Biometric Identification and Authentication in Computers: Keystroke Dynamics.
The recent trend in smartphone technology has seen the introduction of fingerprint identification and, as the latest innovation in the iPhone X, face identification and authentication. Unfortunately, the limitations of most computers, desktops and laptops alike, mean that a user name and password are still very much the mainstream means of identification and authentication. However, this traditional approach is arguably still a valid means of controlling access to sensitive information and data; even with the advent of the cloud and the various accounting systems, access by way of a user name and password is prevalent. Cloud based systems and records are an invitation for cyber crime (Kaufman, 2009).
There has been an exponential increase in the use of web based systems, and whilst computer technology has simplified and arguably improved the flow of information and financial transactions, it has resulted in an increased danger from hacking (Monrose & Rubin, 1999; Banerjee & Woodward, 2012; Teh, Teoh & Yue, 2013). Such attacks have compromised a wide variety of businesses, but most importantly the banking industry has been at the forefront of the attacks (Choo, 2011). The security of the finance sector is a concern given the sensitivity of the information and data within computer systems. The problem of cyber crime is not limited to large organizations; it also affects small to medium size businesses (Velmurugan, 2009). Subsequently, if passwords, pin numbers and user access codes can be compromised, what additional security is available? This is where the alternative forms of identification and authentication offered by biometrics come into consideration. For small to medium sized firms the use of biometrics can be a cheaper or more affordable way of dealing with security and yet still offer that added degree of security.
Approaches to authentication and identification have been classified as falling within three basic categories: knowledge based, object based, and biometric based (O'Gorman, 2003; Shanmugapriya & Padmavathi, 2009). A knowledge based approach is linked to something that is committed to a person's memory, such as a password or pin number. An object based approach involves the use of an item that a person has in his or her possession, such as a card (e.g. an ATM card). By contrast, a biometric approach is based on some aspect particular to that person alone and can be physiological (e.g. fingerprints) or behavioural (e.g. keystroke dynamics). An overview of these categories and the relevant characteristics is presented in Figure 1.
According to Shanmugapriya and Padmavathi (2009), biometric based technologies are increasing in their application, especially when used in conjunction with the other forms of authentication and identification. They act as a means of verifying the identity of the person and thus add an extra layer of security to the process of gaining access to the particular database and information available through the organisation, be it a bank, a government department or a small to medium size business.
In choosing a particular category of biometric based approach there are additional matters that need to be considered. In particular, the physiological aspects have a number of drawbacks that make them difficult to implement in the case of any system security access control. For example, Snelick, Mink, Indovina and Fellow (2005) highlighted the findings of the US Congress report into the use of a biometric system that approximately 2 percent of the US population did not have a legible fingerprint and subsequently would be unacceptable. With these potential problems it is considered that behavioural based approaches offer a more equitable and useful method. In retrospect, Jain, Ross and Prabhakar (2004) suggested that to be useful a biometric approach needs to satisfy four characteristics:
1. Universality: that is, every person should have the characteristic;
2. Distinctiveness: the characteristic should be sufficiently different between persons;
3. Permanence: the characteristic should be consistent over time to meet the matching criteria;
4. Collectability: the characteristic needs to be something that can be recorded and measured quantitatively.
Of the various types of behavioural based approaches, keystroke dynamics satisfies the four characteristics and offers a viable means for validating the identification of a user.
Keystroke dynamics involves analysing the habitual typing rhythm patterns of a user when the person is typing on a keyboard. Research has shown that the keystroke rhythm is a good indicator of the identity of a person (Gupta, 1990; Maher, Napier, Wagner, Laverty, Herderson & Hiron, 1995; Monrose & Rubin, 2000). The concept of identifying a person by the rhythm and timing of keystrokes actually dates back to telegraph operators, who could identify each other by the tapping rhythm of the dots and dashes that constituted Morse code (Teh, Teoh & Yue, 2013; William & Harter, 1899).
Jain, Ross and Prabhakar (2004) identified that keystroke dynamics can operate to satisfy two different outcomes, be it identification or simply verification. Identification requires a large amount of keystrokes in order to assess a person's identity against a number of possible users. This is complex and requires a longer time period before identification can be validated. Verification, on the other hand, is about checking the keystroke dynamics of a known individual to confirm validation. This is less time consuming and more specific to making an assessment about an individual. Techniques for verification of keystroke dynamics have been described as either static and dynamic or continuous (Monrose & Rubin, 1999). Static verification occurs at a specific time and thus provides additional security assessment to traditional knowledge based approaches such as user name and password. The static verification is subsequently a more robust verification of the user (Shanmugapriya & Padmavathi, 2009).
Typing on a computer keyboard can provide a number of details, all of which can be recorded and stored by the computer. The feasibility of recording and using such data can be traced back to the work of Gaines, Lisowski, Press and Shapiro (1980) undertaken at the Rand Corporation. In essence, specific features of the typing have been identified that explain the relevant aspects which go towards making keystroke dynamics a viable means for identification and verification purposes. The categories of the sequence of events have been described as relating to the latency. The three types of latency most commonly used are "press-to-press" (PP), "release-to-release" (RR), and "release-to-press" (RP). Alternative terms have been used, with press-to-press described as digraph latency (Leggett, Williams, Usnick & Longnecker, 1991) and the release-to-press time being described as the flight time (Stefan & Yao, 2010). The time interval between the pressing and releasing of keys is described as the "Trigraph" and the time that each keystroke is depressed is referred to as the "key hold time" or "dwell time" (Bergadino, Gunetti & Picardi, 2002). The conceptual relationship between these features that constitute the characteristics of an individual's keystroke dynamics is presented in Figure 2.
The security model that is proposed involves various stages of identification, authentication and overall validation of a person to allow access to the particular system. Level 1 - identification, would remain the traditional knowledge based approach: the input of a user name and password is a sufficient starting level. This is an input required to be completed by the relevant person. Level 2 - verification, would involve the application of the biometric based approach of keystroke dynamics using the typing of the person from level 1. This is done without the need for the person to be aware of the analysis that is conducted on their input from level 1. Should an error occur, then level 3 would employ an object based check, for example the unique identification of the desktop PC, laptop, notebook, tablet or smartphone. The concept is presented in Figure 3 below.
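The latency features and the three-level model described above can be put together as follows. This is an added example, not code from the article: the sample timings are constructed, and the mean-of-samples template, the mean absolute deviation score and the 25 ms threshold are assumptions chosen for illustration.

```python
from statistics import mean

# Constructed timings (key, press_ms, release_ms) for the password "pass".
ENROLMENT = [
    [("p", 0, 90), ("a", 150, 230), ("s", 300, 395), ("s", 480, 570)],
    [("p", 0, 100), ("a", 160, 250), ("s", 320, 405), ("s", 500, 590)],
]
GENUINE = [("p", 0, 92), ("a", 158, 236), ("s", 312, 404), ("s", 488, 580)]
IMPOSTOR = [("p", 0, 60), ("a", 260, 310), ("s", 520, 580), ("s", 700, 750)]

def features(events):
    """Dwell time per key, plus PP, RR and RP latency per consecutive key pair."""
    pairs = list(zip(events, events[1:]))
    return {
        "dwell": [rel - prs for _, prs, rel in events],
        "PP": [b[1] - a[1] for a, b in pairs],  # press-to-press (digraph latency)
        "RR": [b[2] - a[2] for a, b in pairs],  # release-to-release
        "RP": [b[1] - a[2] for a, b in pairs],  # flight time; < 0 when keys overlap
    }

def vector(events):
    """Flatten the four feature lists into one timing vector."""
    f = features(events)
    return f["dwell"] + f["PP"] + f["RR"] + f["RP"]

def enrol(samples):
    """Template = per-feature mean over the enrolment samples (assumed method)."""
    return [mean(col) for col in zip(*(vector(s) for s in samples))]

def distance(template, events):
    """Mean absolute deviation (ms) from the template; inf if lengths differ."""
    v = vector(events)
    if len(v) != len(template):
        return float("inf")
    return mean(abs(t - x) for t, x in zip(template, v))

def authenticate(password_ok, template, events, device_known, threshold_ms=25.0):
    """Level 1 password, level 2 keystroke check, level 3 device fallback."""
    if not password_ok:
        return "deny"
    if distance(template, events) <= threshold_ms:
        return "allow (level 2)"
    return "allow (level 3)" if device_known else "deny"

if __name__ == "__main__":
    template = enrol(ENROLMENT)
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(distance(template, attempt), 1),
              authenticate(True, template, attempt, device_known=False))
```

With the level 3 fallback as modelled here, a failed keystroke match on a recognised device is still admitted, so the strength of the device identifier bounds the strength of the whole scheme.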
Banerjee, S. & Woodward, D. (2012). Biometric Authentication and Identification using Keystroke Dynamics: A Survey, Journal of Pattern Recognition Research, 7, 116-139.
Bergadino, F., Gunetti, D. & Picardi, C. (2002). User authentication through dynamic keystroke analysis, ACM Transactions on Information and System Security, 5(4), 367-397.
Choo, K. K. R. (2011). The cyber threat landscape: Challenges and future research directions. Computers & Security, 30(8), 719-731.
Gaines, R., Lisowski, W., Press, S. & Shapiro, N. (1980). Authentication by Keystroke Timing: Some Preliminary Results, Technical Report R-2526-NSF, Rand Corporation.
Jain, A., Ross, A. & Prabhakar, S. (2004). An Introduction to Biometric Recognition, IEEE Transactions on Circuits and Systems for Video Technology, 14(3), 4-20.
Joyce, R. & Gupta, G. (1990). Identity Authentication Based on Keystroke Latencies, Communications of the ACM, 39, 168-176.
Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security & Privacy, 7(4), 61-64.
Leggett, J., Williams, G., Usnick, M. & Longnecker, M. (1991). Dynamic identity verification via keystroke characteristics, International Journal of Man-Machine Studies, 35(6), 859-870.
Maher, D., Napier, R., Wagner, M., Laverty, W., Herderson, R. & Hiron, M. (1995). Optimizing digraphy-latency based biometric typist verification systems: inter and intra typist differences in digraphy latency distributions, International Journal of Human-Computer Studies, 43(4) 579-592.
Monrose, F. & Rubin, A. (2000). Keystroke dynamics as a biometric for authentication, Future Generation Computer Systems, 16, 351-359.
O'Gorman, L. (2003). Comparing Passwords, Tokens, and Biometrics for User Authentication, Proceedings of the IEEE, 91(12), 2019-2040.
Shanmugapriya, D. & Padmavathi, G. (2009). A Survey of Biometric keystroke Dynamics: Approaches, Security and Challenges, International Journal of Computer Science and Information Security, 35(1), 115-119.
Snelick, R., Mink, A., Indovina, M. & Fellow, A. (2005). Large-Scale Evaluation of Multimodal Biometric Authentication Using State-of-the-Art Systems, IEEE Transactions on Pattern Analysis and Machine Intelligence, 27(3), 450-455.
Stefan, D. & Yao, D. (2010). Keystroke Dynamics Authentication Against Synthetic Forgeries, International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborativeCom).
Teh, P., Teoh, A. & Yue, S. (2013). A Survey of Keystroke Dynamics Biometrics, Scientific World Journal, 1-24.
Velmurugan, M. S. (2009). Security and Trust in e-Business: Problems and Prospects. International Journal of Electronic Business Management, 7(3), 151-158.
William, L. & Harter, N. (1899). Studies on the Telegraphic Language: The acquisition of a hierarchy of habits, Psychological Review, 6(4), 345-375.
Enovasions Limited, Fiji
JEL Classifications: M15; O30
PsycINFO Classifications: 4120
FoR Codes: 0803
ERA Journal ID #: 40840
|Publication:||Journal of New Business Ideas and Trends|
|Date:||Sep 1, 2018|