Computers & Security 28 (2009) 85–93
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/cose
Keystroke dynamics-based authentication for mobile devices
Seong-seob Hwang, Sungzoon Cho*, Sunghoon Park
Seoul National University, 599 Gwanangno, Gwanak-gu, Seoul 151-742, Republic of Korea
Article info
Article history:
Received 26 November 2007
Received in revised form 2 June 2008
Accepted 29 October 2008
Keywords:
Mobile device
Keystroke dynamics
Artificial rhythms
Tempo cues
Biometrics
User authentication
* Corresponding author. Tel.: +82 2 880 6275; fax: +82 2 889 8560.
E-mail addresses: [email protected] (S.-s. Hwang), [email protected] (S. Cho), [email protected] (S. Park).
0167-4048/$ – see front matter © 2008 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2008.10.002
Abstract
Mobile devices have recently come into use in financial applications such as banking and stock trading. However, unlike desktops and notebook computers, a 4-digit personal identification number (PIN) is often adopted as the only security mechanism for mobile devices. Because of their limited length, PINs are vulnerable to shoulder surfing and systematic trial-and-error attacks. This paper reports the effectiveness of user authentication using keystroke dynamics-based authentication (KDA) on mobile devices. We found that a KDA system can be effective for mobile devices in terms of authentication accuracy. Use of artificial rhythms leads to even better authentication performance.
© 2008 Elsevier Ltd. All rights reserved.
1. Introduction
Use of mobile devices is becoming more and more diversified (Chen et al., 2008). Cell phones and personal digital assistants (PDAs) are now used for banking and stock trading. However, there are three reasons why the security of mobile devices leaves a lot to be desired. First, a PIN comprises only four digits; thus, the number of candidate passwords is limited to only 10,000 (from 0000 to 9999). It is much easier for a potential impostor to acquire the password by shoulder surfing and systematic trial-and-error attacks. Second, mobile devices may be easily lost or stolen because of their small sizes. For example, more than one million mobile phones are stolen in Europe in a typical year (Kowalski and Goldstein, 2006). Third, we tend to lend mobile phones easily to other people, thus they are exposed to a higher risk of surreptitious use.
Recently, biometrics has been proposed to improve the security of mobile devices. The term “biometrics” is defined by International Biometric Group as “the automated use of physiological or behavioral characteristics to determine or verify identity.” Physiological biometrics relies upon a physical attribute such as a fingerprint, a face and an iris, whereas behavioral approaches utilize some characteristic behavior, such as the way we speak or sign our name (Clarke and Furnell, 2005). Clarke and Furnell (2007a) concluded that the two-factor authentication, combining PIN code and biometrics, improves the overall reliability of authentication.
Keystroke dynamics-based authentication (KDA) is one of the biometrics-based authentication methods, motivated by the observation that a user’s keystroke patterns are consistent and distinct from those of other users. When implemented for mobile devices, KDA has the following advantages over other biometrics-based methods. First, most biometrics-based methods require an extra device, e.g. a finger-scanner or an iris-scanner (Clarke and Furnell, 2005), which restricts mobility as well as increases cost. On the other hand, KDA requires no additional device. Second, users tend to be reluctant to provide their fingerprints or irises. On the other hand, a user always has to type his or her password to log in, so collecting keystroke patterns can be done without causing any extra inconvenience to the user. Third, a scanned fingerprint or iris requires a larger volume of memory, higher computing power and more communication bandwidth than keystroke timing vectors. The efficiency of KDA is particularly important in a mobile environment, which tends to have a smaller memory, a lower computing power and slower wireless Internet than a PC on the wired Internet.
Fig. 1 – A keystroke pattern is transformed into a timing vector when a user types a string “5805.” The duration and interval times are measured in milliseconds.
Behavioral attributes are more subject to deviation from
norms than physical ones. A high variability leads to a high
authentication error. The variability is a measure of data
quality. Another measure of data quality is how unique the
typing patterns are. The more unique, the less likely the
patterns are similarly replicated by impostors. Recently, arti-
ficial rhythms and tempo cues were proposed to improve the
quality of typing patterns: uniqueness and consistency in
particular (Cho and Hwang, 2006). Improving the data quality
by decreasing variability and increasing uniqueness helps us
alleviate the weakness of a short PIN.
In this paper, we propose KDA with artificial rhythms and
tempo cues for mobile user authentication. To compare
between ‘‘Natural Rhythm without Cue’’ and ‘‘Artificial
Rhythms with Cues,’’ we completed the following tasks. First,
we implemented a KDA system on a mobile phone which is
connected to a remote server through a wireless network. The
novelty detector classifier was built since only valid users’
patterns are available in practice. Second, subjects were asked
to perform enrollment, login, and even intrusion to other
subjects’ accounts. Whenever a subject types his or her
password, the typing pattern is collected, sent to a server and
stored. Third, a comparative analysis was conducted to verify
the superiority of artificial rhythms and cues over natural
rhythms without cues. We also tested hypotheses to compare
the performance involving different typing strategies.
The organization of this paper is as follows. The following
section introduces keystroke dynamics-based authentication
for mobile devices and describes our methods to improve the
quality of typing patterns. Section 3 presents the data
collected and experimental results. Finally, conclusions and
a list of future work are discussed in Section 4.
2. Keystroke dynamics-based authentication for mobile devices
2.1. Keystroke dynamics-based authentication (KDA)
Password-based authentication is the most commonly used
method of identity verification. However, it becomes vulnerable
when the password is stolen. Keystroke dynamics-based
authentication was proposed to provide additional security
(Gaines et al., 1980; Umphress and Williams, 1985). Keystroke
dynamics-based authentication (KDA) is to verify a user’s
identity using not only the password but also keystroke
dynamics. For example, a keystroke pattern is transformed
into a timing vector when a user types a string ‘‘5805’’ as
illustrated in Fig. 1. The duration and interval times are
measured by milliseconds. A user can get access only if his
timing vector is similar enough to those already registered in
the server. Thus, he or she can only get access if the password
is typed with the correct rhythm.
Three steps are involved in KDA as illustrated in Fig. 2.
First, a user enrolls his/her keystroke patterns. A keystroke
pattern is defined as depicted in Fig. 1. A password of m
characters is transformed into a (2m − 1)-dimensional timing
vector. A ‘‘duration’’ denotes a time period during which a key
is pressed while an ‘‘interval’’ is a time period between
releasing a key and stroking the next key. Second, a classifier
is built using the keystroke patterns. The classifier, in a sense,
is a prototype of the valid user patterns. Third, when a new
keystroke pattern is given, one will reject it as an impostor
pattern if the distance between the prototype and the pattern
is greater than some threshold, or accept it as the valid user’s
pattern otherwise.
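
The three steps above as an added Python example, not code from the paper. The paper does not state how the prototype or the distance is computed, so the component-wise mean of two-norm-normalized enroll vectors, the Euclidean distance, the threshold value and all names and keystroke timings below are assumptions made for illustration.

```python
import math

def timing_vector(events):
    """Turn [(key, press_ms, release_ms), ...] into the (2m-1)-dimensional
    vector [d1, i1, d2, i2, ..., dm]: key-hold durations interleaved with
    release-to-next-press intervals, all in milliseconds."""
    if not events:
        raise ValueError("no keystrokes captured")
    vec = []
    for idx, (_key, press, release) in enumerate(events):
        if release < press:
            raise ValueError("release precedes press: corrupt capture")
        vec.append(release - press)                    # duration
        if idx + 1 < len(events):
            vec.append(events[idx + 1][1] - release)   # interval
    return vec

def normalize(vec):
    """Divide by the two-norm (assumed to be applied before classification)."""
    norm = math.sqrt(sum(v * v for v in vec))
    if norm == 0:
        raise ValueError("all-zero timing vector")
    return [v / norm for v in vec]

def build_prototype(enroll_attempts):
    """Step 2: prototype = component-wise mean of the enroll vectors (assumed)."""
    unit = [normalize(timing_vector(ev)) for ev in enroll_attempts]
    if len({len(v) for v in unit}) != 1:
        raise ValueError("enroll patterns differ in length")
    return [sum(col) / len(unit) for col in zip(*unit)]

def distance(prototype, events):
    """Euclidean distance (assumed metric) between prototype and one attempt."""
    vec = normalize(timing_vector(events))
    if len(vec) != len(prototype):
        return math.inf                 # different number of keys: reject
    return math.sqrt(sum((p - v) ** 2 for p, v in zip(prototype, vec)))

def authenticate(prototype, events, threshold):
    """Step 3: accept unless the distance is greater than the threshold.
    The PIN digits themselves are assumed to have been checked already."""
    return distance(prototype, events) <= threshold

def make_events(keys, durations, intervals):
    """Helper for the constructed samples: build (key, press, release) tuples."""
    events, t = [], 0
    for i, key in enumerate(keys):
        events.append((key, t, t + durations[i]))
        t += durations[i] + (intervals[i] if i < len(intervals) else 0)
    return events

# Constructed enrollment: five attempts at "5805" typed as "5___80__5"
# with a 500 ms beat (about 1500 ms and 1000 ms pauses). Not measured data.
ENROLL = [make_events("5805", d, i) for d, i in [
    ([100, 110, 95, 105], [1500, 150, 1000]),
    ([105, 100, 100, 100], [1480, 160, 1020]),
    ([95, 105, 100, 110], [1520, 140, 990]),
    ([100, 100, 105, 100], [1490, 155, 1010]),
    ([110, 95, 100, 105], [1510, 145, 980]),
]]
PROTOTYPE = build_prototype(ENROLL)
THRESHOLD = 0.1   # hypothetical; in practice chosen empirically

# Constructed attempts: the owner repeating the rhythm, and an impostor
# who knows the PIN but types it with a natural rhythm.
LOGIN = make_events("5805", [100, 105, 100, 100], [1505, 150, 1005])
IMPOSTOR = make_events("5805", [100, 100, 100, 100], [200, 180, 220])

if __name__ == "__main__":
    for name, attempt in (("valid user", LOGIN), ("impostor", IMPOSTOR)):
        d = distance(PROTOTYPE, attempt)
        verdict = "accept" if authenticate(PROTOTYPE, attempt, THRESHOLD) else "reject"
        print(f"{name}: distance={d:.3f} -> {verdict}")
```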
KDA can help us improve security for various services
involving mobile devices (Hwang et al., 2007). Even when an
impostor obtains both PIN and the mobile device, KDA can still
prevent him from logging in through the strengthened
authentication process. Recently, Clarke and Furnell (2005,
2007a,b) studied user identification using KDA on mobile
devices. They utilized the keystroke of 11-digit telephone
numbers and text messages as well as 4-digit PINs to classify
users. Their identification models were based on feed forward
multi-layer perceptron (FF-MLP), radial basis function (RBF)
networks, and generalized regression neural networks (GRNNs).
Our approach is different from that of Clarke and Furnell
(2005, 2007a,b) in the following aspects. First, they built
a classifier using impostors’ patterns as well as the valid user’s
patterns. In reality, however, impostors’ patterns are not
available unless the password is disclosed to potential
impostors and their patterns are collected. Rather, we
employed novelty detection framework where only the valid
user’s patterns are used for training. Second, each user in their
experiments enrolled 30 typing patterns. In practice, users
would not endure such a long enrollment procedure. More-
over, the typing speed on mobile devices is much slower than
that on a local PC. In our study, we collected only five patterns
from each user for enrollment. We compensated the reduced
data quantity with improved data quality through use of
artificial rhythms and cues strategy. Third, they utilized
various patterns such as 4-digit PINs, 11-digit telephone
numbers, and text messages while we focused only on 4-digit
PIN since PIN has been fixed to four digits for decades. Fourth,
their subjects used an SW interface developed on a laptop
while our subjects used a real mobile phone, which is a third generation synchronized IMT-2000 cellular system (CDMA2000 1xEV-DO) (Qualcomm).
Fig. 2 – Three steps of KDA framework: enrollment, classifier building, and user authentication.
2.2. Improving data quality
One way to cope with the lack of data quantity is to improve
data quality. Data quality in KDA can be measured in terms of
uniqueness, consistency, and discriminability (Cho and
Hwang, 2006). Uniqueness is concerned with how different
a valid user’s typing patterns used to build a classifier are from
those of potential impostors’. Also, consistency is concerned
with how similar a valid user’s access typing patterns are to
his enroll typing patterns. Finally, discriminability is con-
cerned with how well access typing patterns and impostor
typing patterns could be separated. The definition of
discriminability implies that two possible approaches exist to
improve discriminability. The first is to improve uniqueness,
and the second is to improve consistency.
As one way to improve uniqueness, it has been proposed to
type a password with artificial rhythms reproducible by the
valid user only (Cho and Hwang, 2006). Table 1 represents
various artificial rhythms to increase typing uniqueness. In
this paper, pauses are selected among various artificial
rhythms since they are simple and easy to control. A user
inserted a number of intervals where deemed necessary to
make the timing vector unique. As shown in Fig. 3, ‘‘5805’’ can
be typed as ‘‘5_ _ _80_ _5’’ with a three beat long pause between
‘5’ and ‘8’, and another two beat long pause between ‘0’ and ‘5.’
There are many combinations of inserting pauses in terms of the positions and lengths of pauses. The more combinations there are, the harder it is for an impostor to guess the rhythm correctly.
Table 1 – Various artificial rhythms.
| Artificial rhythms | Advantages | Disadvantages | Remedies |
|---|---|---|---|
| Pauses | Flexible | Inconsistent when long | Use of cues |
| Musical rhythm | Consistent, Easy to remember | Rhythmical sense required | |
| Staccato | Consistent | Limited | |
| Legato | Consistent | Limited, Exact duration | Use of cues |
| Slow tempo | Flexible | Inconsistent | Use of cues |
In order to prevent pauses from being inconsistent, tempo cues are provided (Cho and Hwang, 2006). Tempo cues (Fig. 6) work like a metronome, helping the user keep the beat. Given the tempo beat, the user only needs to remember the number of beats for each pause. Usually, they can be provided in three modes: auditory, visual, and audio-visual. In addition, users are allowed to choose the tempo of the cue. This has another advantage of improving uniqueness since only the valid user knows the tempo.
Fig. 3 presents the timing vectors of password “5805” from strategies “Natural Rhythm without Cue” (Fig. 3a) and “Artificial Rhythms with Cues” (Fig. 3b). The dotted lines represent the enroll patterns, x, while the solid line represents the prototype, m. Note that the timing vectors depicted in Fig. 3 were normalized, or divided by the two-norm. When comparing timing vectors between strategies, there are differences in terms of both uniqueness and consistency. First, observe that the intervals between ‘5’ and ‘8’ from “Artificial Rhythms with Cues” are very large compared to those from “Natural Rhythm without Cue.” An impostor’s pattern would be more similar to those from “Natural Rhythm without Cue” and it is highly likely to be distinct from those from “Artificial Rhythms with Cues.” The same can be said for the intervals between ‘0’ and ‘5.’ Thus, long intervals improve uniqueness of a user’s patterns. Second, observe that the differences between the enroll patterns and the prototype are smaller from “Artificial Rhythms with Cues” than from “Natural Rhythm without Cue.” Tempo cues improved the consistency of the patterns from “Artificial Rhythms with Cues.”
Fig. 3 – Timing vectors of a password “5805.”
2.3. Mobile application
The experiments were performed on the third generation
synchronized IMT-2000 cellular system (CDMA2000 1xEV-DO)
(Qualcomm). The mobile device used is SAMSUNG SCH-V740
(Korean model number; Samsung Electronics website) as
shown in Fig. 4. The software authentication module was
implemented in WIPI (wireless Internet platform for interop-
erability), developed by the Mobile Platform Special Subcom-
mittee of the Korea Wireless Internet Standardization Forum
(KWISF). These are standard specifications necessary for
providing an environment for mounting and implementing
applications downloaded via the wireless Internet on the
mobile communication terminal. For more details, see the
WIPI website.
Fig. 4 – Mobile phone used in the experiment: SAMSUNG SCH-V740.
Any user authentication including KDA has two types of error, i.e. false acceptance rate (FAR) and false rejection rate (FRR) (Golarelli et al., 1997). One type of error can be reduced at the expense of the other by varying a threshold. Thus, in order to avoid effects of arbitrary threshold selection, the models were compared in terms of the equal error rate (EER) where the FRR and the FAR are equal. In practice, a threshold has to be decided empirically. For a more detailed discussion of proper threshold selection, see Fawcett (2006). Without KDA, an impostor who knows the password could log in as a valid user, which results in FAR = 100%. On the other hand, the valid user will always be able to log in, which corresponds to FRR = 0%; i.e., FAR = 100% and FRR = 0%.
3. Performance evaluation
3.1. Data collection
A total of 25 users aged from 22 to 33 (the average is 25.3) participated in our experiment in July 2006. In the experiment, a 4-digit numeric PIN was used. Two strategies were employed: “Natural Rhythm without Cue” and “Artificial Rhythms with Cues.” The same password for each user was used in both strategies. Each user enrolled five typing patterns for each strategy. After enrollment, each user made 30 login attempts using each strategy. Users were also given passwords of other users and told to act as “impostor” to those passwords, i.e., typing it twice each. Since there are 24 “other” users, each user typed passwords 48 times. In summary, for each password, we collected five enroll typing patterns, 30 legitimate access typing patterns, and 48 impostor typing patterns.
Fig. 5 – User interface for a virtual stock exchange.
The data above were collected from a scenario involving
a virtual stock exchange (Fig. 5). A user designs one’s own
artificial rhythm (Fig. 3) and chooses the type of tempo cues
(Fig. 6). The tempo of the cue was fixed to 500 ms for
convenience.
All users were asked the reason why a particular password
was chosen (Table 2). There are three different kinds of
reasons (see the fourth column of Table 2) for selecting
a password. First, familiar numbers were chosen such as
favorite combination, birth date, or telephone number.
Second, numbers that are easy to remember were selected.
For instance, both users 09 and 19 chose ‘‘2580’’ because that
is an ‘‘easy’’ number for them although with different reasons.
The number keys used in ‘‘2580’’ are located in the middle
column of a keypad on the mobile phone, so it is easy to type.
‘‘2580’’ is also the title of a very popular TV investigative show
in Korea, similar to ‘‘60 Minutes’’ in the US. Thus, it is easy to
remember. Third, certain passwords were chosen for no
particular reason at all. Of all users, 44% indicated ‘‘Famil-
iarity,’’ and 32% indicated ‘‘Ease,’’ while only 24% indicated
‘‘Randomness.’’ This clearly suggests that introduction of
artificial rhythms and tempo cues could enhance security.
A PIN has been fixed to 4-digits for decades and the number of
candidate passwords used for the mobile handset is only
10,000 (from 0000 to 9999). It is not difficult to guess a PIN
because an impostor might know the owner’s birth date or
telephone number, and a PIN easy for one person to type
would be also easy for another to type. For ‘‘Typing Hands,’’
(see the fifth column of Table 2), 68% indicated ‘‘both hands’’
while 32% indicated ‘‘one hand.’’ This implies that each user
might have a particular way to type on a mobile device as on
a keyboard.
3.2. Experimental results
We introduced artificial rhythms and cues to improve data
quality. Thus, we have to show from experiments that the
quality actually improved. Hwang et al. (submitted for publi-
cation) showed that typing patterns from ‘‘Artificial Rhythms
with Cues’’ were significantly more unique and consistent
than those patterns from ‘‘Natural Rhythm without Cue.’’
Thus, we instead here show that the authentication accuracy
improves.
Table 3 presents the authentication results from two strategies “Natural Rhythm without Cue” and “Artificial Rhythms with Cues.” Out of 25 users, 19 users’ EER decreased 19% on average while six users’ EER increased 4% on average. Four users’ EER decreased to zero. Especially, the EERs of user 03 and 14 were dramatically decreased, from 40% to 0% and from 34% to 0%, respectively. The overall EER decreased from 13% to 4% by using “Artificial Rhythms with Cues.”
Fig. 6 – Various tempo cues.
Table 2 – User passwords and answers to questionnaire (R = randomness, F = familiarity, E = ease).
| User | Age | Password | Selection reason | Use of hand(s) | Elapsed time (natural rhythm) (ms) |
|---|---|---|---|---|---|
| 01 | 23 | 1223 | R | Both | 1163 |
| 02 | 24 | 3143 | R | Both | 832 |
| 03 | 23 | 0083 | F (favorite #) | Both | 1408 |
| 04 | 23 | 1472 | F (favorite #) | Both | 1017 |
| 05 | 28 | 7118 | F (phone #) + E | One hand | 897 |
| 06 | 23 | 7265 | R | Both | 921 |
| 07 | 30 | 2385 | F (phone #) | Both | 812 |
| 08 | 25 | 5805 | F (phone #) | Both | 1442 |
| 09 | 24 | 2580 | F (favorite #) + E | One hand | 1013 |
| 10 | 28 | 3784 | R | One hand | 1755 |
| 11 | 24 | 3579 | F (a sequence of odd #) | One hand | 1069 |
| 12 | 22 | 1379 | E | Both | 671 |
| 13 | 25 | 0822 | R | One hand | 1357 |
| 14 | 27 | 4569 | R | Both | 1276 |
| 15 | 23 | 0203 | F (birth date) | Both | 1222 |
| 16 | 24 | 1004 | R | Both | 794 |
| 17 | 24 | 5472 | R | Both | 2151 |
| 18 | 23 | 3887 | F (privacy) | One hand | 792 |
| 19 | 28 | 2580 | E | Both | 906 |
| 20 | 23 | 2220 | E | One hand | 870 |
| 21 | 33 | 1133 | E | Both | 675 |
| 22 | 25 | 1258 | F (phone #) | One hand | 1105 |
| 23 | 27 | 5262 | E | Both | 1020 |
| 24 | 30 | 1125 | E | Both | 739 |
| 25 | 24 | 0305 | F (birth date) | Both | 632 |
Table 3 – The equal error rate (%) from two strategies.
| User | Natural Rhythm without Cue | Artificial Rhythms with Cues |
|---|---|---|
| User 01 | 14 | 0 |
| User 02 | 0 | 3 |
| User 03 | 40 | 0 |
| User 04 | 15 | 2 |
| User 05 | 0 | 4 |
| User 06 | 16 | 3 |
| User 07 | 4 | 0 |
| User 08 | 18 | 2 |
| User 09 | 6 | 3 |
| User 10 | 5 | 3 |
| User 11 | 18 | 3 |
| User 12 | 0 | 7 |
| User 13 | 23 | 8 |
| User 14 | 34 | 0 |
| User 15 | 18 | 4 |
| User 16 | 6 | 3 |
| User 17 | 8 | 11 |
| User 18 | 6 | 4 |
| User 19 | 30 | 3 |
| User 20 | 4 | 3 |
| User 21 | 12 | 15 |
| User 22 | 28 | 8 |
| User 23 | 8 | 4 |
| User 24 | 21 | 2 |
| User 25 | 1 | 3 |
| Average | 13 | 4 |
| Min | 0 | 0 |
| Max | 40 | 15 |
Fig. 7 shows a detailed picture of what really happened.
First, note that the classifier in our study is a very simple
distance based one. A prototype of a user’s enroll patterns is
calculated and stored. When a new keystroke pattern is pre-
sented, the distance between the pattern and the prototype is
computed. If it is small enough, access is granted. If not, it is
not granted. In order to gain good authentication perfor-
mance, three conditions have to be met. First, enroll patterns
have to be consistent, or the ‘‘enroll distances’’ between the
prototype and the enroll patterns have to be small. Second,
login patterns have to be close to the enroll prototype, or the
‘‘login distances’’ between the enroll prototype and the login
patterns have to be small. Third, enroll patterns have to be
unique, or the ‘‘impostor distances’’ between the enroll
prototype and impostor patterns have to be large. User
03 reduced EER dramatically through use of ‘‘Artificial
Rhythms and Cues.’’ Thus, we show in Fig. 7 the cumulative
distributions of the three kinds of distances, ‘‘enroll,’’ ‘‘login,’’
and ‘‘impostor.’’ In (a), login distances (black) are larger than
enroll distances (blue), which means the user’s login patterns
are somewhat different from the enrolled patterns. The real
reason for user 3’s large error comes from the fact that
impostor distances are not large (red). Now see how these
three lines change in (b). Both login and enroll distances are
very small while impostor distances are quite large. This
separation of login distances from impostor distances
accounts for perfect discrimination between legitimate user
and impostors.
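
How FAR, FRR and the EER follow from the “login” and “impostor” distances, as an added Python example that is not code from the paper. The distance lists are constructed to mimic the overlap and separation described for Fig. 7, not taken from the experiment, and the function names and the FAR-capped threshold selection are assumptions.

```python
import math

def rates(genuine, impostor, threshold):
    """Return (FAR, FRR) at one threshold.
    An attempt is rejected when its distance is greater than the threshold."""
    if not genuine or not impostor:
        raise ValueError("need both login and impostor distances")
    far = sum(d <= threshold for d in impostor) / len(impostor)
    frr = sum(d > threshold for d in genuine) / len(genuine)
    return far, frr

def equal_error_rate(genuine, impostor):
    """Sweep every observed distance as a candidate threshold and return
    (threshold, EER) where |FAR - FRR| is smallest. With finite samples the
    two curves may not cross exactly, so EER is reported as their mean."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]

def threshold_for_far(genuine, impostor, max_far):
    """Pick the threshold with the lowest FRR whose FAR stays within max_far,
    for applications where false acceptance matters more than false
    rejection. Returns (threshold, FAR, FRR) or None if no threshold fits."""
    candidates = []
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates(genuine, impostor, t)
        if far <= max_far:
            candidates.append((frr, far, t))
    if not candidates:
        return None
    frr, far, t = min(candidates)
    return t, far, frr

# Constructed distances to the enroll prototype (not measured data).
# Natural rhythm: impostor distances overlap the valid user's login distances.
NATURAL_LOGIN = [0.02, 0.03, 0.05, 0.08, 0.12, 0.15, 0.20, 0.25, 0.40, 0.55]
NATURAL_IMPOSTOR = [0.10, 0.18, 0.30, 0.35, 0.45, 0.50, 0.60, 0.70, 0.80, 0.90]
# Artificial rhythm with cues: login distances small, impostor distances large.
RHYTHM_LOGIN = [0.01, 0.02, 0.02, 0.03, 0.05]
RHYTHM_IMPOSTOR = [0.40, 0.50, 0.60, 0.70, 0.90]

if __name__ == "__main__":
    # Without KDA every attempt with the right PIN is accepted,
    # which is the same as an infinite threshold: FAR = 100%, FRR = 0%.
    print("no KDA:", rates(NATURAL_LOGIN, NATURAL_IMPOSTOR, math.inf))
    print("natural rhythm EER:", equal_error_rate(NATURAL_LOGIN, NATURAL_IMPOSTOR))
    print("artificial rhythm EER:", equal_error_rate(RHYTHM_LOGIN, RHYTHM_IMPOSTOR))
    print("FAR <= 10%:", threshold_for_far(NATURAL_LOGIN, NATURAL_IMPOSTOR, 0.10))
```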
Fig. 7 – Cumulative distributions of “enroll” (black), “login” (blue), and “impostor” (red) distances when (a) “Natural Rhythm without Cue” and (b) “Artificial Rhythms with Cues” strategies were employed, respectively.
Recently, Hwang et al. (submitted for publication) found that artificial rhythms and cues were particularly useful to poor typists in desktop keyboard environment. We now investigate if this is also true in mobile device environment. We call a user a “poor typist” if his average elapsed time with “Natural Rhythm without Cue” is greater than 1 s, or a “good typist” otherwise. We identified 13 poor typists out of 25 users. The average EERs with respect to typing ability are shown in Table 4. For the good typists, the average EER from “Natural Rhythm without Cue” was 8% while that from “Artificial Rhythms with Cues” was 4%. On the other hand, for the poor typists, the average EER from “Natural Rhythm without Cue” was 18% while that from “Artificial Rhythms with Cues” was 4%. Although the poor typists yielded much higher error rates when “Natural Rhythm without Cue” was used, they became comparable to the good typists when “Artificial Rhythms with Cues” was used. Clearly, artificial rhythms and cues are particularly beneficial to the users with a poor typing ability in mobile user authentication.
Table 4 – The average EER (%) for different typing ability and strategy.
| | Natural Rhythm without Cue | Artificial Rhythms with Cues |
|---|---|---|
| Good typists | 8 | 4 |
| Poor typists | 18 | 4 |
Table 5 compares the average EERs for different password selection reasons and “Typing Hands.” For “Password Selection Reason,” the average EER of “Ease” was the lowest from “Natural Rhythm without Cue.” However, there was little difference among password selection reasons. When the users employed “Artificial Rhythms with Cues,” average EER was less than 5% for all cases. For “Typing Hands,” we observed essentially the same trend. There was little difference between typing hands. Also, when the users employed “Artificial Rhythms with Cues,” average EER was less than 5% for all cases. These results are comparable to those reported in Hwang et al. (submitted for publication) where authentication accuracy was greatly improved with a PC keyboard by employing “Artificial Rhythms and Cues.”
Table 5 – The average EERs (%) with respect to the properties involving “Password Selection Reason” and “Typing Hands.”
| Section | Category | Natural Rhythm without Cue | Artificial Rhythms with Cues | Frequency |
|---|---|---|---|---|
| Password Selection Reason | Familiarity | 14 | 3 | 11/25 |
| Password Selection Reason | Ease | 10 | 5 | 8/25 |
| Password Selection Reason | Randomness | 13 | 4 | 8/25 |
| One hand vs. both hands | One hand | 11 | 4 | 8/25 |
| One hand vs. both hands | Both hands | 14 | 4 | 17/25 |
We tested hypotheses to compare the performance involving different passwords and different typing strategies. Specific hypotheses and p-values are summarized in Table 6. Only the 1st H1 hypothesis was accepted with p-value of 0.0002 while all the others were rejected. The results indicate that the EERs using “Artificial Rhythms and Cues” clearly decreased compared to that using “Natural Rhythm without Cue.” We concluded that the effect of either “Password Selection Reason” or “Typing Hands” was negligible on the authentication. It was found from the results that the use of “Artificial Rhythms with Cues” improves the accuracy for user authentication.
Table 6 – Hypotheses and p-values involving password and typing hand(s).
| Hypothesis | H1 hypotheses | p-Value |
|---|---|---|
| Typing strategy | The average EER involving “Artificial Rhythms with Cues” is lower than that involving “Natural Rhythm without Cue.” | **0.0002** |
| Natural rhythms | For natural rhythms, the average EER of “Ease” is lower than that of “Familiarity.” | 0.2339 |
| Natural rhythms | For natural rhythms, the average EER of “Ease” is lower than that of “Randomness.” | 0.2754 |
| Natural rhythms | For natural rhythms, the average EER of “Familiarity” is lower than that of “Randomness.” | 0.4576 |
| Artificial rhythms | For artificial rhythms, the average EER of “Ease” is lower than that of “Familiarity.” | 0.1243 |
| Artificial rhythms | For artificial rhythms, the average EER of “Ease” is lower than that of “Randomness.” | 0.3075 |
| Artificial rhythms | For artificial rhythms, the average EER of “Familiarity” is lower than that of “Randomness.” | 0.2636 |
| Typing hand | For “Typing Hand(s),” “Artificial Rhythms with Cues” are beneficial to users who typed using both hands. | 0.2409 |
A bold figure indicates an accepted hypothesis.
Table 7 – Comparing the performance with related works.
| Study | Input string | Feature | Artificial Rhythms with Cues | No. of patterns for training (or validation) | EER (%) |
|---|---|---|---|---|---|
| Clarke and Furnell (2005, 2007a,b) | 4-Digit PIN | Inter-keystroke latency | No | 30 | 9–16 |
| Clarke and Furnell (2005, 2007a,b) | 11-Digit number | Inter-keystroke latency | No | 30 | 5–13 |
| Clarke and Furnell (2005, 2007a,b) | 6-Digit text msg. | Inter-keystroke latency | No | 30 | 15–21 |
| Hwang et al. (2007) | 4-Digit PINs | Duration and interval | No | 5 | 13 |
| Hwang et al. (2007) | 4-Digit PINs | Duration and interval | Yes | 5 | 4 |
Table 7 compares the performance with related works. The
experiments of Clarke and Furnell (2005, 2007a,b) involving 4-
digit PINs resulted in EERs ranging from 9% to 16%. When the
users adopted the ‘‘Natural Rhythm without Cue,’’ we
obtained the EER of 13%, which is similar to the ones from
Clarke and Furnell. When they employed ‘‘Artificial Rhythms
with Cues,’’ however, we found that the error was reduced to
3%. Given the very small number of patterns for training (or
validation), we found that ‘‘Artificial Rhythms with Cues’’ did
improve authentication accuracies significantly.
4. Discussion and conclusions
For decades, the mobile environment has stabilized with stunning speed. Accordingly, use of mobile devices, such as cell phones and personal digital assistants (PDAs), is diversified. However, PINs are still adopted as the only security
mechanism for those mobile devices. Because of their limited
length and alphabet, PINs are susceptible to shoulder surfing
and systematic trial-and-error attacks. This paper investi-
gated the effectiveness of user authentication using keystroke
dynamics-based authentication (KDA) on mobile devices. In
particular, we utilized artificial rhythms and tempo cues to
overcome problems resulting from short PIN length. Through
the experiments involving human subjects, we found that the
proposed strategy reduced the error from 13% to 4%.
A few limitations and future directions need to be
addressed. First, comparison research for various mobile
devices is needed to enhance the usability of KDA. Second, we
have to apply to a more diverse group of users. Although most
people make use of mobile devices, various usage-patterns
may exist. Third, we measured performance in terms of EER.
Thus, the error rates presented in the paper should be taken
only as a reference. In practice, depending on applications,
FAR may be more important than FRR or vice versa. The issue
could be addressed by proper threshold selection.
Acknowledgement
This work was supported by grant no. R01-2005-000-103900-
0 from Basic Research Program of the Korea Science and
Engineering Foundation, the Brain Korea 21 program in 2006
and partially supported by Engineering Research Institute of
SNU.
References
Chen GD, Chang CK, Wang CY. Ubiquitous learning website: scaffold learners by mobile devices with information-aware techniques. Computers & Education 2008;50(1):77–90.
Cho S, Hwang S. Artificial rhythms and cues for keystroke dynamics-based authentication. Lecture Notes in Computer Science (LNCS) 2006;3832:626–32.
Clarke N, Furnell S. Authentication of users on mobile telephones – a survey of attitudes and practices. Computers & Security 2005;24(7):519–27.
Clarke N, Furnell S. Advanced user authentication for mobile devices. Computers & Security 2007a;26(2):109–19.
Clarke N, Furnell S. Authenticating mobile phone users using keystroke analysis. International Journal of Information Security 2007b;6(1):1–14.
Fawcett T. An introduction to ROC analysis. Pattern Recognition Letters 2006;27(8):861–74.
Gaines R, Lisowski W, Press S, Shapiro N. Authentication by keystroke timing: some preliminary results. Rand Report R-256-NSF. Rand Corporation; 1980.
Golarelli M, Maio D, Maltoni D. On the error reject trade-off in biometric verification systems. IEEE Transactions on Pattern Analysis and Machine Intelligence 1997;19(7):786–96.
Hwang S, Cho S, Park S. Mobile User authentication using keystroke dynamics analysis. In: Proceedings of the Korean Operations Research and Management Science Society (KORMS) conference, Seoul, Korea, 17 November, 2007; 2007a, p. 652–655.
Hwang S, Lee H, Cho S. Improving authentication accuracy using artificial rhythms and cues for keystroke dynamics-based authentication, submitted for publication.
International Biometric Group. How is biometrics defined? http://www.biometricgroup.com/reports/public/reports/biometric_definition.html.
Kowalski S, Goldstein M. Consumers awareness of, attitudes towards and adoption of mobile phone security. In: 20th international symposium on human factors in telecommunication, Sophia-Antipolis, France, 20–23 March 2006.
Qualcomm. CDMA2000 1xEV-DO overview. Available from: http://www.cdmatech.com/download_library/pdf/QCOM_1xEV-DO.pdf.
SAMSUNG Electronics website. http://www.samsung.com.
Umphress D, Williams G. Identity verification through keyboard characteristics. International Journal of Man Machine Studies 1985;23:263–73.
WIPI website. http://www.wipi.or.kr/English/index.html.
Seong-seob Hwang is currently a PhD candidate in the
Department of Industrial Engineering, Seoul National
University, Korea. Before entering graduate school, he worked
as a system engineer at SAMSUNG SDS. His research interests
include data mining, pattern recognition, and their
applications.
Sungzoon Cho is a professor in the Department of Industrial
Engineering, College of Engineering, Seoul National Univer-
sity, Korea. His research interests are neural network, pattern
recognition, data mining, and their applications in various
areas such as response modeling and keystroke-based
authentication. He published over 100 papers in various
journals and proceedings. He also holds a US patent and
a Korean patent concerned with keystroke-based user
authentication.
Sunghoon Park received BS of Computer Science in 2005, and
is currently a PhD candidate in the Department of Industrial
Engineering, College of Engineering, Seoul National Univer-
sity, Korea. His research interests include financial engi-
neering and marketing applications.