ARTICLES Dependable Computing John Rushby Editor Identity Authentication Based on Keystroke Latencies The variables that help make a handwritten signature a unique human identifier also provide a unique digital signature in the form of a stream of latency periods between keystrokes. This article describes a method of verifying the identity of a user based on such a digital signature, and reports results from trial usage of the system. Rick Joyce and Gopal Gupta Computer systems are now used in almost all aspects of business and commerce and many businesses rely heavily on effective operations of their computer systems for their business to succeed. For computer systems to be effective, they must be secure so that information stored in them is accessible only to authorized users. Computer security usually involves several components: l l l physical security of the computer installations so that unauthorized persons may not enter the installations. identification, authentication and authorization mechanisms to ensure that persons accessing the computers remotely are allowed access to the systems only if they are authorized to have such access. Use of login names and passwords is the most common mechanism to control user access to computer systems although some sensitive installations require that the user insert a user identification card in specially designed user terminals. physical security of computer terminals is also used in some sensitive computer systems. This usually restricts the user to access the computer system only through one of the designated terminals that are placed in physically secure locations. This article deals only with user authentication. Methods for verifying the identity of an individual can be divided into four classes: (1) objects in the possession of the individual, such as keys, id cards, passports, etc. (2) knowledge that the person has, such as lock combination, password, PIN number, etc. (3) actions such as signature or patterns of behavior. 01990 ACM 0001.0782/9OjOZOO-0168 $1.50 166 Communications of the ACM such as the physical description, prints, retinal pattern, voice pattern, etc. (4) physiology finger- Computer systems commonly use the first two of these categories, e.g., possession of keys to the building along with a valid username/password, or possession of a bank card along with knowledge of its corresponding PIN number. Some work has been done in the last category but as, of yet these techniques require expensive, specialized hardware and software. To date, the “actions” category has been largely ignored. Use of login names and passwords is the most commonly used mechanism for static identification and authentication. The apparent ease with which hackers have been able to access many systems that were considered secure clearly indicates the inadeq.uacy of the password mechanism for verifying identity and therefore there is a need for other, more reliable, security measures. Society has relied on the written signature to verify the identity of an individual for hundreds of years. The complexity of the human hand and its environment make written signatures highly characteristim and difficult to forge precisely. In current computer :systems, the signature has been replaced by a username/password pair (coupled with encryption schemes) fo:r static identification and authentication. One problem with this scheme is that it relies entirely on the “knowledge” category of authentication techniques, and. has abandoned the information contained in the “actions” category. The handwritten signature has a parallel on the keyboard. The same neurophysiological factors that make a written signature unique are also exhibited in a user’s typing pattern. When a person types on a keyboard, he/she leaves a digital signature in the form of keystroke latencies (the elapsed time between keystrokes). For well-known, regularly typed strings this signature can be quite consistent. Februa y 1990 Volum 33 Number 2 Articles The idea of using keyboard characteristics in identifying and verifying individuals is not new and some products that use such characteristics have been known to be in the market and others have been rumored to be ready for release. Unfortunately however, the effectiveness of such systems is not known since the techniques used in these products are often confidential and very little research about their effectiveness is available in the public domain. In the last few years Gaines, Lisowski, Press and Shapiro [2], Umphress and Williams [7], Garcia [3], Leggett, Williams and Umphress [6], Leggett and Williams [5] and Young and Hammon [8] have studied the use of keystroke characteristics in verifying identity of a person. Gaines et al. [2] describe an experiment in which seven professional secretaries at the Rand Corporation were asked to type the same three passages of text at two different times separated by four months. All secretaries were not available to type all three texts at both sessions and complete data was available for only 11 sessions. Each of the three passages of lowercase text was about 300-400 words long. The first passage was an ordinary English text, the second a collection of random words while the third was a collection of random phrases. Keystroke latency times between adjacent letters (called digraph latency times) were computed for each individual and were found to vary from 75 msecs to several seconds. Also, it was found that there was little difference in the digraph times in the three passages and therefore, for each individual, the information from the three texts was merged. Since the digraphs considered involved only lower-case letters and spaces, there were 27 X 27 possible different digraphs. Most of these 729 digraphs either did not occur in the typed material or occurred only infrequently. The analysis therefore was based on only those digraph values that had at least 10 or more replications for each sitting of each individual. There were 87 such digraphs. These digraph values were transformed by removing the outliers and then taking the logs of the remaining values. Logarithms of the values were used because it was assumed that the raw data was log-normally distributed and the transformed data was found to be approximately normally distributed. A classical twosample t-test of the hypothesis that the means of each digraph times at both sessions were the same was carried out assuming that the two variances were the same for each individual. It was shown that the number of digraph values that passed the test were typically between 80 percent to 95 percent. Gaines et al. also studied the suitability of such digraph latency information in authenticating identity. As noted earlier, there were 87 digraph values that had 10 or more samples for each of the eleven different sessions. Each authentication test involved selecting one of these sessions as the reference session and each of the remaining 10 sessions as a session from a person (or claimant) wishing to access the computer system. A total of 55 such tests can be carried out given the data and the symmetry of the tests. Using the same f-tests, it February 1990 Volume 33 Number 2 was found that out of the 55 tests, the imposter’ pass rate (percentage of invalid user attempts being accepted) was zero and the false alarm rate (percentage of valid user attempts being denied access) was about 4 percent (2 out of 55). Further analysis was carried out in an attempt to identify what Gaines et al. [2] call key or core digraphs. It was found that if only five digraph values (viz., in, io, no, on, and ul) were used, the authentication procedure worked perfectly i.e., no imposter pass or false alarms were found. Although the results of [2] are encouraging, their study had a number of limitations. The most important being the number of individuals involved in the experiment. Their results therefore, particularly those relating to use of only five digraphs in authentication, need much further investigation. Umphress and Williams [7], Leggett, Williams and Umphress [6] and Leggett and Williams [5] report the results of two experiments similar to the experiment conducted by Gaines et al. [2]. The first experiment had 17 programmers of varying typing ability provide two typing samples, the first with about 1400 characters that served as a reference profile and the second of about 300 characters that served as the test profile. In the second experiment, 36 participants typed in a 537 character passage at two different times separated by over a month. The basis of the research of [6] is to use two keystroke characteristics of the user. The first measure is the mean of the keystroke latencies of the user, essentially the user’s typing speed. The second indicator involves comparing digraph latencies between all digraph combinations that have been typed by the user with reference latencies in a 26 X 26 reference latenties matrix whose rows correspond to the first letter of a two letter digraph and columns correspond to the second letter. In the second experiment, blank was added as a valid character in digraphs and the first part of the test that was based on the mean of all keystroke latencies of the user was dropped since it was found not to add any discriminating power to the verifier. Since many of the digraph latencies occur only infrequently, the standard deviation of the reference profile latencies (i.e., all the latencies in the reference profile) is used as a measure of tolerance of a match. If the test digraph latency time was within 0.5 standard deviations of the reference digraph latency mean then the latency was counted as valid. The ratio of valid digraph latencies to total latencies in the test string was then computed. If the ratio was above 0.6, the user was considered to have passed the verification test. In [5] 12 different digraph latency tests were evaluated. These included using different maximum digraph latencies allowed to remove outliers (viz., 300 msecs, 500 msecs and 750 msecs) as well as applying the test to only a subset of the digraphs, for example, the subset identified by [2] or 6 and 15 most frequent digraphs, ‘We are inclined to agree with “impostor” but we will continue field have used this spelling. the editor that “imposter” to use “imposter” since is better spelled as earlier papers in this Communications of the ACM 169 Articles left-hand-only digraphs, right-hand-only digraphs, etc. It was found that if the five digraphs identified by [2] as core digraphs were used, the false alarm rate was above 30 percent and the imposter pass rate above 17 percent. The best results were obtained by using all digraphs involving lower-case letters only and the blank with a maximum latency of 500 msecs. This digraph latency test resulted in an identity verifier with false alarm rate of only about 5.5 percent and imposter pass rate of about 5.0 percent. Although the above low error rates are quite impressive, the imposter pass rate of 5 percent is still too high to be useful as an identity verifier since an imposter pass is a breach of the system security. A false alarm rate of 5 percent could well be acceptable since it would be nothing more than a nuisance in that a genuine user would, on the average, fail to get access to the system 1 out of 20 attempts. Therefore a reliable identity verifier would require techniques that would reduce the imposter pass rate to well below 1 percent. A lower false alarm rate would also be desirable but, as noted above, not essential. The experiments discussed above have a major limitation in that they required the users to type in rather large character strings, first for generating the reference latencies data and then for verification. Jn spite of this, in the experiments of [6] it was necessary to use standard deviation of the reference profile latencies as a measure of tolerance of a digraph latency for each digraph latency in the matrix. Verification itself required the user to type in a large number of characters. For example, in the experiment of [2], a total of more than 1000 words needed to be typed by each claimant. The experiment of [7] required the user to type 300 characters while the second experiment reported in [5] required 537 characters. A static identity authentication system would not be successful if it asked the user to type long strings for reference purposes and another long string every time for verification purposes. Garcia [3] describes a U.S. patent for a method and apparatus for identity verification based on a somewhat different approach. He suggests that the best data for identity verification is derived when an individual types his/her own name since the latencies generated by the user in typing his/her name have been found to be stable and unique. In addition, the name is the easiest password to remember. The first step of the procedure suggested by [:3] involves the user typing his/her name a number of times to provide a vector of mean latencies to be used as a reference. This Garcia calls the electronic signature of the individual. In addition, the covariance matrix of the vectors of reference latencies is computed as a measure of the consistency of the individual’s signature. In computing the vector of mean latencies and the covariance matrix, the outliers are removed. When a person wants to access a computer resource, he is required to identify himself by typing in his/her name. The latency vector of the keystrokes of this name is compared with the reference signature that is stored in the computer. If this claimant’s latency vector 170 Communications of the .4CM and the reference signature are statisticall;y similar, the user is granted access to the system. The hlahalanobis distance function is used to measure the similarity of the two vectors. It is recommended in [3] that if the computed distance measure is more than IOO, the vectors should be considered dissimilar and if less than 50, the vectors should be considered similar. If a value of between 50 and 100 is obtained, it is suggesied that the claimant be required to retype the name. Although no evidence is presented, the suggested procedure is claimed to have an imposter pass rate of 0.01 percent and a false alarm rate of 50 percent. Garcia notes that the thresholds for acceptance and rejection may be altered if one wishes to reduce the false alarm rate and is willing to accept a higher imposter pass rate. Garcia [3] also suggests another procedure which he calls complex discrimination. Rather than using the same string for an individual, complex discrimination involves the individual to type in each of at least 1,000 of the most common words in the English language at least 10 times to provide the reference raw data. Now, for verification, a random phrase is generated by the computer using the common words used in the reference and the user is required to retype that phrase. The latencies recorded by the user are then compared with the latencies stored in the computer and the user is permitted access only if similarity between the latenties is established. No information about the effectiveness of this approach is presented. The approach is of course not practical in most applications since it requires quite a long session to generate the reference data. More recently, another U.S. patent for identity verification has been granted to Young and Hammon [8]. Young and Hammon use the term keystroke dynamics to denote the typing pattern of an individual including features like latencies and keystroke pressures. Although the details of the procedure used in the invention are not described clearly, it is suggested that a plurality of features be used. These could include digraph latency times, time to type in a preclefined number of keystrokes, time to enter some common words [e.g., the, and, for). The identity verifier itself is based on first obtaining reference features (it appears that the features include keystroke latencies and possibly keystroke pressures) about a user and then comparing the vector of these features with similar features extracted from a claimant’s typing session. The comparison is based on computing the Euclidean distance between the two vectors of features. No information is however presented about the effectiveness of the techniques used. Young and Hammon also propose that the identity verifier should typically operate on a continuous basis (this is sometimes called dynamic verification) in contrast to static verification that takes place only once at the start of each login session. Further, it is suggested that the keystroke timing device could be located in the terminal itself and the terminal could send the encoded timing information to the computer that the claimant wishes to access. February 1990 Volume .33 Number 2 Articles In this article, we use an approach for static identity __ verification similar to that used in [3]. Our approach is based on using keystroke information obtained during the login process using a modified login sequence. In addition to using the login name and password, we propose that the user be required to type in two additional strings that are familiar to the user, for example, the user’s first and last names. An identity verifier using the latency information obtained when only user-name and password are used in the login process was found to provide good performance (around 1 percent imposter pass rate), but the additional two strings improved the performance considerably. Although more than four strings may be desirable to obtain accurate information about a user’s keyboard characteristics, we feel a user cannot be expected to type in much more than four strings for verification purposes. Also we believe the information obtained from typing four well-known strings is likely to be more reliable than information obtained from a user typing in a large number of unfamiliar strings since typing familiar strings is less error prone and does not involve difficulties like reading text from paper and therefore provides a more distinct signature. Using the names as additional strings to be typed would provide data obtained from text strings that, for most people, would not change for their life time. Using the name could well be suitable for applications like the ATMs where the user could be asked not only to type in his/her PIN but also his/her name. The results of present study suggest that the combination of the PIN and the keystroke characteristics obtained when the user types in his/her PIN and his/her name could provide a very secure system. IDENTITY VERIFIER The proposed identity verifier uses the following approach. First, for each user, the procedure described below is followed to obtain a reference signature (analogous to a written sample signature) consisting of latency information recorded during the modified login process suggested earlier. Each time the user desires access to the computer system, he/she provides a digital signature (called the test signature or the claimant’s signature) during the Iogin process. The claimant’s identity is verified if this digital signature matches the reference signature stored in the system. To obtain a reference signature, we follow an approach similar to that used by the banks and other financial institutions. A new user goes through a session where he/she provides a number of digital signatures by typing in the four strings several times. Note that in the present environment the digital signature has four components, one component for each string that the user types. The system requires a new user to provide eight reference signatures by typing his/her username, password, first name and last name eight times. The number 8 was chosen to provide sufficient data to obtain an accurate estimation of the user’s mean digital signature as well as information about the variability of his/her signatures. We discuss the impact of February 1990 Volume 33 Number 2 selecting fewer reference signatures in the upcoming section, “Evaluating the Verifier.” A signature or a component of a signature can be visualized by plotting characters typed versus latency times between successive keystrokes. The points thus obtained may be joined to obtain a signature “curve.” In the present system the signature curve has four component curves (one corresponding to each of login name, password, first name, last name). A sample curve for a user with last name “Stephenson” is shown in Figure 1. As illustrated in Figure 1, the first latency time stored is the elapsed time from the keystroke of the first letter to the second. The last latency time shown is the time from the last character to the carriage return. The latency from the time of the prompt to the striking of the first character is discarded as its variance can be high. As noted earlier, the identity verifier would need to compare a test signature provided by the user wishing to access a computer system with the reference signature; allowing access if the test signature is similar to the reference signature. To carry out the comparison, a mean reference signature is first computed by calculating the mean and standard deviation of the 8 values for each latency. For each latency, the mean is then compared with each of the 8 values of that latency and any outliers (datum greater than three standard deviations above the mean) are discarded. This resulted in 0.85 percent of the latencies being discarded, the discards being distributed nearly uniformly over the string. The mean of the remaining values for each latency is now calculated. This process is repeated for each latency of the four login strings to produce four sets of mean latency values for each user. These four sequences (or “curves”) are collectively referred to as the meun reference signature for the user. Some of the reference signatures that had a latency discarded were studied to decide if all latencies from such signatures should be discarded and an additional reference signature requested. We found that the discarded latencies were isolated instances of large variances and the strings containing them usually had acceptable values of other latencies. n <Cb tephenso Last Name FIGURE1. Latency Signature for “Stephenson” Communications of the ACM 171 Articles A suitable technique is now needed for comparing a test signature with the mean reference signature. The approach used by [7.] involves comparing individual latencies of the test signature with mean reference latenties and accepting the test signature as having been verified if more than 60 percent of the test latencies are valid. As discussed earlier, a latency was considered valid if it was within 0.5 profile standard deviations of the mean reference digraph latency. This approach has a major weakness in that some of the latencies in the two signatures being compared could differ substantially but the test signature could still pass the verification test. Empirical investigations were carried out to evaluate the effectiveness of the approach used by [7] in our environment. The parameter values 6.5 and 0.6 used in the test were varied and results studied. Preliminary results suggest that the approach is not particularly reliable for comparing signatures. Another approach of comparing two signatures is to look at each signature as a vector that consists of the set of 4 vectors of latency values. The mean reference signature, M, is then given by: Now comparing M with a test signature, T, involves comparing the two vectors and determining the magnitude of the difference between them. In the ensuing discussion, let M = (ml, rrz2, . . . , m,) and T = (fl, tz, . . . , tn) where n is the total number of latencies in the signature. The present verifier computes the magnitude of the difference between M and T as the & norm: IIM - UI given by: i=n Xl I mi - ti I Although this approach works very well it has a weakness in that it does not take into account the shape of the signature curves. The difference between the shapes of the test and reference signatures could be significant even if the differences in the latency values are small. A more reliable comparison of M and T would probably include some technique of comparing the shapes of the signatures. We discuss some preliminary work on using the slopes of the lines between successive latencies as a measure of shape later in this article. Once the magnitude of the difference between a given T and M has been computed, a suitable threshold for an acceptable size of the magnitude is required. We have chosen to set the threshold for each user based on a measure of the variability of his/her signatures. A user that has little variability in his/her signatures would have a small threshold while another user with large variability should have larger threshold for accepting his/her test signatures. We therefore need to 172 Communications of the ACM comnute a measure of variation between the 8 reference signatures, and the mean reference signature obtained from them as described above. Let the 8 training signatures be, S,, S2, . . . , S,. We calculate ] M - Si ]I1 for i = 1 to 8. The mean and standard deviati.on of these norms are used to decide a threshold for an acceptable norm value of the latency difference vector between a given T and M. If we set the threshold value to be mean plus one standard deviation, we would expect the user to successfully login about 84 percent of the time (a false alarm rate of about 16 perc:ent) assuming that the latency differences between the 6 reference signatures and the mean signature are normally distributed. A threshold value based on two standard deviations should provide a false alarm rate of less than 3 percent although the imposter pass rate wkth a larger threshold would obviously be expected to be larger. The threshold is presently defined as the mean plus one-and-one-half standard deviations. The verification algorithm now works as follows. The claimant attempts a login thereby providing ;a test signature, T, to the system. The norm I] M - 1’ ( 1 is computed and if this norm is less than the thre:;hLold for the user, the attempt is accepted, otherwise it is flagged as an imposter attempt. Figure z shows the four possible judgments of the verifier. EVALUATING THE VERIFIER The verifier was implemented on a SUNe 356 workstation. Thirty-three users with typing speeds, measured when login name/password and name was typed, varying from 14 to 111 wpm participated in the following trials of the authentication algorithm: (1) Each user provided his/her reference s:ignature by typing in their login name, password, first name and last name eight times. (4 Once the reference signature was obtained, each user attempted to log on to his/her own account five times, yielding 165 total self login attempts. The target user data, both reference and self login attempts, were collected during a single session. (3) Six of the above users were randomly selected as targets for the remaining 27 users. Each of the 27 users were allowed five imposter attempts for each of the six target users, yielding 810 imposter login attempts. All of the login information, including passwords, was given to each imposter but the imposters did not witness the target users’ trials. Not all users participating in the above trials knew about the purpose of the trials. One-half of the users were given no information about the verifier or the purpose of the trials. The remaining users were told what the trials were for and how the verifier worked, but were asked to login normally: i.e., they were asked not to try to exploit the verifier by employing unnatuSUN is a registered trademark of SUN Microsystems February 1990 Volume 33 Number 2 Articles user I typing number P 21 . cl , o, 0 1 . , : , , 44 ,a 2 3 4 5 0.17 set authentication threshold: best mlpostcr auempt: 0.80 set 1.42 set worst impaler aUempC 26.33 xc mean impostcr auempc 7.89 set 2- maI false alarms: 0 Attempt II 1 2 3 4 5 FIGURE3. Login Attempts Against User 1 Attempt 6 FIGURE2. Possible Judgments of the Verifier , user 2 typing ral timing quirks that would make their signature extremely difficult to match. The above 975 trials resulted in an imposter pass rate of 0.25 percent (2 out of 810) and a-false alarm rate of 16.36 percent (27 out of 165) over all the trials. How the false alarm rate can be significantly reduced will be discussed later in this article. We now present some results of the trials in detail. Figures 3-8 show results of six users (who were the targets of imposter attempts) logging in as themselves as well as attempts of other users logging in as imposters. Although each of the six users was the target of 27 imposters, we present results of only the eight closest imposters to keep the figures legible. The vertical axes in the graphs indicate jj M - T jjl in seconds. The horizontal axis shows the successive login attempts. Each line plotted depicts the 5 successive login attempts by one of the eight imposters. Each of the figures shows the target user typing rate, the number of characters in the signature, the mean and standard deviation of I( Si - M jjl. the authentication threshold, the best imposter attempt, the worst imposter attempt, the mean imposter attempt, and the number of false alarms and imposter passes. Figures 3-8 summarize results of 840 trials including 30 reference signatures and 810 imposter attempts, with a total of 5 false alarms and 2 imposter passes. This leads to a false alarm rate of 16.67 percent (5 out of 30) and an imposter pass rate of 0.25 percent (2 out of 810). The false alarm rate is high, although it amounts, on the average, to only 1 out of 6 attempts being rejected (and therefore requiring another attempt). This rate can however be reduced. The threshold used in the above trials was the mean plus 1.5 standard deviations. As noted earlier, if the threshold is increased, the imposter pass rate should increase and the false alarm rate should decrease. We have studied the impact of varying the threshold on the false alarm rate and the imposter pass rate, as shown in Figure 9. These results show that the false alarm rate could be reduced substantially without a significant increase in the imposter pass rate if the threshold for verification was increased from 1.5 standard deviations to 2. The imposter pass rate at twoand-one-half standard deviations was still under I per- Volume 33 Number 2 rate: 43wpm numberoichxacten: mean “Si February 1990 0.63 set stdv USi- MII: 1 0 0 70wpm mean IIS - MII: I . 8 I6.5 8 54 0.1 rate: oichamxers: sd” 26 MII: 1.80 set “Si - MII: 0.47 set aud~nticauon threshold: best impster 2.27 set attempt: worst imposer 2.15 see auempt: 30.32 set mean imp-aster aucmpt: kxal false &urns: 01 , , 0 1 2 , 3 Attempt 7.74 xc 1 , . , .’ 4 5 FIGURE4. Login Attempts Against User 2 user 3 typing numkr 5- rate: 52wpm of characters: mean “Si -MI,: 28 1.18 sec. p 4- stdv llSi 8 2 .c 3- authentication tireshold: best imposer attempt: z5 2- z 0 I- MII: 0.50 set worst imposer 1.68 set 1.83 see attempt: 25.42 SW mean imposteraltempt: total false alarms: total imposer O 0 1 2 3 Attempt 4 5 6\ user 7.58 SEX 2 passes: 0 3 FIGURE5. Login Attempts Against User 3 5 - rate: user 4 tvoinn I number mean llSi Mlk 0.07 see authentication tireshold: lxst attempt: wmt impaster imposter mean imposta mti 1 2 3 Attempt 4 5 \ user 0.56 xc 1.47 set auempt: 16.21 set atlempl: 5.73 see iabe alams: total impostcr 22 0.49 set stdv IIS - MII: 0 79wm of characters: 0 passes: 0 4 FIGURE6. Login Attempts Against User 4 cent (7 out of 810) while the false alarm rate fell to 6.67 percent (2 out of 30). A detailed study of the imposter passes and false alarms was carried out. This has led to the following observations: (1) Only two imposters were able to successfully pass as another user. The imposter passes involved a target user (user2) that had the highest authentication Communications of the ACM 173 Articles us1 5 typing rate: 49wpm nt”“kr of Characters: 25 mC-mllSi -MII: Llbsec stdv “Si - MII: 0.43 SCE suthntidon threshold: 1.59 ss best imposta attempt: 1.91 set worst imposta aucmpc 20.05 see mean imp&u auempc 6.23 set lmA falsea!arms: 1 FIGURE 7. Login Attempts Against User 5 FIGURE 8. Login Attempts Against User 6 50 ,..< , .,+,:- I (3) The variation of imposter pass rate and false alarm rate with the number of reference signatures obtained is given in Figure 10. The use of eight reference signatures is supported although the experiments suggest that as few as six reference signatures might be sufficient. Since the reference signatures are signature samples that are used to estimate mean and standard deviations of the signature latencies, to obtain good estimates any fewer than six reference signatures could not be recommended. (4) The experiments support the use of four strings in the signature. If only two strings were used (that is, login name and password), the imposter pass rate was found to be somewhat higher although the false alarm rate at one standard deviation threshold was about the same. Figure 11 shows two- and fourstring login imposter pass rates for thresholds varying from the mean to the mean plus 5 standard deviations. (5) During testing a number of users challenged the authors that they could successfully pass as another user. A number of such users were allowed to login as some other user. These imposter attempts were not organized and therefore detailed results are not presented but it is satisfying to note that all such attempts failed except one imposter who after observing the training session of the target, was able to pass as that user once in 57 attempts. DISCUSSION AND FURTHER AREAS OF RESEARCH imposm 0 pass rate 1 2 3 4 5 Standard deviations abov e the mean FIGURE 9. IPR and FAR versus Threshold threshold (2.27 seconds as compared to 0.80, 1.68, 0.56, 1.59, and 1.51 seconds for the other five users in the group user1 to user6), and in Figure 9, accounts for one-half of the imposter passes at 3 standard deviations, and one-third of the imposter passes at 5 standard deviations. Since the verification threshold was chosen to be one-and-one-half standard deviations away from the mean, a high variation gives imposters an easier target. This is similar to the problems faced by financial institutions when some elderly people and people with physical disabilities are unable to supply a precise signature. In such cases, the verification scheme suggested in this article may be inappropriate and some other means of identity verification could well be required. (2) There was no significant correlation between knowledge of the verifier and the ability of an imposter to match the reference signature of another user. 174 Communications of the ACM An earlier version of this experiment was carried out using 600 imposter login attempts against six users [4]. Although the analysis was not as comprehensive as the results presented here, there are a few points worth noting: l l l The results support those presented here, with a false alarm rate of 13.3 percent (4 out of SO), and an imposter pass rate of 0.17 percent (1 out of 600). Users with “easy-to-type” login sequences were easier targets for imposters than those with more complex typing patterns. Although “easy to type” is difficult to define, short signatures are generally easier targets for imposters. The target of the successful imposter attempt had only 16 characters in the four strings. Imposter login attempts with this user as the target showed the fastest mean typing rate of all imposter attempts, implying that users found the strings relatively easy to type. This is analogous to having a very simple signature that is relatively easy to forge. The difficulty arising from short signatures may be overcome in part by insisting on a minimum total length, and/or a minimum length for each of the four components of the signature. A zero imposter pass rate threshold exists for every target user in both experiments such that the false alarm rate is less than 40 percent (and typically is much lower). This means that there were no ob- February 1990 V olume 33 Number 2 Articles 1 .o Q IPR + FAR 0.5 0.01 2 4 6 a 10 Number of reference signatures FIGURE 10. Impact of Number of Reference Signatures Some preliminary testing has been done on a measure which measures the difference between the values of successive differences in latencies (which could be called “slopes” of the signature curves) in the test signature and the corresponding differences in the mean reference signature. Since we wish to highlight the outstanding differences in slopes as the distinctive features of a digital signature, the differences in the slopes were weighted by the amount of slope change in the reference signature. Let the vector of slopes of the mean reference signature M be denoted as I given by: 1 = (i,, i, . . , in-,), and similarly define J as the vector of slopes of the test signature T as: J = (j,, i, . . I , j,,-,), see Figure 12. A measure of the difference between the shapes of M and T is given by: n-* kx l s * 2 strings + 4 strings (1 ik - jk 1 + = 1 ik+ l max) 1 2 3 4 5 Standard deviations above the mean 6 FIGURE 11. IPR versus Threshold for 2 and 4 String Login served cases where an imposter did better than the target’s best self-login attempt. We now suggest a number of areas of further research. Firstly, a more comprehensive testing of the verifier is needed. Our testing included uses of varying computer literacy and typing abilities, but these were all between the ages of 20-45 years, and all were university students or staff. The “strongest” (i.e., most difficult to replicate) signatures appear to come from the most experienced computer users. A more comprehensive testing should include a wider cross section of users. Secondly, other measures of comparing M and T, and combinations of such measures need to be evaluated. Improving the Performance of the Verifier Although the present verifier is highly reliable with an imposter pass rate of less than I percent, further research is needed to reduce this rate. As discussed earlier, a possible approach to improving the performance of the verifier would be to extend the comparison of the test signature and the mean reference signature to include a comparison of the shapes of the signatures. Handwritten signatures often have outstanding characteristics such as large loops or straight lines that serve as focal points during the identification process. To capture analogous information in a digital signature, we have looked at alternative measures that take this into account. Digital signatures often show sharp changes between successive latencies as a result of an individual’s unique typing pattern. February 2990 V olume 33 Number 2 - jk+l 1 )wk where wk is defined as: wk 0 1 ik+ l - ik ik+ , - I ik) Figure 13 shows the imposter pass rate versus the false alarm rate for this measure over 100 imposter login attempts. Although the results are not quite as good as the total distance measure, we believe it is worthwhile to study the use of the combination of the two tests. Depending on the degree of correlation of the two measures, the combined test may bring the imposter pass rate to below 0.01 percent without increasing the false alarm rate significantly. Knowledge of how the verifier works may be exploited to provide additional security. A user may wish to add unusual timing characteristics to his signature making it very difficult to forge. Timing Accuracy For the verifier to work, it is necessary to obtain accurate timing information with sufficient resolution. On a dedicated machine this may not be a problem, however on a time-sharing system where access may be through a variety of networks and hard/firm/software, sufficiently accurate timing information may be difficult to obtain. The best solution to this, as suggested by [8] would probably be for the keyboard to capture the latencies and transmit this information upon request. Further work is needed to address this problem. Other Uses of the Verifier Although we have only discussed identity verification aspect of the present work, it is likely that the techniques described here would prove useful in detecting whether a user is under the influence of alcohol or other drugs or is excessively tired. It is expected that the signature of a use; would change, possibly substantially, under the influence of drugs although we have not had an opportunity to test this assumption. A mechanism for detecting an intoxicated or tired Communications of the ACM 175 Arf,icles imposter .P 0.6 jl Acknowledgments. The authors wish to thank Cameron Gregory and Jiang Yi for their efforts -in collecting the data, as well as all the users who happ:ily participated in our experiments. We also wish to thank the referees, one of whom made a number of interesting comments. m5 t3 33 0.4 t1 d ml 4A 0.2 0.0 I 0 & 1”3 ii t4 ,:I REFERENCES reference 13 1. Card, SK., Moran, T.P., and Newell, A. The keystroke-level model for user performance time with interactive systems. Commun.ACM 23, 7 (July 1960), 396-409. 2. Gaines, R., Lisowski, W.. Press, S., and Shapiro, N. Ac:.thentication by keystroke timing: Some preliminary results. Rand Report R-256NSF. Rand Corporation, Santa Monica, CA, 1960. 3. Garcia, J. Personal identification apparatus. Patent Number 4,6X,334. U.S. Patent and Trademark Office, Washington, D.C., 1986. 4. Joyce, R.. and Gupta, G. User authentication based sonkeystroke latencies. Technical Report #5, Department of Computer Science, JamesCook University, Australia, 1969. 5. Leggett, J., and Williams, G. Verifying identity via keyboard characteristics. Int. J. Man-Machine Studies 23, 1 (Jan. 1988), 67-76. 6. Leg&t, Williams, G., and Umphress, D. Verification of user identity via keyboard characteristics. In Human Factors in ManagementInformation Systems,J.M. Carey, Ed., Ablex Publishing, Norwood, NJ. 7. Umphress, D., and Williams, G. Identity verification through keyboard characteristics. Int. J Man-Machine Studies 2:;, :I (Sept. 1965), 263-273. 8. Young, J.R.. and Hammon, R.W. Method and apparatus for verifying an individual’s identity. Patent Number 4,605,~~. U.S. Patent and Trademark Office, Washington, DC., 1969. t5 m4 n I e . I S . 1 <CT> FIGURE12. Using Slopes to Measure Distance 60 0 1 2 3 4 5 Standard deviations above the mean 6 FIGURE13. IPR and FAR versus Threshold for Slope Measure user may be of use in security or safety sensitive installations where it may be important that the user (or operator) of the computer system be alert to deal with any emergencies that may arise. CONCLUSIONS We have described an identity verifier that uses keyboard latency information captured during a user’s login process to verify the identity of the user. The verifier described was found to have an imposter pass rate of less than one percent when the imposter knew the target user’s login name, first and last name, as well as the password. We have also reported preliminary results of using a technique based on comparing signature shapes for identity verification. These results are encouraging, suggesting the possibility of combining the two techniques proposed in this article to further reduce the imposter pass rate. 176 Communications of the ACM CR Categories and Subject Descriptors: K.6.m [Management of Computing and Information Systems]: Miscellaneous-security General Terms: Security Additional Key Words and Phrases: Authentication, identity verifi- cation, identification, keystroke latencies - ABOUT THE AUTHORS: RICK JOYCE is a member of the Technica! Staff at AT&T Bell Laboratories. His current research interests include design of client/server based common graphics platform for network operations, and dynamic identity authentication. Author’s Present Address: AT&T Bell Laboratories, 480 Red Hill Road, Middletown, NJ. GOPAL GUPTA is a professor and Head of the Department of Computer Science at James Cook University. Hi:: c.urrent research interests include data structures and database management systems. Author’s Present Address: James Cook University, Department of Computer Science, Townsville, Qld 4811, Australia. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. Februa y 1990 Volume 33 Number 2