For decades, we have been using the two-pronged key system for securing our electronic data and services. The two-pronged key we’re talking about is the username/password combination. There are variations of this, of course. For example, instead of a username, you might be using your email address, or something called a user ID. But the concept remains the same.
The username/password combination for security is over 50 years old. To be more precise, it was first implemented in 1961 at the Massachusetts Institute of Technology (MIT). We have been using this security method for all kinds of data and services online, including but not limited to email, banking, and gaming services.
But it has also been shown many times that this kind of security doesn’t work well, especially today, when the processing power of commodity hardware is better than ever and it’s getting easier by the day to crack passwords. Switching to a more secure system is not just obvious, but necessary.
Quite a few new types of authentication mechanisms have been implemented: iris scanners, fingerprint scanners, random number generators, and USB drives as authentication devices. But most of these methods authenticate the user only at the beginning of a process, for example, when you log in to your computer. They don’t authorize the user for the various actions performed after that first authentication. So, for example, if somebody gets access to your computer, they can easily go through your files.
The need of the hour is a system which detects intrusions in systems continuously and in real time. In other words, we need a system which identifies and learns the behaviour of the user of a system. So when there’s an intrusion, it can easily detect the change in behaviour of the user and label the user as an intruder. This analysis of behaviour is known as keystroke dynamics.
Keystroke dynamics, as the name suggests, uses the information of how you interact with your keyboard to draw your digital fingerprint.
Keystroke dynamics measures the speed at which you type, the latency in your keystrokes, the amount of pressure you apply on the keys, the key combinations you use, and a few other things. This combination, according to the people who came up with the technique, is unique per person. So it becomes easy to identify if there’s an intrusion.
Each person’s typing is influenced by distinctive neuro-physiological factors, which leads to a uniqueness in the way we handle different key combinations. This is also known as muscle memory, and it helps in maintaining that consistency in typing, which in turn makes this system much more reliable than the ones in existence today.
But you might say that there’s a privacy concern here, because a piece of software is continuously monitoring what you’re typing. The thing is, keystroke dynamics is only concerned with how you’re typing, or how you’re using the keyboard. It is not concerned with what you’re typing. So there’s nothing to be worried about.
And because keystroke dynamics is a software-only e-biometrics system, there’s no need for any kind of extra, special hardware, just the keyboard that you’re already using. This brings keystroke dynamics to the forefront of modern authentication and authorization biometric systems.
When you’re working with a traditional biometric system, say a fingerprint scanner, there’s an enrollment process. If your fingerprints are not already registered in the system’s database, it’s not going to authorize you. There’s a similar enrollment process for keystroke dynamics as well. In this, you’ll be asked to type a text (mostly two pages long) into the software. The software will learn the rhythm and patterns in your typing. Soon after this, it’ll be able to differentiate you from other users of the system. However, learning your keyboard-using style is a continuous process within the system, similar to any other machine learning system. So the more you use it, the better it gets at recognizing you.
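As an added illustration (not code from this article or from any product it refers to), the sketch below enrolls a user from timing samples of a fixed text and scores later samples against that profile. The scaled Manhattan distance, the threshold of 3.0, and all sample timings are assumptions chosen for the example; the article does not name a specific algorithm.

```python
from statistics import mean, pstdev

def features(events):
    """events: list of (key_down_ms, key_up_ms) per keystroke, in typing order.
    Only timing is kept (how you type); the characters are never recorded."""
    hold = [up - down for down, up in events]            # dwell time per key
    flight = [events[i + 1][0] - events[i][1]            # release -> next press
              for i in range(len(events) - 1)]
    return hold + flight

def enroll(samples):
    """Build a profile (per-feature mean and spread) from enrollment samples."""
    columns = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in columns]
    # Floor the spread at 1 ms so a very consistent feature cannot divide by zero.
    spreads = [max(pstdev(c), 1.0) for c in columns]
    return means, spreads

def score(profile, events):
    """Scaled Manhattan distance: mean deviation in units of the user's own spread."""
    means, spreads = profile
    vec = features(events)
    if len(vec) != len(means):
        raise ValueError("sample length differs from the enrollment text")
    return sum(abs(v - m) / s for v, m, s in zip(vec, means, spreads)) / len(vec)

def is_intruder(profile, events, threshold=3.0):
    # threshold is an assumed value; a real system tunes it on held-out data
    return score(profile, events) > threshold

# Constructed sample data: four keystrokes of the same fixed text, times in ms.
ENROLLMENT = [
    [(0, 95), (180, 270), (340, 440), (560, 650)],
    [(0, 100), (190, 285), (350, 445), (570, 665)],
    [(0, 90), (175, 268), (335, 430), (550, 642)],
]
SAME_USER = [(0, 97), (185, 278), (345, 441), (562, 655)]
OTHER_USER = [(0, 60), (110, 165), (400, 470), (500, 555)]

if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for name, sample in (("same user", SAME_USER), ("other user", OTHER_USER)):
        print(name, round(score(profile, sample), 2), is_intruder(profile, sample))
```

A continuously learning system, as described above, would also fold accepted samples back into the profile; this sketch keeps the profile fixed after enrollment.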
Most of the leading keystroke dynamics systems on the market today are able to provide an accuracy of 99% in detecting intrusions. The software runs in the background on the user’s computer, silently monitoring the user’s keystrokes in his or her day-to-day usage of the computer, and not asking for any other input after the initial enrollment process.
It is also one of the most inexpensive systems out there, as there’s absolutely no need for any extra hardware. With just the existing keyboard and a piece of software, the system is able to provide continuous validation of the user.
But, like any other technology, this has to be regulated with industry standards. Any software which monitors users’ keystrokes has a lot of potential to be deadly.
This technology is still in its infancy. It will be interesting to follow it to maturity; for all we know, this might rid us of all the usernames and passwords we struggle to keep in our memory.