Overview of the Last Article

In our articles on Biometrics, we have covered a wide range of topics, ranging from examining the Physical-based Biometrics, to Multimodal Solutions, to implementing a Biometrics Infrastructure in the Cloud, to even using the principles of Cryptography to help further protect the Biometric Templates as they are in transit across any given network.

Even the e-Passport Infrastructure was examined as well. This is essentially where the traditional paper passport is being replaced by the Electronic or Biometric Passport. This new type of technology contains a Smart Card, which can hold up to three templates of differing modalities-namely those of Fingerprint, Facial, and Iris Recognition.

Our last article looked at perhaps the most overlooked part of a Biometric modality-the Sensor.

The sensor can be deemed to be at the “Heart” of both the Physiological and Behavioral based Biometrics. There are many types of Sensors which are available in the marketplace today, and they include the following:

  1. Optical based scanners;
  2. Solid State Sensors;
  3. Ultrasound Sensors;
  4. Temperature differential Sensors;
  5. Multispectral Imaging Sensors;
  6. Touchless Fingerprint Sensors;
  7. Other types of Sensors (which include CCD Cameras, Active Sensors, and Passive Sensors).

It should be noted, that at least with respect to Fingerprint Recognition, it is the Optical based scanners which are used the most. There are a number of reasons for this, especially that of easy installation and low cost. But, the Touchless based Sensors are also gaining quite a bit of momentum as well. The primary reason for this is that it does not require direct contact by the end user.

As a result, there are no hygiene related issues. This, in turn, leads to a much greater end user acceptance, because there are also no Privacy Rights or Civil Liberties violations issues either. At present, it is Vein Pattern Recognition which is using the Touchless Sensor the most. It is expected the other contact-based modalities will also follow suit in this regard, especially that of Hand Geometry Recognition and Fingerprint Recognition.

In this article, we further examine of the two Behavioral based Biometrics-that of Keystroke Recognition.

An Overview of Keystroke Recognition

Keystroke Recognition relies upon the unique way in which an individual types on a computer keyboard. No matter what we type on our office or home computers, there is a distinct rhythm to it. The uniqueness also comes in for how long we type, and the successive patterns in which we press the keys down on the computer keyboard.

In this regard, Keystroke Recognition is even older than that of Hand Geometry Recognition or Fingerprint Recognition. The reason for this is that the interest in the unique typing patterns dates back to the 19th century when the Morse Code first came out. By World War II, the United States military intelligence department could identify Morse Code operators by their unique typing patterns. Although the Morse Code is only (in a technical sense) a series of dots and slashes, some distinctiveness could still be established.

The first Keystroke Recognition device came out in 1979, and by 1980, the National Science Foundation further validated Keystroke Recognition as an official Biometric Modality. By 2000, it was finally accepted as a commercial security technology that could be used in either the public or private space.

Keystroke Recognition: How It Works

To start the Enrollment process, an individual is required to type a specific word or group of words (texts or phrases). In most cases, the individual’s username and password are used. It is very important that the same words or phrases are used during both the Enrollment and the Verification processes.

If not, the behavioral typing characteristics will be significantly different, and a mismatch will arise between the Enrollment and Verification templates. As a result, the individual will not then be able to gain access to the resources to which he or she is seeking.

To create the Enrollment Template, the individual must type his or her username and password about 15-20 times. The individual being enrolled should type without making any corrections (for instance, using the backspace or delete key to correct any mistakes). If the individual does make corrections, the system will then prompt the individual to start again from the very beginning.

The distinctive, behavioral characteristics measured by Keystroke Recognition include the following variables:

  1. The cumulative typing speed;
  2. The time which elapses between the consecutive keystrokes;
  3. The time that each key is held down (this is also known as the “Dwell Time”);
  4. The frequency in which the number pad or function keys are used;
  5. The timing in the sequence of the keys used to type a capital letter (for example, whether the shift or letter key is released first);
  6. The length of time it takes an individual to move from one key to another (this is also known as the “Flight Time”);
  7. Any Error Rates, such as using the Backspace or Delete keys.

These behavioral characteristics are subsequently used to create the statistical profiles, which become the Enrollment and the Verification Templates. The concepts of Hidden Markov Models are used in this process.

The statistical profiles can be classified as either “Global” or “Local.” With the former, all of the behavioral characteristics are combined, but with the latter, only the behavioral characteristics for each keystroke is utilized.

It should be noted that the statistical correlations between the Enrollment and the Verification templates can be subsequently modified, depending on the security threshold which is required by the business or corporation. For example, an application which requires a lower level of security will permit some differences in the typing behavioral patterns. But, an application which requires a higher level of security will not allow for any kind of behavioral differences to occur.

It is important to make the distinction between Static based and Dynamic based Keystroke Verification. In the case of the former, Verification only takes place at certain times for example, when the individual logs into his or her computer. With the latter, the individual’s keystroke and typing patterns are recorded for the entire duration of a given session.

The Advantages and Disadvantages of Keystroke Recognition

Keystroke Recognition does possess a number of strengths and weaknesses. Probably its biggest advantage is that it does not require any additional, specialized hardware, as opposed to the other Biometric modalities. All that is required is specialized software which can be very easily and quickly installed onto a computer or wireless device.

Second, this modality can be very easily integrated with other existing authentication processes which are non-Biometric based. For example, if a business or a corporation chooses to continue with its legacy security infrastructure, Keystroke Recognition would be the ideal choice to use for a Multimodal approach.

Third, the training which is required for the end user is very minimal. For instance, most everybody is familiar with typing on a computer keyboard. All that is required is just a few minutes to type in the passphrase in an iterative fashion, as previously discussed.

Regarding disadvantages, the biggest is one is that this modality still heavily relies upon the username and password as the primary passphrase. If this combination were to be hacked into (which can be so easily done today), the individual would then have to go through the entire Enrollment process once again, with a different username and password.

Not only is this an inconvenience, but it can also be costly for an organization. It can cost up to $300 per year per employee for any username/password resets.

Second, since passwords are still the primary means for Logical Access Entry, many corporations and businesses are now mandating that passwords be long and complex. This includes using a combination of uppercase and lowercase letters, punctuation marks, integers, etc.

Because of this, it has become very difficult for the employee to remember their password, and as a result, they tend to write them onto a Post-It Note and attach it to their workstation monitor (this has become affectionately known as the “Post It Syndrome”). With these passwords now in clear sight, other employees can steal them, thus escalating the risks of inside threats even more.

Third, although the potential uses of Keystroke Recognition remain strong, it is still not widely deployed in many security applications.

Ethical Hacking Training – Resources (InfoSec)


The following criteria can gauge the true effectiveness of a Keystroke Recognition system:

  1. Universality:

    This modality has strong levels of public acceptance. This means that individuals who do not know how to type or have less than ten fingers can still, theoretically, complete the Enrollment process.

  2. Uniqueness:

    At present, this modality can only be used for very low-level Logical Access applications. This is primarily because it is still the username and password combination which is used for creating the Enrollment and Verification templates.

  3. Permanence:

    This is probably one of the biggest flaws of Keystroke Recognition. Unlike the stability offered by Iris or Retinal Recognition, there is no permanence into the specific typing pattern of an individual. This can even change on a daily basis, due to a number of factors. This includes physical injuries to the fingers, physical fatigue, lack of attention when typing or even using a different computer keyboard.

  4. Collectability:

    In comparison to the Physical-based Biometrics, it can take a very long time to collect the passphrase samples, from which the statistical profiles are created.

  5. Acceptability:

    As discussed previously, Keystroke Recognition possesses a very high level of acceptance in the limited applications which it serves. This is due to its strong levels of ease of use.

  6. Resistance to circumvention:

    Most of the typing data is not encrypted. Thus, this information can be maliciously intercepted by a Cyber attacker, and even be used actually to spoof the Keystroke Recognition system. Also, keylogging software can be covertly deployed onto the workstation or wireless device to record the typing patterns of an individual secretly.

  7. Performance:

    With the proper security threshold in place, this modality can have a False Rejection Rate (FRR) of up to 3% (primarily due to the changes which occur in the typing pattern/rhythm), and have False Acceptance Rate (FAR) of .01%. This means that there is a higher statistical probability that a legitimate user will not be accepted by a Keystroke Recognition system, as opposed to an impostor being accepted.