In everyday life, authentication means one thing above all: Username and password. Proving that a particular person is really who they say they are takes place as a single event. This system is widely established, whereas alternatives or extensions e. g. continuous authentication on the basis of the typing behavior are still not very widespread.
In this article, we will introduce what continuous authentication via keystroke dynamics is, what the implementation options are, and we will take a closer look at the user side. With a user study, we want to find out how users‘ understanding of continuous authentication can be improved. For this purpose, we provide users with information about deviations in their typing behavior in the form of feedback within an application.
Continuous Authentication
In general, authentication is conventionally divided in these three categories:
- Something that you know: Authentication process is characterized by secrecy or obscurity.
- Something that you have: Authentication process is possible through physical possession e.g. a digital certificate.
- Something you are: Authentication process works with uniqueness to one person e.g. biometric data like fingerprint, voiceprint
The traditional login with a username and password is an example for something that you know. Continuous authentication sees authentication as a process rather than a one-time event at the beginning of a session. It is also referred to as a zero-trust approach, which can protect user accounts and devices from unauthorized access more than the standard login approach by constantly checking for deviation, such as different typing behavior. With this form of authentication, it is obvious to use behavioral biometrics as input for identification, since they can be checked indirectly and continuously. So that means we can classify continuous authentication via keystroke dynamics into something that you are.
A perfectly operating continuous authentication system e.g. using keystroke dynamics is often described like that: A user just sits at the device, starts typing, and the device then recognizes the legitimate user. In this scenario, there are no more passwords that could be stolen or users could forget or lose. For another approach to overcome the disadvantages of the traditional login see this blog by Anna Sinitsyna about passwordless authentication.
Although research has been conducted on the subject of continuous authentication for decades, the methods and concepts are still rare in practical application. This is an indication that one should observe and understand the user side in order to gather insights into what users’ perceptions and opinions are and adapt continuous authentication systems based on this knowledge. But first, we will take a look at several implementation options.
Implementation of Authentication via Keystroke Dynamics
An authentication system working with keystroke dynamics is an identity verification of a user by analyzing a sequence of key events (press, release) and their timings. Keystroke analysis can be divided into five different ways of implementation:
Static at login |
This method verifies the user identity based on the typing behavior for a predetermined text e.g. a known keyword. It can be considered as an additional security layer of the login process. |
Periodic dynamic |
The user is authenticated during a logged in session. The verification process can be intermitted. This method works with any text input of the user. |
Continuous dynamic |
The user is authenticated during the whole session. This method also works with any text input by the user. |
Keyword-specific |
Considering the metrics of specific keywords can be a method which extends the periodic or continuous monitoring. |
Application-specific |
The idea is that different applications develop different keystroke profiles from the same user. This method can also be an extension for periodic and continuous keystroke analysis. |
Analysis of Keystroke Dynamics
There is a variety of possible keystroke metrics to analyse the typing behavior. We introduce the most frequently mentioned terms:
- Digraph latency: Digraph latency measures the delay between a key-up and a subsequent key-down event.
- Trigraph latency: Trigraph latency is an extension of the previous metric to measure the delay between three consecutive key events.
- Flight time: The time between the current key-up and the next key-down, in simple words: The time it takes for the finger to fly from one key to another.
- Dwell time: The time between the current key-down and the next key-up, hence the duration that a finger remains on a key.
- Keyword latency: Keyword latency measures the delay between the key events for a complete word or considers combinations of digraphs or trigraphs within a word-specific context.
- Mean error rate: The mean error rate is not user-specific but it can provide a classification of users in terms of their typing competence. This can be used as a supplementary authentication method.
- Mean typing rate: Users can also be classified in terms of their average typing speed.
Flight time and digraph latency are different terms that describe the same metric. The terms flight time and dwell time refer to the position of the finger in their definitions.
This graphic visualizes digraph latency / flight time, dwell time and trigraph latency based on the typed word AND. At the same time, this case could also be an example of keyword latency with AND as keyword.
All methods and metrics just presented can be implemented on a standard computer without additional hardware. It is also possible to combine or customize different metrics, e.g. instead of using trigraph latency one could implement a tetragraph latency, where four keys in a sequence would be considered or one could also combine the flight time with the following dwell time and consider these time intervals.
There are a few APIs that allow to implement authentication methods via keystroke dynamics, e.g. typingDNA. In a demo you can try out how authentication via typing behavior works. However, typingDNA works with a machine learning algorithm to analyze the typing behavior. It is therefore not obvious how exactly the deviation from the normal typing behavior is measured.
Reauthentication
When considering usability of continuous authentication systems, one important point is the reauthentication process. Reauthentication is necessary if the anomalies in behavioral biometrics exceed a threshold value so that the user can no longer be authenticated as legitimate. Thus, if a legitimate user needs to reauthenticate, the reason for that is a false rejection.
A perfectly working continuous authentication would not need any reauthentication process but a false rejection rate of exactly 0 % is not yet possible and as long as this is the case, we have to deal with reauthentication processes. This process can be annoying for users. There are already approaches which tried to address this problem for example with varying levels of screen transparency prior to a reauthentication event so that needed reauthentication is not that unpredictable.
We also deal with the topic of reauthentication within continuous authentication, but we configure the part after the reauthentication event. We want to find out if feedback information about the reason for a needed reauthentication has positive effects on the user.
Feedback
One could assume that feedback via information about anomalies in the typing behavior given to the users leads to changes in their perception and contributes to a better understanding. To find out if that is true, we developed an online platform (React app with typescript and firebase backend) and conducted a user study. On the website, users could register, log in, and enter a chat where they answered a few questions to the chatbot Monika.
All users were logged out automatically three times while they were in the chat. That means we simulated the reauthentication process. We set this fixed number of reauthentications so that all users would have a similar experience.
The users were divided into two groups to explore the effect of the feedback: One group received feedback information after the reauthentication, the other did not. After logging in again, users from the feedback-group were shown a pop-up window with the information that they were logged out for security reasons and what the deviation in their typing behavior was. The other group did not get this information and was immediately back in the chat.
Here you can see what the pop-up looks like for the users in the feedback-group:
Possible feedbacks were:
- You typed unusually fast.
- You typed unusually slowly.
- You made unusually short pauses between words or sentences.
- You made unusually long pauses between words or sentences.
The feedback was calculated as follows:
In the first message that the user types, the normal typing behavior was observed. After an automatic logout for example during answering the second message a user then received the feedback that was most applicable at the time of the set logout. Therefore the current general mean typing speed and the mean pause length between words and sentences was calculated and compared to the mean typing speed and mean pause length in the first message.
Exploring User Perception and Understanding
Let’s have a look at the results to see to what extent the feedback has an impact. We collected the data in online questionnaires and telephone interviews which the subjects answered after using the website.
User Annoyance
Our thought was that users who got the information about why they were logged out may be less annoyed about the logout. In fact, there is a significant difference between the group that received feedback and the group that did not. However, exactly the opposite is true. People who received feedback were more likely to be annoyed.
There could be several reasons for this. Perhaps it is due to the additional pop-up window that they still have to close in order to return to their task. Maybe it’s because they perceive the feedback as criticism or they don’t know how they could benefit from the information which leads to annoyance.
User Ideas about the Reason for Reauthentication
Subjects in the group which received feedback were more likely to understand that the automatic logout was related to the typing behavior. So the feedback seems to improve understanding in that regard. But how deep or shallow is this understanding? There are about 42 % of the subjects in the feedback-group who have both: The understanding that the logout is connected to the typing behavior and confusion about the feedback. So these people developed a kind of understanding about the authentication method but at the same time they wondered about the feedback and thus didn’t really understand the content of the feedback.
Overall, we can say that feedback improves a shallow understanding. That means, feedback can partly encourage users to better understand that typing behavior is the reason for reauthentication, but this does not mean that they understand how typing behavior can be the reason for reauthentication.
Plausibility of the Feedback
There were 27 % of subjects in the feedback-group that were very confused about the feedback information. The participants gave different reasons why the feedback was not considered credible: Some of them expressed that they had the feeling that the information did not match their pattern. Their gut feeling, so to speak, told them that it was not quite right.
Some subjects that perceived their own typing behavior as normal could simply not imagine that this was a reason for reauthentication. Another observation that is similar to this idea of normal typing behavior is the statement that subjects could not notice any difference. We think that the feeling of implausibility could come from the fact that deviations, which are already decisive for a reauthentication in the keystroke dynamics analysis, are not yet in the perceptible range of human subjects.
A final aspect is reference value: Some subjects expressed the idea that their typing behavior was compared to that of others. When they received feedback that they typed too slowly, they thought this meant in comparison to others and not in comparison to their own typing behavior in the past. One respondent sums up this finding: If I’m slow, is there anyone who can do it faster?
Conclusion
Overall, we can say that there is a connection between the understanding of continuous authentication using keystroke dynamics and feedback: A person who receives feedback is more likely to have the idea that the necessary reauthentication is due to typing behavior. However, it was also found that despite this idea about the typing behavior there was confusion and a lack of understanding about the feedback info among several participants. Thus, we conclude that the feedback may help users to better understand that typing behavior is the reason for the necessary reauthentication, but it doesn’t help to understand it deeply.
In general, the problem of credibility argues that the content of the feedback should be modified and perhaps no longer refer to typing speed. An alternative would be, for example, a more abstract formulation: Your typing behavior has deviated greatly from your usual typing behavior or You have typed more irregularly than usual. Another approach would be, instead of describing the deviation in words, to graphically represent the deviation to increase credibility and improve understanding.
Continuous authentication is still in its infancy despite long research. More focus needs to be placed on usability and practical application. Implementations of continuous authentication are not yet perfect, still have false rejections, and there are too few approaches so that users can better understand the authentication method. As long as that is the case, the password will probably remain the dominant authentication method.
It is important to improve the understanding of users and to take that into account in the implementation. It is well known that users tend to create easily crackable passwords when there are no guidelines during registration on what a secure password looks like. Continuous authentication should learn from these past failures of established authentication methods and take user understanding into account and improve it.
To me, the thought of being identifyable by my typing pattern sounds quite scary. Even when I do not consent to cookies, when I use the private mode of my browser, even when using a different browser a web page is able to identify me.
I’m somewhat comforted by the fact that continuous authentication is still in its infancy. And I’m quite optimistic that it stays that way. That my typing behaviour on a phone differs greatly from that on a laptop. That it differs when I’m tired or in a good mood or when I have a baby on one arm. And that it’s quite simple for a browser to implement anti-tracking measures.
We have only indirectly considered the implications of biometric tracking for privacy, but this is an important aspect.
However, one thing can be stated: Tracking requires a lower level of confidence in biometric matchings. In order to track someone, a much lower probability is sufficient than for secure authentication. So even continuous authentication might not be ready for wide use, biometric tracking might be. Nevertheless, it is doubtful that it works cleanly across multiple devices.