Replacing vulnerable password with secure keystroke biometrics

11th International Conference ACNS 2013.

“When you type in a search query on Google, the result shows up immediately while you are typing, even before you hit the enter key or click on the search button. Therefore, for every single key that you press on the keyboard, there is a corresponding message being sent to the Google server,” reveals Gao, who adds that the same technology is being used on Facebook and Twitter, among other Web sites.

“Servers using such technology could potentially log down the timing of every single message, which would correspond precisely to your typing dynamics.”

The imitation game
Inter-keystroke timing, the interval between two consecutive key presses, is the most commonly used type of data for keystroke biometrics. Gao and colleagues set out to question the “uniqueness property” of keystroke biometrics, the assumption that a person’s typing pattern cannot be reproduced by someone else, by measuring the extent to which such systems can be fooled by attackers imitating their victims’ typing patterns.
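As an added illustration, not code from the page, from Gao’s group, or from Mimesis, the following Python toy shows what an inter-keystroke-timing verifier actually does: it reduces each login attempt to the press-to-press intervals of consecutive key pairs (digraphs), enrolls a template of mean and spread per digraph, and accepts an attempt whose intervals all fall inside that envelope. The enrollment samples and attempts are constructed values, and the 10 ms spread floor and 2-sigma tolerance are assumptions of this example rather than parameters from the study. The decision depends only on the timings, which is the uniqueness assumption the research questions.

```python
"""Toy keystroke-dynamics verifier based on inter-keystroke timing (added example)."""
from statistics import mean, pstdev

# Assumed floor on the per-digraph spread so a very consistent typist does not
# end up with a zero-width acceptance window.
MIN_SPREAD_MS = 10.0

# Constructed enrollment samples for the password "pass": (key, press time in ms).
# The numbers are invented for illustration, not measured data.
ENROLLMENT = [
    [("p", 0), ("a", 120), ("s", 270), ("s", 360)],
    [("p", 0), ("a", 130), ("s", 285), ("s", 370)],
    [("p", 0), ("a", 115), ("s", 260), ("s", 355)],
]

# Constructed login attempts: one from the enrolled typist, one from a stranger.
GENUINE_ATTEMPT = [("p", 0), ("a", 125), ("s", 275), ("s", 365)]
STRANGER_ATTEMPT = [("p", 0), ("a", 200), ("s", 420), ("s", 600)]


def inter_keystroke_intervals(events):
    """Map each digraph (position, key, next key) to its press-to-press interval in ms.

    The position is part of the key so that a repeated digraph such as "ss"
    inside a longer password does not overwrite an earlier occurrence.
    """
    return {
        (i, k1, k2): t2 - t1
        for i, ((k1, t1), (k2, t2)) in enumerate(zip(events, events[1:]))
    }


def enroll(samples):
    """Build a template: for each digraph, the mean interval and its spread."""
    per_digraph = {}
    for sample in samples:
        for digraph, interval in inter_keystroke_intervals(sample).items():
            per_digraph.setdefault(digraph, []).append(interval)
    template = {}
    for digraph, intervals in per_digraph.items():
        spread = max(pstdev(intervals), MIN_SPREAD_MS)
        template[digraph] = (mean(intervals), spread)
    return template


def verify(template, events, tolerance=2.0):
    """Return (accepted, max_z).

    Every interval must lie within `tolerance` spreads of the enrolled mean.
    An attempt with a different key sequence (wrong password or length) is
    rejected outright; the verifier never sees who produced the timings.
    """
    observed = inter_keystroke_intervals(events)
    if observed.keys() != template.keys():
        return False, float("inf")
    max_z = 0.0
    for digraph, interval in observed.items():
        mu, sigma = template[digraph]
        max_z = max(max_z, abs(interval - mu) / sigma)
    return max_z <= tolerance, max_z


if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    for label, attempt in (("genuine", GENUINE_ATTEMPT), ("stranger", STRANGER_ATTEMPT)):
        accepted, z = verify(template, attempt)
        print(f"{label}: accepted={accepted} max_z={z:.2f}")
```

Running the module enrolls the three samples and scores both attempts; the genuine attempt lands well inside the envelope while the stranger's intervals are several spreads away. Because acceptance is purely a function of the intervals, any attempt whose timings are close enough to the template is indistinguishable from the enrolled user, which is why a leaked template, or timing captured by a key-logger or an on-the-fly web service, undermines the scheme.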

Recruiting eighty-four SMU students as attackers, the researchers first gave each participant 30-45 minutes of training with a feedback software program, Mimesis, which they had developed. The program gives positive or negative feedback to the student so that, through incremental adjustments, they can closely imitate how their victim types.

Consider a scenario where a biometrics database is compromised; software such as Mimesis could be used to extract victims’ typing parameters, which can then be used for malicious purposes.

“For example, it will tell you that the way that you type right now is slightly different from the victim’s typing; or the inter-keystroke timing between A and S is shorter than what the victim types, so you better slow down a little bit when you are typing these two letters,” Gao elaborates.

The results show that when a victim’s typing pattern is known, imitation is possible — contrary to the findings of previous studies. The students could easily log into systems by impersonating their would-be victims, and fourteen of them managed to do so with an almost 100 percent success rate over a total of 200 attempts.

Interestingly, even if the attacker had partial information about their victim — perhaps a handful of typing samples captured by a key-logger as the victim is authenticating — they could nevertheless still achieve a reasonably high false acceptance rate.

Gao presented this research at the 20th Annual Network & Distributed System Security Symposium 2013 in San Diego, California. His conference proceedings paper, “I Can Be You: Questioning the Use of Keystroke Dynamics as Biometrics,” received the Best Paper Award.

Designing better, more usable interfaces
From their experiments, the researchers also learned a number of fascinating things: for one, the easier the password, the easier the imitation. Male students were also found to be better than female students at imitation. However, various factors such as typing consistency, type of keyboard, and imitation strategy had much less influence on the imitation outcome than expected.

Findings such as these could potentially prompt a re-think of current keystroke biometrics-based authentication systems, Gao believes. With his work, he hopes to spread awareness about the weaknesses of keystroke biometrics, allowing companies to configure their Web services in such a way that provides functionality without compromising on end user privacy.

— Read more in Chee Meng Tey et al., “Keystroke Timing Analysis of on-the-fly Web Apps,” Applied Cryptography and Network Security: 11th International Conference ACNS 2013, Banff, Alberta, Canada, 25-28 June 2013: Proceedings (doi:10.1007/978-3-642-38980-1_25)