Authenticating People by their Typing Pattern

The University of Regensburg in Germany has released authentication software that makes use of the fact that each person's typing behavior is unique. It works by requesting that the person who seeks access to a computer or a password-protected file type a short passage on an ordinary keyboard: the longer the passage, the more reliable the authentication.

Posted on November 2, 2005 at 8:06 AM • 53 Comments

Comments

stacy • November 2, 2005 9:08 AM

There is a company flogging a product that uses this idea.
http://www.biopassword.com
I know nothing about them except what you can read on the web page. They claim they can do it accurately based on an eight character username and an eight character password. I am also curious about the claim to be able to work for web applications... I don't see how that is possible without a client side agent and I don't see how you could trust the client side agent for an internet facing application.

Erik Ableson • November 2, 2005 9:09 AM

An interesting idea, although there's one area where this breaks down and that's in the international arena where you run across different keyboard layouts. As an anglophone transplanted in France, I'm just starting to get my touch typing speeds back up to where I find them reasonable, and I'm now ruined as a typist on US layout keyboards. Switching back and forth from the English at the house and French at the office has definitely changed my psycho-motor profile for typing.

Just something to keep in mind for highly mobile professionals - they'll need about 6 months of acclimatization before they can rekey their typing pattern with any degree of consistency.

Tim Vail • November 2, 2005 9:09 AM

Perhaps it cannot be spoofed, but it is easily subject to a DoS attack. Do something to the person that makes them unable to type like they used to.

Aaron • November 2, 2005 9:12 AM

For a web application you could have a little java code that runs on the client side that just records the key timings and sends that back to the server side where the code would decide if it matched the user's profile. You could do a hack to replace the client java code but if you don't know the key timing profile you have to match, how does that do you any good?

Bill P. Godfrey • November 2, 2005 9:18 AM

For a replay attack, you'd need a hardware keylogger that can replay typing by an external signal (not a command entered by the keyboard) with the same timing as when it was recorded.

And physical access to the keyboard port.

Arik • November 2, 2005 9:20 AM

Heh. This takes me back.

I've actually done that way back in the late 1980's on my old trusty Apple ][e, in Applesoft BASIC and some 6502 machine code. I had the user type 3 words and time the keystrokes.

The false positive rate was pretty high, as I didn't apply a very sophisticated algorithm for the detection, but for my purposes it was enough.

I think I still have the source and my data file on a 180KB 5.25" floppy.

Matthew Friend • November 2, 2005 9:20 AM

I had the opportunity to test this at the Systems in Munich. The system requires the user to type in a specific phrase. Unfortunately (as I understood) the phrase was set globally and is not really a password that the user can set. I think this is a weakness since it makes the method the primary means of security.

Spoofing the system would be quite easy... The acoustic pattern of the person logging in could easily be gotten from the cubicle next door without having line of sight with the keyboard. A person could probably use a low tech approach and simply "practice" with an MP3 player until the rhythm fits. Additionally, since it is implemented as a Windows/Linux login or an Applet for Web Apps it still does nothing to protect against key loggers.

Now on the positive side... I have a pretty inconsistent "hunt and peck" typing style and I had about a 60/40 success rate. I actually found this to be quite good for my inconsistent way of typing.

I think combining this technology with a long password, unique to each user, would increase security over the password alone. For applications such as Network Appliances that use a web interface this kind of Biometrics is very interesting since it can be used with any Applet capable web Browser. No card reader, fingerprint or DNA analysing hardware needed :-)

PS: This post is a natural product. Any misspelled words or grammatical errors cannot be avoided and enhance its natural beauty.

Bill P. Godfrey • November 2, 2005 9:23 AM

@Me (Bill P. Godfrey)

"(not a command entered by the keyboard)"

Or, commanded by a keypress that the keylogger does not pass along to the recipient.

(Oops)

jayh • November 2, 2005 9:27 AM

@Matthew Friend

"60/40" is ok for novelty but can hardly be used for real world authentication. Add to that many users may not be touch typists, may be typing on an unfamiliar keyboard, or in distracting surroundings, or standing vs sitting and it's really just a parlor trick.

Eli • November 2, 2005 9:32 AM

I'm a touch typist, so that's how I enter passwords, etc. Unless I'm holding my daughter in one arm... then I'm hunt-n-pecking with whichever hand is free.

Neat idea. Bad idea.

Yvan Boily • November 2, 2005 9:38 AM

I wonder how the software compensates for the fact that the more frequently someone types the same phrase, the more efficiently they can type it?

One would think that eventually the software will train the users out of a 'pattern' useful for authentication, and furthermore, eventually all users will start to fall into reasonably broad groups of typing speeds.

It's a nice experiment, and interesting to note that typing patterns are that personal, but this is snake oil.

Frank Ch. Eigler • November 2, 2005 9:58 AM

"the fact that each person's typing behavior is unique" is stretching. "typing behavior uniqueness" is not a fact just because a self-promotional web page so claims.

RSaunders • November 2, 2005 10:10 AM

@ Yvan & Frank: I think that the whole question of stability is unexplored by folks advocating this. Typing is a learned behavior, and it requires practice to maintain. That's good evidence that it is not a biometric function of finger bone geometry or something else that is stable. My son is taking a keyboard class in school, and it's made a dramatic improvement in his proficiency in two months.

What happens when you take three weeks' vacation, or jam a finger playing basketball after work?

This sounds like movie plot security.

Bruce Schneier • November 2, 2005 10:10 AM

"Replay attack won't work, you get different challenge text each time."

But if I can monitor your typing patterns, I can spoof them.

This system has the same problems as all biometric systems: you need to trust the path from the biometric -- the fingerprint, the fingers on the keyboard, whatever -- to the verification system.

Phillip • November 2, 2005 10:10 AM

The replay attacks could be eliminated by requiring a different phrase be typed each time. This would require a longer learning period as the system would have to learn and be able to calculate much about the person's typing habits. For example, it may take me longer to type a "p" if the preceding character was an "e" than if the preceding character was an "o".

Just my $.02

Anonymous • November 2, 2005 10:49 AM

Hey at least that means that hired goons won't be breaking your fingers if they want to get into your computer!!
Now we finally have a countermeasure against rubber hose cryptography.

Otto • November 2, 2005 10:59 AM

@Phillip, etc.

If an attacker already has the ability to record, with high granularity, the inter-keystroke timings, then they probably also have the ability to record what's being typed. With sufficient data, it shouldn't be too hard to inject the correct timing frequencies even if the phrases change for each authentication.

All in all, I can't see this being of much use unless the whole system is tamper evident (e.g. an ATM machine). If it is based on commodity PC parts, then a dongle inserted between the keyboard and the PC could record timings and keystrokes easily that could then be incorporated into the hacking tool. The hacking tool would just read the challenge statements and "type" them back using the timings of the target user.

Pat Cahalan • November 2, 2005 11:30 AM

> Hey at least that means that hired goons won't be breaking your fingers if
> they want to get into your computer!!

They'll just break your wife's fingers. People who circumvent security measures in the classic "rubber-hose" sense (do it or I'll break your leg) are pretty good at getting around technical security countermeasures, because they attack the human interface.

Alfred Thompson • November 2, 2005 11:31 AM

I seem to remember reading several times that trained telegraph operators used to be able to recognize people by the way they transmitted code on the telegraph. During World War II this was seen as a valuable skill for making it harder for impostors to send falsified messages. Not 100% of course, and I doubt that any such system could be reliable enough as a sole system for giving access. I don't think I'd trust it.

Lally Singh • November 2, 2005 11:37 AM

so... how does the system handle me being hung over one day and hypercaffeinated the next?

Jim • November 2, 2005 11:44 AM

I had previously considered this to be an effective biometric property that could augment traditional authentication. Password + Typing Pattern = authentication. Replay attacks are a problem. The biggest issue in my mind is that if I break one arm, my typing pattern changes and I do not get authenticated.

Barry • November 2, 2005 11:54 AM

Presumably, though, many of these difficulties apply to most biometrics... a new scar on your finger could affect fingerprint recognition... and especially behavioural biometrics - the common cold would make speech recognition harder...

Surely the best thing to do in all these cases is to use the technology, but apply it carefully so that it is used *in conjunction with* (and so to enhance) existing security methodologies?

Pat Cahalan • November 2, 2005 12:01 PM

@ Barry

From a theoretical standpoint, it'd be interesting to see an N-factor authentication system, where you need to pass N-M tests in order to gain access. Someone needs to figure out the optimal values of N and M, though.

This is, after all, how we normally identify people -> if someone shaves off a beard, but otherwise sounds and looks like someone I know (and has speech-recognition patterns, etc), then I identify him appropriately, even though he fails one of his biometrics.

A schmantzy version would require a challenge on each of the M failures (you sound like Bill, but Bill has a beard, where is your beard?), with some sort of analysis provided on the M failures to predict the likelihood that the target is actually who they claim to be...

Yvan Boily • November 2, 2005 12:47 PM

@Otto

As an extension of what you have said: if the ability exists to record interstroke timings, it should be reasonably possible, based on statistical analysis, to determine which keys are being pressed, especially with a technique like this, because for typing ability to be usable as a metric it must be using material that is, on average, consistent with normal typing (i.e. blocks of text in a business unit, lines of code in a development unit, etc).

Rhandir • November 2, 2005 1:27 PM

@Pat Cahalan
Hmm. I don't know as much as I should about the theory you mention, but a practical application occurred to me that might fit with your thoughts.

Most of the scenarios I see discussed on this blog are single challenge-response events. Keystroke analysis that runs continuously could report to a server a running rating of the likelihood that the person typing is the same user that was authenticated at the beginning of the transaction.*

Here's a common scenario: Bob needs to get his secretary onto a network share that he/she isn't authorized to be on, to do some mundane task. Naturally, Bob goes and logs in, turns it over to his secretary, and gets lunch.

Given keystroke profiling, Jack the system admin could get an email from the server alerting him that Bob's session doesn't really match up with his usual profile, he can wander down the hall and take a peek at who's sitting at Bob's desk.

I guess my point is, that here's a tool that supplies a measure for the "hinky-ness" of someone's behavior, which is probably more valuable than yet another challenge-response setup. If I read Bruce correctly, he's much in favor of evaluating situations for relative levels of "hinky".
____
*A statistical analysis of keystroke pattern data collected over a period of months or years would be pretty interesting, and seems like just the kind of simple repetitive math-oriented task that computers were made for.

Dave Friant • November 2, 2005 2:00 PM

I have enjoyed reading this morning's Blog on Keystroke Recognition. My name is Dave Friant and I am with BioPassword. Everyone has raised good questions throughout the discussion this morning. BioPassword has addressed all of the questions that have been raised with management features of our technology including Internet authentication, different types/styles of keyboards, keystroke replay attacks (we throw out exact replicas and the input must come from the keyboard interrupt), etc. If anyone is interested in learning more about the technology please feel free to visit the BioPassword website at www.biopassword.com. If you would like to learn more about the technology please feel free to contact us. BioPassword has patents on Keystroke Recognition technology and the technology can be used with any device where data is input by touching, tapping or typing. This biometric is the perfect biometric for logical access applications. With a false accept rate (FAR) of 0.4% (4 in 1000 attempts), combined with good IT security policies of locking someone out after 3 or 4 unsuccessful attempts, this biometric is virtually un-spoofable. It is the only software-only biometric, it does not require a special device or sensor, users do not have to change their behavior to use it or be trained how to use it, it is easy to deploy and manage, it has a very low total-cost-of-ownership and it is the only biometric that can be seamlessly deployed over the Internet. We make MSFT Windows and the Citrix environment secure. We also solve the Internet's biggest problem of Phishing, Pharming, identity theft and account-hijacking.

[comment edited at user's request -- Moderator]

Koray Can • November 2, 2005 3:29 PM

Why is this not "snake oil" ? Look at this claim: "The typing behaviour is a significant and personally individual feature, which cannot be copied." What proof do they have that it is truly unique for each individual ? I know this is not proven for fingerprints or retinas, either, but what is the statistical threshold for acceptance of such a method ?
Moreover, I don't like the "the longer the passage..." bit. I thought the problem was having to provide through one's fingertips input that has a lot of entropy, so in a good solution I don't want to type many many characters.
Ok, you can no longer forget your password or disclose it to others (assuming understanding and replicating one's keystroke pattern is as hard as they would like us to believe), but is the system so perfect that it will never reject me when it's really I who's doing the typing (no false negatives) ? At least with passwords, I get no false negatives.

jammit • November 2, 2005 3:31 PM

@Dave Friant
Don't take anything here personally. We normally go over everything here with a fine toothed sledgehammer. After going to your site, I found two PDF files to go over. From what I've read so far is that this is something to use only in conjunction with another security protocol. We aren't here to test hack you. We're just curious and careful.

Rob Mayfield • November 2, 2005 3:48 PM

@Dave Friant : "In fact, if you do gain access to my account, BioPassword will give you $10,000. Enough said. Any takers?"

Then why not post the password here ? I'm sure plenty of people would be happy to test it.

Of course, any decent system won't give away hints as to what failed - "the content" or "the way it was typed" - so there's probably no way of knowing that you'd be testing the way it was typed; it could just be you gave out the wrong password ...

jammit • November 2, 2005 4:07 PM

@Bruce Schneier
I'm probably out of place here and I apologize for it, but I feel kind of nervous for Dave Friant in that he gave his email and phone number in "non" spammable format. Would it be alright to ask if you could edit his post and "munge" it a little bit?

Dave Friant • November 2, 2005 4:14 PM

Our technology is simply one part of a comprehensive security solution. We simply provide a match score, based on a live typing sample compared with a previously enrolled template, and then a decision is made whether or not to allow access based on the value of the score. Also, a person needs to cooperate with this technology in order for it to verify a person is who they say they are. If you enroll into a system using two hands sitting down you must authenticate using two hands sitting down. The false rejection rate will vary based on a user's level of cooperation. I hope this helps clarify a few of the previous postings.

Dave Friant • November 2, 2005 4:19 PM

To clarify, the BioPassword $10K challenge is a face-to-face challenge. We ONLY do this at trade shows. This is not something that is done over the Internet online. I do not want to mislead someone regarding this challenge. If you run into us at a trade show please stop by our booth and we will be glad to let you try it. Thanks.

9387t • November 3, 2005 4:03 AM

I heard a talk about keystroke dynamics some 5 years ago. Apparently, the system needed a quite long learning phase to work, but after that worked quite well both for touch-typists and hunt-and-peckers.

The system used static (typos) and dynamic properties (relative timings of pairs and triplets of letters). If you wanted it to be challenge-response, the learning period was longer.

Replay attacks with the challenge-response are possible, of course, but would need a long learning period and would have to be real-time. Sounds difficult to me.

jammit • November 3, 2005 10:54 AM

Yep, I post again. When will I ever shut up? It seems that the authentication is actually the same learning curve that's needed to hack the system. It's sort of like trying to pass a written signature to an expert who knows how you write. I personally believe it's a decent idea, but only if it's used with another device. I think everybody here can agree that two part authentication is pretty good, but only as good as the security of both authentications. How about having many different ways of authentication, and the computer asks for two different ones? Every time you fail it, the computer asks for two different methods.

Yvan Boily • November 3, 2005 1:44 PM

@Dave Friant

Unfortunately the offer of a $10,000 reward under those conditions is of little value; you have set a specific time constraint (trade show duration), you specify the usage of the technology, and you have a narrow environment for testing (equipment furnished by BioPassword).

The majority of research done by security professionals is done with open time constraints, in testing environments, and where the attacker controls all of the variables. This is the only way to perform proper research because it not only allows you to verify success, it also allows you to verify failure.

What you are proposing is a very constrained penetration test, which is held for marketing purposes, and holds no real value to a researcher, and certainly that type of claim would do little to bolster the confidence of a security professional in your product.

Please note that this is not an attack on you, your company, or your product, simply a perspective on the value of offering awards for 'testing' of a security control.

No one will dispute the value of defense in depth, but the issue is that this seems to be a highly dubious, closed security control. That sort of thing doesn't sit well with security people.

Alen Peacock • November 4, 2005 12:15 PM

I am one of the authors of the "Identifying Users from their Typing Patterns" chapter in the recently published 'Security and Usability' O'Reilly book, which is a basic overview of this technology covering the last 30 years or so. Alfred Thompson is right -- some of the original researchers in this area cited telegraph operators' abilities to "authenticate" one another as inspiration, and there are lots of other individual examples of prior art, as Arik illustrated.

We also reviewed several of the patents covering this area. Note that BioPassword is aggressive in enforcing them (I'm somewhat surprised that the University of Regensburg has been able to publish their tool).

We published a similar survey paper in September 2004 in IEEE Security & Privacy Magazine: Special Issue on Usability and Security.

DarkFire • November 7, 2005 12:51 PM

How does the system cope with users who are tired and therefore potentially type more slowly or with less accuracy?

I know that my accuracy tends to suffer greatly when I'm tired, in a rush etc.

The Psylock Team • November 14, 2005 7:21 AM

Hello!

We are from the Psylock team of the University of Regensburg in Germany. We have been doing research on the subject of recognizing people based on their typing behaviour since 1992 and have already put a lot of effort into our methods. Psylock (Psychometric Locking) is a patented method and has been used for 2 years now by about 20 of my colleagues in their daily work. So far it has never occurred that a user was locked out of his/her account and could not authenticate by means of typing behaviour, despite several sports injuries and things like quitting smoking.

In the following we will comment on what we consider the main questions raised in this thread.

Spoofing:
=========
First of all, we would like to stress what Mr. Schneier has been saying for many years now: "Biometrics are unique identifiers, but they are no secrets". In my opinion, much of the confusion raised in this thread and elsewhere could be avoided if this fact had been borne in mind. Whenever taking a decision based on a matching score calculated by any biometric system, you always have to ensure, or at least to assume, that the observation in question originated from a genuine measurement action. With typing behaviour biometrics this is no different. Depending on the use case to be handled you may need to take some extra effort to guarantee such a genuine measurement, or you may just make the assumption that the effort an attacker has to make in order to fake or inject a valid typing pattern is not worthwhile from his/her perspective.

The logical way of hacking Psylock would seem to be a keylogger that records the user's typing pattern while authenticating. One way to make such an attack more difficult is to challenge the user with a random sentence every time he/she tries to authenticate, to bring in an element that is not contained in the keylogger's data.

Changes in the typing behaviour:
================================
Many of the concerns expressed in this thread are based on the observation that the typing behaviour may change for different reasons. A user may have recorded his/her profile sitting on a chair and is now trying to authenticate while standing. His/her hand might get injured. Or his/her typing behaviour may change simply because of practice.

Most evident is the fact that one's typing behaviour naturally fluctuates depending on mood, the time of day, or other factors. Psylock checks not only dynamic factors of typing behaviour like the time span between keystrokes, but also stable parameters like the precise order of key-down and key-up events, typical typing mistakes or the way you correct them. This way, the common fluctuations are tolerated by Psylock. After a successful login, Psylock shows the user the matching score that he/she has reached, so that he/she gets feedback on how large that fluctuation was.

Sometimes, however, it happens that the typing behaviour changes drastically, e.g. as a consequence of an injury. Here, we have several fallback mechanisms. In case the injury is slight, like a cut finger, the program still recognises the user thanks to the aforementioned stable parameters.

In case the injury is more serious, like a broken hand, a fallback mechanism can be activated and the user will access the system by means of a special password or another authentication mechanism for some time, and then return to the Psylock authentication as soon as his hand is healed.

In the last case, when the user suffers an injury that will affect his/her typing behaviour for good, the administrator has the possibility of resetting the typing profile, and then the user trains Psylock anew. Of course, even if the user's hand is not injured he/she can provide the system with additional learning samples whenever he/she wants.

Other changes in the typing behaviour can occur in connection with an improvement in typing skills, for example. This is not a problem for Psylock, as its neural network is "learning" every time the user authenticates. As the user does not learn to type fast within a day, the program will simply follow his/her progress and keep the profile up to date.

Different keyboards do, of course, affect the authentication results. If the keyboards are not too different Psylock would recognise the user with a slightly lower matching score, and then update his/her profile accordingly. This is e.g. usually the case when switching from a standard PC keyboard to a notebook keyboard. If the keyboards are too different, like metal keyboards in a bank, or language specific keyboards, the user may keep up a separate profile for every type of keyboard.

Online demo:
============
At present, we are in the process of testing the program on large groups of users. We are always glad to get feedback from more users, and would be glad if you tested our online demo that will go online in the next few days. It will let you create your own account (for this you have to type a short sentence 20 times), or try to attack one of our accounts.
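The mechanics that several comments describe can be made concrete in code: Phillip's point that the latency before a key depends on the key that preceded it (a per-digraph feature), Dave Friant's remark that BioPassword throws out exact timing replicas, and the Psylock team's mix of a dynamic feature (time between keystrokes) with a more stable one, compared against an enrolled profile to produce a match score. The following is an added example written for this thread; it is not code from Psylock, BioPassword or the University of Regensburg, and its feature set (key-down to key-down flight time and key hold time), its thresholds, and the sample timings are all assumptions chosen for illustration, not values taken from any product.

```python
"""Toy keystroke-dynamics verifier (added example, not Psylock or BioPassword code).

Feature names, thresholds and timings are assumptions for illustration only.
"""
from statistics import mean, pstdev

Z_LIMIT = 2.5        # assumption: a feature may stray this many spreads from its mean
MIN_SCORE = 0.8      # assumption: fraction of in-range features needed to accept
MIN_SPREAD_MS = 5.0  # assumption: floor on spread so honest jitter is tolerated


def make_sample(text, flights, dwells):
    """Build a sample as a list of (key, key_down_ms, key_up_ms).

    flights[i] is the delay from key i-1 going down to key i going down
    (0 for the first key); dwells[i] is how long key i is held.
    """
    sample, t = [], 0
    for ch, flight, dwell in zip(text, flights, dwells):
        t += flight
        sample.append((ch, t, t + dwell))
    return sample


def features(sample):
    """Extract {feature: [ms, ...]} from one sample.

    ('flight', k1, k2): key-down to key-down latency for each key pair; this is
    the dynamic feature whose value depends on the preceding key.
    ('dwell', k): hold time of each key, treated here as the more stable feature.
    """
    feats = {}
    for (k1, d1, _), (k2, d2, _) in zip(sample, sample[1:]):
        feats.setdefault(("flight", k1, k2), []).append(d2 - d1)
    for k, down, up in sample:
        feats.setdefault(("dwell", k), []).append(up - down)
    return feats


def enroll(samples):
    """Pool enrollment samples into a profile: {feature: (mean_ms, spread_ms)}."""
    pooled = {}
    for s in samples:
        for name, values in features(s).items():
            pooled.setdefault(name, []).extend(values)
    return {name: (mean(v), max(pstdev(v), MIN_SPREAD_MS)) for name, v in pooled.items()}


def timing_vector(sample):
    """Keys and timings relative to the first key-down; used to spot exact replicas."""
    t0 = sample[0][1]
    return tuple((k, d - t0, u - t0) for k, d, u in sample)


def match_score(profile, live):
    """Fraction of the live sample's feature values within Z_LIMIT spreads of the profile."""
    hits = total = 0
    for name, values in features(live).items():
        if name not in profile:  # key pair never seen at enrollment: no evidence either way
            continue
        mu, sd = profile[name]
        for v in values:
            total += 1
            if abs(v - mu) <= Z_LIMIT * sd:
                hits += 1
    return hits / total if total else 0.0


def verify(profile, enrolled_vectors, live):
    """Return (accepted, reason). An exact timing copy of an enrolled sample is
    rejected as a replay before scoring; otherwise the match score is thresholded."""
    if timing_vector(live) in enrolled_vectors:
        return False, "replica"
    score = match_score(profile, live)
    return score >= MIN_SCORE, f"score={score:.2f}"


# Constructed sample data: four enrollment typings of "pen" with natural jitter.
ENROLLMENT = [
    make_sample("pen", [0, 180, 140], [90, 80, 100]),
    make_sample("pen", [0, 190, 135], [95, 78, 104]),
    make_sample("pen", [0, 172, 148], [88, 84, 97]),
    make_sample("pen", [0, 185, 142], [92, 81, 101]),
]
GENUINE = make_sample("pen", [0, 178, 144], [93, 79, 102])   # same user, fresh attempt
IMPOSTOR = make_sample("pen", [0, 260, 90], [60, 150, 70])   # someone else, same text
PROFILE = enroll(ENROLLMENT)
ENROLLED_VECTORS = {timing_vector(s) for s in ENROLLMENT}

if __name__ == "__main__":
    for label, live in [("genuine", GENUINE), ("impostor", IMPOSTOR), ("replay", ENROLLMENT[0])]:
        print(label, verify(PROFILE, ENROLLED_VECTORS, live))
```

The score is deliberately tolerant (a feature only has to land within a band around its enrolled mean), which is what lets day-to-day fluctuation through while a different typist, whose flight and hold times sit far outside every band, scores near zero. The replica check is the cheapest replay defence available and catches only a byte-for-byte timing copy; a recording played back with small perturbations would pass it, which is why the thread's other suggestions (a random challenge sentence, trusting the path from keyboard to verifier) still matter.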

Roger • November 14, 2005 6:42 PM

A small aside, inspired by Alfred Thompson's remark. I had also heard of WW2 radiotelegraph operators recognising, for example, SOE agents in the field by their keying pattern -- known as their "fist". However until reading "Between Silk and Cyanide" I hadn't realised how sophisticated the process was. A grossly different operator could be recognised by sound alone, but in most cases they used an electromechanical device which automatically plotted a graph (polar, if I recall correctly) as the signal was received. These formed rosette-like patterns unique for each operator and fairly stable, which could then be compared by vgrep against file copies taken while the operator was in training.

The system could not detect an agent acting under duress (a problem for many biometrics, of course), but was otherwise extremely difficult to fool, so it at least encouraged the Gestapo to keep the operators alive.

Roy Maxion • November 20, 2005 11:41 AM

The claims made by both BioPassword and PSYlock are attractive, but I wonder what evidence can be brought to bear in supporting those claims? What, for example, would constitute a sound testing regime that would produce reliable hit, miss, and false-alarm rates? I haven't seen anything that shows how these technologies were tested, but would be very interested in same.

Daria Ganitcheva • November 26, 2005 2:55 PM

@ Roy Maxion: I am part of the Psylock research team. Psylock is the result of almost 13 years of thorough research and extensive field tests, which gives us a vast quantity of data on almost any statistics possible.
We have just released a free online version of Psylock, where anyone can test the method and get more information. You are welcome to try it out on:
http://132.199.255.236/psylock-demo/
or
http://www.psylock.de/
More information like research papers and publications are available on request.

Carl Weber • November 29, 2005 1:52 AM

The method of identifying users by their typing pattern is old. It has been available since 1991 from:
Phoenix Software International
5933 West Century Blvd. Suite 1200
Los Angeles, CA 90045
(213) 338-0400 (voice)
(213) 338-0801 (fax)
The DOS test version will be available from: www.GreenHouse.de/ZIPDownLoad/BIOLOCK.ZIP
until 31Dec2005

Daria Ganitcheva, Team Psylock • November 30, 2005 10:31 AM

Hello!
While it is true that there have been former applications based on the same idea as Psylock, Psylock has definitely added a lot of functionality and increased the security level. Psylock is available as an online security measure as well as a standalone version; it can be used on home computers as well as on servers. Additionally, it can fully replace a password, instead of just enhancing it. Because Psylock analyzes a sentence instead of one word typed by the user, the recognition of the typing patterns is much more exact. Quoting the Biolock description file: "As a demonstration program, BioLock contains no security mechanism for actually protecting your PC."
What the Psylock developer team did was to make a program that can actually provide computer security on a high level, and it is being used by many companies already, who have been convinced by the low total cost of ownership and the hardware independence of Psylock.

Mary C • January 18, 2006 9:04 PM

I am working on a keystroke recognition system for my doctoral dissertation. This discussion has been very helpful.
Thanks
MC

Dave Kirby • October 4, 2007 4:43 PM

I know that this discussion is a little old, but I thought that it would be useful to add that when a key-stroke pattern recognizer is used as part of the authentication process, anyone who tries to enter an account by using either the correct or incorrect password will leave a type of personal identifier (their pattern of typing). This residue of the attack might be helpful in locating and prosecuting this common type of intruder. The likelihood of this info being useful for prosecution grows when you consider how frequently those who are trying to break into an account work at the same institution as the person whose account they are trying to use. In this case the intruder's own keying pattern signature will be on file at the institution and can be used to help identify the intruder.
