The last two articles in this extensive series addressed signature recognition technology. Now, expert author Ravi Das moves on to introduce the topic of keystroke recognition technology.
Keystroke recognition technology relies upon the unique way in which an individual types on a computer keyboard. In today’s mobile world, typing is something we take for granted every day. Whether it’s the way we type on the keyboard on our office or home computer, or even our smartphone, there is a distinctive way in which we type. This uniqueness comes from the rhythm in which we type, for how long we hold the keys down on our smartphone or computer keyboard, and the succession of keys used overall in the typing process.
A brief—and surprising—history of keystroke recognition technology
Keystroke recognition can actually be considered the oldest biometric technology around, even older than hand geometry recognition or fingerprint recognition. This is primarily so because the interest in unique typing patterns dates all the way back to the 19th century when the Morse Code first came out.
By World War II, the United States military intelligence department could actually identify enemy Morse Code operators by their unique typing patterns. While, technically speaking, Morse Code is only a series of dots and dashes, some distinctiveness could still be established.
The first keystroke recognition device came out in 1979. By 1980, the National Science Foundation scientifically validated the technology of keystroke recognition, and by 2000, it was finally accepted as a commercial biometric technology, which could be used in either the public or private sector.
Keystroke recognition: How it works
To start the keystroke recognition enrollment process, an individual is required to type a specific word or group of words (text or phrases). In most cases, the individual’s username and password are used. It is very important that the same words or phrases are used during both the enrolment and verification processes. If not, the behavioral typing characteristics will be significantly different, and, as a result, a mismatch will arise between the enrolment and verification templates.
To create the enrolment template, the individual must type his or her username and password (or text/phrase) about 15 times. Ideally, the enrolment process occurs over a period of time rather than all at once. This way, the capture of behavioral characteristics will be more consistent.
During keystroke recognition enrollment, the individual being enrolled should type without making any corrections (for example, using the backspace or delete key to correct any mistakes). If the individual does make corrections, the keystroke recognition system will prompt the individual to start again from scratch.
The distinctive, behavioral characteristics measured by keystroke recognition technology include:
- Cumulative typing speed
- The time that elapses between consecutive keystrokes
- The length of time that each key is held down (also known as the Dwell Time)
- The frequency with which other keys, such as the number pad or function keys, are used
- Key release and timing in the sequence used to type a capital letter (whether the shift or letter key is released first)
- The length of time it takes an individual to move from one key to another (also known as the Flight Time)
- Any error rates, such as using the backspace key.
These behavioral characteristics are subsequently used to create statistical profiles, which essentially serve as the enrolment and verification templates. The templates also store the actual username and password. The statistical profiles can either be “global” or “local.” Whereas a global profile combines all behavioral characteristics, a local profile measures the behavioral characteristics for each keystroke.
The statistical correlation between the enrolment and verification templates can subsequently be modified, depending on the desired security level. An application which requires a lower level of security will permit some differences in typing behavior. However, an application which requires a higher level of security will not permit any behavioral differences.
It is important at this point to make a distinction between static and dynamic keystroke verification. In the case of the former, verification takes place only at certain times, such as when the individual logs in to his or her computer, for example. With the latter, the individual’s keystroke and typing patterns are recorded for the duration of a given session.
Up Next: Our next article will examine the strengths and weaknesses of keystroke recognition technology.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.