Computers often contain, or control access to, valuable assets. Therefore, user authentication (confirming that a user is who he says he is) is an important component in computer system operations. User authentication methods have traditionally been based on passwords; the security of such systems depends mainly on the secrecy of the passwords. Passwords are the most familiar example of a “know something” security method: access rights are granted to anyone who knows the password. Drawbacks of “know something” systems are well-understood: an attacker can subvert the system by guessing the password, or by forcing, tricking or colluding with a legitimate user to reveal the secret.
Another common type of security system is based on legitimate users having a physical token such as a key or identification badge (a “have something” system). These systems are also well-understood, and can be subverted by an attacker who steals or copies a physical token. (Tokens are often made difficult to copy to improve the security of such systems.)
Combination systems (“have something, know something”) require a prospective user to present a physical token and to prove knowledge of a secret such as a Personal Identification Number (“PIN”) or password. Such systems may be somewhat more secure, but are still vulnerable to the same sorts of attacks, because physical tokens and secrets can both be separated from their rightful owners and used by an impostor.
A number of biometric security systems have been developed to tie access rights more closely to an authorized person, rather than anyone who simply possesses the authorized person's objects or secrets. For example, fingerprints, iris and retina images, voice recognition and hand geometry have all been used to identify individuals in connection with a security system. These approaches can provide varying levels of confidence that a person is who he claims to be. Unfortunately, many of these systems depend on uncommon and/or expensive hardware to perform the measurements, so they may not be suitable for use in large-scale, heterogeneous environments.
One biometric authentication method that has attracted some attention for its flexibility, discriminative power and lack of reliance on specialized hardware is based on keystroke timing measurements. It has been observed that individuals type differently from one another, and that typing style (speed, pressure, rhythm, intercharacter delays, and so on; together, “keystroke dynamics”) carries information that can be used to identify the typist. (Note that this information is present regardless of the text being typed—there is no requirement that a secret password be used.)
Keystroke dynamics systems based on statistical and neural-network models have been proposed (e.g., Young, Cho), but implementations suffer from computational complexity and operational drawbacks that limit their acceptance. For example, a statistical or neural authentication system may take an unacceptably long time to identify a user, require excessive reconfiguration to add or remove a user to a database of authorized users, or demand unrealistically consistent typing skills to distinguish between users. A keystroke-dynamics-based authentication system that improves these areas may be of interest.