Username and password pairs as authentication factors are as weak as they are ubiquitous. Usernames and passwords can be "phished," stolen, discovered, and cracked in a number of ways. This single factor of authentication is so weak that the Federal Financial Institutions Examination Council (FFIEC) is requiring that all online banking services adopt multi-factor authentication by the end of 2006. In addition, other businesses exposed to Internet security risks are also implementing multi-factor authentication as a way to better protect their users from fraud, even though there is not yet a regulatory mandate for them to do so.
In light of these needs, a technique known as keystroke dynamics (or typing dynamics) is emerging as an effective way to strengthen user authentication. Keystroke dynamics is a detailed description of the timing of key-down and key-up events when users enter usernames, passwords, or any other string of characters. Because a user's keystroke timings are as individual as handwriting or a signature, keystroke dynamics can be used as part of a scheme to verify a user's identity.
This article is an executive summary of our full report, The Business Case for Keystroke Dynamics in Multi-Factor Authentication.
To better understand the potential of keystroke dynamics, it may be useful to review the three categories of authentication factors:
On the surface, therefore, there is much to recommend keystroke dynamics as a cost-effective method to strengthen user authentication. But how can these benefits be evaluated more precisely? The full version of this report presents a simple analytical framework to estimate the security and economic benefits of keystroke dynamics in the context of multi-factor authentication. It does not examine the specifics of keystroke dynamics algorithms; rather, it examines how keystroke dynamics can best be used in conjunction with other existing authentication factors to effectively achieve multi-factor authentication.
The full version of this report provides some simple scenarios to illustrate the application of keystroke dynamics. We then analyze the security benefits of keystroke dynamics in the context of multi-factor authentication. The net effect of keystroke dynamics is to isolate and concentrate potentially fraudulent logons into smaller and smaller segments, so that more expensive methods of authentication can be applied to those logon attempts with a greater likelihood of being truly fraudulent. Finally, we examine the economic benefits of multi-factor authentication. These benefits include lower customer service costs, smaller fraud expenses, and fewer false negatives (legitimate customers who are falsely rejected).
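The sketch below is an added example, not taken from the report: it turns key-down and key-up timestamps into timing features, scores them against an enrolled profile, and sends only poorly matching logons to a more expensive authentication step. The function names, the mean absolute z-score used as the score, the threshold of 2.0, and all sample timings are assumptions constructed for illustration.

```python
from statistics import mean

def timing_features(events):
    """Dwell (up - down) per key, then flight (next down - previous up), in ms."""
    presses = []  # [key, down_ms, up_ms], kept in key-down order
    for key, kind, t in events:
        if kind == "down":
            presses.append([key, t, None])
            continue
        open_press = next((p for p in presses if p[0] == key and p[2] is None), None)
        if open_press is None:
            raise ValueError(f"key-up without key-down: {key!r}")
        open_press[2] = t
    if any(p[2] is None for p in presses):
        raise ValueError("key-down without key-up")
    dwell = [up - down for _, down, up in presses]
    flight = [nxt[1] - cur[2] for cur, nxt in zip(presses, presses[1:])]
    return dwell + flight

def anomaly_score(features, profile):
    """Mean absolute z-score against enrolled (mean_ms, stdev_ms) pairs (assumed metric)."""
    if len(features) != len(profile):
        raise ValueError("feature count differs from enrolled profile")
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(features, profile))

def route_logon(password_ok, events, profile, threshold=2.0):
    """Return 'reject', 'accept', or 'step_up' (apply a costlier factor)."""
    if not password_ok:
        return "reject"
    try:
        score = anomaly_score(timing_features(events), profile)
    except ValueError:
        return "step_up"  # unusable capture: fall back to the stronger factor
    return "accept" if score <= threshold else "step_up"

# Constructed sample data: enrolled profile for a three-character secret,
# as (mean_ms, stdev_ms) for 3 dwell times followed by 2 flight times.
PROFILE = [(92, 8), (82, 7), (96, 9), (62, 12), (68, 11)]
OWNER = [("a", "down", 0), ("a", "up", 90), ("b", "down", 150),
         ("b", "up", 230), ("c", "down", 300), ("c", "up", 395)]
OTHER = [("a", "down", 0), ("a", "up", 140), ("b", "down", 330),
         ("b", "up", 450), ("c", "down", 700), ("c", "up", 850)]

if __name__ == "__main__":
    for name, ev in (("owner", OWNER), ("other typist", OTHER)):
        print(name, route_logon(True, ev, PROFILE))
```

A correct password typed with an unfamiliar rhythm is not rejected outright; it is routed to the stronger factor, which keeps false rejections of legitimate users low while concentrating the expensive check on the suspicious segment.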