User: Password:
Subscribe / Log in / New account

behaviorally-based biometrics

behaviorally-based biometrics

Posted Apr 10, 2008 13:35 UTC (Thu) by jabby (guest, #2648)
Parent article: Biometrics for identification

During my undergraduate studies I developed a proof-of-concept program that used a neural
network to recognize a user's typing style (as the cadence of keystroke timings from the
keyboard).  In the resulting paper [<>], I of
course acknowledged that this is not intended to be a complete security/identification
solution, but merely one option for inclusion in a set of methods.  I imagine someone typing
in their username and password and, in addition to validating the username and password, it
validates the way in which they are typed.  Other researchers have developed systems that
constantly monitor the keystroke activity of the user while interacting with the system.  If
at any point the typing behavior changes, the system can react appropriately (going into
lock-down mode or just sending an alert to an administrator.

My system worked fairly well, usually requiring only one or two attempts at the typing
challenge to be recognized and only rarely recognizing a false positive.  With tuning, I'm
sure it could have been improved.

The point is that behaviorally-based biometrics are *slightly* better than physically-based
ones in that it's harder to steal them and that they aren't entirely fixed.  In the scenario
of the keystroke timing recognition technique, the timings could potentially be stolen over
the wire and a repeat attack might then gain access.  But, combine that with some physical
form of ID, like a keyfob, and a memorized passphrase or password and now you're talking.  I
also imagine the person's typing style changing over time, like their signature.  The database
of keystroke timings would have to be updated periodically with new samples from the
authenticated user, perhaps gradually and automatically through some statistical recognition
of a slight but acceptable deviation from the current set.

I'm not arguing with the article at all.  I am actually in complete agreement that physical
attributes should never be treated like secret keys.  I just wanted to point out a dichotomy
in the realm of biometrics that might be worthy of separate consideration.

(Log in to post comments)

behaviorally-based biometrics

Posted Apr 10, 2008 23:42 UTC (Thu) by nix (subscriber, #2304) [Link]

Something I've wondered about for some time with these systems: what do 
you do if the user breaks an arm, or changes his keyboard, or is typing 
over a slow and laggy network?

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds