What is keystroke biometrics?

Keystroke biometrics, previously called keystroke dynamics and lately typing biometrics, is a type of behavioral biometric that refers to the way people type.

Keystroke biometrics is not a single unified method of recording a user's typing timings and rhythm. It is a general idea that starts from the concept that every person types in a unique way: if one can capture a person's "typing fingerprint" (also called a typing pattern), one can use it to authenticate that person afterwards.

In reality, however, there are dozens of ideas, academic studies, commercial implementations and even patents trying to solve the problem of recognizing people based on the way they type, mainly how to create a reliable, highly accurate method based only on recording timings from a user's typing.

Main challenges of keystroke biometrics:

1. Enrollment and authentication

Typically, typing patterns are recordings of a short identical text (such as the username+password combination); typing patterns are rarely built on free-typed text. In both cases, however, the most accurate authentication methods need 5 to 10 previously enrolled patterns, recorded either actively or passively.

Very few behavioral biometrics companies, such as BehavioSec or BioCatch, are able to perform typing biometrics authentication with fewer than 5 enrollments (while preserving good accuracy), and TypingDNA claims to do even better, with as few as 1 or 2 previous enrollments (with a free-text method).
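To make enrollment and authentication on a fixed text concrete, here is an added example (not code from any vendor named on this page) that extracts dwell and flight timings, builds a template from five enrolled patterns and scores a new attempt with a scaled Manhattan distance, one common approach in the academic literature. The keystroke timings, the helper names and the 2.0 threshold are assumptions constructed for illustration.

```python
from statistics import mean

def features(events):
    """events: [(key, down_ms, up_ms), ...] in typing order -> dwell + flight times."""
    dwell = [up - down for _, down, up in events]        # how long each key is held
    flight = [events[i + 1][1] - events[i][2]            # key release -> next key press
              for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature mean and mean absolute deviation over enrolled patterns."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples must all be the same text")
    cols = list(zip(*vectors))
    means = [mean(c) for c in cols]
    # Floor the deviation at 1 ms so a perfectly stable feature cannot divide by zero.
    devs = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, means)]
    return means, devs

def score(template, events):
    """Scaled Manhattan distance per feature; lower = closer to the enrolled pattern."""
    means, devs = template
    vec = features(events)
    if len(vec) != len(means):
        raise ValueError("attempt length differs from the enrolled text")
    return sum(abs(x - m) / d for x, m, d in zip(vec, means, devs)) / len(vec)

def verify(template, events, threshold=2.0):   # threshold is an assumed value
    return score(template, events) <= threshold

def build(dwells, flights, keys="pass"):
    """Constructed-sample helper: turn dwell/flight lists into timestamped events."""
    events, t = [], 0
    for i, k in enumerate(keys):
        events.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

# Constructed data: five enrollments of the same short text, then two attempts.
ENROLLED = [build(d, f) for d, f in [
    ([90, 80, 100, 95], [120, 60, 150]), ([95, 85, 105, 90], [110, 65, 140]),
    ([85, 75, 95, 100], [130, 55, 160]), ([92, 82, 98, 96], [125, 62, 155]),
    ([88, 78, 102, 94], [115, 58, 145])]]
TEMPLATE = enroll(ENROLLED)
GENUINE = build([91, 83, 97, 93], [118, 63, 152])
IMPOSTOR = build([60, 120, 70, 130], [200, 20, 90])

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, attempt))
```

With fewer enrolled patterns the deviation estimates become unstable, which is why the number of enrollments matters so much for accuracy.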

2. Passive vs. active enrollment and authentication

The key to wider adoption is passive enrollment and authentication. Basically, you can be protected by being passively monitored whenever you type, but sometimes this takes too long: these methods need you to type enough text before they can detect fraud. Keystroke biometrics is therefore often used as an active layer (asking the user to type a text proactively in order to move further).

3. Identification

Since typing recognition typically comes with a high FAR (false acceptance rate, also called false positive rate), there is no way to precisely identify a user by typing patterns alone.

Identification can be done with some success, but it works much better when typing recognition is combined with other things you know about the user (such as location or browser).
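The identification problem in numbers, as an added example that is not from the original page: it measures FAR and FRR at a threshold, shows how a 2% FAR (the low end of the range quoted further down this page) compounds when one sample is searched against many enrolled users, and narrows the candidates with known context. All users, scores and context values are constructed, and the comparisons are assumed to be independent.

```python
def far_frr(genuine, impostor, threshold):
    """Scores are distances, so an attempt is accepted when score <= threshold."""
    far = sum(s <= threshold for s in impostor) / len(impostor)   # impostors let in
    frr = sum(s > threshold for s in genuine) / len(genuine)      # real users turned away
    return far, frr

def false_match_probability(far, enrolled_users):
    """Chance a 1:N search accepts at least one wrong user (independence assumed)."""
    return 1 - (1 - far) ** (enrolled_users - 1)

def identify(candidates, threshold, **context):
    """Users whose typing distance passes the threshold and whose known context matches."""
    return [c["user"] for c in candidates
            if c["distance"] <= threshold
            and all(c.get(k) == v for k, v in context.items())]

# Constructed distances for one typed sample compared against every enrolled user.
CANDIDATES = [
    {"user": "alice", "distance": 0.8, "browser": "Firefox", "country": "RO"},
    {"user": "bob",   "distance": 1.6, "browser": "Chrome",  "country": "US"},
    {"user": "carol", "distance": 1.9, "browser": "Firefox", "country": "DE"},
    {"user": "dave",  "distance": 4.2, "browser": "Firefox", "country": "RO"},
]
# Constructed verification scores used to measure the error rates at one threshold.
GENUINE_SCORES = [0.7, 0.9, 1.1, 1.4, 2.3]
IMPOSTOR_SCORES = [1.8, 2.6, 3.1, 4.0, 5.2, 6.5, 7.7, 9.0, 11.2, 12.6]

if __name__ == "__main__":
    print("FAR, FRR at 2.0:", far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, 2.0))
    for n in (50, 1000):
        print(n, "users:", round(false_match_probability(0.02, n), 3))
    print("typing only:", identify(CANDIDATES, 2.0))
    print("typing + context:", identify(CANDIDATES, 2.0, browser="Firefox", country="RO"))
```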

4. User experience

Since all other authentication methods have UX issues, typing biometrics may be the one to solve such issues. When you're using SMS OTPs for payments or password recovery you have to reach for your mobile phone and copy a shortcode in the browser. This is clearly not very user friendly.

Beyond SMS OTP, tokens (that you need to carry around), or passwords (that you need to store and remember), most biometrics have major UX issues too because you need to do something in order to record face, fingerprint, voice, etc.

Typing biometrics seems friendlier, but the difficulty of recording a very accurate typing profile appears whenever it is used actively, since the text to be typed is somewhat long.

Top adoption drivers for typing biometrics technology:

The main things that drive the adoption of typing biometrics are:

1. Best biometric in the browser compared to any other biometric 

There are only 3 types of biometrics that can be recorded natively through a PC browser. Here are the drawbacks of each:

a) Microphone based (voice, ambient noise) needs the user's permission every time it is used, and both enrollment and verification need to be done actively. Morphing software has been shown to make voice authentication useless, being able to reproduce someone's voice from only 1 minute of audio. It also depends on microphones, which are less widely available than keyboards.

b) Webcam based (face photo or video, ambient light) also needs user permission every time, and it is dependent on the availability of a high-resolution webcam and proper lighting. It's been proven over and over again that if you have a Facebook or LinkedIn profile photo, or any medium-res photo of someone, you can hack into his account if it is protected by facial recognition software.

c) Behavior based (typing pattern, mouse movement, website user behavior) is the only biometric that can be trusted in the browser. The most important drawback is the accuracy of such behavioral methods. FAR (false acceptance rate) can get as high as 10-20% on mouse movement and website user behavior. The only biometric that reaches a FAR as low as 2-5% is typing/keystroke biometrics (or even 1% with a method created by TypingDNA and available as a service).

2. The increasing need for a 2nd authentication factor

Everyone talks about replacing passwords, tokens and shortcodes (SMS-based one-time passwords), but the experts know that fraud risks get higher and higher each day, and in 2016 alone there were more account takeovers driven by phishing attacks than in our entire Internet history.

Banking, payment, corporate, health and e-learning apps are the first ones to see an increase in online identity fraud and without additional layers of authentication (such as biometrics) there is not much to do to prevent the collapse of essentially everything.

3. Impressive keyboard availability

There is no other input device/peripheral attached to a PC (laptops and desktops, excluding mobiles) that has higher availability than the keyboard. Microphones and webcams are prevalent in laptops but less available on desktop computers; see also the browser limitations of input devices such as microphones and webcams.