Key pattern analysis (KPA) in the computer world is similar to performing a piano concerto. Unlike a kitten on the keys, your keystroke pattern can protect you from a musical sour note, or from a stolen computer password. Timing is crucial to a good song, and now it may be the answer to foiling hackers.
This approach to securing your password is a form of biometrics which also encompasses fingerprints, iris and retina recognition, gait analysis, and now typing patterns. KPA .is relatively new and still has its shortcomings. However, individuals at several universities, such as Ravel Jabbour, Wes Masri and Ali El-Hajj of the American University of Beirut, in Lebanon, and Daniele Gunetti, Claudia Picardi, and Giancarlo Ruffo, Department of Informatics, University of Torino, have been testing how to perfect the model. They have been looking into its use for both securing data and identifying the user.
Many aspects of typing are taken into account. The length of time a key is pressed, the time between pressing one key and then the next, also know respectively as duration or dwell time and latency or flight time, are all recorded based on the electronic signals from a standard keyboard. Similar to voice recognition software, such as Dragon Dictate, the user must ?teach? the computer how they type, by repeating their password several times, so a profile of their pattern can be developed.
Even if your password falls into the wrong hands, no one could replicate your typing style according to the hypothesis. However, that magic word we use to access our data, makes password pilfering too easy. It is estimated that the most Internet users have just one or two magic words that they use over and over again for all their online accounts.
Creating a template, or biometric profile, becomes a question of balance, however, like Goldilocks and the Three Bears, it has to be just right. The longer the password, the better and more complex your profile will be, but make it too long and you have less chance of matching your typing pattern exactly each time.
The researchers at the University of Torino while testing the impact of language on KPA pointed out some of its pitfalls. "Keystrokes, unlike other biometric features, convey an unstructured and very small amount of information. Keystroke duration and digraph latency are in fact a pretty shallow kind of information. Keystroke dynamics are a behavioral biometric, like voiceprints and handwritten signatures. As such, they are intrinsically unstable, and show a certain degree of variability even without any evident reason."
How you type might protect and/or identify you
Saying that typing dynamics may provide meaningful information to improve the accuracy of an Intrusion Detection System, they tested the viability of KPA in various languages. They used typing samples from 31 volunteers typing free form as if they were writing an email in both Italian and English. They showed that a user could be identified by his typing style even when writing in a language different from that used to create his profile.
Since 1975, when the idea of keystroke analysis was first explored, many studies have taken place. A paper in 2007 in the International Journal of Information Security, by Clarke and Furnell was the first one performed on mobile devices. More recently Nathan Clarke and A. Buchoux from the Centre for Information Security & Network Research, University of Plymouth in the UK created a software prototype to study keystroke analysis on a Smartphone. They used Visual Basic .NET, Microsoft .NET Compact Framework 2.0 and a SPV C600 Smartphone running Microsoft Windows Mobile 5. One determination was that a 4-digit pin was not long enough for practical use.
They also noted in that paper that is now four years old that "the applicability of implementing neural networks on a Smartphone is poor, with algorithms at present too computationally demanding for processors. However, given the rapidly evolving nature of mobile devices and their ever-increasing processor speeds and capacities, it is envisaged this will not remain a problem."
Regardless of language, KPA on a Smartphone is challenging
In fact, they have continued their work and their latest presentation Towards a Flexible, Multi-Level Security Framework for Mobile Devices was presented at the Proceedings of the 10th Security Conference in Las Vegas where they again reiterate: "User authentication, has not kept up with the advances in device technology." Their paper proposes an approach outlining three techniques for establishing what level of security to provide based upon individual services and applications.
There are still many obstacles to address in KPA. Click here for an unusual rendition of keystroke analysis.