When any computer user types on a keyboard, the pattern of keystrokes is unique – like a fingerprint. When using a mouse, the patterns for each user are just as different – and Iowa State engineers aim to combine these “patterns” to identify people, offering a more secure alternative to passwords.
When any computer user types on a keyboard, the pattern of keystrokes and pauses is unique – like a fingerprint. When using a mouse, or touchscreen, the patterns for each user are just as different – and Iowa State engineers aim to combine these “patterns” to identify people, instead of using usernames and passwords.
Describing the patterns as “cognitive fingerprints”, the Iowa State team can identify users via their typing rhythms with very high accuracy – false acceptance and rejection rates of just 0.5%, Phys.org reports.
The experiments conducted by Morris Chang, associate professor of electrical and computer engineering, are large-scale – using more than 2,000 users, according to Iowa State’s report.
Chang says he can improve the accuracy rates by combining typing patterns with analysis of mouse or mobile device patterns.
“These pauses between words, searches for unusual characters and spellings of unfamiliar words, all have to do with our past experiences, our learning experiences,” Chang says. “We call them ‘cognitive fingerprints’ which manifest themselves in typing rhythms. Our technology is able to distinguish legitimate users versus imposters, based on the large-scale experiments we’ve been able to conduct.”
Chang’s work is supported by the Defense Advanced Research Projects Agency (DARPA).
The software – Cognitive Typing Rhythm – collects a user’s typing patterns during a 90-minute exercise. The pattern is loaded into a network’s security system, where it’s used to monitor users constantly.
“The system can see if the same person or an imposter is coming in to hijack the computer,” Chang said. If the system detects an unauthorized user, it can lock users out of a network, restrict access or ask for another password.
“When you use a computer today, the user is typically only verified during the initial login,” Chang said. “But DARPA wanted to know how we can assure the same person is using the computer as long as a session is still active. We had a hypothesis about how to do that, we implemented it and we proved it.”
Other researchers are creating similar systems that rely on identifying users by unconscious habits – as reported by We Live Security here.
SilentSense, announced in the wake of iPhone 5, can identify a user within 10 taps of the touchscreen with 99% accuracy, according to Cheng Bo of the Illinois Institute of Technology. The system works with a smartphone’s gyroscope and accelerometer to identify users, and even takes account of their gait as they walk, as reported by New Scientist.
“While using mobile devices, most people may follow certain individual habits unconsciously. Running as a background service,SilentSense exploits the user’s app usage and interacting behavior with each app, and uses the motion sensors to measure the device’s reaction,” says Bo.