(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 7, October 2010
Minimizing the number of retry attempts in keystrokedynamics through inclusion of error correctingschemes.
Pavaday Narainsamy, Student member IEEE
Computer Science Department,Faculty of EngineeringUniversity Of Mauritiusn.email@example.com
Faculty of EngineeringUniversity of Mauritius
— One of the most challenging tasks, facing the securityexpert, remains the correct authentication of human beings.Throughout the evolution of time, this has remained crucial tothe fabric of our society. We recognize our friends/enemies bytheir voice on the phones, by their signature/ writing on a paper,by their face when we encounter them. Police identify thieves bytheir fingerprint, dead corpse by their dental records and culpritsby their deoxyribonucleic acid (DNA) among others. Nowadayswith digital devices fully embedded into daily activities, nonrefutable person identification has taken large scale dimensions.It is used in diverse business sectors including health care,finance, aviation, communication among others. In this paper weinvestigate the application of correction schemes to the mostcommonly encountered form of authentication, that is, theknowledge based scheme, when the latter is enhanced with typingrhythms. The preliminary results obtained using this concept inalleviating the retry and account lock problems are detailed.
Keywords-Passwords, Authentication, Keystroke dynamics,errors, N- gram, Minimum edit distance.
Although a number of authentication methods exist, theknowledge based scheme has remained the de-facto standardand is likely to remain so for a number years due to itssimplicity, ease of use, implementation and its acceptance. Itsprecision can be adjusted by enforcing password-structurepolicies or by changing encryption algorithms to achievedesired security level. Passwords represent a cheap andscalable way of validating users, both locally and remotely, toall sorts of services [1, 2]. Unfortunately they inherently sufferdeficiencies reflecting from a difficult compromise betweensecurity and memorability.On one hand it should be easy to remember and provideswift authentication. On the other for security purposes itshould be difficult to guess, composed of a special combinationof characters, changed from time to time, and unique to eachaccount . The larger number and more variability in the setof characters used, the higher is the security provided as itbecomes difficult to violate. However such combinations tendto be difficult for end users to remember, particularly when thepassword does not spell a recognizable word (or includes non-alphanumeric characters such as punctuation marks or othersymbols. Because of these stringent requirements, users adoptunsafe practices such as recording it close to the authenticationdevice, apply same passwords on all accounts or share it withinmates.To reduce the number of security incidents making theheadlines, inclusion of the information contained in the“actions” category has been proposed [4, 5]. An intruder willthen have to obtain the password of the user and mimick thetyping patterns before being granted access to systemresources.The handwritten signature has its parallel on the keyboardin that the same neuro-physiological factors that account for itsuniqueness are also present in a typing pattern as detected inthe latencies between two consecutive keystrokes. Keystrokedynamics is also a behavioural biometric that is acquired overtime. It measures the manner and the rhythm with which a usertypes characters on the keyboard. The complexity of the handand its environment make both typed and written signatureshighly characteristics and difficult to imitate. On the computer,it has the advantage of not requiring any additional and costlyequipment. From the measured features, the dwell time andflight times are extracted to represent a computer user. The"dwell time" is the amount of time you hold down a particularkey while "flight time" is the amount of time it takes to movebetween keys. A number of commercial products using suchschemes already exist on the market [6, 7] while a number of others have been rumored to be ready for release.Our survey of published work has shown that suchimplementations have one major constraint in that the typistshould not make use of correction keys when keying in therequired password. We should acknowledge that errors arecommon in a number of instances and for a number of reasons.Even when one knows how to write the word, ones fingers mayhave slipped or one may be typing too fast or pressing keyssimultaneously. In brief whatever be the skills and keyboardingtechniques used, we do make mistakes, hence the provision forcorrection keys on all keyboards. Nowadays, typical of wordprocessing softwares, automatic modification based on storeddictionary words can be applied particularly for long sentences.Unfortunately with textual passwords, the text entered isdisplayed as a string of asterisks and the user cannot spot the