keystroke authentication it’s all in how you type john c. checco biometritech 2003 biochec™
TRANSCRIPT
Keystroke AuthenticationIt’s All in How You Type
John C. CheccoBiometriTech 2003
bioChec™
Overview
What is Keystroke Authentication
How Effective is Keystroke Authentication
Advantages of Keystroke Authentication
Markets for Keystroke Authentication
Future for Keystroke Authentication
What is Keystroke Authentication
Biological Measurements Measurement of physical aspects of a person that determine identity Static measurement
ڤ Absolute match Quality of measurement is only variable by the quality of the capture device. Examples:
ڤ DNA, ڤ Iris/Retina Scan, ڤ Fingerprint, ڤ Hand Geometry …
Behavioral Measurements Measurement of characteristic traits exhibited by a person that can determine
identity Dynamic measurement
ڤ Confidence match Quality of measurement varies by behavioral and other external factors. Examples:
ڤ Keystroke Heuristics, ڤ Handwriting Analysis, ڤ Voice Verification …
What is Keystroke Authentication
Keystroke Heuristics / Keystroke Dynamics
Pattern exhibited by a person using an input device in a consistent manner
Keyboard, Keypad, Stylusڤ.Relies on spatial configuration, timing, cadence, and contentڤ
Measurements captured are already available by the input device:Dwell timeڤFlight timeڤAbsolute versus Relative timingڤ
Processing consists of deducing a series of key factors from an arbitrary data stream:
Robotic vision, Economic trending, Quantum physicsڤ.Being consistent as well as consistently inconsistentڤ
What is Keystroke Authentication
History of the World, Part I 1979:
.Technology originally developed by SRI Internationalڤ
1984: National Bureau of Standards (NBS) study concluded that computerڤ
keystroke authentication of 98% accuracy.
1988: Keystroke authentication hardware device passes NIST Computerڤ
Security Act of 1987.
2000: Keystroke authentication passes the Financial Services Technologyڤ
Consortium (FSTC) / International Biometric Group (IBG) Comparative Testing program.
Patents (partial list):5056141 ,4998279 ,4962530 ,4805222 ,5557686 ,4621344ڤ
How Effective is Keystroke Authentication
Fingerprint FAR= ~0% FRR= ~1%
Keystroke Heuristics FAR = ~0.01% FRR = ~3.0%
Manufacturer recommended settingsڤVariable (application-defined)ڤ
Facial Recognition FAR/FRR vary according to: compression, distance, illumination,
media, pose, resolution, and other temporal factors.
Voice Recognition FAR = ~1.6% FRR = ~8.1%
How Effective is Keystroke Authentication
What If …. I injure my hand?
?How many people have you met that have had hand injuriesڤ?How many people have you met that forgot their passwordڤ
I enrolled on one keyboard and want to login on another?Tactile versus membraneڤFull-size versus compactڤKey-character layoutڤ
My connection is hijacked and someone replays my keystrokes?
.Fraud detection methods vary by manufacturerڤ
I have a bad day?
Advantages of Keystroke Authentication
Deployment / Maintenance: No physical hardware to install or maintain. No manpower needed on client-side deployment for installations or upgrades.
Technical: Inherently narrows the identification pool to achieve authentication FAR/FRR.
Portable: Users are not limited to individual or specific workstations. Can support remote access and telecommuting
Adjustable: Application and/or user managed levels of security. Can constantly adjust/refine a user’s biometric template over time.
Breadth: Software-only components allow integration into any software project.
User Acceptance: Non-invasive capture Can support invisible (background) enrollment. Works better with phrases familiar (easy to remember) for the user.
Markets for Keystroke Authentication
Network Security: Integration with Single Sign-on Solutions. RADIUS integration Integration into terminal access applications. Integration into NTFS Volume Protection. Promote proper use of existing licensing. Logging of biometric access creates better forensic evidence.
Personal Information Security: Primary authorization for individual document encryption. Secondary authorization mechanism for online purchases.
Asset Identification: Integration with Online Training/Testing. Document signing (e.g. HIPAA) Software Licensing and Registration.
Future for Keystroke Authentication
Consumer Market:
ATM PDA RIM Cell phones Home Security Access Pads
Questions and Comments
Notes:
