AI-based typing biometrics might be authentication's next big thing

Advances in machine learning pave the way for typing-based authentication services like TypingDNA

Research in the field of keystroke dynamics spans decades.
Martyn Williams/IDG

Identifying or authenticating people based on how they type is not a new idea, but thanks to advances in artificial intelligence it can now be done with a very high level of accuracy, making it a viable replacement for other forms of biometrics.

Research in the field of keystroke dynamics, also known as keyboard or typing biometrics, spans back over 20 years. The technique has already been used for various applications that need to differentiate among computer users, but its widespread adoption as a method of authentication has been held back by insufficient levels of accuracy.

Keystroke dynamics relies on unique patterns derived from the timing between key presses and releases during a person's normal keyboard use. The accuracy for matching such typing-based "fingerprints" to individual persons by using traditional statistical analysis and mathematical equations varies around 60 percent to 70 percent, according to Raul Popa, CEO and data scientist at Romanian startup firm TypingDNA.

Some vendors have invested a lot of money over the past 10 years in an attempt to improve the precision of typing biometrics, but true success has only been achieved over the past two or three years due to advances in machine learning, Popa said.

Popa's company has used these advances to develop AI-powered typing pattern recognition technology that it claims has an accuracy of more than 99 percent and can even reach 99.9 percent when there is a sufficiently large typing profile built for the user over time.

The technique involves recording small pieces of information about how users type, like the time it takes them to move from one key to another or the length of time they keep each key pressed. This is used to create unique typing patterns that are represented as feature vectors made up of 320 values.

TypingDNA's technology only records statistics about the 44 most used keys on a keyboard and doesn't record sequences between two or more keys because such information could potentially be used to reconstruct text.

Keystroke recognition is not meant to replace passwords or to be used alone as a method of authentication. Instead, it can be used in a multifactor authentication system and is easier to implement than other forms of biometric verification.

To use fingerprint, face or voice recognition, websites have to ask users for access to their microphones, webcams or fingerprint readers. Gathering the data needed to build typing patterns, however, can be done from JavaScript with no additional permissions other than what websites already have by default inside browsers.

In order to build typing profiles, TypingDNA's technology needs users to type a minimum of 60-70 characters, but this can vary depending on what the service is being used for, according to Popa.

For example, an application that needs to check a user's identity more frequently can use a longer text of 170-180 characters for initial enrollment and then use shorter texts when performing verification. Meanwhile, for applications that rarely need to verify the user's identity -- for example for password reset attempts -- the enrollment can be shorter and the verification text much longer.

Since different applications have different requirements, the error threshold can also be adjusted to suit the application owners' needs, helping them find the right balance between usability and accuracy. For example, an e-learning platform that uses typing biometrics to ensure that the people taking online exams are the actual account holders might have an acceptable error rate that's higher than a bank that wants to use typing biometrics for transaction authorization.

Tricking one or several typing recognition algorithms is technically possible using various techniques, Popa said. That's why TypingDNA uses 10 different algorithms in parallel so that the system is more resilient against potential fraud attempts, he said.

Ultimately though, typing patterns are as vulnerable to cloning as other types of biometrics. Just as attackers can copy someone's fingerprint, record their voice or obtain a high-resolution picture of their face, it is theoretically possible to record how someone types over a long period of time and then replicate that to defeat typing-based verification.

One common question that often comes up when discussing typing biometric technologies is how they handle various incidents that can affect the user's style of typing. For example, when users are inebriated or experience dizziness, they'll probably type slower and make more errors, which changes their typing profiles. Accidents can also temporarily leave users unable to type normally with one of their hands.

According to Popa, TypingDNA's system is smart enough to figure out when a user continues to type normally on one half of the keyboard and differently on the other half, which suggests that they have a problem with one of their hands. A lower score on one half of the keyboard can be compensated by asking the user to type a longer text so that more data from the unaffected half is collected.

In cases where the overall typing style changes too much, authentication success or failure depends on the configured accuracy threshold.

To account for smaller changes in a person's typing over time, the system can also perform so-called continuous enrollment, where the user's typing profile is enriched with new typing information collected over time. For example, new data collected from every typed verification text can be used to refresh the user's stored typing pattern.

TypingDNA provides access to its typing-based authentication service through an API (application programming interface) and developers can add the functionality into their web apps through a software development kit.

Trying out the service is free for the first 1,000 authentication requests. Beyond that users have to buy prepaid packages that include basic and professional plans and a variety of pricing tiers. For example, a basic package for 5,000 requests is priced at $99 and a basic package for 50,000 requests is priced at $999. The company plans to add a monthly subscription plan, but for now you can only buy these prepaid packages and add more credit when you reach the limit. API access is available through the firm's website and the company says it works for users typing in any language.

The company is also developing an application for desktops and laptops that performs "continuous authentication." The application sits in the background and learns the computer owner's typing patterns. It can then quickly lock out any unauthorized user who tries to use the computer when it's left unlocked and unattended.

Typing pattern analysis can also have applications beyond authentication. TypingDNA is currently conducting research into the area of user profiling and has built an experimental system that attempts to determine a person's gender, age, IQ, openness and personality (Myers–Briggs Type Indicator) based on how they type.

The large number of data breaches announced by online service providers over the past few years is a clear indication that password-based authentication is no longer enough. Two-factor authentication systems, often based on one-time-use codes sent via text messages or generated by mobile apps, have now become the norm.

But SMS is not a secure channel for transmitting authentication codes and users might not always have their mobile phones with them. AI-powered typing biometrics could be a viable alternative for the web, much more so than other forms of biometrics that require special access to peripheral devices.


Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)