PayZa : From passwords to keystrokes: an evolution in user identification technology

From passwords to keystrokes: an evolution in user identification technology

Submitted by Tarek on Fri, 08/31/2012 - 12:09

An evolution in user identification technology

Gone are the days of remembering long, complicated, case-sensitive passwords. Or are they? With new user identification technologies on the market, passwords might be going obsolete. But are these new technologies really as effective as a strong password?  With the common problem of using the same passwords on different online accounts, and the proliferation of password-cracking software and techniques, it turns out that these new sci-fi-style technologies might be even more reliable.

Keystroke identification is one of the new technologies replacing password identification in some companies and organizations, and is getting more and more attention in the computer security community. This technology works by monitoring keystroke dynamics – a person’s unique typing patterns. Likened to “handwriting of the digital age”, keystroke identification makes security more human-friendly than passwords (which can be easily cracked, especially if they contain words instead of random characters, and can be forgotten by the user), and allows for more continuous authentication as opposed to one-time password authentication. This is good as the computer system will be able to detect if a user has changed mid-session.

Typing dynamics can be captured through various identifying components including but not limited to latency between consecutive keystrokes, dwell time (time duration in which a key is pressed), flight time (time between releasing a key and pressing the next one), typing speed and error frequency (use of backspace button). These identifying components can be as unique as a hand-written signature.

Although keystroke identification is high-tech, and right up there with retina, fingerprint and facial feature recognition, there is some skepticism surrounding its efficiency. Unlike the other biometric technologies, typing patterns are not as consistent over time and can be erratic, even throughout the course of a day. And there are also concerns about keystroke loggers overriding this type of authentication system.

But skepticism aside, authenticating a computer user by keystroke just might be the key to stronger online security because it is not that recent a technology, and has been studied for longer than most people know. According to Chairunnanda et al., the study of the manner in which people type goes back as far as Morse code. Apparently, Morse code wasn’t only useful in relaying messages over vast distances, but it also helped to identify the sender of the code. Like the identification techniques used for Morse code, keystroke dynamics can help stem the incidence of identity theft, and can prove useful in the e-commerce industry where a lot of highly sensitive personal information is transmitted online.

Some companies, even Payza, are still making use of the username/password credential system and have no immediate plans to adopt a biometric means to authenticate our users, but it is still exciting to know that such avante-garde and highly feasible means for identifying people are on the horizon.

In the mean time, you can strengthen your passwords by making use of programs like Password Safe (https://www.schneier.com/passsafe.html), 1Password (https://agilebits.com/onepassword) and Last Pass (http://lastpass.com/) which can help your create and store very strong passwords.

References

• http://people.csail.mit.edu/edmond/projects/keystroke/keystroke-biometrics.pdf
• http://www.slate.com/blogs/future_tense/2012/03/20/keystroke_identification_may_replace_passwords_allow_for_continuous_authentication_.html
• http://petsymposium.org/2011/papers/hotpets11-final8Chairunnanda.pdf
• http://www.ise.bgu.ac.il/faculty/liorr/idth.pdf

More about Payza Security

From - https://blog.payza.com/node/46