In a previous article, Ravi Das introduced keystroke recognition technology, including how it works and what it measures. Here he outlines the strengths and weaknesses of keystroke recognition technology.
Keystroke recognition technology has several strengths and weaknesses. Arguably its biggest strength is that it doesn’t require any additional, specialized hardware. As previously indicated, keystroke recognition is purely software-based, allowing the system to be set up very quickly.
Second, keystroke recognition can be easily integrated with other, existing authentication processes. By contrast, the adoption of certain other biometric technologies requires the implementation of a new process within an existing process. This calls for individuals who are properly trained in the use of contemporary biometric devices, which can greatly increase costs.
Third, most people are familiar with typing their username and password. As a result, there is very little training required for an individual to use a keystroke recognition system properly.
Fourth, the templates that are generated by the system are specific only to the username and password used. Should this username and/or password be tampered with, the individual only needs to select a new username and password to create a new set of enrollment and verification templates.
The weaknesses of a keystroke recognition system are the same as those found in other systems that rely on a username/password combination. For example, passwords can be forgotten or compromised, and users still have to remember multiple passwords in order to gain access to, for example, a corporate network. This results in additional administrative costs to reset passwords. As such, keystroke recognition only enhances the security of an existing username/password-based system.
Keystroke recognition is not yet a proven technology, nor has it been widely tested. Finally, keystroke recognition is not necessarily a convenient system to use.
Criteria used to rate keystroke recognition technology
Just like signature recognition, keystroke recognition is not as widely implemented as other biometric technologies, such as fingerprint recognition and iris recognition. But, like other biometric technologies, keystroke recognition can be evaluated against seven key criteria:
- Universality: This is a key strength of keystroke recognition. Even people who are “one-finger” typists or not familiar with typing at all can be accommodated.
- Uniqueness: At the present time, keystroke recognition only possesses enough unique features to be used for verification applications and not for identification applications.
- Permanence: This is one of keystroke recognition’s biggest weaknesses, as the typing pattern of an individual can change due to injuries, disease, increased typing proficiency, fatigue, lack of attention, or even using a different keyboard. Such variables can lead to an individual having a different typing pattern and rhythm.
- Collectability: It can take many typing samples by one individual to collect and extract enough unique features.
- Performance: When the proper security threshold setting is established by the systems administrator, keystroke recognition can produce an FRR (False Rejection Rate) of up to 3%, and an FAR (False Acceptance Rate) of up to 0.01%. As mentioned, keystroke recognition does not require any additional hardware, and enrollment and verification can happen remotely. It can even be used to further harden passwords, and the template size is quite small.
- Acceptability: There are no privacy rights issues with keystroke recognition, and there are no negative correlations associated with typing.
- Resistance to circumvention: Any typing data which is not encrypted can be used maliciously by a third party, and can even be used to spoof the keystroke recognition system. Also, keyloggers can be installed on the computer itself to record the various keystroke patterns and rhythms.
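The Collectability and Performance criteria above can be made concrete with a short added example (not from the article or any keystroke recognition product): a template is built from several typing samples, and the administrator's threshold decides the balance between FRR and FAR. The timing features, the distance measure and every sample value are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed timing vectors in ms for one fixed password. The four features
# (two key-hold times, two between-key gaps) are assumptions for illustration.
ENROLL = [
    [90, 130, 85, 225],
    [110, 170, 75, 175],
    [100, 150, 80, 200],
    [90, 170, 75, 225],
    [110, 130, 85, 175],
]
# Constructed verification attempts by the enrolled user; the last one mimics
# a tired user on an unfamiliar keyboard (the permanence weakness).
GENUINE = [[105, 160, 82, 190], [92, 155, 83, 215],
           [110, 175, 86, 230], [125, 200, 90, 260]]
# Constructed attempts by other people who know the password.
IMPOSTOR = [[140, 90, 100, 120], [70, 230, 60, 300],
            [115, 180, 88, 235], [130, 100, 95, 150]]

def enroll(samples):
    """Template = per-feature (mean, standard deviation) over all samples."""
    return [(mean(col), max(stdev(col), 1.0)) for col in zip(*samples)]

def score(template, attempt):
    """Average deviation from the template in standard deviations; lower is closer."""
    return mean(abs(x - m) / s for (m, s), x in zip(template, attempt))

def rates(template, genuine, impostor, threshold):
    """Return (FRR, FAR) when attempts scoring above the threshold are rejected."""
    frr = sum(score(template, a) > threshold for a in genuine) / len(genuine)
    far = sum(score(template, a) <= threshold for a in impostor) / len(impostor)
    return frr, far

def sweep(thresholds):
    """Evaluate the same template at several administrator-chosen thresholds."""
    template = enroll(ENROLL)
    return {t: rates(template, GENUINE, IMPOSTOR, t) for t in thresholds}

if __name__ == "__main__":
    for t, (frr, far) in sweep([1.0, 1.3, 2.0, 3.0]).items():
        print(f"threshold {t:.1f}: FRR {frr:.0%}  FAR {far:.0%}")
```

With these constructed samples, a threshold of 1.0 rejects half of the genuine attempts, while a threshold of 3.0 accepts half of the impostor attempts.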
Compared with other physical biometrics, keystroke recognition is easier and cheaper to implement. However, it is unlikely to be used for applications such as physical access control, document verification, passport verification, etc. Instead, it will be used for computer security (where fingerprint and iris recognition solutions are already used as a substitute for usernames and passwords).
Keystroke recognition is also well suited to e-commerce applications. Here, a user would be able to access an internet banking or e-commerce site by typing in the same text or phrase several times (rather than having to remember different usernames and passwords). Moreover, the same text or phrase can be used to log into multiple e-commerce sites. Keystroke recognition could also be the security tool of choice for multimodal security applications, where it can be used to provide third-, fourth-, or even fifth-tier security.
While small to medium-sized enterprises will probably not adopt keystroke recognition technology, it is well suited to large businesses and organizations, including major banks and financial institutions. It’s also quite conceivable that keystroke recognition will be adopted by governments around the world.
Up Next: Our next article will take a deep dive into the Biometric Technologies of the Future.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.