effect of image choice in the system. The results showed a strong dependence of memory accuracy on the tolerance in use: memory accuracy for the graphical password was strongly reduced when a smaller tolerance was used. The choice of image, on the other hand, did not make a significant difference, which shows that the system works for a large variety of images [64].

4.3 Recognition-based Graphical Password Systems

4.3.1 Deja Vu

Dhamija and Perrig [24] developed Deja Vu, a recognition-based authentication system which authenticates a user through his ability to recognize previously seen images. Like most other graphical password systems, it is based on the observation that people have an excellent memory for images [27, 61].

In the Deja Vu system, the user is asked to create an image portfolio by selecting a certain

number of images from a set of random pictures generated by a program. Later, the user

will be required to correctly identify the images which are part of his portfolio in order to

be authenticated. Deja Vu has three phases: portfolio creation, training, and authentica-

tion. In the portfolio creation phase shown in figure 4.4, the user selects a specific number

of images from a larger set of images presented by a server. Deja Vu uses Andrej Bauer’s

Random Art [8] to generate random abstract images. Given an initial seed, Random Art

generates a random mathematical formula which defines the color value for each pixel on

the image plane. The image generation process is deterministic and the image depends

only on the initial seed. Dhamija and Perrig believe that if the system was based on

photographs, it would be easy for users to pick predictable portfolios, to describe their

portfolio images and to write down this information and share it with others. This is the

reason why they use random abstract images.

Figure 4.4: In the portfolio creation phase of Deja Vu, the user selects Random Art images from a larger set of the images stored in the server [24].

After the portfolio creation phase, there is a short training phase to improve the memorability of the portfolio images. During training, the user must point out the pictures in

his portfolio from a challenge set containing decoy images. In the authentication phase,

a challenge set is created, consisting of portfolio and decoy images. If the user correctly

identifies all portfolio images, he is authenticated successfully.

The results of a user study showed that 90% of all participants succeeded in the authen-

tication using this technique, while only 70% succeeded using text-based passwords and

PINs. The average log-in time, however, is longer than the traditional approach [64].

4.3.2 Passfaces

Passfaces is a recognition-based authentication system developed by and commercially available through Real User Corporation [20]. The basic idea is as follows: During the enrollment procedure the user is asked to remember five images of human faces from a face database as their future password, the so-called 'Passfaces'. The user is then directed to consider the characteristics of each picture and is taken through the Passfaces log-in procedure twice, with their Passfaces indicated to them, as shown in figure 4.5. Enrollment is completed by correctly identifying the five Passfaces twice in a row without prompting. In the authentication stage, the user sees a grid of nine faces, consisting of one face previously chosen by the user and eight decoy faces. The user recognizes and clicks anywhere on the known face. This procedure is repeated for n rounds, where n is the number of Passfaces. The grids are presented on the screen one at a time, and the order of presentation remains constant, as do the faces contained in each grid. However, no grid contains faces found in the other grids, and the order of faces within each grid is randomized. The user is authenticated if he correctly identifies the five faces.

Figure 4.5: During authentication, the users are presented with a three by three grid, each containing one of the Passfaces and eight decoy faces [20].
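An added example (my own code, not Real User Corporation's) of the challenge construction just described: at enrollment each round is assigned its Passface and eight decoys, disjoint across rounds; at each login the rounds are shown in the same order with the same faces, but shuffled within the grid so that the keypad digit changes. Keeping the grid contents constant matters: if the decoys were drawn afresh for every login, an observer who recorded the challenge sets of a few logins could identify each Passface as the only face common to all of them. Face names, pool size and the CSPRNG shuffle are assumptions of the example.

```python
import random
import secrets
from typing import List, Optional, Sequence

ROUNDS = 5      # number of Passfaces per user
GRID = 9        # 3 x 3 grid: one Passface plus eight decoys


def build_layout(passfaces: Sequence[str], pool: Sequence[str],
                 rng: Optional[random.Random] = None) -> List[List[str]]:
    """Done once at enrollment. Round i holds passfaces[i] and eight decoys; no
    face appears in two rounds and no decoy is one of the user's Passfaces."""
    if len(set(passfaces)) != ROUNDS:
        raise ValueError(f"expected {ROUNDS} distinct Passfaces")
    decoy_pool = [f for f in pool if f not in set(passfaces)]
    needed = ROUNDS * (GRID - 1)
    if len(decoy_pool) < needed:
        raise ValueError(f"need at least {needed} distinct decoy faces")
    (rng or random.Random()).shuffle(decoy_pool)
    return [[face] + decoy_pool[i * (GRID - 1):(i + 1) * (GRID - 1)]
            for i, face in enumerate(passfaces)]


def present(layout: Sequence[Sequence[str]]) -> List[List[str]]:
    """Per login: rounds keep their order and contents, but the positions of the
    faces inside each grid are freshly randomized with a CSPRNG, so the keypad
    digit a user would type (figure 4.6) differs from login to login."""
    sysrand = secrets.SystemRandom()
    return [sysrand.sample(list(grid), GRID) for grid in layout]


def authenticate(presented: Sequence[Sequence[str]], passfaces: Sequence[str],
                 answers: Sequence[int]) -> bool:
    """answers[i] is the keypad position (1..9) clicked in round i. Every round
    is checked before answering, so the failing round is not revealed by timing."""
    if len(answers) != ROUNDS or len(presented) != ROUNDS:
        return False
    ok = True
    for grid, face, pos in zip(presented, passfaces, answers):
        if not 1 <= pos <= GRID or grid[pos - 1] != face:
            ok = False
    return ok


def guess_success_probability() -> float:
    """Chance of passing all rounds by clicking at random."""
    return 1 / GRID ** ROUNDS     # 1/59049 for five rounds of nine faces
```

With five rounds of nine faces a random clicker succeeds with probability 1/9^5 = 1/59049, which is the entire nominal password space (about 16 bits) and far below that of a random eight-character text password; the scheme therefore depends on lockout after a few failed attempts rather than on the size of its space.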

The Passfaces technique is based on the assumption that people recall human faces even more easily than other pictures. The science behind Passfaces is complex, but the essentials are simple to understand: Face recognition is a dedicated process of the brain which is different from general object recognition. Generally the right side of the brain is concerned with pictures and spatial relationships, whereas the left side focuses on abstract processes like mathematics and language. The right parietal lobe (right side, upper middle) of the brain primarily controls face recognition, but many other parts are also involved in this complex process. In this view, passwords use the left side of the brain and Passfaces uses the right side. Both inference and direct neurological measurement indicate that our brains have a special component whose sole function is to recognize faces. Viewing and recognizing faces is not like looking at other objects. For example, infants are already able to recognize their mother's face two days after birth. In an experiment people recognized schoolmates they had not seen for 35 years with over 90% accuracy [6]. Our brain stores pictures of people as a whole and does not divide them into separate regions such as mouth, nose or eyes. The overall picture is stored as a spatial image. This is why people can recognize totally different faces faster than faces which look very similar. In addition, emotions help to recognize faces. One is more likely to recognize someone with a definite expression as opposed to a neutral look. If emotions are connected to the image, these emotions will come up again when looking at the image, which speeds up recognition of the picture. The context in which a person is met or recognized is also important and influences the ability to recognize them later; it is necessary that the context remains the same. Adults tend to recognize people who are perceived as important to them more easily.

Figure 4.6: The three by three grid gives users the ability to enter the number on a numeric keypad that corresponds to the position of their Passface on the grid, in addition to selecting it by mouse click or touch screen [20].

Faces of people that are well known can be recognized on the basis of only a few characteristics. Even if the image quality is poor or distorted, or there are only a small number of pixels, familiar faces are still easily recognized. The more often a picture is seen, the more familiar it gets and the faster it will be recognized later.

Identifying to whom a face belongs is a further and somewhat different process. There appears to be no tie between faces and names, so an inability to put a name to a face is a common occurrence. Passfaces do not require the user to identify a face – only to recognize that it is familiar [6].

User studies by Valentine [69] have shown that Passfaces are very memorable. 77 participants went through the Passfaces enrollment procedure, and three conditions were tested. The first condition had 29 participants logging in every working day for two weeks. Participants correctly recalled their Passfaces in 99.98% of logins. The second condition had 29 participants log in approximately seven days after enrollment. On their first attempt, 83% logged in successfully. Everyone in this condition logged in on the third attempt. The third condition had 19 participants log in only once, approximately 30 days after enrollment, with 84% of participants remembering their Passfaces on the first attempt and the remainder remembering their Passfaces on the third attempt.

Passfaces have also proved to be memorable over long periods without use. The participants were contacted and asked to log in again on average 5.4 months after they had last used their Passfaces. 56 participants completed the follow-up study. Overall, 72% of participants remembered their Passfaces on the first attempt, and 84% remembered their Passfaces by the third attempt. Participants who had originally been in the everyday-use condition remembered their Passfaces best, with 87% remembering them on the first attempt and 100% on the third attempt [70].

In the next chapter, a different approach to replacing knowledge-based authentication systems is presented. Keystroke dynamics is a promising biometric authentication mechanism which relies on the keystroke pattern of the user.

Chapter 5

Keystroke Dynamics-based Authentication

Keystroke dynamics is the process of analyzing the way users type by monitoring keyboard inputs and identifying them based on patterns in their typing rhythm. Keystroke dynamics is a biometric authentication mechanism which is also known as keyboard dynamics, keystroke analysis, typing biometrics and typing rhythms.

At the beginning of the 20th century, psychologists and mathematicians studied human actions. Psychologists demonstrated that human actions are predictable in the performance of repetitive and routine tasks [68]. In 1895, observation of telegraph operators showed that each operator had a distinctive pattern of keying messages over telegraph lines [18]. Furthermore, an operator often recognized who was typing and sending information at the other end of the wire simply by listening to the characteristic pattern of dots and dashes [49]. Today, the telegraph keys have been replaced by other input/output devices such as keyboard and mouse. It has been established that keyboard characteristics are rich in cognitive qualities and may also be used as an individual identifier. When sitting close to a typist, or working in an office next to one, a person is usually able to recognize the typist by keystroke patterns.

Conceptually, the closest correspondence among biometric identification systems is signature recognition. In both signature recognition and keystroke dynamics, a person is identified by his writing dynamics, which are assumed to be unique to a large degree among different people. It has been shown that the same neurophysiological factors that make written signatures unique are also exhibited in an individual’s typing pattern [35]. Once a computer user types on the keyboard of a computer, he leaves a digital signature in the form of keystroke latencies [49].

Human nature dictates that a person does not just sit in front of a computer and enter a continuous stream of non-stop data. Instead, the person types for a while, pauses to collect thoughts and ideas, pauses again to take a rest, continues typing, and so forth. In developing a scheme for identity verification, a common baseline must be established for determining which keystrokes characterize the individual’s key pattern and which do not. Physiologists have studied human interaction with computer systems and developed several models describing the interface to computers. Research efforts in keystroke dynamics have focused on attributes like the stream of interkey times and key hold times to provide a unique identifier for authenticating an individual’s identity. Interkey times are the latency periods between keystrokes. Key hold times are the durations between the moment a key is pressed and the moment it is released. Additionally, a possible metric is the measurement of keystroke pressures. However, this metric requires a special keyboard for keystroke analysis and is therefore not discussed further in this study.

Note that unlike other biometric systems, which may be expensive to implement and incur the cost of additional hardware, keystroke dynamics is almost free. The only hardware required is the keyboard which comes with a regular personal computer.

5.1 Identification and Verification

Keystroke dynamics systems can run in two different modes: identification or verification. Clearly, they have two different applications. Identification is the process of trying to find out a person’s identity by examining a biometric pattern calculated from the person’s biometric features. A larger amount of keystroke dynamics data is collected, and the user of the computer is identified based on previously collected information of keystroke dynamics profiles of all users. For each of the users, a biometric template is calculated in this training stage. A pattern that is going to be identified is matched against every known template, yielding either a score or a distance describing the similarity between the pattern and the template. The system assigns the pattern to the person with the most similar biometric template. To prevent impostor patterns (in this case all patterns of persons not known by the system) from being correctly identified, the similarity has to exceed a certain level. If this level is not reached, the pattern is rejected.

Identification with keystroke dynamics means that the user has to be identified without additional information besides measuring his keystroke dynamics. There is constant monitoring as a background task for collecting a keystroke dynamics profile of the user’s typing. Such an authentication system is not limited to short texts, but on the other hand there is no possibility of using only some predefined texts for identification. Thus, more general keyboard dynamics statistics have to be gathered. For example, latencies between all different key pairs can be gathered.

A person’s identity is claimed a priori in the verification case. The pattern that is verified is only compared with the person’s individual template. The identity of the user is usually verified statically at login by measuring the typing pattern when writing the username and the password and comparing measurements to a previously stored profile. Authenticating the user is done on the basis of both what they typed and how they typed it. Similar to identification, the similarity between pattern and template is checked to find out if it is sufficient to provide access to the secured system or area.

Using keystroke dynamics in addition to normal password-based authentication is quite straightforward. When a password is created for the first time or changed, the user must type the new password several times. From that, a profile of keystroke dynamics is created, for example by measuring latencies between consecutive key presses and calculating their averages and standard deviations. This profile is then stored together with the encrypted password. When creating or changing a password, the user has to write the new password several times anyway, usually twice, so the password creation procedure is not changed much. Repeating the input twice may not be enough for creating a usable profile; a few more repetitions may be needed. However, there are no user-visible changes in the authentication procedure, even though internally the procedure has a few more steps. Basically, keystroke dynamics are measured when the password is written and the measurements are compared to the formerly created profile. The system can additionally do similar checks when the username is written. There have been a lot of studies on using keystroke dynamics for user verification [12, 48, 28]. Most studies have used durations between keystrokes as features for user verification, but some have also used key hold times. All studies have a two-phase concept in common. In the first phase, the enrollment phase, the system learns the user’s keystroke dynamics. The enrollment phase consists of writing the username and password several times, forming a profile. The type of profile depends on the classification method used. Classification methods used include traditional statistical techniques, Bayesian classifiers and neural networks. In phase two, the system then compares newly collected data with the profile stored in phase one.

Verification has more directly applicable uses with keyboard dynamics than identification, and it is a far more studied subject. However, keystroke dynamics in verification mode is not an alternative to password-based authentication mechanisms, since username and password are still required.

5.2 Methods and Metrics for Keystroke Analysis

Previous studies [25] have identified a selection of data acquisition techniques and typing metrics upon which keystroke analysis can be based. The following section summarizes the basic methods and metrics that can be used.

Static at login – Static keystroke analysis authenticates a typing pattern based on a known keyword, phrase or some other predetermined text. The captured typing pattern is then compared against a profile previously recorded during system enrollment. Static keystroke analysis is generally considered to be an initial login enhancement as it can supplement the traditional username/password login prompt, by checking the digraph latencies (latency periods between two keystrokes) of the username and/or password components.

Periodic dynamic – Dynamic keystroke analysis authenticates a user on the basis of their typing during a logged session. The data which is captured in the logged session is then compared to an archived user profile to determine deviations. In a periodic configuration, the authentication judgment can be intermittent; either as part of a timed supervision, or, in response to a suspicious event or trigger. This method provides some advantages compared to the static approach. Firstly, it is not dependent on the entry of specific text, and is able to perform authentication on the basis of any input. Secondly, in static keystroke analysis, the range of digraphs and frequency of their occurrence is likely to be significantly limited compared to a dynamic approach. Even an inexperienced typist is likely to produce sufficient digraph pairs to allow an authentication judgment to be derived. This is an important factor as it is necessary to have a statistically significant volume of keystroke data in order to generate a user profile.

Continuous dynamic – Continuous keystroke analysis extends the data capturing to the entire duration of the logged session. The continuous nature of the user monitoring offers significantly more data upon which the authentication judgment is based. Furthermore, an impostor may be detected earlier in the session than under a periodically-monitored implementation. On the downside, however, the additional processing required will add to the computational overhead of the supervision system.

Keyword-specific – Keyword-specific keystroke analysis extends the continuous or periodic monitoring to consider the metrics related to specific keywords. Extra monitoring is done to detect potential misuse of sensitive commands. For example, it may be useful to monitor the keystroke metrics of a user attempting to execute the FORMAT or DELETE commands. Static analysis could be applied to specific keywords to obtain a higher confidence judgment.

Application-specific – Application-specific keystroke analysis further extends the continuous or periodic monitoring. It may be possible to develop separate keystroke profiles for different applications. For example, a user may be profiled separately for their word processing application and their email client.

In addition to a range of implementation scenarios, there are also a variety of possible keystroke metrics that can be profiled as the basis for subsequent comparison [25]:

Digraph latency – Digraph latency is the metric that is used most commonly and typically measures the delay between the key-up and the subsequent key-down events which are produced during normal typing (e.g. T-H). In most cases, some form of low and high pass filter is applied to remove irrelevant data from the session data.

Trigraph latency – Trigraph latency extends the digraph latency metric to consider the timing for three successive keystrokes (e.g. T-H-E).

Keyword latency – Keyword latencies consider the overall latency for a complete word or may consider the unique combinations of digraphs/trigraphs in a word-specific context.

Use of special keys – The habit of using additional keys on the keyboard, for example, by writing numbers with the numpad.

Order of pressing keys – The order in which the users press keys when writing capital letters, for example, if the shift or the letter key is released first.

Mean error rate – The mean error rate can be used to provide an indication of the competence of the user during normal typing. While this may not be user specific, it may be possible to classify users into a generic category, according to their typing ability, which can then be used as an additional authentication method.

Mean typing rate – Individuals can be classified according to their mean typing rate together with the mean error rate.

Most of the applications measure only latencies between consecutive keystrokes or durations of keystrokes. Figure 5.1 is an example of writing the word ‘password’ several times and measuring latencies between keystrokes. Timings have been measured for three different persons. There are clear differences in latencies and their standard deviations. Latencies between keystrokes and durations of keystrokes are popular measurements because they can be measured easily with normal PC hardware. Nevertheless, it should be noted that all of the above techniques and metrics can be implemented on a standard PC platform without the need for special hardware. Both key press and release events generate hardware interrupts from which information can be gathered. Gathering keystroke dynamics data has, however, a few complications. Several keys can be pressed at the same time – the user presses the next key before releasing the previous one – which often happens when writing fast. Depending on what is measured, there might even be a negative time between releasing a key and pressing the next. It also adds slightly to the complexity of the keystroke dynamics system if it needs to know when the user presses SHIFT, ALT and other special keys [59].

Figure 5.1: Latencies between keystrokes when writing the word ‘password’ by three different persons. The word was written several times. The lines represent average latencies, error bars represent standard deviations [32].
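The static enrollment and verification procedure from section 5.1 (means and standard deviations of latencies over several repetitions of the password), built on the press/release events and the overlapping-key case discussed above, as an added example that is not code from the thesis. It assumes millisecond timestamps, a session represented as (key, "down"/"up", time) tuples, and a simple per-feature tolerance of k standard deviations; all timing values are constructed.

```python
"""Added example, not code from the thesis: static keystroke-dynamics
enrollment and verification on a fixed password, built from raw key
press/release events.

Assumptions (mine, not the thesis's): timestamps are milliseconds, a typing
session is a list of (key, "down" | "up", time) tuples, and an attempt is
accepted when enough features fall within k standard deviations of the
enrolled mean. All timing values below are constructed, not measured.
"""
from statistics import mean, pstdev

MIN_STD = 1.0   # floor so a feature with zero spread does not reject everything


def extract_features(events):
    """Return (hold_times, digraph_latencies) for one session.

    hold time       = release - press of the same keystroke
    digraph latency = press(next key) - release(previous key); negative when
                      the next key goes down before the previous one is up,
                      which happens when typing fast (overlapping presses).
    """
    strokes = []          # [key, press_t, release_t] in press order
    open_by_key = {}      # key -> index in strokes of its unreleased press
    for key, kind, t in sorted(events, key=lambda e: e[2]):
        if kind == "down":
            open_by_key[key] = len(strokes)
            strokes.append([key, t, None])
        elif key in open_by_key:
            strokes[open_by_key.pop(key)][2] = t
    strokes = [s for s in strokes if s[2] is not None]   # drop unreleased keys
    holds = [r - p for _, p, r in strokes]
    latencies = [strokes[i + 1][1] - strokes[i][2] for i in range(len(strokes) - 1)]
    return holds, latencies


def enroll(sessions):
    """Build the profile: per-feature mean and standard deviation over all
    enrollment repetitions of the same password."""
    vectors = [h + l for h, l in (extract_features(s) for s in sessions)]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all enrollment sessions must type the same text")
    columns = list(zip(*vectors))
    return {"mean": [mean(c) for c in columns],
            "std": [max(pstdev(c), MIN_STD) for c in columns]}


def verify(profile, session, k=2.0, required=0.8):
    """Compare one login attempt with the stored profile.

    Returns (accepted, score) where score is the fraction of features inside
    mean +/- k*std. A wrong number of keystrokes means the wrong text was
    typed, which is rejected before any timing comparison.
    """
    holds, latencies = extract_features(session)
    vector = holds + latencies
    if len(vector) != len(profile["mean"]):
        return False, 0.0
    inside = sum(abs(x - m) <= k * s
                 for x, m, s in zip(vector, profile["mean"], profile["std"]))
    score = inside / len(vector)
    return score >= required, score


def make_session(word, holds, latencies, start=0):
    """Helper to construct an event list from hold times and latencies
    (used only to fabricate the sample data below)."""
    events, t = [], start
    for i, key in enumerate(word):
        events.append((key, "down", t))
        events.append((key, "up", t + holds[i]))
        if i < len(word) - 1:
            t = t + holds[i] + latencies[i]   # moves backwards if latency < 0
    return events


# Constructed data: five enrollment repetitions of "pass" by the legitimate
# user (note the negative a->s latency: "s" is pressed before "a" is released),
# one genuine login attempt and one impostor attempt typing the same text.
ENROLL_SESSIONS = [
    make_session("pass", [90, 80, 70, 75], [120, -15, 60]),
    make_session("pass", [95, 78, 72, 70], [125, -10, 65]),
    make_session("pass", [88, 84, 68, 77], [115, -20, 58]),
    make_session("pass", [92, 81, 71, 73], [118, -12, 62]),
    make_session("pass", [89, 79, 69, 76], [122, -18, 61]),
]
GENUINE_ATTEMPT = make_session("pass", [91, 80, 70, 74], [121, -14, 60])
IMPOSTOR_ATTEMPT = make_session("pass", [150, 140, 130, 120], [300, 250, 200])

if __name__ == "__main__":
    profile = enroll(ENROLL_SESSIONS)
    print("genuine :", verify(profile, GENUINE_ATTEMPT))    # (True, 1.0)
    print("impostor:", verify(profile, IMPOSTOR_ATTEMPT))   # (False, 0.0)
```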

5.3 Performance Measures

Performance of biometric systems is typically measured in terms of various error rates, namely the False Accept Rate (FAR) and the False Reject Rate (FRR). The FAR refers to the errors the biometric system makes in which it incorrectly matches the features of the biometric sample presented with those in the system database, smartcard, etc. From a security point of view, it is the probability of an impostor posing as a valid user being able to successfully gain access to a secured system. In statistics, this is referred to as a Type II error. The FRR refers to the errors the biometric system makes in which it incorrectly does not match the biometric sample presented with those in the system database, smartcard, etc. In other words, it measures the percentage of valid users who are rejected as impostors. In statistics, this is referred to as a Type I error. Both error rates should ideally be 0%. From a security point of view, Type II errors should be minimized – no chance for a non-authorized user to log in. However, Type I errors should also be infrequent, because valid users get annoyed if the system rejects them incorrectly.

The FAR and FRR can typically be traded off against each other by adjusting parameters in biometric systems. One of the most common measures of biometric systems is the rate at which both accept and reject errors are equal: the Equal Error Rate (EER), also known as the Cross-Over Error Rate (CER). The value indicates that the proportion of false acceptances is equal to the proportion of false rejections. The lower the equal error rate value, the higher the accuracy of the biometric system (figure 5.2). Stated error rates sometimes involve specific or subjective elements. For example, one biometrics vendor sets the acceptance threshold high, to minimize false accepts. In the trial, three attempts were allowed, and so a false reject was counted only if all three attempts failed. Comparing two biometric systems is only reasonable if both the FAR and the FRR values are given. One single value is not sufficient; otherwise it is possible for a system with the lower FAR to have an unacceptably high FRR. But even when the values for FAR and FRR are given, there is still the problem that those values are threshold-dependent. Assuming that the threshold of the systems is adjustable, there is no reasonable way to decide if a system with a higher FAR and a lower FRR performs better than another system with a lower FAR and a higher FRR value.

The EER of a system can be used to give a threshold-independent performance measurement. The lower the EER is, the better the system’s performance is, as the total error rate, which is the sum of the FAR and the FRR at the point of the EER, decreases. In theory this works fine if the EER of the system is calculated using an infinite and representative test set, which of course is not possible under real-world conditions. To get comparable results, it is therefore necessary that the EERs be calculated and compared on the same test data using the same test protocol.

Figure 5.2: Equal Error Rate: the rate at which both accept and reject errors are equal. The lower the EER or CER, the more accurate the system is considered to be.
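The FAR/FRR trade-off and the EER computed over a finite test set, as an added example that is not code from the thesis. It assumes that each comparison yields a distance between attempt and profile (lower is more similar), that an attempt is accepted when the distance is at or below the threshold, and that the two score lists are constructed; it also shows the effect of the three-attempt counting rule mentioned above under an (optimistic) independence assumption.

```python
"""Added example, not code from the thesis: FAR, FRR and EER computed from
the comparison scores of a biometric verifier.

Assumptions (mine): each comparison yields a distance between the login
attempt and the stored profile (lower = more similar), and an attempt is
accepted when distance <= threshold. The two score lists are constructed,
not measured data.
"""

# Ten legitimate-user attempts and ten impostor attempts (constructed).
GENUINE_DISTANCES = [0.8, 1.1, 1.3, 1.6, 2.0, 2.4, 2.9, 3.5, 4.2, 5.0]
IMPOSTOR_DISTANCES = [2.2, 3.1, 3.8, 4.4, 4.9, 5.6, 6.3, 7.0, 8.1, 9.4]


def far(impostor_distances, threshold):
    """False Accept Rate (Type II error): share of impostors accepted."""
    return sum(d <= threshold for d in impostor_distances) / len(impostor_distances)


def frr(genuine_distances, threshold):
    """False Reject Rate (Type I error): share of valid users rejected."""
    return sum(d > threshold for d in genuine_distances) / len(genuine_distances)


def error_curve(genuine_distances, impostor_distances):
    """(threshold, FAR, FRR) for every observed distance used as threshold.
    Raising the threshold lowers FRR and raises FAR: the trade-off."""
    thresholds = sorted(set(genuine_distances) | set(impostor_distances))
    return [(t, far(impostor_distances, t), frr(genuine_distances, t))
            for t in thresholds]


def equal_error_rate(genuine_distances, impostor_distances):
    """Threshold where FAR and FRR are closest, with the two rates there.
    With finite test sets the curves rarely cross exactly, so the closest
    observed point is reported rather than an interpolated value."""
    curve = error_curve(genuine_distances, impostor_distances)
    return min(curve, key=lambda row: abs(row[1] - row[2]))


def frr_with_retries(single_attempt_frr, attempts=3):
    """FRR when a false reject is only counted after `attempts` consecutive
    failures, assuming the attempts are independent (optimistic; real retries
    are correlated, which is why the test protocol must be stated)."""
    return single_attempt_frr ** attempts


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE_DISTANCES, IMPOSTOR_DISTANCES):
        print(f"threshold {t:4.1f}  FAR {a:.2f}  FRR {r:.2f}")
    t, a, r = equal_error_rate(GENUINE_DISTANCES, IMPOSTOR_DISTANCES)
    print(f"EER at threshold {t}: FAR={a}, FRR={r}, total error={a + r}")
    print("FRR counted over three attempts:", frr_with_retries(r))
```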

5.4 Related Work

The idea of using keyboard characteristics for authentication is not new, and there have been a number of previously published studies in this area. Most of the studies have focused upon static or context-independent dynamic analysis, using the inter-keystroke latency timing method. From the earliest studies in 1980 [19], the focus has been on the analysis of digraph latencies. Later studies [41, 35] further enhanced the work, identifying additional statistical analysis methods that provided more reliable results. The following will briefly summarize some work researchers have conducted concerning keystroke dynamics.

One of the earlier works in the area of keystroke dynamics was accomplished by Umphress and Williams [68] in 1985. They used the delays between keystrokes (digraphs) for the captured keystroke biometric. Two sets of inputs were required in their process. The first reference profile consisted of 1,400 characters of prose while the test profile consisted of 300 characters. The study showed that keystroke biometrics is a valid method for identity verification. However, the study was limited by the fact that it required a large amount of input text and, despite the amount of text, it was only able to achieve a FAR of 6%.

In 1987, Williams and Leggett [39] further extended the work. By increasing the number of users in the study, reducing experimental variables and discarding inappropriate digraphs according to latency and frequency, they reduced the FAR to 5%. While the FAR was still not acceptable for using keystroke dynamics for identification, it showed that there was the potential to use it as a static identity verifier in conjunction with a passphrase at login [39].

An additional extension of the papers described above was conducted in 1990 by Leggett et al. [40]. While the static procedure of entering reference and test profiles achieved the same result of a 5% FAR, they were the first to take the concept of keystroke dynamics into verification in a dynamic environment in an experiment. Verification of the user occurs while typing the test profile and allows for continuous verification of identity in real time. This could be applied to verify identity throughout a login session and avoids the time-of-check to time-of-use problem. That problem occurs when a user’s identity is checked only once at login, even though the system uses the same identity to make access control decisions later in the session, when someone else may be using the terminal. They were able to achieve a FAR of 12.8% and a FRR of 11.1% using sequential statistical theory. These experiments proved that dynamically identifying a user was possible and that further refinement of the statistical analysis would achieve more accurate results.

In a study by Joyce and Gupta [35], the username was compared to the particular profile for that user. The login had four components: username, password, first name and last name. Digraphs were then calculated, and basic statistical methods of means, variances and standard deviations were used to determine a match. Using this method, the FAR was just 0.25%, but the FRR was 16.67%.

Bleha et al. [12], in 1990, used a different statistical method: the Bayes classification algorithm, which makes use of the Gaussian probability density function. The study used two sources of sample data, a user’s name to identify, and a fixed user-selected phrase to verify. The verification system gave results of 8.1% for the FRR and 2.8% for the FAR.

Regarding the features collected, no significant additions occurred until 1997, when Obaidat and Sadoun [49] introduced key hold times as another feature of interest.

Currently, the most common and widely-known application that uses keystroke dynamics technology is BioPassword [33]. Because BioPassword is one of the only products available on the market and because of its relatively wide usage, the following section will take a look at this keystroke dynamics system in detail.

5.5 BioPassword

BioPassword Inc. [33] has commercialized keystroke dynamics technology based on a patented algorithm resulting from US government research in the 1980s. Currently, the technology is being used to provide a strong second factor of user authentication when logging onto Microsoft Windows and the Citrix environment. BioPassword is designed to replace the default log-in system used in Windows NT/2000/XP operating systems. It is not limited to a single computer, but it can be used in a Windows network environment where user accounts are stored centrally. Also, a development kit exists which enables easy implementation of a similar authentication system in other applications.

After the BioPassword software is installed on the server and the client workstations, the user must enroll to use their workstation and the network. Enrollment is done by typing the username and the password several times, 15 by default. The administrator can set the amount from one to 20 times, but the more iterations, the better the user profile. Then the biometric template is stored on the server. After enrollment, the user can log in as usual by typing the username and the password. The system checks the login attempt against the stored template, and only if the typing pattern matches the stored template is the user allowed to log in. The administrator can establish the accuracy required for each user with the security setting. The security setting ranges from one to ten, with a default of three: the higher the number, the more accurate the user must be.

BioPassword uses latencies between keystrokes and keystroke durations for verifying users. Unfortunately, there are no details on the method used for comparing measurements of a new login attempt to a stored profile. According to the patent, the method stores the profiles of users in a way that would be usable for identifying users continuously. However, continuous verification or identification is apparently not used in the product.

Figure 5.3: The BioPassword utility allows the administrator to adjust security settings.

5.6 Summary

Over the last two decades many algorithms have been used, ranging from statistics-based techniques including t-tests, means and standard deviations, to conventional distance metrics such as Euclidean and Mahalanobis distance, to machine learning algorithms such as neural networks and the perceptron. Table 5.1 summarizes previous keystroke dynamics schemes and studies.

Initial works had extremely demanding input requirements in terms of text length, ranging from large passages and word lists on the order of hundreds and sometimes thousands of characters, whereas more recent work has attempted to minimize such input requirements, relying only on usernames and/or passwords on the order of tens of characters [7]. There is also a relatively wide range in performance over the two decades, with published FAR ranging from 0 to 8% and FRR ranging from 0 to 45%. Although these ranges are indeed wide, some studies seem to offer perfect, if not near-perfect, performance in both measures.

There are notable deficiencies across the board in that virtually all studies seem to have been conducted over extremely small user populations or have only collected a limited amount of input per user. Most of the papers admit that these deficiencies have a high impact on the conclusions that can be drawn from the performance results, due to the limited amount of data collected.

Author                       | Method                                                  | %FAR                       | %FRR
Gaines & Lisowski (1980)     | Digraph; t-test                                         | 0%                         | 4%
Umphress & Williams (1985)   | Digraph; statistical                                    | 6%                         | 12%
Garcia (1986)                | Digraphs + space key; Mahalanobis distance function     | 0.01%                      | 50%
Leggett & Williams (1988)    | Digraph; statistical                                    | 5%                         | 5.5%
Young & Hammon (1989)        | Digraph; Euclidean distance function                    | -                          | -
Joyce & Gupta (1990)         | Digraph; mean and standard deviation                    | 0.25%                      | 16.67%
Bleha et al. (1990)          | Digraph; statistical                                    | 2.8%                       | 8.1%
Leggett et al. (1991)        | Digraph; statistical                                    | 5% (static), 12.8% (dynamic) | 5.5% (static), 11.1% (dynamic)
Obaidat & Macchiarolo (1993) | Digraph; neural networks                                | -                          | -
Brown & Rogers (1993)        | Digraph; neural networks + statistical                  | 0%                         | 4.2%
Bleha & Obaidat (1993)       | Digraph; perceptron algorithm                           | 8%                         | 9%
Furnell et al. (1996)        | Digraph; neural network (static), statistical (dynamic) | 8% (static)                | 7% (static)
Obaidat & Sadoun (1997)      | Digraph + key hold times; machine-learning algorithms   | 0%                         | 0%
Bergadano et al. (2002)      | Trigraph; degree of disorder                            | 0.04%                      | 4%
BioPassword                  | Digraph + key hold times; patented by Young (1989)      | -                          | -

Table 5.1: Previous keystroke analysis studies


Chapter 6

Other Authentication Systems

This chapter provides a broader overview of alternative authentication mechanisms. However, they do not meet the requirements set for the methods analyzed in this study.

Access to special services, data or facilities should at all times be granted only to an authorized group of people, which is why authentication systems are necessary. The identity of a process or a person must be verified, which means assuring that the process or person trying to gain access is the one it claims to be.

Fundamentally, there are three different ways of user authentication: examining what the user knows, possesses or is.

• Knowledge-based authentication uses a secret word or phrase shared between the user and the computer system, with the user revealing the secret to the computer to prove their authenticity.

• Token-based authentication uses a physical token that is difficult to obtain or falsify.

• Biometric-based authentication relies on the uniqueness of details in a person’s anatomy or behavior – a user whose characteristics match the electronic equivalent of those characteristics recorded in the computer is accepted as valid. Examples of such characteristics currently in use include fingerprints, retinal patterns, signatures, keystroke dynamics in typing, and voice properties.

The salient feature of most token-based systems is the token itself. These are typically small, handheld devices that either have a little screen with numbers or a plug that can be inserted into the USB port of a typical computer. Each token has a unique serial number and some kind of hidden secret. When the user tries to log in, the token uses that secret to prove that it – and presumably the user – is legitimate. Once this proof is performed, the user is allowed to log in. Probably the best-known token is RSA Security’s SecurID [54]. This token has a small LCD screen displaying eight digits, which change every minute. To log in to a computer, one must type one’s username, a password, and the digits that the token displays. The computer looks up the username and verifies the password, then executes mathematical algorithms to see if the number typed is the number the token should have displayed. If this calculated number matches the number typed in, permission is granted. Note that the SecurID does not eliminate passwords. It just provides every user with a second password, one that changes every minute. This is considered to be a form of two-factor authentication. Two-factor authentication is any authentication protocol that requires two independent ways to establish identity and privileges. This contrasts with traditional password authentication, which requires only one factor, the knowledge of a password, in order to gain access to a system. In this particular case it means that users still have the disadvantage of knowledge-based authentication: forgetting their passwords. In addition, tokens, such as smart cards, magnetic stripe cards, photo ID cards, physical keys and so forth, can be lost, stolen, duplicated, or left at home. Token-based authentication does not fulfill the requirements for an alternative authentication mechanism stated in chapter 3 – additional hardware is needed and most often a password or a PIN is required. The use of security tokens or smart cards requires more expense, more infrastructure support and more specialized hardware than authentication via password only. Still, these are cheaper than biometric devices and, when used with a PIN or password, offer acceptable levels of security.

Biometric-based authentication refers to technologies that measure and analyze human physical and behavioral characteristics for authentication purposes. Examples of physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements, while examples of mostly behavioral characteristics include signature, gait and typing patterns. Voice is considered a mix of both physical and behavioral characteristics. With biometrics, users do not have to remember a username or a password.

Biometric authentication has been widely regarded as the hardest to forge or spoof. Systems of identification and authentication based on physical characteristics have been available since the early 1980s. These biometric systems were slow, intrusive and expensive, but because they were mainly used for guarding mainframe access or restricting physical entry to relatively few users, they proved workable in some high-security situations. Twenty years later, computers are much faster and cheaper. This, plus new, less expensive hardware, has renewed the interest in biometrics.

Biometric authentication requires comparing a registered or enrolled biometric sample (biometric template or identifier) to a newly captured biometric sample (for example, a fingerprint captured during a login). During enrollment a sample of the biometric trait is captured, processed by a computer, and stored for later comparison.

Because of its convenience and simple use, fingerprint authentication is used most often. A growing number of notebooks and computer peripherals are coming onto the market with built-in fingerprint readers. Many products are available, including keyboards, mice, external hard drives, USB flash drives and readers built into PC card and USB plug-in devices. These devices allow the user to maintain encrypted passwords that do not need to be remembered but are instead invoked after the user puts his finger on the reader.

However, remote biometric authentication is not trivial. Simply accepting that anyone who can present a person’s fingerprint may use the person’s bank account in a home-banking application is not a good idea. Remote biometric authentication requires a trusted biometric sensor, which must be sufficiently tamper-resistant and provide trustworthy liveness tests. Although remote biometric authentication may work in theory, few (if any) current devices are trustworthy enough to be used for remote biometric authentication. In addition, biometrics may be good for user authentication, but cannot be used to authenticate computers or messages. Biometric characteristics are not secret and therefore cannot be used to sign messages or encrypt documents. If a person’s fingerprint is not secret, there is no sense in adding it to documents he has written. Any other single person could do the same.

Apart from keystroke dynamics, biometric authentication systems are more expensive than password-based authentication systems. A standard keyboard can be used for authentication with keystroke dynamics, unlike the biometric authentication mechanisms mentioned before, which require special hardware. The need for extra hardware is the main reason why most of the biometric authentication mechanisms do not satisfy the requirements for an alternative to password-based authentication in this study. Smart cards, for example, require readers in PCs, and such readers are not appearing in regular PCs. The drive is towards smaller, cheaper PCs, and smart card or biometric readers push in the opposite direction. The problem with the additional hardware is that not only are there high initial costs associated with buying and deploying the hardware, but there are ongoing maintenance and support expenses. If the hardware is broken or lost, it must be replaced or repaired immediately; otherwise users with broken authentication devices cannot access their accounts and work on their computer system. In addition, the difficult tradeoff between impostor pass rate and false alarm rate is another problem.

Alternative password schemes exist that enhance the usability of text-password systems without necessitating any modifications. These include, for example, cognitive passwords, pass-sentences and pass-phrases. In cognitive password authentication, the system randomly selects a set of personal questions each time the user logs in. Cognitive passwords have high recall rates, but they may be impractical for widespread use. Factual and opinion-based questions may be easy for family or friends to guess. Also, every organization would need a unique set of questions to prevent reuse. Pass-sentences and pass-phrases are textual passwords composed of long, grammatically correct phrases. Personalized phrases are memorable and their length resists software cracking. However, the increased length makes them impractical for repeated use. Other systems generate mnemonic phrases for passwords. Given textual passwords, these systems return grammatically correct phrases that users can use as memory aids for their passwords. The memorability of these system-generated phrases is untested, but user-generated passwords are generally more memorable than system-generated passwords.

Tools and plug-ins have been developed to make dealing with several passwords easier. Password managers such as KeePass [53] store all passwords in one secure, highly encrypted database, which is locked with one master key or a key-disk. The user only has to remember one single master password or insert the key-disk to unlock the whole database. PasswordMaker [36] is a free extension for Internet Explorer, Firefox, Mozilla, Netscape, Flock, and Yahoo! Widgets which creates unique, secure passwords that are very easy for the user, but for no one else, to retrieve. No secret is stored anywhere, or at any time, so there is nothing to be cracked, lost, or stolen. From a master password and the URL of the website requiring a password, PasswordMaker calculates a digital fingerprint, through one-way hash algorithms, which can be used as the password for the website. Now, every time the user wants to log in to a website, he only has to provide the master password and PasswordMaker will fill in the secure password for that website. There is a totally different and secure password for every website, but the user only has to memorize his one master password.
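The derivation scheme just described, as an added example in Python; this is not PasswordMaker’s own code, and its exact algorithm is not reproduced here. The example assumes a PBKDF2-SHA256 derivation with a constructed iteration count and salt prefix, and its function names (site_identifier, derive_site_password) are the example’s own. It shows the two properties the text relies on: the same master password and site always give the same site password, and nothing secret has to be stored.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Iteration count for the key derivation. This is an assumption of the example:
# PasswordMaker applies a plain one-way hash, whereas PBKDF2 adds work factor.
ITERATIONS = 100_000
# Constructed salt prefix so the derived key is domain-separated from other uses.
SALT_PREFIX = "passwordmaker-example:"


def site_identifier(url: str) -> str:
    """Reduce a URL to its lower-case host name, so that every page of one site
    (different paths, query strings or letter case) yields the same password."""
    if "://" not in url:
        url = "https://" + url          # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    return (parts.hostname or "").lower()


def derive_site_password(master_password: str, url: str, length: int = 16) -> str:
    """Derive a per-site password from the master password and the site name.

    Nothing is stored between logins: the same inputs always produce the same
    output. The derivation is one-way, so a site password leaked by one website
    does not reveal the master password or the passwords of other sites.
    """
    salt = (SALT_PREFIX + site_identifier(url)).encode("utf-8")
    key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    # Base64 gives a printable password; the site's allowed length decides the cut.
    return base64.b64encode(key).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed master password and sites for the demonstration.
    master = "correct horse battery staple"
    for site in ("https://mail.example.com/login?next=/inbox", "shop.example.org"):
        print(site_identifier(site), derive_site_password(master, site))
```

In use, the browser extension would run derive_site_password at login time and fill in the result; the user types only the master password, and a different per-site password comes out for each host.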

Single sign-on solutions overcome the memory burden of memorizing several passwords for different applications. A single sign-on system enables a user to authenticate once and gain access to the resources of multiple software systems. Many free and commercial single sign-on products are currently available: Kerberos [51], Windows Live ID [43], RSA Sign-On Manager [55] or OpenSSO [63]. Single sign-on systems definitely help users to deal with the password problem, but they still do not completely get rid of passwords. The downsides of password-based authentication schemes remain. If one forgets the password, access to all systems is denied, or even worse, if the one password gets cracked or stolen, every system is compromised.

S/Key [29] is a one-time password system developed for authentication in Unix-like operating systems. The user’s secret password never crosses the network during login, no secret information is stored anywhere, including on the host being protected, and the underlying algorithm may be made public. The real password is combined with a short set of characters and a decrementing counter to form a single-use password. As each single-use password is used only once, passwords intercepted by a password sniffer or keyboard logger are not useful to an attacker. Because the short set of characters does not change until the counter reaches zero, it is possible to prepare a list of single-use passwords, in order, to be carried by the user. Alternatively, the user can present the password, characters and desired counter value to a local calculator to generate the appropriate one-time password, which can then be transmitted over the network in cleartext. The latter form is more common and practically amounts to challenge-response authentication. A cryptographic hash function H is applied n times to a secret key w, thereby producing n one-time passwords. This secret key can either be provided by the user or be generated by a computer. Either way, if this secret is disclosed then the security of S/Key is compromised. The user is then provided with the n passwords in reverse order, and only the last password, which will later authenticate the user, is stored on the server. The initial secret w and the other n-1 passwords are discarded from the server. For authentication the user provides the server with the second password of the list of n passwords. The server computes H(pwd), where pwd is the password supplied. If H(pwd) equals the first password (the one the server has stored), then the authentication is successful. The server then stores pwd as the current reference.
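The hash-chain exchange described above, as an added example in Python (not the S/Key implementation itself). The example assumes SHA-256 as the hash function H, a constructed secret w, and its own class and function names (SKeyServer, SKeyClient, login_sequence); the server keeps only H^n(w), the client walks the chain backwards, and a replayed password is rejected because it no longer hashes to the stored reference.

```python
import hashlib


def H(data: bytes) -> bytes:
    """One-way hash step of the chain. SHA-256 is an assumption of this example;
    the original S/Key used MD4 and later MD5, truncated to 64 bits."""
    return hashlib.sha256(data).digest()


def generate_chain(secret: bytes, n: int) -> list:
    """Apply H repeatedly to the secret w: returns [H^1(w), H^2(w), ..., H^n(w)].
    The user receives these n one-time passwords and uses them in reverse order."""
    chain = []
    current = secret
    for _ in range(n):
        current = H(current)
        chain.append(current)
    return chain


class SKeyServer:
    """Host side: stores only the last password of the chain, H^n(w).
    Neither w nor the other n-1 passwords are ever kept on the host."""

    def __init__(self, last_password: bytes, n: int):
        self.reference = last_password
        self.remaining = n - 1          # logins possible before the chain is exhausted

    def authenticate(self, pwd: bytes) -> bool:
        if self.remaining <= 0:
            return False                # chain used up: a new secret must be enrolled
        # The supplied password must hash to the stored reference.
        if H(pwd) != self.reference:
            return False
        self.reference = pwd            # pwd becomes the new reference for next time
        self.remaining -= 1
        return True


class SKeyClient:
    """User side: the printed list (or the local calculator), handing out the
    next unused password while counting down the chain."""

    def __init__(self, secret: bytes, n: int):
        self.chain = generate_chain(secret, n)
        self.counter = n - 2            # index of H^(n-1)(w), the first password presented

    def last_password(self) -> bytes:
        return self.chain[-1]           # H^n(w), given to the server at enrollment

    def next_password(self) -> bytes:
        if self.counter < 0:
            raise RuntimeError("chain exhausted; re-initialise with a new secret")
        pwd = self.chain[self.counter]
        self.counter -= 1
        return pwd


def login_sequence(n: int = 5, secret: bytes = b"constructed-secret-w") -> list:
    """Enroll a client/server pair, then run a genuine login, a replay of that
    same (sniffed) password, and the next genuine login. Returns the outcomes."""
    client = SKeyClient(secret, n)
    server = SKeyServer(client.last_password(), n)
    first = client.next_password()
    return [
        server.authenticate(first),                      # H(first) == H^n(w): accepted
        server.authenticate(first),                      # replay: H(first) != first, rejected
        server.authenticate(client.next_password()),     # next password in reverse order
    ]


def logins_until_exhausted(n: int, secret: bytes = b"constructed-secret-w") -> int:
    """Count the successful logins a chain of length n provides (n-1)."""
    client = SKeyClient(secret, n)
    server = SKeyServer(client.last_password(), n)
    count = 0
    for _ in range(n - 1):
        if server.authenticate(client.next_password()):
            count += 1
    return count


if __name__ == "__main__":
    print(login_sequence())             # [True, False, True]
    print(logins_until_exhausted(5))    # 4
```

The second authenticate call in login_sequence is the sniffer scenario from the text: the captured password was valid once, but after it became the server’s reference only its preimage, H^(n-2)(w), will be accepted, and that value never crossed the network.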

To my knowledge and at this point in time, there are no secure alternatives to password-based authentication mechanisms other than graphical passwords and keystroke dynamics which, at first sight, fulfill the requirements for an alternative authentication scheme. Most of the available authentication schemes use additional hardware, use text-based usernames and passwords, or use textual passwords in some other way.


Chapter 7

Analysis

The following sections analyze whether graphical passwords and keystroke dynamics fulfill the requirements for an alternative authentication scheme, R1 to R5, described in chapter 3. Graphical passwords and keystroke dynamics do not need any additional hardware; therefore both authentication schemes satisfy requirement R1. Very little research has been done analyzing graphical passwords and keystroke dynamics with regard to their security. Because neither technology is widely used in practice, there are no reports on real cases of breaking graphical passwords. From a security point of view the systems are compared to text-based passwords with regard to the possible attack techniques mentioned in section 2.2, and strengths and weaknesses are pointed out. A comparison of the graphical password techniques discussed here is presented in table 7.1.

7.1 Analysis of Graphical Passwords

7.1.1 Analysis of Draw-A-Secret

Jermyn et al. suggested that, given passwords of reasonable length in a 5×5 grid, the full password space of DAS is larger than the full text password space. Thorpe and van Oorschot [66] analyzed the memorable password space and found that the space of mirror-symmetric graphical passwords is significantly smaller than the full DAS password space. Since people recall symmetric images better than asymmetric images, it is expected that a significant fraction of users will choose mirror-symmetric passwords. They also showed that DAS passwords of length eight or larger on a 5×5 grid may be less susceptible to dictionary attack than textual passwords.

Nali and Thorpe [46] asked users to draw a DAS password on paper in order to determine whether there are predictable characteristics in the graphical passwords that people choose. The study did not find any predictability in the start and end points of DAS password strokes, but found that certain symmetries (e.g. crosses and rectangles), letters, and numbers were common. This study showed that users choose graphical passwords with predictable characteristics, particularly those proposed as memorable. If this study is indicative of the population, the probability with which some of these characteristics occur might reduce the entropy of the DAS password space. If so, the security of the DAS scheme may be substantially lower than originally believed.

To improve security, Thorpe and van Oorschot proposed a “Grid Selection” technique. The selection grid is an initially large, fine-grained grid from which the user selects a drawing grid, a rectangular region to zoom in on, in which they may enter their password (figure 7.1). This would increase the DAS password space by up to 16 bits with an expected negligible increase in input time.

Figure 7.1: Grid selection: the user selects a drawing grid [67].

The registration and the authentication process with DAS take much longer than with text-based passwords. Typing in a password can be done very quickly, while drawing a picture, depending on its complexity, is likely to be more time consuming.

All graphical password authentication mechanisms need a graphical interface to display images, pictures or drawings. With the Draw-A-Secret scheme the user also needs a device to input his drawing. There is an implementation of the DAS scheme for PDAs, which come with a touch-sensitive graphical display that allows the drawing to be input by pen. It might also be possible to log on to a computer with the DAS scheme using the mouse to re-draw the DAS password. However, the application area is very limited compared to textual-password authentication mechanisms.


7.1.2 Analysis of Passlogix

Passlogix follows Blonder’s [13] design of a graphical password scheme in which a password is created by having the user click on several locations on an image. The process of authentication is easy to understand and can be done without any difficulties. Nevertheless, the problem is that the number of predefined regions is small, just a few dozen in a picture. The password may need several clicks for adequate security, more clicks than there are characters in a secure password. Another problematic issue of this system is the need for the predefined regions to be readily identifiable. In effect, this requires artificial, cartoon-like images rather than complex, real-world scenes. This problem will increase on small displays, and the Passlogix graphical password authentication mechanism is therefore not suitable, for example, on PDAs.

7.1.3 Analysis of PassPoints

A major advantage of PassPoints is its large password space compared to alphanumeric passwords. Every pixel in the picture represents a possible password point. The large password space is significant because it reduces the chance of guessing the password. In addition, there is currently no efficient way of mounting dictionary attacks and brute force searches against the PassPoints system. Similarly, PassPoints has an advantage in password space compared to Blonder-style graphical passwords such as Passlogix and recognition-based graphical passwords such as Passfaces.

However, it is doubtful that the full range of pixels in an image is used. If the areas in which users realistically click are limited, this reduces the entropy of passwords and makes it easier for an attacker to guess a password. In most images there are undifferentiated areas that are not good targets for a memorable password point, e.g. an area of an image showing the sky. To increase the number of memorable click points, password images must be chosen which do not have any large uniform areas.

Human usability is also an essential consideration. Wiedenbeck et al. [71] conducted a study concerning human factors and compared an alphanumeric group typing in textual passwords with a graphical group using PassPoints. The alphanumeric group took fewer trials to achieve ten correct password inputs in the learning phase than did the graphical group. This is also reflected in significantly longer total times to input the graphical passwords. 70% of the participants in the alphanumeric group input the password ten times without any errors, and all participants in the alphanumeric group were able to achieve the criterion with a maximum of two incorrect password inputs. The participants in the graphical group needed more trials and showed more variability. 40% of the participants in the graphical group achieved input of the password ten times without any errors, and 70% achieved the criterion with a maximum of three incorrect password inputs [71]. Further, Wiedenbeck et al. pointed out that the most common problem in graphical password input was clicking outside the tolerance around the user’s click point. The participants had difficulty being as precise as required. They were often close to, but outside, the tolerance. The time for the correct input of the password showed that the alphanumeric group was faster in all test trials. The longer input time for the graphical group may be explained by the extra time for mouse movement and selection of the target.

The PassPoints authentication system needs a graphical interface to display the password image. As mentioned above, for some people it can be difficult to click the password pixel precisely enough within the given tolerance. It is likely that users will have even more difficulties if the display gets smaller. Therefore, this graphical password system is not appropriate on PDAs or ATMs. However, the PassPoints system can be applied, for example, on workstations or in internet applications.

7.1.4 Analysis of Deja Vu

Results from a user study by Dhamija and Perrig [24] showed that 90% of all participants succeeded in authenticating with the graphical authentication mechanism of Deja Vu, while only 70% succeeded using text-based passwords and PINs. The average log-in time, however, is longer than with the traditional approach. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user.

A weakness of the Deja Vu system is that the server needs to store the seeds of the portfolio images of each user in cleartext. Workarounds similar to the hashed passwords in the /etc/passwd file on UNIX systems do not work in this case, because the server needs to present the portfolio to the user, hidden within the decoy images [24]. For this reason, the server must be secure and trusted. To reduce the trust required from each server, Dhamija et al. [24] proposed splitting the portfolio among multiple servers, with each server contributing a part of the challenge set for each authentication.

Akula and Devisetty [3] extended the technique proposed by Dhamija and Perrig by using the hash function SHA-1, which produces a 20-byte output. Their algorithm makes transmission more secure and requires less memory.

The probability that a brute force search succeeds is $1/\binom{n}{m}$, which depends on the choice of n, the number of images in the challenge set, and m, the number of portfolio images shown. For example, for n = 20 and m = 4, the probability of a successful brute force attack is 1/4854, which is even higher than for a four-digit PIN (1/10000). To prevent brute-force attacks, it is necessary to deny access to the system after a small number of failed authentication trials.


To prevent guessing, Deja Vu uses random, abstract-looking images generated by Random Art. This makes it difficult for an attacker to predict the portfolio images even if he knows the user’s preferences. A user study by Dhamija et al. [24] showed that if photographs are used instead of Random Art, it is easier to predict portfolio images.

The Deja Vu image authentication system may be used with applications where text input is difficult (ATMs or PDAs), for infrequently used passwords, or in situations where passwords have to be changed frequently.

7.1.5 Analysis of Passfaces

User studies by Valentine [69] have shown that Passfaces are very memorable over long intervals. Comparative studies conducted by Brostoff and Sasse [57] showed that Passfaces had only a third of the login failure rate of text-based passwords, despite having about a third of the frequency of use. Their study also showed that the Passfaces-based log-in process took longer than with text passwords and was therefore used less frequently by users.

Besides the good memorability of faces, an additional advantage of the Passfaces system is that passfaces cannot be written down easily, which inhibits password sharing. The Passfaces system can be used at ATM machines using the numpad or on the internet using the mouse to select the recognized faces.

Despite the user studies showing that passfaces are very memorable and that people recognize faces easily, this is not true for everyone. There are people with prosopagnosia, which is a disorder of the visual cognition system. It is defined as the inability to remember faces. The name is derived from the Greek words ‘prosopon’ (the face) and ‘agnosia’ (not recognizing). The term ‘face blindness’ is also used for this disorder. It is more concise, but somewhat misleading. Face-blind people see faces like everyone else does, but they cannot remember them. A person who suffers from prosopagnosia does not recognize other people by their faces, because they cannot associate a face with a person. The brain structures responsible for these associations are deficient, or they work differently in these people. About 2% of the population is believed to have prosopagnosia [38]. Compared to other visual impairments this is a rather small fraction and can be disregarded.

In general, passwords based on image (e.g. face) recognition have a significant disadvantage. On each screen, only a small number of faces can be displayed, e.g. nine, one of which is a pre-registered Passface. An attacker then has a 1-in-9 chance of guessing this passface. To reduce the chance of an attacker guessing the password, the login process requires several rounds of face recognition. The chance of guessing the password, i.e. all the passfaces, if four rounds are used is $(1/9)^4 = 1.5 \times 10^{-4}$. The probability that guessing succeeds is therefore higher than for a four-digit PIN ($1 \times 10^{-4}$). A few thousand random guesses will suffice for the attacker to find the password. To obtain security similar to that of an eight-character alphanumeric password over an alphabet of 94 characters, 16 or 17 rounds with nine faces each would be required ($9^{17} = 1.6 \times 10^{16} > 94^8 = 6.1 \times 10^{15}$). This would make the login slow and tedious, and most likely, the login would also be perceived by the user as slow and tedious.
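The guessing probabilities discussed for Deja Vu in section 7.1.4 and for Passfaces above, carried out as an added example in Python (not code from the thesis or from either system). The function names are the example’s own; it evaluates the binomial $\binom{20}{4}$ exactly (4845), searches for the number of nine-face rounds whose space reaches $94^8$ (the general form of the 16-or-17-rounds estimate above), and shows why the lockout policy recommended for Deja Vu matters: with a limit of k online attempts, an attacker’s success probability is bounded by roughly $k/\binom{n}{m}$ instead of approaching certainty.

```python
from math import comb


def deja_vu_guess_probability(n: int, m: int) -> float:
    """Probability that one random selection of m images out of a challenge set
    of n images is exactly the user's portfolio: 1 / C(n, m)."""
    return 1 / comb(n, m)


def passfaces_guess_probability(faces_per_round: int, rounds: int) -> float:
    """Probability of guessing a recognition-based login: one correct face among
    faces_per_round in each of the independent rounds, so (1/faces)^rounds."""
    return (1 / faces_per_round) ** rounds


def rounds_for_equivalent_security(faces_per_round: int, alphabet_size: int, length: int) -> int:
    """Smallest number of rounds whose space faces_per_round**rounds is at least
    the textual password space alphabet_size**length (exact integer arithmetic)."""
    target = alphabet_size ** length
    rounds = 1
    while faces_per_round ** rounds < target:
        rounds += 1
    return rounds


def online_attack_success(single_guess_probability: float, allowed_attempts: int) -> float:
    """Probability that a guesser limited to allowed_attempts tries (by a lockout
    policy) succeeds at least once: 1 - (1 - p)^k. This is the quantity a lockout
    threshold bounds; without one, k grows until success is almost certain."""
    return 1 - (1 - single_guess_probability) ** allowed_attempts


def summary() -> dict:
    """The text's worked numbers: Deja Vu with n=20, m=4; Passfaces with nine
    faces over four rounds; rounds needed to match an 8-character password over
    94 symbols; and the effect of a three-attempt lockout on the Deja Vu case."""
    p_dejavu = deja_vu_guess_probability(20, 4)
    return {
        "dejavu_space": comb(20, 4),
        "dejavu_guess_probability": p_dejavu,
        "passfaces_4_rounds": passfaces_guess_probability(9, 4),
        "four_digit_pin": 1 / 10_000,
        "rounds_to_match_94^8": rounds_for_equivalent_security(9, 94, 8),
        "dejavu_with_3_attempt_lockout": online_attack_success(p_dejavu, 3),
        "passfaces_4_rounds_10000_attempts": online_attack_success(
            passfaces_guess_probability(9, 4), 10_000
        ),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:40s} {value}")
```

The last two entries make the point of the lockout recommendation concrete: three allowed attempts keep the Deja Vu guesser below one in a thousand, whereas the same four-round Passfaces login under ten thousand unthrottled attempts is broken most of the time.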

Davis et al. [22] studied the graphical passwords created using the Passfaces technique and found obvious patterns among these passwords. For example, most users tend to choose faces of people from the same race. This makes the Passfaces password somewhat predictable. This problem was later solved by arbitrarily assigning passfaces to users. This might make it harder for people to remember the password, but it ensures security. Thus, enrollment may be a major and difficult task. Procedures to enroll new users and reset Passfaces must be put in place in a large company. This may prove to be quite a large task with a large number of users, compared to sending out sealed envelopes with passwords. There must also be a procedure to correctly identify users for password resets.

Note that at login, a passface is always shown in a grid with the same eight decoy faces. Clearly, if the decoys varied between login sessions, it would be easy for an attacker to identify the passface as the constant. This might present a problem since the user eventually becomes familiar with the decoy faces and starts confusing them with his passfaces.

Previous research has found graphical passwords to be more memorable than non-dictionary or strong alphanumeric passwords. But concerns were expressed that this increase in memorability could also lead to an increased susceptibility of graphical passwords to shoulder-surfing. Tari et al. [65] studied whether the increased memorability of graphical passwords necessarily leads to risks of shoulder-surfing. They examined the real and the perceived vulnerability to shoulder surfing of two configurations of Passfaces compared to non-dictionary and dictionary passwords. A laboratory experiment with 20 participants asked them to try to shoulder-surf the two configurations of Passfaces (mouse versus keyboard data entry) and strong and weak passwords. Study participants both perceived and experienced a higher level of vulnerability to shoulder surfing for Passfaces with the mouse. The very characteristics that allowed users to recognize faces with higher rates of memorability in previous studies led to an increased effectiveness of shoulder surfing [65]. Switching the configuration from mouse input to keyboard input decreased the vulnerability to shoulder surfing significantly. Passfaces with keyboard entry was by far the least vulnerable to shoulder surfing, possibly because the attacker had to look at both the screen and the keyboard at the same time.


7.1.6 Security of Graphical Passwords

Requirement R2 demands higher security; therefore some of the possible techniques for breaking graphical passwords in general are examined in this section and compared with text-based passwords. A comparison of the password space of each graphical password system is presented in table 7.1.

Shoulder surfing

Most of the graphical passwords are vulnerable to shoulder surfing. A recent study by Tari et al. [65] examined only the Passfaces system’s vulnerability to shoulder surfing and showed that Passfaces is very susceptible to this attack technique when a mouse is used to select the passfaces. None of the recall-based techniques are considered shoulder-surfing resistant. One can easily remember the picture or region clicked on when looking over someone’s shoulder. With text-based passwords input can be done faster, but shoulder surfing is also possible.

Spyware

Key-logging or key-listening spyware cannot be used to break most graphical password systems, but 'mouse tracking' spyware might be an effective tool to break graphical passwords. However, mouse motion alone is not enough to break graphical passwords. Such information has to be correlated with application information, such as window position and size, as well as timing information.

However, spyware which takes screenshots of the display can be used to break cued and recognition-based graphical password systems. For example, screenshots can be taken whenever the user clicks the mouse. From this, an attacker can see the pre-registered images in Deja Vu, the click regions in Passlogix and the Passfaces in the Passfaces system.

Social Engineering

Compared to text-based passwords, it is very complicated or nearly impossible for a user to share his graphical password with another person. For example, it is very difficult to give away graphical passwords over the phone. Setting up a phishing web site to obtain graphical passwords would be more time-consuming.


Guessing

It seems that graphical passwords are often predictable, a serious problem typically associated with text-based passwords. For example, studies on the Passfaces technique have shown that people often choose weak and predictable graphical passwords [22]. Therefore RealUser Corp. changed the enrollment process: one can no longer choose one's own Passfaces; they are assigned. Nali and Thorpe's study [46] revealed similar predictability among the graphical passwords created with the DAS technique. The results showed that user drawings contain predictable characteristics relating to symmetry, number of composite strokes and centering within the grid.

Therefore, the used password space is smaller than the theoretical password space. The same holds for most textual passwords, because users often choose weak passwords, for example, only capital letters, no numbers and no symbols.

Brute Force

The main defense against brute force search is to have a sufficiently large password space. Text-based passwords have a password space of 94^N, where N is the length of the password and 94 is the number of printable characters excluding SPACE. Some graphical password techniques have been shown to provide a password space similar to or larger than that of text-based passwords. Recognition-based graphical passwords tend to have smaller password spaces than the recall-based methods [64].

However, it is more difficult to carry out a brute force attack against graphical passwords than against text-based passwords. The attack programs need to automatically generate accurate mouse motion to imitate human input, which is particularly difficult for recall-based graphical passwords. If Passfaces is used with a keyboard instead of a mouse, for example at an ATM, a brute force search attack can easily be applied. However, graphical passwords are in general less vulnerable to brute force attacks than text-based passwords [64].

Dictionary Attack

If recognition-based graphical passwords involve mouse input instead of keyboard input, it is impractical to carry out dictionary attacks against this type of graphical password. For the DAS scheme, a recall-based graphical password, it is possible to use a dictionary attack, but an automated dictionary attack will be much more complex than a text-based dictionary attack. Overall, graphical passwords are less vulnerable to dictionary attacks than text-based passwords [64].


Usability

The major argument for graphical passwords is that pictures are easier to remember than text strings. Preliminary user studies presented in some research papers seem to support this. However, current user studies are still very limited, involving only a small number of users.

With graphical passwords the password registration and log-in process takes longer, especially in recognition-based approaches. For example, in the registration stage, a user has to pick images from a large set of selections. During the authentication stage, a user has to scan many images to identify a few pass-images. Users may find this process long and tedious. Users often find graphical passwords less convenient than text-based passwords because of the long registration and enrollment phase and, of course, because they are not familiar with this new authentication system [64].

Storage and Communication

Graphical passwords require much more storage space than text-based passwords. Hundreds of pictures may have to be stored in a centralized database. Network transfer delay is also a concern for graphical passwords, especially for recognition-based techniques in which a large number of pictures may need to be displayed for each round of verification.

Similar to textual passwords, communication and storage of a user's graphical database must be secure. The database can be stolen from the server or data which is being transmitted for authentication can be intercepted.

7.1.7 Conclusion

In the past there has been a growing interest in using graphical passwords as an alternative to the traditional text-based passwords. A comprehensive survey of the most popular existing graphical password techniques has been conducted. The current graphical password techniques can be classified into three categories: recall-based, cued-recall-based and recognition-based techniques. A comparison of the graphical password techniques is presented in Table 7.1.

The main argument for graphical passwords is that they do not need additional hardware (R1) and that people are better at memorizing graphical passwords than text-based passwords (R3). Suo et al. [64] suggest that it is more difficult to break graphical passwords using the traditional attack methods such as brute force search, dictionary attack, or spyware (R2). However, since there is not yet wide deployment of graphical password systems, the vulnerabilities of graphical passwords are still not fully understood.


An important issue to explore is the retention of graphical and alphanumeric passwords when users have multiple passwords. Interference can cause significant memory problems. Security research [2] confirms that users have difficulty remembering multiple passwords and develop unsafe practices to overcome the problem (writing passwords down, etc.). A question to investigate about graphical passwords is whether interference occurs as much with graphical passwords as with alphanumeric passwords, or indeed whether it occurs more. Multiple graphical passwords could be created using one image or multiple images. Using the same image for multiple passwords in the PassPoints system (e.g. two different sets of password points on one image for logging into two different systems) would be likely to lead to interference, because it would be difficult to associate the correct set of points with a specific system. It is also reasonable to speculate that the content of the image itself may have an important effect on interference, i.e. if there are similar objects in an image they may become confusable when used in different passwords. Using a different image for each password might lead to less interference, but it raises another problem of remembering which image corresponds to which system.

Another problem might be the portfolio creation when thinking of using a graphical password system at an ATM. There is no problem when customers pick up their card at the bank, since the portfolio selection and training can be done in a secure environment at the bank. If the client receives the ATM card in the mail, the portfolio creation is a more difficult problem. Sending all the images of the portfolio in the mail is not satisfactory, because people should not possess a paper copy of their secret information. A possible solution could be to send out a one-time PIN to bootstrap the system, with which the user can authenticate initially at the ATM, which will then perform the portfolio creation and training.

The enrollment and authentication process with graphical passwords is more time-consuming than with textual passwords. However, graphical password systems are not too technical and are simple and easy to use (R4). On the other hand, the area of application of graphical passwords is limited (R5). A graphical user interface is always needed; for example, graphical passwords cannot be used if only a command line is provided.

Overall, the current graphical password techniques are still immature and do not fully satisfy the requirements mentioned in Chapter 3.


Table 7.1 compares the schemes along two usability criteria (authentication, memorability) and two security criteria (password space, attack methods).

Text-based password
  Authentication: Type in the password. Typing the password can be very fast.
  Memorability: Depends on the complexity of the password. Secure passwords are difficult to remember.
  Password space: 94^N (N: length of the password). The actual password space is usually much smaller.
  Attack methods: Dictionary attack, brute force search, password guessing, spyware, shoulder surfing, etc.

DAS
  Authentication: Draw the DAS password on a 2D grid.
  Memorability: Depends on the drawing. User studies show that the drawing sequence is hard to remember.
  Password space: Larger than with text-based passwords. The size of the DAS password space decreases significantly with fewer strokes for a fixed password length.
  Attack methods: Dictionary attack, shoulder surfing, spyware.

Passlogix
  Authentication: Click on several pre-registered locations of a picture in the correct sequence.
  Memorability: The picture gives a cue, but the sequence can be hard to remember.
  Password space: K^N (K: number of regions, N: number of locations selected).
  Attack methods: Brute force search, shoulder surfing, guessing, spyware.

PassPoints
  Authentication: Click on pixels of a picture within a certain tolerance in the correct sequence.
  Memorability: The picture gives a cue, but the sequence can be hard to remember. More difficult than Passlogix because pixels have to be memorized rather than regions.
  Password space: K^N (K: number of pixels, N: number of pixels selected). The PassPoints password space is larger than the password space of Passlogix.
  Attack methods: Brute force search, shoulder surfing, spyware.

Deja Vu
  Authentication: Select several images out of a greater set of images.
  Memorability: Limited user studies show that people remember images better than text-based passwords.
  Password space: C(K, N) = K! / (N! (K−N)!) (K: total number of images, N: number of pre-registered images).
  Attack methods: Brute force search, shoulder surfing, guessing, spyware.

Passfaces
  Authentication: Recognize and select pre-registered pictures.
  Memorability: Face recognition is a dedicated process of the brain. Faces are easier to remember than text passwords.
  Password space: K^N (K: total number of pictures, N: number of passfaces/rounds). K and N are small.
  Attack methods: Brute force search, shoulder surfing, guessing, spyware.

Table 7.1: Comparison of major graphical password schemes
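To make the password-space column of Table 7.1 and the brute-force and guessing discussion in Section 7.1.6 concrete, the following added Python example (not code from the thesis) evaluates the three formulas the table uses, 94^N, K^N and C(K, N), and expresses each space in bits so that schemes can be compared directly; it also contrasts the theoretical text-password space with the smaller space actually used when users restrict themselves to one character class. The parameter values in PARAMS (K, N, the 26-letter "used" alphabet) are constructed for illustration and are not figures from the thesis.

```python
"""Password-space comparison for the schemes of Table 7.1 (added example).

Formulas follow the table: text-based 94^N, Passlogix/PassPoints/Passfaces K^N,
Deja Vu C(K, N). All concrete K and N values below are constructed.
"""
import math
from typing import Dict, List, Tuple

PRINTABLE = 94  # printable characters excluding SPACE, as used in the text


def text_space(length: int, alphabet: int = PRINTABLE) -> int:
    """Text-based password: alphabet^N for a password of N characters."""
    return alphabet ** length


def ordered_space(k: int, n: int) -> int:
    """Passlogix, PassPoints, Passfaces: N ordered selections out of K options (K^N).
    For Passfaces, K is the number of faces offered per round and N the number of rounds."""
    return k ** n


def unordered_space(k: int, n: int) -> int:
    """Deja Vu: N pre-registered images chosen out of K, order irrelevant: K!/(N!(K-N)!)."""
    return math.comb(k, n)


def bits(space: int) -> float:
    """Size of a password space as bits of entropy, assuming a uniform choice."""
    return math.log2(space)


def expected_brute_force_guesses(space: int) -> float:
    """An exhaustive search finds the password after half of the space on average."""
    return space / 2


# Constructed parameters (assumptions, not values from the thesis).
PARAMS: Dict[str, int] = {
    "text_len": 8,        # N for the text-based password
    "used_alphabet": 26,  # users who pick letters of one case only
    "passlogix_k": 50,    # regions in the picture
    "passlogix_n": 4,     # locations the user must click
    "dejavu_k": 20,       # images shown
    "dejavu_n": 5,        # pre-registered images among them
    "passfaces_k": 9,     # faces per round
    "passfaces_n": 5,     # rounds
}


def comparison(p: Dict[str, int] = PARAMS) -> List[Tuple[str, int, float]]:
    """Rows of (scheme, theoretical space, bits) for the constructed parameters.
    The second row is the 'used' space of Section 7.1.6: the same length, but drawn
    from a single character class, which is why guessing succeeds more often than
    the theoretical 94^N suggests."""
    rows = [
        ("text-based, N=%d" % p["text_len"], text_space(p["text_len"])),
        ("text-based, one character class (used space)",
         text_space(p["text_len"], p["used_alphabet"])),
        ("Passlogix, K^N", ordered_space(p["passlogix_k"], p["passlogix_n"])),
        ("Deja Vu, C(K, N)", unordered_space(p["dejavu_k"], p["dejavu_n"])),
        ("Passfaces, K^N", ordered_space(p["passfaces_k"], p["passfaces_n"])),
    ]
    return [(name, space, round(bits(space), 2)) for name, space in rows]


if __name__ == "__main__":
    for name, space, b in comparison():
        print(f"{name:45s} space={space:<20d} bits={b:6.2f} "
              f"avg. guesses={expected_brute_force_guesses(space):.3g}")
```

The bits column is the number to compare: the theoretical 94^8 text password is about 52 bits, the one-class variant about 38 bits, and the recognition-based schemes with small K and N land far below both, which is the point the text makes about recognition-based password spaces. A scheme that forces a keyboard path (Passfaces at an ATM) loses the practical obstacle that mouse-driven input poses to automated search, so its bits value is then the only defense left.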


7.2 Analysis of Keystroke Dynamics

7.2.1 BioPassword

Altman [5] reviewed BioPassword from a functional point of view. BioPassword was installed on a Windows 2000 server and a workstation. When logging in for the first time, the new user was asked to type the username and password combination 15 times. After that, the log-in procedure worked just like the default log-in dialog in Windows.

To investigate whether keystroke dynamics with BioPassword adds security, the reviewers tested whether they could log into each other's accounts when they knew the username and the password. With the default security setting they were not able to log in to another person's account, even after watching the other person type the login information and trying to mimic the typing patterns. However, with a lower security setting, logging in to another person's account succeeded. On the other hand, with the highest security setting, even logging in to one's own account was not always possible. For example, when the position of the user was changed, typing the login information standing up instead of sitting down, logging in did not always succeed.

In another review [16] concerns about security were found. First, it was possible to bypass BioPassword by using the RunAs functionality after logging in normally. When using RunAs only the username and the password are needed; the typing template was not checked. Of course, the RunAs functionality can be disabled, preventing this method of bypassing BioPassword, though availability of the RunAs service is useful in some cases. Secondly, if 100% compliance is wanted and all the user accounts use BioPassword, then losing administrator access to the network is possible. If there is only one administrator account and the person using the account, for example, has an accident and breaks a finger, he will not be able to log in because the typing pattern will be different from the stored template. The problem is reduced if there are many administrators, which is the normal case [32].

On the whole, the reviewers were quite content with the BioPassword system. It was noted to be non-obtrusive for the network and the users, and it does not need any special hardware [32]. After enrollment, users do not see any differences from the normal log-in procedure. However, some concerns about security were mentioned: there were potential routes for gaining access to user accounts. Currently, using operating systems other than Windows is not possible with BioPassword.

Note that the BioPassword technology is currently deployed for verification, as a companion to standard password authentication, providing true two-factor biometric authentication. This is a significant improvement compared to passwords alone, but it is not an alternative to password-based authentication mechanisms. Users still have to memorize their username and password.


7.2.2 Security of Keystroke Dynamics

Very little research has been conducted to analyze keystroke dynamics with respect to security. The application of keystroke dynamics to computer access security is relatively new and not widely used in practice. Reports on real cases of breaking keystroke dynamics authentication systems do not exist.

Keystroke dynamics schemes are analyzed with regard to traditional attack techniques in the following.

Shoulder Surfing

No matter whether keystroke dynamics are used in the verification or the identification mode, shoulder surfing is no threat to the authentication system. There is no password used in the identification case and therefore, of course, the password cannot be stolen. Only the keystroke pattern is important and decisive. In the case of verification, an attacker may be able to obtain the password by shoulder surfing. However, keystroke dynamics for verification is a two-factor authentication mechanism: the keystroke pattern still has to match the stored profile.

Spyware

Spyware is probably the best and easiest way to crack keystroke-dynamics-based authentication systems. If a user unintentionally installs a trojan which records all of the user's typing, keystroke latencies and keystroke durations, an attacker could use this information to reproduce the user's keystroke pattern. A program could simulate the user's typing from the recorded keystroke pattern and gain access to the system. Much more research in this area must be done.

Social Engineering

At first sight, social engineering is not possible with keystroke dynamics. In the identification case there is no password which can be given away, not even on purpose. Asking for the password on the phone while pretending to be the authorized user is not feasible. Nevertheless, phishing, social engineering via the internet, may be a way of tricking a user into giving away his keystroke pattern. The attacker might masquerade as a trustworthy person or business in an apparently official request, asking the user to log on to a primed website. When the user logs on to the website, the attacker might record the keystroke rhythm of the user. Like doing 'reverse engineering', the attacker could then use the recorded keystroke latencies and durations to simulate the user's input. However, the success rate would probably be very low. The user must type his username and password several times in order to yield a meaningful keystroke pattern.

Guessing

Another user's way of typing can hardly be simulated. There are just too many different ways of typing on a keyboard. A review of BioPassword [33] by Altman [5] confirms this. The reviewers were not able to log in to another person's account with the default security setting, even after watching the other person type the login information and trying to mimic the typing patterns.

Brute Force

The main defense against brute force search is to have a sufficiently large password space. The password space of keystroke dynamics authentication schemes is quite large. There are 94! possible digraph combinations, where 94 is the number of printable characters excluding SPACE. This is much larger than for a random password of eight characters (94^8, cf. Section 2.2).

In addition, it is nearly impossible to carry out a brute force attack against keystroke dynamics. The attack programs need to automatically generate keystroke patterns and imitate human input. If keystroke dynamics are used in a two-factor authentication mechanism and a username and password are required too, it is almost impossible to overpower the security system.

Dictionary Attack

As with brute force searches, it is impractical to carry out dictionary attacks against keystroke dynamics authentication mechanisms. It is possible to use a dictionary attack which consists of general keystroke patterns, but an automated dictionary attack will be much more complex than a text-based dictionary attack. Again, the attack programs need to automatically generate keystroke patterns and imitate human input. Overall, keystroke dynamics are less vulnerable to brute force and dictionary attacks than text-based passwords.


Usability

The major benefit of keystroke dynamics in the identification case is that there is no password. No password can be forgotten, written down or stolen. Preliminary user studies presented decent False Accept and False Reject Rates. Still, most of the time the error rates are unacceptably high, and current user studies are still very limited, involving only a small number of users. There is no convincing evidence demonstrating that keystroke dynamics work for all users in practice. Of all the keystroke dynamics schemes mentioned above, only an implementation of BioPassword is available on the market. Compared to textual passwords the registration or enrollment phase takes longer. In order for the authentication system to create a keystroke pattern of the user, the user must type a large number of sentences, or, at least in the verification case, repeat the username and password several times. After that, the log-in process is not more time-consuming than with text-based passwords.

Storage and Communication

Keystroke patterns require more storage space than hashes of text-based passwords. Several keystroke latencies and durations have to be stored. However, not all of the digraph latencies have to be stored, only the characteristic ones. Keystroke dynamics solutions are still very immature and there is no implementation for remote authentication yet. This is a difficult task because the communication protocol must be able to transmit keystroke information too. Thinking of HTTP authentication, a routine to verify the keystroke pattern of a user might be necessary in every web browser. Much more research and investigation is needed in this area.

7.2.3 Conclusion

Keystroke dynamics is the process of analyzing the way users type by monitoring keyboard inputs and identifying them based on patterns in their typing rhythm. A standard keyboard can be used and no additional hardware is required (R1). Several studies have been presented in recent years that support the assumption that different individuals exhibit characteristics in their typing rhythm that are strikingly individualistic, and that these characteristics can be successfully exploited and used for identification verification of computer users (R4) [45].

There are many different methods of using keystroke dynamics for authentication: static at login, dynamic or continuous dynamic. With static at login, for example, the keystroke dynamics of a computer user's login string are used to provide a characteristic pattern that can be used for verification of the user's identity. Especially when implemented in conjunction with identification based on knowledge of a password, keystroke dynamics are rich in individual mannerisms and traits that can be used to authenticate access to computer systems and networks. This is the case with keystroke dynamics used for verification, which can be considered more as user credential hardening than as an alternative authentication mechanism.

Continuous keystroke analysis authenticates a user on the basis of their typing during the entire session. Data is continuously captured and compared with the user profile to determine deviations. This method provides some advantages over the static approach. It is not dependent on the entry of specific text, and is able to perform authentication on the basis of any input. Another factor is that the range of digraphs and the frequency of their occurrence are likely to be larger than with a static approach. This is an important factor, as it is necessary to have a statistically significant volume of keystroke data in order to generate a user profile. However, the most important feature of verifying the identity throughout a login session is that it avoids the time-of-check-to-time-of-use problem: an attacker will immediately be recognized as an unauthorized user.

As shown in Table 5.1, many different keystroke dynamics schemes have been developed. The most commonly used keystroke dynamics metric is digraph latency, which typically measures the delay between the key-up and the subsequent key-down events produced during normal typing. However, there is as yet no single established pattern recognition algorithm. Obaidat and Sadoun [49] found in their study that artificial neural network paradigms are more successful than classical pattern recognition algorithms in the classification of users.
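The digraph-latency metric just described, together with the tolerance-dependent behaviour reported for BioPassword in Section 7.2.1 (an impostor accepted at a low security setting, the legitimate user rejected at the highest setting after changing posture) and the point from the Storage and Communication section that only the characteristic digraph latencies need to be stored, as an added Python example. It is neither BioPassword's algorithm, which is proprietary, nor code from the thesis: the login string, the timings, the enrollment jitter, the security-setting values and the mean-plus-k-sigma acceptance rule are all constructed assumptions, chosen so that the three outcomes reported in the review can be reproduced.

```python
"""Keystroke-dynamics enrollment and verification on a fixed login string (added example).

Features: dwell time per key (key-down to key-up) and digraph latency (key-up of
one key to key-down of the next). The 'tolerance' argument plays the role of the
security setting described for BioPassword; the classifier itself is a simplified
assumption, not the product's algorithm. All timings below are constructed.
"""
import statistics
from typing import Dict, List, Tuple

KeyEvent = Tuple[str, int, int]      # (key, key_down_ms, key_up_ms)
Profile = Dict[str, Tuple[float, float]]  # feature -> (mean, sigma)
LOGIN = "pass"                        # constructed login string; digraphs pa, as, ss


def make_sample(text: str, dwells: List[int], latencies: List[int]) -> List[KeyEvent]:
    """Build a key-event trace from per-key dwell times and per-digraph latencies."""
    events, t = [], 0
    for i, ch in enumerate(text):
        down, up = t, t + dwells[i]
        events.append((ch, down, up))
        if i < len(text) - 1:
            t = up + latencies[i]
    return events


def features(events: List[KeyEvent]) -> Dict[str, int]:
    """Dwell time per key position and key-up-to-key-down latency per digraph."""
    feats: Dict[str, int] = {}
    for i, (ch, down, up) in enumerate(events):
        feats[f"dwell:{i}:{ch}"] = up - down
        if i + 1 < len(events):
            nxt_key, nxt_down, _ = events[i + 1]
            feats[f"lat:{i}:{ch}{nxt_key}"] = nxt_down - up
    return feats


def build_profile(samples: List[List[KeyEvent]], max_sigma: float = 30.0,
                  min_sigma: float = 5.0) -> Profile:
    """Enrollment: mean and standard deviation of every feature over repeated typings.
    A feature whose spread exceeds max_sigma is not characteristic of this user and is
    left out of the stored template (only characteristic digraphs are stored); tiny
    spreads are floored at min_sigma so a few identical samples cannot lock the user out."""
    columns: Dict[str, List[int]] = {}
    for s in samples:
        for k, v in features(s).items():
            columns.setdefault(k, []).append(v)
    profile: Profile = {}
    for k, values in columns.items():
        if len(values) < 2:
            continue
        mu, sigma = statistics.mean(values), statistics.stdev(values)
        if sigma <= max_sigma:
            profile[k] = (mu, max(sigma, min_sigma))
    return profile


def verify(profile: Profile, attempt: List[KeyEvent], tolerance: float = 2.0,
           required: float = 0.8) -> Tuple[bool, float]:
    """Accept when at least `required` of the template features lie within
    tolerance * sigma of the enrolled mean. A smaller tolerance is a stricter
    security setting: it keeps impostors out but also rejects a user whose rhythm drifted."""
    feats = features(attempt)
    hits = sum(1 for k, (mu, sigma) in profile.items()
               if k in feats and abs(feats[k] - mu) <= tolerance * sigma)
    score = hits / len(profile) if profile else 0.0
    return score >= required, score


# --- constructed data (assumptions, not measurements) ---------------------------
BASE_DWELL = [90, 80, 100, 95]   # ms per key of "pass"
BASE_LAT = [120, 150, 110]       # ms for pa, as, ss
JITTER = [-6, -3, 0, 3, 6]       # drift across the enrollment typings
ENROLLMENT = [
    make_sample(LOGIN, [d + j for d in BASE_DWELL],
                [BASE_LAT[0] + j, BASE_LAT[1] + j, BASE_LAT[2] + 8 * j])  # "ss" is erratic
    for j in JITTER
]
SEATED = make_sample(LOGIN, [d + 2 for d in BASE_DWELL], [l + 2 for l in BASE_LAT])
STANDING = make_sample(LOGIN, [d + 8 for d in BASE_DWELL], [l + 9 for l in BASE_LAT])
# someone who watched the user and mimics the rhythm, but stays 10-25 ms off
MIMIC = make_sample(LOGIN, [75, 70, 88, 82], [145, 175, 135])

PROFILE = build_profile(ENROLLMENT)

if __name__ == "__main__":
    print("stored template features:", sorted(PROFILE))   # lat:2:ss is dropped
    for name, att in [("seated", SEATED), ("standing", STANDING), ("mimic", MIMIC)]:
        for tol in (1.0, 2.0, 6.0):
            print(f"{name:9s} tolerance={tol}: {verify(PROFILE, att, tol)}")
```

With the default tolerance (2.0) the seated and standing typings of the enrolled user are accepted and the mimic is rejected; at the strictest setting (1.0) the standing typing is rejected too, and at the loosest (6.0) the mimic gets in, which is the trade-off the BioPassword reviewers observed. The erratic "ss" latency is excluded from the template at enrollment, so it neither inflates storage nor affects the score; min_sigma is the floor that keeps one unusually consistent enrollment from turning into a self-lockout.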

Although the use of a behavioral trait – rather than a physiological characteristic – as a sign of identity has inherent limitations when implemented in conjunction with traditional schemes, keystroke dynamics allows for the design of more robust authentication systems than traditional password-based alternatives alone.

The inherent limitations that arise with the use of keystroke dynamics as an authentication mechanism are attributed to the nature of the reference 'signature' and its relationship to the user. The habitual rhythm in a user's typing pattern depends on the user and the environment. The speed of typing can be totally different between different users. An experienced touch-typist writes faster than a beginner using just one finger. Also, the predictability of a fast writer is much greater – there is no need to stop and think about where a letter is located on the keyboard. The typing can also be affected if the user is at a lower level of alertness, for example, sleepy or ill. Users can also have accidents and consequently write in an abnormal fashion for a few weeks when a finger is bandaged, or type with one hand when holding a cup of coffee in the other hand, and so on. Changing the keyboard to a different model or using a laptop computer instead of a normal PC can also affect keystroke dynamics tremendously. Presumably a user types differently in a chat application than when writing a business-related letter.

Another problem with keystroke recognition is that, unlike other non-static biometrics such as voice, there are no known features or feature transformations which are dedicated solely to carrying discriminating information. Fortunately, in the past few years researchers have shown that different individuals exhibit characteristics in their typing rhythm that are strikingly individualistic and that these characteristics can successfully be exploited and used for identification purposes. However, these studies have only a small number of participants.

The performance of keystroke dynamics schemes also depends on the approach being used. This is also supported by the observations of Mahar et al. [41] that there is significant variability in how a typist produces digraphs.

Traditional attack techniques such as shoulder surfing or social engineering do not work with keystroke dynamics (R2). There is no such thing as a password and therefore it cannot be forgotten, written down, or given to somebody else (R3). This is clearly an advantage and a gain in security. Probably helpdesk costs will be reduced too, because resetting passwords will no longer be necessary. However, timing attacks may be feasible. When the user's keystroke dynamics profile is known, it may be possible to guess what is being written when only the latencies between keystrokes are measured. If the communication protocol sends every letter the user types separately, then it is possible to record their timings. It might be possible to guess which letters were written, or, in the case of cracking passwords, at least to reduce the number of possible password choices to crack with the usual brute-force methods from the timing data.

There are also legal and regulatory issues with keystroke dynamics. Keystroke dynamics is key-logging software, which may be in direct and explicit violation of company policies or local laws. In high-security environments, recording what is being typed is also not permissible. However, the area of application is almost as large as with text-based passwords (R5).

In the case of verification, keystroke dynamics cannot be thought of as an alternative to password-based authentication mechanisms because a username and password are still required. In the case of identification there are no products available which use continuous keystroke analysis. The effectiveness of keystroke dynamics systems is not known, since the techniques used in these products are often confidential and very little research about their effectiveness is available in the public domain.


Chapter 8

Passwords Remain Prevalent

Traditionally, alphanumeric passwords have been used for authentication, but they are known to have security and usability problems. Computer users forget their passwords and have trouble managing the large number of passwords they need for different computer systems. Consequently, they write passwords down, breaking the most elementary rule of knowledge-based authentication. From a security point of view this is unacceptable. However, the cost of resetting forgotten passwords has reached such proportions that in some organizations writing passwords down is regarded as the lesser evil. Additionally, the number of applications requiring user authentication is increasing rapidly. The average user must memorize five or more passwords, and each organization adopts its own technology, which means that users are confronted with learning and using several log-on systems [4]. There is an even larger problem for power internet users with dozens of password-protected accounts. These might include eBay, PayPal, an online brokerage account, one or more online banking accounts, one or more e-mail accounts, and several online shopping accounts. Unless the usability of knowledge-based mechanisms is improved, many individual and corporate users will face serious security problems.

Today other methods, including graphical passwords and keystroke dynamics, have become possible alternatives claiming to increase usability and security simultaneously. Graphical passwords and keystroke dynamics address the problem of knowledge-based authentication systems, which is that the authentication task is based on precise recall of the secret knowledge. Most graphical password authentication systems utilize cued recall or recognition of images rather than recall of words. Keystroke dynamics is a biometric authentication scheme which identifies a person by his typing dynamics. In both cases, the users do not have to memorize a username or password. Graphical passwords and keystroke dynamics are very promising authentication mechanisms and work very well in some applications. Graphical passwords can be applied to mobile devices, web applications, ATMs and workstations. Keystroke dynamics are most commonly used for password hardening. However, they have limitations and cannot fully replace the traditional password-based authentication scheme. Text-password-based systems will remain prevalent in the near future for reasons such as user resistance to change, the cost of modifying the existing systems and compatibility with legacy systems.

New authentication systems also do not always provide the level of security which is required. Many networked software systems today use some kind of public key exchange to set up an encrypted session, over which a username/password pair is sent. Good examples of this are the widespread use of SSL and SSH. Passwords are relatively safe over such channels. Passwords and PINs with Secure Sockets Layer encryption will remain the most widely used method for user authentication for now, due to the logistics of distributing physical tokens or smart cards. In 2004 about 95% of online interactions were authenticated by passwords or PINs. A drop below 90% is not expected by Gartner researchers before 2007 [44].

Today, costs are the main driver in companies, so they might consider replacing password authentication systems with alternative schemes purely for reasons of cost. Decreasing helpdesk costs might be more important to a company than the level of security. Probably no single method of authentication will completely replace passwords, and trends reveal that organizations are employing multiple techniques for user authentication [44].

Chapter 9

Conclusion

The goal of this study was to present an overview of secure alternatives to password-based authentication mechanisms. The password problem in Chapter 2 makes it very clear that there are fundamental problems with the usability and security of passwords and that there is a need for secure alternative authentication systems. In Chapter 3, the requirements which alternative authentication schemes have to fulfil were formulated. One major demand is doing without additional hardware. Therefore, only alternative authentication mechanisms which do not need any extra hardware, namely graphical passwords and keystroke dynamics, were reviewed in Chapter 4 and Chapter 5, respectively. Chapter 6 presented a broader overview of further alternative authentication techniques. The requirements were reviewed and an analysis of graphical passwords and keystroke dynamics from a usability and security point of view was conducted in Chapter 7. Chapter 8 explained why passwords will probably remain prevalent in the near future, despite new alternative authentication schemes.

The past decades have seen a growing interest in alternatives to traditional text-based passwords. This is mostly due to the fact that users have difficulties remembering a password that is long and appears to be random. Instead, they create short, simple, and insecure passwords.

There are several alternative authentication mechanisms to choose from. For reasons of hardware cost, security and usability, only a few are applicable. In this study the alternative authentication mechanisms have to meet certain requirements, such as no additional hardware, effective security, better memorability, simple and easy usability and, finally, a large area of application. At first sight, graphical passwords and keystroke dynamics meet these requirements.


Graphical passwords have been designed to make passwords more memorable and easier for people to use and therefore more secure. The current graphical password techniques can be classified into three categories: pure recall-based, cued recall-based and recognition-based. A comparison of current graphical password techniques is presented in Table 7.1. The analysis shows that registration and authentication take longer with graphical passwords than with text-based passwords. But the analysis also suggests that it is more difficult to break graphical passwords using traditional attack methods such as brute force search, dictionary attacks, or spyware, although user choice narrows the effective password space, as the graphical dictionaries of [22, 66] show. However, since graphical password systems are not yet widely deployed, their vulnerabilities are still not fully understood. Although the main argument for graphical passwords is that people are better at memorizing graphical passwords than text-based passwords, the existing user studies are very limited. In general, graphical passwords, especially the Passfaces system, are promising techniques but do not satisfy all of the preferable requirements. Most of the time the area of application is too small to fully replace text-based password systems. The current graphical password techniques are still immature. Much more research and more user studies are needed for graphical password techniques to achieve higher levels of maturity and usefulness.
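One implementation detail the security argument above rests on deserves a concrete illustration. A cued-recall scheme must accept a click that lands near, not exactly on, the enrolled point, and the naive way to get that tolerance is to store the raw coordinates and compare distances at login, which leaves the secret readable to anyone with access to the credential store. The robust discretization of Birget, Hong and Memon [11] avoids this by mapping each coordinate to a cell in one of several mutually offset grids, choosing a grid in which the point lies well inside its cell, storing the grid choice in the clear and hashing only the cell indices. The following is an added example written for this page, not code from the thesis or from any PassPoints implementation; the tolerance R, the cell length 6R with offsets 0, 2R and 4R, the sample click coordinates and the fixed salt are all this example's own assumptions.

```python
import hashlib
import os

R = 10                       # click tolerance in pixels (assumed)
CELL = 6 * R                 # cell length; with three offsets every coordinate has a "safe" grid
OFFSETS = (0, 2 * R, 4 * R)  # the three mutually offset grids


def choose_grid(x):
    """Pick the grid in which coordinate x is at least R pixels from both cell edges.

    Returns (grid_index, cell_index). Any x' with |x' - x| <= R then falls into the
    same cell of that grid, which is what makes the hashed record tolerant.
    """
    for g, off in enumerate(OFFSETS):
        pos = (x - off) % CELL           # position of x inside its cell on grid g
        if R <= pos <= CELL - 1 - R:     # safe zone: R pixels of slack on either side
            return g, (x - off) // CELL
    raise RuntimeError("unreachable: the three offset grids cover every coordinate")


def cell_index(x, g):
    """Cell of coordinate x on grid g (used at verification time)."""
    return (x - OFFSETS[g]) // CELL


def _digest(cells, salt):
    """Salted SHA-256 over the ordered sequence of (x_cell, y_cell) pairs."""
    data = salt + ",".join(f"{cx}:{cy}" for cx, cy in cells).encode()
    return hashlib.sha256(data).hexdigest()


def enroll(points, salt=None):
    """points: ordered (x, y) clicks chosen at registration. Returns the stored record.

    The record holds the per-click grid choices in the clear and a hash of the cell
    indices; the coordinates themselves are not stored anywhere.
    """
    salt = os.urandom(16) if salt is None else salt
    grids, cells = [], []
    for x, y in points:
        gx, cx = choose_grid(x)
        gy, cy = choose_grid(y)
        grids.append((gx, gy))
        cells.append((cx, cy))
    return {"salt": salt, "grids": grids, "hash": _digest(cells, salt)}


def verify(record, points):
    """Re-derive the cell indices using the stored grid choices and compare hashes."""
    if len(points) != len(record["grids"]):
        return False
    cells = [(cell_index(x, gx), cell_index(y, gy))
             for (x, y), (gx, gy) in zip(points, record["grids"])]
    return _digest(cells, record["salt"]) == record["hash"]


# Constructed sample data: three click points on an assumed 400x300 image.
ENROLLED_POINTS = [(123, 57), (310, 240), (44, 199)]
RECORD = enroll(ENROLLED_POINTS, salt=b"fixed-salt-for-the-example")
NEAR_MISS = [(130, 50), (300, 245), (54, 190)]    # every click within R of the original
WRONG_POINT = [(123, 57), (310, 240), (44, 150)]  # last click 49 pixels off

if __name__ == "__main__":
    print("near miss accepted:", verify(RECORD, NEAR_MISS))      # True
    print("wrong point accepted:", verify(RECORD, WRONG_POINT))  # False
```

Two practical notes. The grid choices stored in the clear reveal a little about where each coordinate lies inside its cell, which is a known cost of the scheme. And because the space of cell sequences is small compared with a text password, a deployment should replace the single SHA-256 used here for brevity with a deliberately slow password hash and rate-limit attempts, otherwise the stored record is open to offline guessing.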

Keystroke dynamics are rich in individual mannerisms and traits, and features extracted from them can be used to authenticate access to computer systems and networks. Keystroke dynamics is an inexpensive biometric verification method, as no additional hardware besides a normal keyboard is needed. On the other hand, keystroke dynamics is not a strong biometric identification method, so it is not applicable to situations where the most stringent security measures have to be followed. There are many different pattern recognition algorithms and metrics for measuring keystroke rhythms. Digraph latency is the most commonly used metric, and artificial neural network approaches have been found to be more successful than classical pattern recognition algorithms in classifying users. The keystroke dynamics of a computer user's login string provide a characteristic pattern that can be used for identification and verification. Keystroke patterns combined with other security schemes can provide a very powerful and effective means of authentication and verification of computer users. A username/password-based authentication procedure is made significantly more secure by keystroke dynamics: knowing the username and the password is not enough to log in to the system, the typing dynamics of the real user have to be imitated as well. BioPassword is a promising application which uses keystroke dynamics for verification. The security analysis suggests that it is more difficult to break keystroke dynamics-based authentication systems using traditional attack techniques; the gain is against guessing, not against a compromised client, since a keylogger that records timestamps as well as keys can replay a genuine sample. Attacks are significantly more difficult if continuous keystroke dynamics identification is used. However, no such systems appear to be available, and systems for identification do not work very well yet. This is the reason why keystroke dynamics do not fulfil the requirements for an alternative authentication method. In the verification case, a username and password, which can be forgotten or cracked, are still used. Further research into reliable methods is needed in order to make keystroke-based authentication systems unobtrusive and widely accepted by the computing and network security community.

Overall, graphical passwords and keystroke dynamics are promising alternatives to password-based authentication mechanisms and are very useful in certain areas. Depending on the system, graphical passwords can be applied to workstations, web applications, ATMs and mobile devices. For example, Passfaces can be used at ATMs to replace PINs. Keystroke dynamics has many applications in the computer security arena, such as restricting root-level access to the master server hosting a key database. Any user trying to access the server is prompted to type a pass phrase along with his username and password. Access is granted if his typing pattern matches that of the claimed identity within a reasonable threshold. Dynamic or continuous monitoring of users while they access highly restricted documents or execute tasks in environments where the user must be alert at all times is an ideal scenario for a keystroke authentication system. For example, keystroke dynamics may be used to detect an uncharacteristic typing rhythm, brought on by drowsiness, fatigue etc., in air traffic controllers and notify third parties so that the necessary action can be taken.
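The two keystroke passages above, the digraph-latency metric used to harden a username/password login and the server that grants access only when the typing pattern of the pass phrase matches the claimed identity within a threshold, can be made concrete with a small verifier. The following is an added example written for this page, not BioPassword's code or any algorithm taken from the thesis: it uses press-to-press digraph latencies, a template of per-position mean and standard deviation built from several enrollment typings, a scaled Manhattan distance, and a fixed acceptance threshold. The login string, the timings, the standard-deviation floor and the threshold are constructed values chosen for the illustration, not measurements.

```python
from statistics import mean, pstdev

MIN_STD_MS = 10.0   # floor for the std so one very consistent digraph cannot dominate (assumed)
THRESHOLD = 1.5     # accept if the mean scaled deviation is below this (assumed; tune on real data)


def typed(text, gaps_ms, hold_ms=80):
    """Build constructed key events (key, press_ms, release_ms) from inter-key gaps."""
    events, t = [], 0
    for ch, gap in zip(text, [0] + list(gaps_ms)):
        t += gap
        events.append((ch, t, t + hold_ms))
    return events


def digraph_latencies(events):
    """Press-to-press latency of each consecutive key pair, keyed by (position, digraph).

    Keying by position as well as by digraph keeps repeated digraphs apart and ties
    the template to the exact login string.
    """
    return [((i, k1 + k2), p2 - p1)
            for i, ((k1, p1, _), (k2, p2, _)) in enumerate(zip(events, events[1:]))]


def enroll(samples):
    """Template {(position, digraph): (mean_ms, std_ms)} from several typings of one string."""
    per_key = {}
    for ev in samples:
        for key, lat in digraph_latencies(ev):
            per_key.setdefault(key, []).append(lat)
    return {key: (mean(lats), max(pstdev(lats), MIN_STD_MS)) for key, lats in per_key.items()}


def distance(template, events):
    """Scaled Manhattan distance: mean over digraphs of |latency - mean| / std.

    Returns inf if the typed text does not match the enrolled string, so a wrong
    password is rejected before any timing is considered.
    """
    lats = digraph_latencies(events)
    if len(lats) != len(template) or any(key not in template for key, _ in lats):
        return float("inf")
    return sum(abs(lat - template[key][0]) / template[key][1] for key, lat in lats) / len(lats)


def verify(template, events, threshold=THRESHOLD):
    """Accept the login only if the correct string was typed with a matching rhythm."""
    return distance(template, events) < threshold


# Constructed data: the genuine user's three enrollment typings of "secret42" and three probes.
LOGIN = "secret42"
ENROLLMENT = [typed(LOGIN, [120, 140, 110, 130, 200, 150, 160]),
              typed(LOGIN, [130, 135, 115, 125, 210, 155, 150]),
              typed(LOGIN, [115, 150, 105, 135, 195, 145, 170])]
TEMPLATE = enroll(ENROLLMENT)
GENUINE_PROBE = typed(LOGIN, [125, 138, 112, 128, 205, 148, 165])
IMPOSTOR_PROBE = typed(LOGIN, [250, 180, 300, 220, 160, 260, 240])  # right password, wrong rhythm
WRONG_PASSWORD = typed("secret43", [125, 138, 112, 128, 205, 148, 165])

if __name__ == "__main__":
    for name, probe in [("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE),
                        ("wrong password", WRONG_PASSWORD)]:
        print(f"{name:15s} d={distance(TEMPLATE, probe):6.2f} accepted={verify(TEMPLATE, probe)}")
```

In a real deployment the threshold is not a constant but is set from the trade-off between false acceptances and false rejections, which the thesis discusses as the equal error rate (Figure 5.2), and the template is refreshed as the user's rhythm drifts over time. The distance measure here is deliberately simple; the thesis notes that neural network classifiers have performed better than such classical measures.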

However, text-based passwords will probably remain prevalent in the near future for

reasons such as user resistance to change, cost of modifying the existing systems and

compatibility with legacy systems.


Acknowledgments

I would like to express my thanks to my supervisors, Prof. Dr.-Ing. Felix Freiling for

providing and assigning this interesting and challenging topic, and Prof. Christian Bischof

for the 2nd examination of this diploma thesis.

My special thanks go to Dipl.-Inform. Martin Mink whose guidance as an advisor was

indispensable for me. Thank you for several helpful discussions and for your advice

during my work on this thesis.

I am also deeply indebted to my parents for their support throughout all my years

of study. Their silent support enables me to pursue my goals and dreams, no matter

whether they are related to education or not. Thank you for all the sacrifices you have

made for me. Loving thanks go to my Mum for proof-reading and eliminating a few

grammar and comma mistakes.

My thanks go to Felix Langness, Matthias Sondermann and Christian Terboven

for many good and encouraging ideas. Finally, and most importantly, my deepest thanks

to Stefanie Kamp. Thank you for your love, your critical remarks and your moral

support.


List of Figures

4.1 Draw-A-Secret – Graphical Password System . . . . . . . . . . . . . . . . . 19

4.2 Passlogix – Graphical Password System . . . . . . . . . . . . . . . . . . . . 20

4.3 PassPoints – Graphical Password System . . . . . . . . . . . . . . . . . . . 21

4.4 Deja Vu – Graphical Password System . . . . . . . . . . . . . . . . . . . . 23

4.5 Passfaces – Graphical Password System . . . . . . . . . . . . . . . . . . . . 24

4.6 Keyboard usage with Passfaces . . . . . . . . . . . . . . . . . . . . . . . . 25

5.1 Measurements of keystroke latencies . . . . . . . . . . . . . . . . . . . . . . 32

5.2 Equal Error Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

5.3 The BioPassword Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

7.1 Grid selection enhancement of Draw-A-Secret . . . . . . . . . . . . . . . . 46


List of Tables

5.1 Previous keystroke analysis studies . . . . . . . . . . . . . . . . . . . . . . 38

7.1 Comparison of major graphical password schemes . . . . . . . . . . . . . . 55


Bibliography

[1] A. Adams, M. Sasse, and P. Lunt. Making Passwords Secure and Usable. People and Computers XII, pages 1–20, 1997.

[2] A. Adams and M.A. Sasse. Users are not the enemy: Why users compromise computer security mechanisms and how to take remedial measures. Communications of the ACM, pages 41–46, 1999.

[3] S. Akula and V. Devisetty. Image Based Registration and Authentication System. Proceedings of the Midwest Instruction and Computing Symposium, 2004.

[4] K. Allendoerfer. Human factors considerations for passwords and other user identification techniques. Technical Report, September 2005.

[5] A. Altman. Review of BioPassword 4.5. http://www.biometritech.com/features/022502review.htm, October 2003.

[6] Real User Personal Authentication. The Science Behind Passfaces. White Paper, June 2004.

[7] N. Bartlow. Username and Password Verification through Keystroke Dynamics. Master's Thesis, 2005.

[8] A. Bauer. Gallery of random art. http://andrej.com/art/, 1998.

[9] D. Bensinger. Human memory and the graphical password. Passlogix White Paper, 1998.

[10] I. Biederman, A. Glass, and E. Stacy. Searching for objects in real world scenes. Journal of Experimental Psychology, pages 22–27, 1973.

[11] J.C. Birget, D. Hong, and N. Memon. Robust discretization, with an application to graphical passwords. Cryptology ePrint Archive, 2003.

[12] S. Bleha, C. Slivinsky, and B. Hussien. Computer-access security systems using keystroke dynamics. IEEE Transactions on Pattern Analysis and Machine Intelligence, pages 1217–1222, December 1990.

[13] G. Blonder. Graphical passwords. United States Patent 5559961, 1996.

[14] M. Boroditsky. Passlogix password schemes. http://www.passlogix.com.

[15] M. Boroditsky. Passwords - Security Weaknesses and User Limitations. Passlogix White Paper, 1998.

[16] R. Bragg. Biometric security products. http://www.mcpmag.com/Features/article.asp?EditorialsID=270.

[17] K. Brittain and R. Pacquet. The Cost of a non-automated Help Desk. Gartner Research, January 2002.

[18] W.L. Bryan and N. Harter. Studies in the Physiology and Psychology of the Telegraphic Language. The Psychology of Skill: Three Studies, pages 35–44, 1973.

[19] S.K. Card, T.P. Moran, and A. Newell. Computer text-editing: An information-processing analysis of a routine cognitive skill. Cognitive Psychology, pages 32–74, 1980.

[20] RealUser Corporation. http://www.realuser.com.

[21] F. Craik and R. Lockhart. Levels of processing: A framework for memory research. Journal of Verbal Learning and Verbal Behavior, pages 671–684, 1972.

[22] D. Davis, F. Monrose, and M.K. Reiter. On user choice in graphical password schemes. Proceedings of the 13th USENIX Security Symposium, 2004.

[23] R. Dhamija and A. Perrig. Deja Vu: A User Study Using Images for Authentication. Proceedings of the 9th USENIX Security Symposium, September 2000.

[24] R. Dhamija and A. Perrig. Deja Vu: A User Study Using Images for Authentication. Proceedings of the 9th USENIX Security Symposium, 2000.

[25] P. Dowland, S. Furnell, and M. Papadaki. Keystroke Analysis as a Method of Advanced User Authentication and Response. Proceedings of the IFIP TC11 17th International Conference on Information Security: Visions and Perspectives, 2002.

[26] D. Gollmann. Computer Security. John Wiley and Sons Ltd, 1999.

[27] R.N. Haber. How we remember what we see. Scientific American, pages 104–112, May 1970.

[28] S. Haider, A. Abbas, and A.K. Zaidi. A multi-technique approach for user identification through keystroke dynamics. IEEE International Conference on Systems, Man, and Cybernetics, volume 2, pages 1336–1341, 2000.

[29] N. Haller. The S/KEY One-Time Password System. Proceedings of the Symposium on Network and Distributed System Security, 1994.

[30] P. Holbrook and J. Reynolds. RFC 1244: Site Security Handbook. http://www.ietf.org, 1991.

[31] J. Hurley. Ask the Analyst: Passwords Are Gobbling Up your Profits. Aberdeen Group, 2003.

[32] J. Ilonen. Keystroke dynamics. Advanced Topics in Information Processing - Lecture, 2003.

[33] BioPassword Inc. http://www.biopassword.com.

[34] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin. The design and analysis of graphical passwords. Proceedings of the 8th USENIX Security Symposium, pages 1–14, 1999.

[35] R. Joyce and G. Gupta. Identity Authentication Based on Keystroke Latencies. Communications of the ACM, pages 168–176, February 1990.

[36] E.H. Jung. PasswordMaker - One password to rule them all. http://passwordmaker.org, 2006.

[37] D. Klein. Foiling the Cracker: A Survey of, and Improvements to, Password Security. Proceedings of the Second USENIX Security Workshop, pages 5–14, August 1990.

[38] T. Kress and I. Daum. Wenn Gesichter bedeutungslos sind (When faces are meaningless). NEUROrubin, 2003.

[39] J. Leggett and G. Williams. Verifying identity via keystroke characteristics. International Journal of Man-Machine Studies, pages 67–76, 1987.

[40] J. Leggett, G. Williams, and M. Usnick. Dynamic identity verification via keystroke characteristics. International Journal of Man-Machine Studies, pages 859–870, October 1990.

[41] D. Mahar, R. Napier, M. Wagner, W. Laverty, R. Henderson, and M. Hiron. Optimizing digraph-latency based biometric typist verification systems: inter and intra typist differences in digraph latency distributions. International Journal of Human-Computer Studies, pages 579–592, 1995.

[42] J. Mandler and G. Ritchey. Long-term memory for pictures. Journal of Experimental Psychology: Human Learning and Memory, pages 386–396, 1977.

[43] Microsoft. Windows Live ID. http://ideas.live.com/.

[44] S.K. Miller. Passwords Are Here To Stay ... For Now. Processor Editorial Article: Tech and Trends, 2004.

[45] F.N. Monrose. Towards Stronger User Authentication. Department of Computer Science, New York University, 1999.

[46] D. Nali and J. Thorpe. Analyzing User Choice in Graphical Passwords. Technical Report, May 2004.

[47] D. Norman. The Design of Everyday Things. Basic Books, 1988.

[48] M.S. Obaidat and B. Sadoun. Verification of computer users using keystroke dynamics. IEEE Transactions on Systems, Man and Cybernetics, pages 261–269, 1997.

[49] M.S. Obaidat and B. Sadoun. Keystroke Dynamics based Authentication. In Biometrics: Personal Identification in Networked Society, 1999.

[50] Bank of America. SiteKey. http://www.bankofamerica.com/privacy/sitekey/.

[51] Massachusetts Institute of Technology. Kerberos: The Network Authentication Protocol. http://web.mit.edu/kerberos/.

[52] A.S. Patrick, A.C. Long, and S. Flinn. HCI and security systems. CHI 2003 Extended Abstracts, pages 1056–1057, 2003.

[53] D. Reichl. KeePass - The Open-Source Password Safe. http://keepass.sourceforge.net, 2006.

[54] RSA Security. RSA SecurID Authentication. http://www.rsasecurity.com/node.asp?id=1156.

[55] RSA Security. RSA Sign-On Manager. http://www.rsasecurity.com/node.asp?id=2541.

[56] M. Sasse, S. Brostoff, and D. Weirich. Transforming the weakest link - a human/computer interaction approach to usable and effective security. BT Technology Journal, pages 122–131, 2001.

[57] S. Brostoff and M. Sasse. Are Passfaces More Usable Than Passwords? A Field Trial Investigation. People and Computers XIV - Usability or Else: Proceedings of HCI 2000, 2000.

[58] R.N. Shepard. Recognition memory for words, sentences, and pictures. Journal of Verbal Learning and Verbal Behavior, pages 156–163, 1967.

[59] S.J. Shepherd. Continuous authentication by analysis of keyboard typing characteristics. European Convention on Security and Detection, pages 111–114, 1995.

[60] L. Standing. Learning 10,000 pictures. Quarterly Journal of Experimental Psychology, pages 207–222, 1973.

[61] L. Standing, J. Conezio, and R. Haber. Perception and memory for pictures: Single-trial learning of 2500 visual stimuli. Psychonomic Science, pages 73–74, 1970.

[62] Steganos. Steganos Safe 2007. https://www.steganos.com/en/products/safe2007/, 2006.

[63] Sun Microsystems (open source). OpenSSO. https://opensso.dev.java.net/.

[64] X. Suo, Y. Zhu, and G.S. Owen. Graphical passwords: A survey. 21st Annual Computer Security Applications Conference, December 2005.

[65] F. Tari, A. Ozok, and S. Holden. A Comparison of Perceived and Real Shoulder-surfing Risk between Alphanumeric and Graphical Passwords. Proceedings of the Second Symposium on Usable Privacy and Security, 2006.

[66] J. Thorpe and P.C. van Oorschot. Graphical Dictionaries and the Memorable Space of Graphical Passwords. Proceedings of the 13th USENIX Security Symposium, 2004.

[67] J. Thorpe and P.C. van Oorschot. Towards Secure Design Choices for Implementing Graphical Passwords. Proceedings of the 20th Annual Computer Security Applications Conference, 2004.

[68] D. Umphress and G. Williams. Identity Verification Through Keyboard Characteristics. International Journal of Man-Machine Studies, pages 263–273, 1985.

[69] T. Valentine. An Evaluation of the Passface Personal Authentication System. Technical Report, 1998.

[70] T. Valentine. Memory for Passfaces after a Long Delay. Technical Report, 1999.

[71] S. Wiedenbeck, J. Birget, and A. Brodskiy. Authentication Using Graphical Passwords: Basic Results. Proceedings of the 2005 Symposium on Usable Privacy and Security, 2005.

[72] S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, and N. Memon. Authentication Using Graphical Passwords: Effects of tolerance and image choice. Symposium on Usable Privacy and Security (SOUPS), 2005.

[73] S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, and N. Memon. PassPoints: Design and longitudinal evaluation of a graphical password system. International Journal of Human-Computer Studies, 2005.

[74] M. Zviran and W.J. Haga. A comparison of password techniques for multilevel authentication mechanisms. The Computer Journal, pages 227–237, 1993.