Commentary
I Got Rhythm
- by John Capone , April 2, 2008
The idea for keystroke dynamics predates keyboards. The concept goes back to World War II and was called "The Fist of the Sender," which, surprisingly, is not the title of a kung fu movie about postmen. "The Fist" in this case refers to how telegraph operators could recognize one another's sending patterns, even in Morse code. Every individual has his own unique way of typing. Even now, as I type, I am sending information through my keyboard that could be used to identify me as the typist.
The company urging me to protect myself, bioChec, sells its patent-pending "dynamic enrollment" as a security measure. This added layer of security makes it nearly impossible for someone to log in as you, even if they have your password. Once the system learns your unique typing signature (it took 12 tries for the bioChec demo to learn mine) it stores it as your particular template.
According to a National Institute of Standards and Technology study, modern keystroke recognition, with a false acceptance rate (FAR) of 0.01 percent, is nearly as reliable as fingerprinting and much more reliable than voice verification, which can have a FAR as high as 1.6 percent. Though biometric checks have their advantages. "If someone manages to steal my fingerprint using a gummy-bear, I cannot go and get another fingerprint," says bioChec's John Checco (you could say he was born into this). "Yes, we have 10 digits to choose from, but very limited reuse. Behavioral biometrics excel in re-usability because most systems measure a finite slice of behavior: speaking, writing or typing a particular phrase. If someone shadows me enough to type a particular phrase close enough to warrant identity theft, I can just change my passphrase. The thief must start from scratch because my behavior consists of many variables, and only a small portion is measured to make an assessment."
Josh Chasin, the chief research officer at comScore says that the data gathering and measurement company uses a patented keyboard and mouse movement biometric technology it calls User Demographic Reporting (UDR) as part of its methodology. "We create a roster of users of a computer in a household," he says. "Our roster contains the first names of these persons and their demographics." Once the system has learned the patterns of all members of a household, comScore can tell who is using a given computer. Chasin says, "It is contingent on our having created a signature or fingerprint for each machine user. This system allows us to attribute user sessions to specific persons without our having to serve them a pop-up each time someone uses the Internet, asking for self-identification." Of course, it would also prevent dad from claiming it must have been his son searching for local MILFs last night.
"When we introduced this technology in 2001," says Checco, "there was a lot of concern in the corporate world of monitoring employees for productivity purposes - drugs, alcohol, all the things that came with the dot-com bubble. In that vein, we were asked at many, many times if keystroke biometrics could determine if someone was inebriated or under the influence. The short answer is no." He goes on to say that the technology can only tell that behavior has changed but not why. For instance, typing could become erratic for a reason as simple as someone holding a phone with one hand while trying to type with the other, or they could be drunk, but the system could not make this distinction.
These current uses of behavioral biometrics all depend on a person training the system beforehand, so, of course the user is aware of it. When asked if he saw broader applications for the technology, where the system would not need to be trained and could, say, identify traits in an anonymous user, Chasin says, "I don't know. But I bet the CIA does." The CIA, sadly, offered no comment.
