World of Computer Science and Information Technology Journal (WCSIT) ISSN: 2221-0741 Vol. 1, No. 9, 398-404, 2011

An Application of the Keystroke Dynamics Biometric for Securing PINs and Passwords

Sally Dafaallah Abualgasim, Department of Computer Science, Sudan University of Science and Technology, Khartoum, Sudan
Izzeldin Osman, Department of Computer Science, Sudan University of Science and Technology, Khartoum, Sudan

Abstract— This paper investigates the use of the keystroke dynamics biometric as added security for the passwords and PINs (Personal Identification Numbers) used at points of sale (POS) and in banking automatic teller machines (ATMs). The paper employs a keystroke dynamics algorithm that attempts to limit the damage when an imposter gets hold of both the user ID (the user's card) and the password. Experiments were conducted by a group of users with passwords of varying length. The paper reports the results of the experiments and recommends an optimum number of digits for passwords when this biometric is used. The results were encouraging for PINs of 4-12 digits: the rate of rejection of legitimate users (FRR) was zero, while the aggregate rate of acceptance of imposters (FAR) was below 20% (ranging from 28% at 4 digits down to 13% at 12 digits).

Keywords- biometrics; keystroke dynamics; password security.

I. INTRODUCTION

Authentication is the process of determining whether a user should be allowed access to a particular system or resource. It is a critical area of security research and practice. Alphanumeric passwords are widely used for authentication, but other methods are also available today, including biometrics and smart cards. These alternative technologies have problems of their own [1]: biometrics raise concerns such as acceptability and lack of flexibility, and smart cards usually need a Personal Identification Number (PIN) because cards can fall into the hands of imposters.
As a result, passwords are still dominant and are expected to remain so for some time [1]. Traditional measures such as passwords and PINs need more advanced safeguards against unauthorized access to information and computer resources [19]. One such safeguard is keystroke dynamics. This method analyzes the way a user types at a terminal by monitoring the keyboard inputs, and aims to identify users by their habitual typing rhythm [19]. Keystroke dynamics is a biometric based on the assumption that different people type in uniquely characteristic manners. Observation of telegraph operators in the 19th century revealed personally distinctive patterns when keying messages over telegraph lines; operators could recognize each other by their keying dynamics alone [6]. Keystroke dynamics is known under several names: keyboard dynamics, keystroke analysis, typing biometrics and typing rhythms [6]. Today users enter information into computer systems via physical keyboards or keyboards on touch screens. The main advantage of keystroke dynamics is that it requires no additional hardware and is therefore inexpensive. User acceptance of a keystroke dynamics biometric is very high, since it is not intrusive and users do not necessarily even notice that such a system is in use [6, 16].

The rest of this paper is organized as follows. Section II states the research problem; Section III presents the theoretical concepts; Section IV gives a short review of previous studies; Section V presents the proposed algorithm and the experiments; Section VI discusses the results; finally, Section VII gives conclusions and suggestions for further research.

II. THE PROBLEM

Access to an ATM is usually controlled by a password or PIN. After the user inserts his user ID (his card) into the ATM, he is asked to enter his PIN or password.
The main problem appears when a user loses his card and it falls into the wrong hands. The PIN or password may then be guessed after many tries, but getting hold of the card alone (without the password) does not necessarily give access to the card owner's account. If, however, an imposter gets both the card and the password of an account owner, there is currently no way to stop the imposter from using the card and withdrawing money from the account.

So the problem is: the user ID (card) and PIN (password) are available both to the legitimate user and to the imposter; how can the imposter be stopped while the legitimate user is still allowed to access the system? In this research the use of passwords or PINs is combined with the typing behavior (keystroke dynamics) of the user, and a unique signature is constructed for the user from the keystroke dynamics. The aim is to secure a user account even when both the card and the PIN or password have fallen into the hands of an imposter. The paper also presents the results of experiments with the keystroke dynamics biometric that attempt to find the optimum number of digits in PINs and passwords for safeguarding their security.

III. THEORETICAL CONCEPTS

3.1 Problems of passwords

The "password problem" arises because passwords are expected to comply with two conflicting requirements:
I. Passwords should be easy to remember.
II. Passwords should be secure, i.e., they should look random and be hard to guess; they should be changed frequently and be different for the different accounts of the same user; they should not be written down or stored in plain text.
Meeting these conflicting requirements is almost impossible for humans, so users create weak passwords and handle them insecurely [1, 18]. Therefore methods are needed that secure passwords and their authentication while keeping the authentication protocol easy and quick for humans to execute.
3.2 Features used with keystroke dynamics

Keystroke dynamics covers several different measurements that can be taken when the user presses keyboard keys. Possible measurements include:
- Latency between consecutive keystrokes.
- Duration of the keystroke (hold time).
- Overall typing speed.
- Frequency of errors (how often the user has to use backspace).
- The habit of using additional keys on the keyboard, for example writing numbers on the numeric keypad.
- The order in which the user releases keys when writing capital letters: is shift or the letter key released first?
- The force used when hitting keys while typing (requires a special keyboard).
Statistics can be either global, i.e., combined over all keys, or gathered for every key or keystroke separately [6]. Systems employ one or more of these features; most applications measure only the latencies between consecutive keystrokes or the durations of keystrokes [6]. For PINs and passwords, where only a short series of digits is typed, the latency between keystrokes and the keystroke duration appear to be the only suitable measurements. Figure 1 illustrates the latency between keystrokes and the keystroke duration. This research uses a combination of the keystroke latencies and the keystroke durations.

Figure 1. Latency between keystrokes and keystroke duration.

3.3 Keystroke latencies

Successive key presses and releases give rise to four types of key latency:
I. P-P (Press-Press): the time interval between successive key presses. Physically it represents how fast the person types.
II. P-R (Press-Release): the time interval between pressing a key and releasing the same key. This is analogous to how 'hard' one types, i.e. how much pressure is applied during typing.
III. R-P (Release-Press): the time interval between the release of a key and the press of the next key.
IV. R-R (Release-Release): the time interval between the releases of two successive keys.
These four latencies collectively form a mathematical representation of the user's typing rhythm. For the same user typing the same word they are expected to show consistent patterns and not vary beyond predetermined proportions [17]. This research uses (I), called the flight time, and (II), called the key time. Figure 2 shows the keystroke times for (I) and (II).

Figure 2. Keystroke time for key time and flight time.

3.4 Metrics to evaluate a biometric system

The most commonly adopted metrics for a biometric system's authentication accuracy are the False Reject Rate (FRR) and the False Accept Rate (FAR), which are the complements of the sensitivity and specificity used in classification [2, 3]. The FAR is the rate at which an imposter is allowed access and the FRR is the rate at which the legitimate user is denied access [5, 10, 17]. In this application the aim is to minimize both: a low FRR so that the legitimate card holder is not locked out, and a low FAR so that an imposter holding the card and the PIN is stopped.

IV. PREVIOUS STUDIES

Table I summarizes the previous studies. Some researchers investigated keystroke dynamics biometrics for long text [2, 19], others experimented with login/password [11, 17] or user names [6], and some used phrases [5, 21, 11]. Both statistical and neural network classification techniques were used. The present research uses a statistical classification technique for PINs and passwords because of its better performance, an important factor in this particular application.

TABLE I. SUMMARY OF PREVIOUS STUDIES (ADAPTED FROM [12, 21])

Study                          | Year | Classification technique | Users | FAR (%)          | FRR (%)
Gaines et al. [2]              | 1980 | Statistical              | 7     | 0                | 4
Leggett et al. [17, 19]        | 1988 | Statistical              | 17    | 5                | 5.5
Leggett et al. [21]            | 1989 | Statistical              | 36    | 5                | 5.5
Bleha et al. [6, 12]           | 1990 | Statistical              | 32    | 2.8              | 8.1
Joyce & Gupta [11]             | 1990 | Statistical              | 33    | 0.25             | 16.36
Leggett et al. [12, 14]        | 1991 | Statistical              | 36    | 12.8             | 11.1
Brown & Rogers [7, 12, 14]     | 1993 | Neural network           | 25    | 0                | 12.0
Bleha & Obaidat [4]            | 1993 | Neural network           | 24    | 8                | 9
Napier et al. [12, 14]         | 1995 | Statistical              | 24    | 3.8 (combined)   |
Obaidat & Sadoun [4]           | 1997 | Statistical              | 15    | 0.7              | 1.9
                               |      | Neural network           |       | 0                | 0
Monrose & Rubin [12, 14, 22]   | 1999 | Statistical              | 63    | 7.9 (combined)   |
Monrose & Rubin [21]           | 2000 | Statistical              | 63    | 16.78            | ?
Monrose & Rubin [21]           | 2000 | Statistical              | 63    | 14.37            | ?
Monrose & Rubin [21]           | 2000 | Statistical              | 63    | 12.82            | ?
Monrose & Rubin [21]           | 2000 | Statistical              | 63    | 7.86             | ?
Peacock [7]                    | 2000 | Statistical              | 11    | 8                | 4.2
Cho et al. [5]                 | 2000 | Neural network           | 21    | 0                | 1
Ord & Furnell [14]             | 2000 | Neural network           | 14    | 9.9              | 30
Bergadano et al. [13]          | 2002 | Neural network           | 154   | 0.01             | 4
Kacholia & Pandit [17]         | 2003 | Statistical              | 20    | 1                | 4.38
Guven & Sogukpinar [12]        | 2003 | Statistical              | 12    | 1                | 10.7
Sogukpinar & Yalcin [14, 21]   | 2004 | Statistical              | 40    | 0.6              | 60
Furnell [12]                   | 2004 | Neural network           | 35    | 4.9              | 0
Yu & Cho [10]                  | 2004 | Neural network           | 21    | 0.3              | 3.69
Gunetti & Picardi [16]         | 2005 | Neural network           | 205   | 0.005            | 5
Lee & Cho [14]                 | 2007 | Neural network           | 21    | 0.43 (average integrated error) |
Teh et al. [15]                | 2007 | Statistical              | 50    | 6.36 (equal error rate) |
Chudá & Ďurfina [20]           | 2009 | Statistical              | 15    | 8.4 / 3.6        | 2.5 / 4.7

V. ALGORITHMS AND EXPERIMENT

5.1 Algorithms

The proposed algorithm consists of two steps.

The first step is registration. In this step the user enters his PIN n times (e.g. 6 times). The PIN has k digits (3 to 12 digits in the experiments). The system captures the key time of each digit and the flight time between each pair of consecutive digits and records them in a table. For a PIN of k digits there are k key times (kt), denoted kt1, kt2, ..., ktk, and k-1 flight times (ft), denoted ft1, ft2, ..., ft(k-1) (as in Figure 2), so the table has 2k-1 columns, holding key times and flight times, and n rows, one for each time the user enters his PIN.
The information can be represented in tabular form as shown in Table II, where the first column holds the key time of the first digit, the second column the flight time from the first to the second digit, the third column the key time of the second digit, and so on. $T_i(j)$ denotes the value of time $T_i$ on repetition $j$.

TABLE II. KEYSTROKE TIMES (KEY TIME AND FLIGHT TIME) OF THE PIN

Repetition No. | T1 (kt) | T2 (ft) | T3 (kt) | ... | T2k-1 (kt)
1              | T1(1)   | T2(1)   | T3(1)   | ... | T2k-1(1)
2              | T1(2)   | T2(2)   | T3(2)   | ... | T2k-1(2)
3              | T1(3)   | T2(3)   | T3(3)   | ... | T2k-1(3)
...            | ...     | ...     | ...     | ... | ...
n              | T1(n)   | T2(n)   | T3(n)   | ... | T2k-1(n)

Here T1 is a key time (kt), T2 a flight time (ft), T3 a key time, T4 a flight time, and so on. To minimize the effect of different keyboards, the experimental readings were normalized by dividing each observed $T_i$ by the maximum $T_i$ before continuing with the procedure.

The data in Table II is used to compute the user's signature, as follows, where $n$ is the number of repetitions and $T_i(j)$ is the time (key time or flight time) in column $i$ on repetition $j$:

$$\mathrm{sum}_i = \sum_{j=1}^{n} T_i(j) \qquad (1)$$

$$\mathrm{mean}_i = \frac{\mathrm{sum}_i}{n} \qquad (2)$$

$$\mathrm{STD}_i = \sqrt{\frac{\sum_{j=1}^{n} \left(T_i(j) - \mathrm{mean}_i\right)^2}{n-1}} \qquad (3)$$

The results are saved as shown in Table III; one such signature table is stored per user.

TABLE III. A SAMPLE USER SIGNATURE TABLE

PIN time | sum | mean | STD
T1       |     |      |
T2       |     |      |
T3       |     |      |
T4       |     |      |
T5       |     |      |

The second step is login. In this step the user enters his user ID (e.g. from the ATM card) and his PIN. The PIN timing data is captured and a login table with the same layout as Table III is constructed. The login data is then verified by comparing it against the stored signature table. A weight is calculated for each of the $2k-1$ times from the signature, normalized so that the weights of all columns add up to 100%:

$$\mathrm{Weight}_i = \frac{\mathrm{mean}_i / \mathrm{STD}_i}{\sum_{j=1}^{2k-1} \mathrm{mean}_j / \mathrm{STD}_j} \times 100\% \qquad (4)$$

A time with a small standard deviation relative to its mean (a feature the user reproduces consistently) therefore carries more weight than an erratic one. The weights feed the login decision rule, adapted from [8, 11, 17].
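The registration step (Tables II and III, equations (1) to (4)) and the login decision rule of this section, implemented in Python as an added example; this is not the paper's own code. It uses the Table IV readings for user 1 (PIN "963") as constructed sample input and reproduces the Table V sums, means and standard deviations (sample standard deviation with n-1, which is what the printed Table V figures match). The weights of equation (4) are kept as fractions of 1 rather than percentages, so the threshold on the total weight is 0.5. The per-attempt normalization by the maximum reading is provided as `normalize_attempt` but not applied to the sample so that the numbers match Table V; the standard-deviation floor `MIN_STD`, the press-to-press flight time in `timings_from_events` (Section 3.3 names P-P the flight time) and the wrong-length rejection in `verify` are assumptions of this example.

```python
"""Keystroke-dynamics PIN verification: registration (Tables II, III, V)
and the login decision rule of Section V.  Added example, not the
paper's own code; assumptions are marked in comments."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, stdev

# Constructed sample = Table IV of the paper: user 1, PIN "963", six
# registration repetitions, each row [kt1, ft1, kt2, ft2, kt3]
# (key time "9", flight "9"->"6", key time "6", flight "6"->"3", key time "3").
TABLE_IV = [
    [1359, 2719, 1440, 2801, 1360],
    [1439, 3199, 1120, 2720, 1361],
    [1440, 2881, 1518, 3119, 1522],
    [1362, 2560, 1279, 2719, 1201],
    [1519, 3119, 1361, 2961, 1279],
    [1681, 3201, 1520, 2720, 1599],
]

MIN_STD = 1.0  # assumption: floor so a perfectly regular feature cannot get infinite weight


def timings_from_events(presses, releases):
    """Turn per-digit press/release timestamps into the interleaved
    [kt1, ft1, kt2, ft2, ..., ktk] vector of Table II.  Following Section 3.3,
    key time = press-to-release of one key and flight time = press-to-press
    of successive keys (P-P); other systems use release-to-press instead."""
    if len(presses) != len(releases) or len(presses) < 2:
        raise ValueError("need matching press/release times for at least two digits")
    vec = []
    for i, (p, r) in enumerate(zip(presses, releases)):
        if r < p:
            raise ValueError("release before press")
        vec.append(r - p)                   # kt_i
        if i + 1 < len(presses):
            vec.append(presses[i + 1] - p)  # ft_i (P-P)
    return vec


def normalize_attempt(times):
    """Section 5.1 normalization: divide every reading by the largest reading
    of the same attempt (assumption: the maximum is taken per attempt)."""
    m = max(times)
    return [t / m for t in times]


@dataclass(frozen=True)
class Signature:
    sums: tuple[float, ...]
    means: tuple[float, ...]
    stds: tuple[float, ...]
    weights: tuple[float, ...]  # Eq. (4) as fractions of 1 instead of %


def enroll(attempts):
    """Compute the signature table (Table III / Table V) from n repetitions."""
    n = len(attempts)
    if n < 2 or any(len(a) != len(attempts[0]) for a in attempts):
        raise ValueError("need at least 2 repetitions of equal length")
    cols = list(zip(*attempts))                          # one column per T_i
    sums = tuple(float(sum(c)) for c in cols)            # Eq. (1)
    means = tuple(mean(c) for c in cols)                 # Eq. (2)
    stds = tuple(max(stdev(c), MIN_STD) for c in cols)   # Eq. (3), n-1 in the denominator
    ratios = [m / s for m, s in zip(means, stds)]
    total = sum(ratios)
    weights = tuple(r / total for r in ratios)           # Eq. (4), sums to 1
    return Signature(sums, means, stds, weights)


def score_attempt(sig, attempt):
    """Count the times that fall inside mean ± STD and add up their weights."""
    matches, weight = 0, 0.0
    for t, m, s, w in zip(attempt, sig.means, sig.stds, sig.weights):
        if m - s <= t <= m + s:
            matches += 1
            weight += w
    return matches, weight


def verify(sig, attempt, weight_threshold=0.5, match_threshold=0.75):
    """Decision rule of Section 5.1: accept if the matched weight exceeds half
    of the total, or if more than 75 % of the 2k-1 times match."""
    if len(attempt) != len(sig.means):
        return False  # assumption: a PIN of the wrong length never matches
    matches, weight = score_attempt(sig, attempt)
    return weight > weight_threshold or matches / len(sig.means) > match_threshold


def login(sig, attempts, max_trials=3):
    """Up to three trials; any accepted trial logs the user in."""
    return any(verify(sig, a) for a in attempts[:max_trials])


if __name__ == "__main__":
    sig = enroll(TABLE_IV)
    print("T1 sum/mean/STD:", sig.sums[0], round(sig.means[0], 2), round(sig.stds[0], 2))
    print("genuine row accepted:", login(sig, [TABLE_IV[0]]))
    print("imposter accepted:", login(sig, [[900, 2000, 900, 2000, 900]] * 3))
```

Running the module prints the T1 row of Table V (8800, 1466.67, 120.58), accepts a genuine registration row and rejects an attempt whose five timings all fall outside mean ± STD. The weight rule matters when fewer than 75% of the features match: an attempt that reproduces only the user's most regular features (those with the largest mean/STD ratio) can still exceed half of the total weight and be accepted, which is exactly what equation (4) is meant to express.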
For each of the 2k-1 times captured at login, if the value lies within mean ± STD of the corresponding entry in the stored signature, the number of matches is incremented by one and the weight of that time is added to the total weight of the trial. This is repeated for every digit of the PIN. The login is successful and the user is allowed into the system if one of the following conditions holds:
(i) the total matched weight is greater than 0.5 of the total weight (50% when the weights are expressed as percentages), or
(ii) the number of matches divided by 2k-1 is greater than 0.75.
If neither condition holds the user is allowed another trial. Three failed trials count as a rejection and the user is not allowed into the system.

5.2 Experiments

The experiment was conducted with 26 users:
- Each user entered his PIN six times during registration. As an example, the data for user 1, whose PIN was "963", is shown in Table IV: the first column (T1) is the key time of the first digit "9", the second column the flight time from "9" to "6", the third column the key time of "6", the fourth column the flight time from "6" to "3", and the last column the key time of the last digit "3".

TABLE IV. DATA CAPTURED FOR USER 1 FOR A PIN OF LENGTH 3 DIGITS

Repetition No. | T1   | T2   | T3   | T4   | T5
1              | 1359 | 2719 | 1440 | 2801 | 1360
2              | 1439 | 3199 | 1120 | 2720 | 1361
3              | 1440 | 2881 | 1518 | 3119 | 1522
4              | 1362 | 2560 | 1279 | 2719 | 1201
5              | 1519 | 3119 | 1361 | 2961 | 1279
6              | 1681 | 3201 | 1520 | 2720 | 1599

- A signature based on these keystroke dynamics was computed from equations (1)-(3) and stored for each user in his signature table. The signature table of user 1 for his PIN "963" is shown in Table V.

TABLE V. USER 1 SIGNATURE DATA FOR A PIN OF LENGTH 3 DIGITS

PIN time | sum   | mean        | STD
T1       | 8800  | 1466.666667 | 120.5830281
T2       | 17679 | 2946.5      | 269.7078049
T3       | 8238  | 1373        | 154.9916127
T4       | 17040 | 2840        | 165.7974668
T5       | 8322  | 1387        | 148.8851907

Two user groups (A, B) of 13 users each were formed. Group A:
I.
Logged in using their own PINs. The PIN data was processed against the stored signature of each user. Result: they all entered the system successfully. From this the False Reject Rate (FRR) was calculated.
II. Each member of group A was given the user name and PIN of a member of group B and attempted to enter the system as an imposter, entering that user name and PIN. Three trials were allowed. The number of imposters who got through was counted, and from this the FAR was calculated. The results are reported in Table VI and Figure 3.
III. The above procedure was repeated with PINs of 3 to 12 digits. The results are reported in Table VII and Figure 4. Table VIII and Figure 5 show the numbers of false accepts and true rejects summed over all PIN lengths from 4 to 12 digits. The variation between individual users is shown in Figure 6.

VI. RESULTS AND DISCUSSION

Based on the experiments, the following results can be drawn:
I. In all cases, irrespective of the number of digits in the PIN, the FRR was zero, as shown in Table VI and Figure 3. It therefore appears that this biometric would not reject the legitimate user.
II. A PIN length of 3 digits led to a large FAR, as shown in Table VII and Figure 4. A 3-digit PIN is therefore not recommended and was eliminated from further experiments.
III. Imposters who have the PIN and the user ID (e.g. the card) can log in with a probability ranging from 0.28 (4-digit PIN) down to 0.13 (12-digit PIN), as shown in Table VII and Figure 4; i.e. under the proposed system at least 72% of imposter attempts would fail. Note that the imposters in this setup knew the victim's PIN but nothing about the victim's typing rhythm, so the reported FAR is for imposters who make no attempt to imitate the owner.
IV. Since this is a behavioral biometric, its effectiveness varies from one individual to another, as shown in Figure 6.

TABLE VI. FRR AND FAR FOR GROUP A USERS (ALL PIN LENGTHS)

                        | FRR   | FAR
Total attempts          | 650   | 3260
No. of rejects/accepts  | 0     | 733
Percent                 | 0.00% | 22.48%

Figure 3. Comparison between FRR and FAR.

TABLE VII. FAR FOR PINS OF 3 TO 12 DIGITS

PIN length | False accepts | True rejects | FAR (fraction of imposter trials)
3          | 119           | 61           | 0.66
4          | 103           | 271          | 0.28
5          | 90            | 301          | 0.23
6          | 87            | 303          | 0.22
7          | 86            | 304          | 0.22
8          | 63            | 237          | 0.21
9          | 46            | 229          | 0.17
10         | 46            | 254          | 0.15
11         | 45            | 255          | 0.15
12         | 48            | 312          | 0.13

Figure 4. FAR for PINs of 3 to 12 digits.

TABLE VIII. FAR FOR GROUP A USERS FOR PINS OF 4 TO 12 DIGITS

False accepts | 614
True rejects  | 2466
All trials    | 3080
FAR           | 19.9%

Figure 5. Comparison between false accept trials and true reject trials for group A users for PINs of 4 to 12 digits.

Figure 6. FAR for each user from group A.

VII. CONCLUSIONS

The paper demonstrates that keystroke dynamics can be used to add protection to PINs and passwords for the case in which an imposter gets hold of the user's secret PIN. The method does not penalize the legitimate user: the false reject rate was zero in the experiments. For PINs of 4 digits the imposter fails in at least 72% of trials, and this proportion increases with PIN length. Since between 13% and 28% of imposter trials still succeed, the biometric is a supplement to the PIN rather than a replacement for it. Further research is needed to test the case in which the keyboard is displayed on a touch screen.

REFERENCES

[1] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, N. Memon, Authentication using graphical passwords: effects of tolerance and image choice, Symposium on Usable Privacy and Security (SOUPS), USA, 2005, pp. 1-12. Available: http://isis.poly.edu/~graphpw/pubs/05_soups.pdf, accessed 03/11.
[2] R. Gaines, W. Lisowski, S. Press, N. Shapiro, Authentication by keystroke timing: some preliminary results, Rand Report R-2526-NSF, Rand Corporation, 1980.
[3] M. Villani, M. Curtin, G. Ngo, J. Simone, S. Cha, C. Tappert, Keystroke biometric recognition studies on long-text input over the internet, CSIS, Pace University, 2006. Available: http://csis.pace.edu/~ctappert/dps/d891b-06/keystroke2006v4.pdf, accessed 03/11.
[4] M. Obaidat, B. Sadoun, Keystroke dynamics based authentication, in: A. K. Jain, R. Bolle, S. Pankanti (eds.), Biometrics: Personal Identification in Networked Society, Kluwer Academic Publishers, USA, 1999, pp. 213-229. Available: http://web.cse.msu.edu/~cse891/Sect601/textbook/10.pdf, accessed 03/11.
[5] S. Cho, C. Han, D. Han, H. Kim, Web based keystroke dynamics identity verification using neural network, Journal of Organizational Computing and Electronic Commerce, 10(4) (2000) 295-307. Available: http://dmlab.snu.ac.kr/ResearchPapers/%5BChoS_HanC_HanD_Kim%5D(2000)Web_based_Keystroke_Dynamics_Identify_Verification_using_Neural_Network.pdf, accessed 03/11.
[6] J. Ilonen, Keystroke dynamics, Lappeenranta University of Technology, Finland, 2003. Available: http://www.it.lut.fi/kurssit/03-04/010970000/seminars/Ilonen.pdf, accessed 11/07.
[7] A. Peacock, Learning user keystroke latency patterns (preliminary report), 2000. Available: http://pel.cs.byu.edu/~alen/personal/CourseWork/cs572/KeystrokePaper/KeystrokePaper.html, accessed 03/11.
[8] D. Souza, Typing dynamics biometric authentication, University of Queensland, Australia, 2002. Available: http://innovexpo.itee.uq.edu.au/2002/projects/s373901/thesis.PDF, accessed 03/11.
[9] M. Curtin, C. Tappert, M. Villani, G. Ngo, J. Simone, H. St. Fort, S.-H. Cha, Keystroke biometric recognition on long-text input: a feasibility study, Proceedings of Student/Faculty Research Day, CSIS, Pace University, 2006. Available: http://www.csis.pace.edu/~ctappert/papers/cvpr2006.pdf, accessed 03/11.
[10] E. Yu, S. Cho, Keystroke dynamics identity verification: its problems and practical solutions, Computers & Security, 23(5) (2004) 428-440. Available: http://dmlab.snu.ac.kr/ResearchPapers/Kestrokedynamicsidentityverification_itsproblemsandpracticalsolutions.pdf, accessed 03/11.
[11] R. Joyce, G. Gupta, Identity authentication based on keystroke latencies, Communications of the ACM, 33(2) (1990) 168-176.
[12] S. Furnell, Continuous user identity verification using keystroke analysis, Proceedings of the International Conference on Multimedia Communications, Southampton, 1995, pp. 189-193.
[13] F. Bergadano, D. Gunetti, C. Picardi, User authentication through keystroke dynamics, ACM Transactions on Information and System Security, 5(4) (2002) 367-397.
[14] D. Shanmugapriya, G. Padmavathi, A survey of biometric keystroke dynamics: approaches, security and challenges, International Journal of Computer Science and Information Security (IJCSIS), 5(1) (2009) 115-119.
[15] P. S. Teh, A. B. Teoh, T. S. Ong, H. F. Neo, Statistical fusion approach on keystroke dynamics, Third International IEEE Conference on Signal-Image Technologies and Internet-Based Systems (SITIS), 2007, pp. 918-923.
[16] D. Gunetti, C. Picardi, Keystroke analysis of free text, ACM Transactions on Information and System Security, 8(3) (2005) 312-347.
[17] V. Kacholia, S. Pandit, Biometric authentication using random distributions (BioART), 2003. Available: http://shashankpandit.com/papers/bioart/paper.pdf, accessed 03/11.
[18] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, N. Memon, PassPoints: design and longitudinal evaluation of a graphical password system, International Journal of Human-Computer Studies, 63 (2005) 102-127. Available: http://clam.rutgers.edu/~birget/grPssw/susan1.pdf, accessed 03/11.
[19] F. Monrose, A. Rubin, Authentication via keystroke dynamics, ACM Conference on Computer and Communications Security, 1997, pp. 48-56.
[20] D. Chudá, M. Ďurfina, Multifactor authentication based on keystroke dynamics, ACM International Conference on Computer Systems and Technologies (CompSysTech), 2009, pp. 1-6.
[21] I. Sogukpinar, L. Yalcin, User identification at logon via keystroke dynamics, Journal of Electrical & Electronics Engineering, 4(1) (2004) 995-1005.
[22] F. Monrose, A. Rubin, Keystroke dynamics as a biometric for authentication, Future Generation Computer Systems, 16 (2000) 351-359.

AUTHORS PROFILE

Sally Dafaallah Abualgasim is currently a Ph.D. candidate in computer science at Sudan University of Science and Technology. Her research interests include how to use keystroke dynamics to secure PINs and passwords. I work as a Lecturer at the Faculty of Engineering and Technology, University of Gezira, Wad Medani, Sudan.