How keystroking style could replace passwords for authentication

The way that you type at the keyboard, along with an algorithm, could make authentication more secure and cheaper, researchers say.

The username and password mix that we've been using for authentication is on its way out, some people think.

As we all know, problems include outright theft, the loss of password, phishing, and bots.

Alternatives that have proven a bit more successful have included adding an extra element of authentication — such as an object that has to be in the possession of the user. A bank card at an ATM is an example of this. That's called two-factor authentication.

But a new biometric typing keystroke algorithm that knows how you type could be a better authentication method, some scientists say.


Biometrics promise the most security, experts say. A fingerprint, or a voice print, is unique — it's theoretically inseparable, unlike the easily copied magnetic card.

Cheaper and faster computer processing and sensors, along with algorithms, could now allow those biometrics to come of age — we're seeing fingerprint sensing in mobile devices now, for example.


We all type slightly differently at the keyboard. That uniqueness could be used to identify users online, the scientists at the Jeppiaar Engineering College in Chennai, India, think.

This "dynamics characteristic of someone's typing or the human typing pattern," varies from person to person, the scientists say in their paper.

J. Visumathi and P. Jesu Jayrin say that a keystroke method of authentication would be cheaper and more reliable than existing systems.

No software or hardware

"To find out the typing patterns we do not require any additional software," they say.

The process uses "various software systems already present in the computer. This leads to decreased costs."

You gain the benefit of biometric security without the sensor hardware cost, if it works.

Leaky keyboards, which enable the cloning of keystrokes, might be one possible fail point, though — leaks have been created before at ATM machines with dummy swipe readers, for example.


Two phases are used with the system: new user registration where the keystrokes are recorded, and then authentication of the stored keystroke data.

In this case, the scientists use five samples with a corresponding user name and password.

"Dwell" is the duration of a specific key stroke, and "Flight," the pause between keystrokes are among the elements used.

"Typing Speed" is the number of average keystrokes over a time period, and "Interkey time" is the "timing information between the release of the key and the press of successive key."

They are all applied to the template algorithm.


There's competition for new biometrics authentication ideas. I've written about a bank that's using algorithm-driven voice authentication in "Can voice recognition replace passwords?" The sound of the user's voice authenticates the transaction.

One clever advantage to that system is that a spoken passphrase can be compared to a blacklist of known crooks who've called in to try to con the system.


Other recent authentication developments include using the emoji icons that people use to communicate in messages.

I've written about emoji authentication before in "Emoji passcodes are easier and more secure."

Emoji are the pictorial icons that derive from Japanese electronic messages. The security company behind that authentication technology says that it's done research that indicates 64% of millennials regularly communicate only using emoji.

Therefore, they should find it easier to remember an emoji password than a PIN, solving one major password issue — forgotten ones.

Copyright © 2015 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022