Username and password pairs as authentication factors are as weak as they are ubiquitous. Usernames and passwords can be "phished," stolen, discovered, and cracked in a number of ways. This single factor of authentication is so weak that the Federal Financial Institutions Examination Council (FFIEC) is requiring that all online banking services adopt multi-factor authentication by the end of 2006. In addition, other businesses exposed to Internet security risks are also implementing multi-factor authentication as a way to better protect their users from fraud, even though there is not yet a regulatory mandate for them to do so.

In light of these needs, a technique known as keystroke dynamics (or, typing dynamics) is emerging as an effective way to strengthen user authentication. Keystroke dynamics is a detailed description of the timing of key-down and key-up events when users enter usernames, passwords, or any other string of characters. Because a user's keystroke timings are as individual as handwriting or a signature, keystroke dynamics can be used as part of a scheme to verify a user's identity.

This article is an executive summary of our full report, The Business Case for Keystroke Dynamics in Multi-Factor Authentication.

To better understand the potential of keystroke dynamics, it may be useful to review the three categories of authentication factors:

1. Something you know: Username and password pairs fall into this category, as do questions with secret answers (e.g. "What is your mother's maiden name?" or "What was the name of your first pet?"). The answers to these questions may be known to many people other than the true account owner, but the owner has the ability to "harden" the answers to these prompts in many ways (e.g. substituting numbers for letters, spelling the answer backwards, or changing the spelling slightly).
2. Something you have: ATM cards are the most pervasive example in this category. Many financial services websites put a persistent cookie on a user's PC when the user initiates an online account or uses a new PC or other access device for the first time. One-time password-generating tokens (key fobs) are the most secure example, but they can be expensive to provide and support. One-time passwords sent to mobile phones as text messages are yet another innovative example.
3. Something you are: Fingerprint readers are the most commonly understood example in the biometric category of authentication, but keystroke dynamics may soon emerge as the most widely implemented. A major attraction of keystroke dynamics is that it can be implemented with hardware already in use (the computer keyboard), so no additional hardware is needed, such as fingerprint readers or retina scanners. Furthermore, keystroke dynamics can be collected as part of the user's normal login process, so that multiple challenges--which annoy users--are not required when a login appears invalid.

On the surface, therefore, there is much to recommend keystroke dynamics as a cost-effective method to strengthen user authentication. But how can these benefits be evaluated more precisely? The full version of this report presents a simple analytical framework to estimate the security and economic benefits of keystroke dynamics in the context of multi-factor authentication. It does not examine the specifics of keystroke dynamics algorithms; rather, it examines how keystroke dynamics can best be used in conjunction with other existing authentication factors to effectively achieve multi-factor authentication.

The full version of this report provides some simple scenarios to illustrate the application of keystroke dynamics. We then analyze the security benefits of keystroke dynamics in the context of multi-factor authentication. The net effect of keystroke dynamics is to isolate and concentrate potentially fraudulent logons into smaller and smaller segments, so that more expensive methods of authentication can be applied to those logon attempts with a greater likelihood of being truly fraudulent. Finally, we examine the economic benefits of multi-factor authentication. These benefits include lower customer service costs, smaller fraud expenses, and fewer false negatives (legitimate customers who are falsely rejected).

December 2006