User acceptance and high cost often prevent organizations from adopting biometrics as a workstation multi-factor authentication solution.
This is not to say that other solutions present fewer implementation obstacles. The capital expenditure and on-going maintenance costs associated with token-based systems are often higher than those related to fingerprint scanning. So how do businesses deal with the weak security presented by password-only authentication? Behavioral biometrics, and keystroke dynamics in particular, might be the answer.
In this article, I explore biometrics at a high level. This is followed by a short comparison of physical and behavioral biometrics. Finally, I describe how keystroke dynamics works and how solutions based on this technology can be implemented with relatively low business impact.
What is biometrics?
Biometrics–when used with a Personal Identification Number (PIN) or password–is the use of unique human characteristics to identify, verify, and authenticate users for access to information and physical resources. Biometric solutions can be applied to a wide variety of challenges, including room or building access as well as network or device authentication.
Human traits used for biometrics are divided into two categories: physical and behavioral. Physical traits often used for this purpose include:
- Finger or hand geometry
- The retina, specifically the blood vessel pattern inside the eye
- The features of the iris, the colored area of the eye surrounding the pupil
- Facial features
Behavioral traits help verify a person’s identity by looking at some measurable activity. Examples include:
- Signature dynamics–various solutions measure some combination of appearance, shape, timing, and pressure as the user writes his signature
- Voice verification–tone, pitch, and cadence are used to create a template to verify user identity
- Mouse dynamics–measurement of distance, speed, and angle contribute to identity analysis
- Keystroke dynamics–the duration of each key-press and the time between keystrokes is used to help with identification
The accuracy of any biometric method is measured in terms of Failed Acceptance Rate (FAR) and Failed Rejection Rate (FRR). Both are expressed as percentages. The FAR is the rate at which attempts by unauthorized users are incorrectly accepted as valid. The FRR is just the opposite. It measures the rate at which authorized users are denied access.
The relationship between FRR (Type I) and FAR (Type II) is depicted in Figure A. As one rate increases, the other decreases. The Cross-over Error Rate (CER) is sometimes considered a good indicator of the overall accuracy of a biometric system. This is the point at which the FRR and the FAR have the same value. Solutions with a lower CER are typically more accurate.
|
Figure A |
 |
| CER and Error Rate Relationship (From Just Enough Security, © 2006, Erudio Security LLC) |
Table A lists three approaches to biometrics with their associated error rates. Note that fingerprint biometrics is more accurate that the two behavioral biometrics. This is not an issue, however. As we will see next, the advantages of a solution like keystroke dynamics far outweigh any potential accuracy issues.
Table A
|
Biometrics |
FAR |
FRR |
|
Fingerprint |
approx 0% |
approx 1.0% |
|
Voiceprint |
approx 1.6% |
approx 1.8% |
|
Typeprint (Keystroke) |
approx .01% |
approx 3.0% |
Table 1: Error Rate Comparison
Why use behavioral biometrics?
Biometrics using physical characteristics for identification comes with two major challenges: cost and user acceptance. Sensors to read physical traits must be purchased and maintained at points of authentication. A sensor, with supporting software, runs in excess of $100. Multiply this by hundreds of workstations and the cost quickly becomes prohibitive for many organizations. Add the support costs needed to maintain or replace deployed sensors, and the total cost of ownership (TCO) rises quickly.
In addition to cost, many users are hesitant to accept solutions that capture and store things like fingerprints or iris patterns. They see this as an invasion of their personal privacy. Deployment can be further complicated by complaints that the scanning device is too intrusive (e.g. eye scanners) or that the shared use of a sensor is unsanitary. Finally, errors in the analysis of sensor input tend to frustrate both users and management.
Two of the four behavioral biometrics solutions listed earlier promise to effectively deal with these issues: mouse and keystroke dynamics. Signature and voice dynamics still carry some of the baggage associated with physical biometrics; they require additional equipment. They also carry the additional burden of having relatively high error rates.
Mouse dynamics is in the early stages of development. It will be some time before it reaches the appropriate level of maturity needed to deploy it in a business environment. This leaves us with keystroke dynamics.
Keystroke Dynamics (KD)
To demonstrate how KD works, I will walk through the basic functionality of the solution developed by BioPassword.
In KD, there are two metrics used to verify the identity of a user: dwell time and flight time (see Figure B). As a person types, the KD application collects the duration of each key press and the cycle time between one key press and the next. For verification purposes a known verification string is usually typed (i.e. account ID and password).
|
Figure B |
 |
| Keystroke Dwell Time and Flight Time (BioPassword, 2006) |
Once the verification string is entered, it is processed by an algorithm that compares the person’s typing behavior to a sample collected in a previous session. The output of the comparison is a score. If this is the first time the KD system has seen this user, the results of this process are used to enroll him instead of verifying his identity.
If the score falls within a range defined by the organization as acceptable, and the password entered is correct, the user is authenticated and verified — access to information resources is granted. For those cases where the score is not acceptable, business rules can be defined to determine how to proceed. Figure C depicts this process.
|
Figure C |
 |
| Verification Monitoring and Enforcement (BioPassword, 2006) |
As shown in the graphic, an organization can apply business rules to determine how the collected information and the comparison results are used. For example, an employer who intends to roll out KD might choose to collect typing behavior samples without any interaction with the employees. This allows for the silent and non-intrusive enrollment of all network users. Further, the KD system improves over time. The more samples collected for a specific user the lower the error rate when verification is actually turned on. And no special equipment is needed. Any keyboard can be used for this process.
Business rules can also be used to support the verification process. The error rate of biometric technology can be frustrating. With KD, the administrator can write a business rule to prompt the user for a cognitive password when a comparison score is not quite high enough to pass. By asking a secret question, the user is able to continue the login process, and the KD system is able to automatically update the stored comparison template to more accurately reflect the user’s typing habits.
The final word
Multi-factor authentication does not have to be a high cost, user-frustrating implementation. The key is to use the technology best suited for the target business. As always, this means deploying a solution that results in a return on investment and has minimal impact on operational efficiency. Keystroke dynamics provides the opportunity to meet these business objectives.