You are on page 1of 9

computers & security 28 (2009) 85–93

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

Keystroke dynamics-based authentication for mobile


devices

Seong-seob Hwang, Sungzoon Cho*, Sunghoon Park


Seoul National University, 599 Gwanangno, Gwanak-gu, Seoul 151-742, Republic of Korea

article info abstract

Article history: Recently, mobile devices are used in financial applications such as banking and stock
Received 26 November 2007 trading. However, unlike desktops and notebook computers, a 4-digit personal identifica-
Received in revised form tion number (PIN) is often adopted as the only security mechanism for mobile devices.
2 June 2008 Because of their limited length, PINs are vulnerable to shoulder surfing and systematic
Accepted 29 October 2008 trial-and-error attacks. This paper reports the effectiveness of user authentication using
keystroke dynamics-based authentication (KDA) on mobile devices. We found that a KDA
Keywords: system can be effective for mobile devices in terms of authentication accuracy. Use of
Mobile device artificial rhythms leads to even better authentication performance.
Keystroke dynamics ª 2008 Elsevier Ltd. All rights reserved.
Artificial rhythms
Tempo cues
Biometrics
User authentication

1. Introduction by International Biometric Group as ‘‘the automated use of


physiological or behavioral characteristics to determine or
Use of mobile devices is diversified more and more (Chen verify identity.’’ Physiological biometrics relies upon a phys-
et al., 2008). Cell phones and personal digital assistants (PDA) ical attribute such as a fingerprint, a face and an iris, whereas
are used for banking and stock trading nowadays. However, behavioral approaches utilize some characteristic behavior,
there are three reasons why security of mobile devices has such as the way we speak or sign our name (Clarke and Fur-
a lot to be desired. First a PIN comprises only four digits, thus, nell, 2005). Clarke and Furnell (2007a) concluded that the two-
the number of candidate passwords is limited to only 10,000 factor authentication, combining PIN code and biometrics,
(from 0000 to 9999). It is much easier for a potential impostor improves the overall reliability of authentication.
to acquire the password by shoulder surfing and systematic Keystroke dynamics-based authentication (KDA) is one of
trial-and-error attacks. Second, mobile devices may be easily biometrics-based authentication methods, motivated by the
lost or stolen because of their small sizes. For example, more observation that a user’s keystroke patterns are consistent
than one million mobile phones are stolen in Europe for and distinct from those of other users. When implemented for
a typical year (Kowalski and Goldstein, 2006). Third, we tend to mobile devices, KDA has the following advantages over other
lend mobile phones easily to other people, thus they are biometrics-based methods. First, most biometrics-based
exposed to a higher risk of surreptitious use. methods require an extra device, e.g. a finger-scanner or an
Recently, biometrics has been proposed to improve the iris-scanner (Clarke and Furnell, 2005), which restricts
security of mobile devices. The term ‘‘biometrics’’ is defined mobility as well as increases cost. On the other hand, KDA

* Corresponding author. Tel.: þ82 2 880 6275; fax: þ82 2 889 8560.
E-mail addresses: hss9414@snu.ac.kr (S.-s. Hwang), zoon@snu.ac.kr (S. Cho), shpark82@snu.ac.kr (S. Park).
0167-4048/$ – see front matter ª 2008 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2008.10.002
86 computers & security 28 (2009) 85–93

requires no additional device. Second, users tend to be reluc-


tant to provide their fingerprints or irises. On the other hand,
a user always has to type his or her password to log in, so
collecting keystroke patterns can be done without causing any
extra inconvenience to the user. Third, a scanned fingerprint
or iris requires a large volume of memory, a higher computing
power and communication bandwidth than keystroke timing
Fig. 1 – A keystroke pattern is transformed into a timing
vectors. The efficiency of KDA is particularly important in
vector when a user types a string ‘‘5805.’’ The duration and
mobile environment which tends to have a smaller memory,
interval times are measured by milliseconds.
a lower computing power and slower wireless Internet than
a PC on the wired Internet.
Behavioral attributes are more subject to deviation from
norms than physical ones. A high variability leads to a high measured by milliseconds. A user can get access only if his
authentication error. The variability is a measure of data timing vector is similar enough to those already registered in
quality. Another measure of data quality is how unique the the server. Thus, he or she can only get access if the password
typing patterns are. The more unique, the less likely the is typed with the correct rhythm.
patterns are similarly replicated by impostors. Recently, arti- Three steps are involved in KDA as illustrated in Fig. 2.
ficial rhythms and tempo cues were proposed to improve the First, a user enrolls his/her keystroke patterns. A keystroke
quality of typing patterns: uniqueness and consistency in pattern is defined as depicted in Fig. 1. A password of m
particular (Cho and Hwang, 2006). Improving the data quality characters is transformed into a (2m  1)-dimensional timing
by decreasing variability and increasing uniqueness helps us vector. A ‘‘duration’’ denotes a time period during which a key
alleviate the weakness of a short PIN. is pressed while an ‘‘interval’’ is a time period between
In this paper, we propose KDA with artificial rhythms and releasing a key and stroking the next key. Second, a classifier
tempo cues for mobile user authentication. To compare is built using the keystroke patterns. The classifier, in a sense,
between ‘‘Natural Rhythm without Cue’’ and ‘‘Artificial is a prototype of the valid user patterns. Third, when a new
Rhythms with Cues,’’ we completed the following tasks. First, keystroke pattern is given, one will reject it as an impostor
we implemented KDA system on a mobile phone which is pattern if the distance between the prototype and the pattern
connected to a remote server through a wireless network. The is greater than some threshold, or accept it as the valid user’s
novelty detector classifier was built since only valid users’ pattern otherwise.
patterns are available in practice. Second, subjects were asked KDA can help us improve security for various services
to perform enrollment, login, and even intrusion to other involving mobile devices (Hwang et al., 2007). Even when an
subjects’ accounts. Whenever a subject types his or her impostor obtains both PIN and the mobile device, KDA can still
password, the typing pattern is collected, sent to a server and prevent him from logging in through the strengthened
stored. Third, a comparative analysis was conducted to verify authentication process. Recently, Clarke and Furnell (2005,
the superiority of artificial rhythms and cues over natural 2007a,b) studied user identification using KDA on mobile
rhythms without cues. We also tested hypotheses to compare devices. They utilized the keystroke of 11-digit telephone
the performance involving different typing strategies. numbers and text messages as well as 4-digit PINs to classify
The organization of this paper is as follows. The following users. Their identification models were based on feed forward
section introduces keystroke dynamics-based authentication multi-layer perceptron (FF-MLP), radial basis function (RBF)
for mobile devices and describes our methods to improve the networks, and generalized regression neural networks (GRNNs).
quality of typing patterns. Section 3 presents the data Our approach is different from that of Clarke and Furnell
collected and experimental results. Finally, conclusions and (2005, 2007a,b) in the following aspects. First, they built
a list of future work are discussed in Section 4. a classifier using impostors’ patterns as well as the valid user’s
patterns. In reality, however, impostors’ patterns are not
available unless the password be disclosed to potential
2. Keystroke dynamics-based authentication impostors and their patterns are collected. Rather, we
for mobile devices employed novelty detection framework where only the valid
user’s patterns are used for training. Second, each user in their
2.1. Keystroke dynamics-based authentication (KDA) experiments enrolled 30 typing patterns. In practice, users
would not endure such a long enrollment procedure. More-
The password-based authentication is the most commonly over, the typing speed on mobile devices is much slower than
used in identity verification. However, it becomes vulnerable that on a local PC. In our study, we collected only five patterns
when the password is stolen. Keystroke dynamics-based from each user for enrollment. We compensated the reduced
authentication was proposed to provide additional security data quantity with improved data quality through use of
(Gaines et al., 1980; Umphress and Williams, 1985). Keystroke artificial rhythms and cues strategy. Third, they utilized
dynamics-based authentication (KDA) is to verify a user’s various patterns such as 4-digit PINs, 11-digit telephone
identity using not only the password but also keystroke numbers, and text messages while we focused only on 4-digit
dynamics. For example, a keystroke pattern is transformed PIN since PIN has been fixed to four digits for decades. Fourth,
into a timing vector when a user types a string ‘‘5805’’ as their subjects used an SW interface developed on a laptop
illustrated in Fig. 1. The duration and interval times are while our subjects used a real mobile phone, which is a third
computers & security 28 (2009) 85–93 87

Fig. 2 – Three steps of KDA framework: enrollment, classifier building, and user authentication.

generation synchronized IMT-2000 cellular system the positions and lengths of pauses. The more combinations
(CDMA2000 1xEV-DO) (Qualcomm). there are, the harder an impostor can guess it correctly.
In order to prevent pauses from being inconsistent, tempo
2.2. Improving data quality cues are provided (Cho and Hwang, 2006). Tempo cues (Fig. 6)
work like a metronome helping the user keep the beat. Given
One way to cope with the lack of data quantity is to improve the tempo beat, the user only needs to remember the number
data quality. Data quality in KDA can be measured in terms of of beats for each pause. Usually, they can be provided in three
uniqueness, consistency, and discriminability (Cho and modes: auditory, visual, and audio-visual. In addition, users
Hwang, 2006). Uniqueness is concerned with how different are allowed to choose the tempo of the cue. It has another
a valid user’s typing patterns used to build a classifier are from advantage of improving uniqueness since only the valid user
those of potential impostors’. Also, consistency is concerned knows the tempo.
with how similar a valid user’s access typing patterns are to Fig. 3 presents the timing vectors of password ‘‘5805’’ from
his enroll typing patterns. Finally, discriminability is con- strategies ‘‘Natural Rhythm without Cue’’ (Fig. 3a) and ‘‘Arti-
cerned with how well access typing patterns and impostor ficial Rhythms with Cues’’ (Fig. 3b). The dotted lines represent
typing patterns could be separated. The definition of the enroll patterns, x, while the solid line represents the
discriminability implies that two possible approaches exist to prototype, m. Note that the timing vectors depicted in Fig. 3
improve discriminability. The first is to improve uniqueness, were normalized, or divided by the two-norm. When
and the second is to improve consistency. comparing timing vectors between strategies, there are
As one way to improve uniqueness, it has been proposed to differences in terms of both uniqueness and consistency.
type a password with artificial rhythms reproducible by the First, observe the intervals between ‘5’ and ‘8’ from ‘‘Artificial
valid user only (Cho and Hwang, 2006). Table 1 represents Rhythms with Cues’’ are very large compared to those from
various artificial rhythms to increase typing uniqueness. In ‘‘Natural Rhythm without Cue.’’ An impostor’s pattern would
this paper, pauses are selected among various artificial be more similar to those from ‘‘Natural Rhythm without Cue’’
rhythms since they are simple and easy to control. A user and it is highly likely to be distinct from those from ‘‘Artificial
inserted a number of intervals where deemed necessary to Rhythms with Cues.’’ Same can be said for intervals between
make the timing vector unique. As shown in Fig. 3, ‘‘5805’’ can ‘0’ and ‘5.’ Thus, long intervals improve uniqueness of a user’s
be typed as ‘‘5_ _ _80_ _5’’ with a three beat long pause between patterns. Second, observe that the differences between the
‘5’ and ‘8’, and another two beat long pause between ‘0’ and ‘5.’ enroll patterns and the prototype are smaller from ‘‘Artificial
There are many combinations of inserting pauses in terms of Rhythms with Cues’’ than from ‘‘Natural Rhythm without

Table 1 – Various artificial rhythms.


Artificial Rhythms Advantages Disadvantages Remedies

Pauses Flexible Inconsistent when long Use of cues


Musical rhythm Consistent, Easy to remember Rhythmical sense required
Staccato Consistent Limited
Legato Consistent Limited, Exact duration Use of cues
Slow tempo Flexible Inconsistent Use of cues
88 computers & security 28 (2009) 85–93

Fig. 3 – Timing vectors of a password ‘‘5805.’’

Cue.’’ Tempo cues improved the consistency of the patterns the FRR and the FAR are equal. In practice, a threshold has to
from ‘‘Artificial Rhythms with Cues.’’ be decided empirically. For a more detailed discussion of
proper threshold selection, see Fawcett (2006). Without KDA,
2.3. Mobile application an impostor could login as a valid user if he knows the pass-
word, FAR ¼ 100% results. On the other hand, the valid user
The experiments were performed on the third generation will always be able to log in, which corresponds to FRR ¼ 0%,
synchronized IMT-2000 cellular system (CDMA2000 1xEV-DO) i.e., FAR ¼ 100% and FRR ¼ 0%.
(Qualcomm). The mobile device used is SAMSUNG SCH-V740
(Korean model number; Samsung Electronics website) as
shown in Fig. 4. The software authentication module was 3. Performance evaluation
implemented in WIPI (wireless Internet platform for interop-
erability), developed by the Mobile Platform Special Subcom- 3.1. Data collection
mittee of the Korea Wireless Internet Standardization Forum
(KWISF). These are standard specifications necessary for A total of 25 users aged from 22 to 33 (the average is 25.3)
providing an environment for mounting and implementing participated in our experiment in July 2006. In the experiment,
applications downloaded via the wireless Internet on the a 4-digit numeric PIN was used. Two strategies were
mobile communication terminal. For more details, see the employed: ‘‘Natural Rhythm without Cue’’ and ‘‘Artificial
WIPI website. Rhythms with Cues.’’ The same password for each user was
Any user authentication including KDA has two types of used in both strategies. Each user enrolled five typing patterns
error, i.e. false acceptance rate (FAR) and false rejection rate for each strategy. After enrollment, each user made 30 login
(FRR) (Golarelli et al., 1997). One type of error can be reduced at attempts using each strategy. Users were also given pass-
the expense of the other by varying a threshold. Thus, in order words of other users and told to act as ‘‘impostor’’ to those
to avoid effects of arbitrary threshold selection, the models passwords, i.e., typing it twice each. Since there are 24 ‘‘other’’
were compared in terms of the equal error rate (EER) where users, each user typed passwords 48 times. In summary, for

Fig. 4 – Mobile phone used in the experiment: SAMSUNG SCH-V740.


computers & security 28 (2009) 85–93 89

Fig. 5 – User interface for a virtual stock exchange.

each password, we collected five enroll typing patterns, 30 candidate passwords used for the mobile handset is only
legitimate access typing patterns, and 48 impostor typing 10,000 (from 0000 to 9999). It is not difficult to guess a PIN
patterns. because an impostor might know the owner’s birth date or
The data above were collected from a scenario involving telephone number, and a PIN easy for one person to type
a virtual stock exchange (Fig. 5). A user designs one’s own would be also easy for another to type. For ‘‘Typing Hands,’’
artificial rhythm (Fig. 3) and chooses the type of tempo cues (see the fifth column of Table 2), 68% indicated ‘‘both hands’’
(Fig. 6). The tempo of the cue was fixed to 500 ms for while 32% indicated ‘‘one hand.’’ This implies that each user
convenience. might have a particular way to type on a mobile device as on
All users were asked the reason why a particular password a keyboard.
was chosen (Table 2). There are three different kinds of
reasons (see the fourth column of Table 2) for selecting 3.2. Experimental results
a password. First, familiar numbers were chosen such as
favorite combination, birth date, or telephone number. We introduced artificial rhythms and cues to improve data
Second, numbers that are easy to remember were selected. quality. Thus, we have to show from experiments that the
For instance, both users 09 and 19 chose ‘‘2580’’ because that quality actually improved. Hwang et al. (submitted for publi-
is an ‘‘easy’’ number for them although with different reasons. cation) showed that typing patterns from ‘‘Artificial Rhythms
The number keys used in ‘‘2580’’ are located in the middle with Cues’’ were significantly more unique and consistent
column of a keypad on the mobile phone, so it is easy to type. than those patterns from ‘‘Natural Rhythm without Cue.’’
‘‘2580’’ is also the title of a very popular TV investigative show Thus, we instead here show that the authentication accuracy
in Korea, similar to ‘‘60 Minutes’’ in the US. Thus, it is easy to improves.
remember. Third, certain passwords were chosen for no Table 3 presents the authentication results from two
particular reason at all. Of all users, 44% indicated ‘‘Famil- strategies ‘‘Natural Rhythm without Cue’’ and ‘‘Artificial
iarity,’’ and 32% indicated ‘‘Ease,’’ while only 24% indicated Rhythms with Cues.’’ Out of 25 users, 19 users’ EER decreased
‘‘Randomness.’’ This clearly suggests that introduction of 19% on average while six users’ EER increased 4% on average.
artificial rhythms and tempo cues could enhance security. Four users’ EER decreased to zero. Especially, the EERs of user
A PIN has been fixed to 4-digits for decades and the number of 03 and 14 were dramatically decreased, both from 40% to 0%
90 computers & security 28 (2009) 85–93

Table 2 – User passwords and answers to questionnaire


(R [ randomness, F [ familiarity, E [ ease).
User Age Password Selection Use of Elapsed time
reason hand(s) (natural
rhythm)
(ms)

01 23 1223 R Both 1163


02 24 3143 R Both 832
03 23 0083 F (favorite #) Both 1408
04 23 1472 F (favorite #) Both 1017
05 28 7118 F (phone #) þ E One hand 897
06 23 7265 R Both 921
07 30 2385 F (phone #) Both 812
08 25 5805 F (phone #) Both 1442
09 24 2580 F (favorite #) þ E One hand 1013
10 28 3784 R One hand 1755
11 24 3579 F (a sequence One hand 1069
of odd #)
12 22 1379 E Both 671
13 25 0822 R One hand 1357
14 27 4569 R Both 1276
15 23 0203 F (birth date) Both 1222
16 24 1004 R Both 794
17 24 5472 R Both 2151
18 23 3887 F (privacy) One hand 792
19 28 2580 E Both 906
20 23 2220 E One hand 870
21 33 1133 E Both 675
22 25 1258 F (phone #) One hand 1105
23 27 5262 E Both 1020
24 30 1125 E Both 739
25 24 0305 F (birth date) Both 632

Fig. 6 – Various tempo cues. three lines change in (b). Both login and enroll distances are
very small while impostor distances are quite large. This
separation of login distances from impostor distances
accounts for perfect discrimination between legitimate user
and 34% to 0%, respectively. The overall EER decreased from
and impostors.
13% to 4% by using ‘‘Artificial Rhythms with Cues.’’
Recently, Hwang et al. (submitted for publication) found
Fig. 7 shows a detailed picture of what really happened.
that artificial rhythms and cues were particularly useful to
First, note that the classifier in our study is a very simple
distance based one. A prototype of a user’ enroll patterns is
calculated and stored. When a new keystroke pattern is pre-
sented, the distance between the pattern and the prototype is
computed. If it is small enough, access is granted. If not, it is Table 3 – The equal error rate (%) from two strategies.
not granted. In order to gain good authentication perfor- User Natural Artificial User Natural Artificial
mance, three conditions have to be met. First, enroll patterns Rhythm Rhythm Rhythms Rhythms
have to be consistent, or the ‘‘enroll distances’’ between the without with without with
prototype and the enroll patterns have to be small. Second, Cue Cues Cue Cues
login patterns have to be close to the enroll prototype, or the User 01 14 0 User 15 18 4
‘‘login distances’’ between the enroll prototype and the login User 02 0 3 User 16 6 3
patterns have to be small. Third, enroll patterns have to be User 03 40 0 User 17 8 11
unique, or the ‘‘impostor distances’’ between the enroll User 04 15 2 User 18 6 4
User 05 0 4 User 19 30 3
prototype and impostor patterns have to be large better. User
User 06 16 3 User 20 4 3
03 reduced EER dramatically through use of ‘‘Artificial User 07 4 0 User 21 12 15
Rhythms and Cues.’’ Thus, we show in Fig. 7 the cumulative User 08 18 2 User 22 28 8
distributions of the three kinds of distances, ‘‘enroll,’’ ‘‘login,’’ User 09 6 3 User 23 8 4
and ‘‘impostor.’’ In (a), login distances (black) are larger than User 10 5 3 User 24 21 2
enroll distances (blue), which means the user’s login patterns User 11 18 3 User 25 1 3
User 12 0 7 Average 13 4
are somewhat different from the enrolled patterns. The real
User 13 23 8 Min 0 0
reason for user 3’s large error comes from the fact that
User 14 34 0 Max 40 15
impostor distances are not large (red). Now see how these
computers & security 28 (2009) 85–93 91

Table 5 – The average EERs (%) with respect to the


properties involving ‘‘Password Selection Reason’’ and
‘‘Typing Hands.’’
Section Natural Artificial Frequency
Rhythm Rhythms
without with Cues
Cue

Password Familiarity 14 3 11/25


Selection Ease 10 5 8/25
Reason Randomness 13 4 8/25
One hand vs. One hand 11 4 8/25
both hands Both hands 14 4 17/25

difference between typing hands. Also, when the users


employed ‘‘Artificial Rhythms with Cues,’’ average EER was
less than 5% for all cases. These results are comparable to
those reported in Hwang et al. (submitted for publication)
where authentication accuracy was greatly improved with
a PC keyboard by employing ‘‘Artificial Rhythms and Cues.’’
We tested hypotheses to compare the performance
Fig. 7 – Cumulative distributions of ‘‘enroll’’ (black), ‘‘login’’
involving different passwords and different typing strategies.
(blue), and ‘‘impostor’’ (red) distances when (a) ‘‘Natural
Specific hypotheses and p-values are summarized in Table 6.
Rhythm without Cue’’ and (b) ‘‘Artificial Rhythms with
Only the 1st H1 hypothesis was accepted with p-value of 0.0002
Cues’’ strategies were employed, respectively.
while all the others were rejected. The results indicate that the
EERs using ‘‘Artificial Rhythms and Cues’’ clearly decreased
compared to that using ‘‘Natural Rhythm without Cue.’’ We
poor typists in desktop keyboard environment. We now concluded that the effect of either ‘‘Password Selection
investigate if this is also true in mobile device environment. Reason’’ or ‘‘Typing Hands’’ was negligible on the
We call a user as a ‘‘poor typist’’ if his average elapsed time
with ‘‘Natural Rhythm without Cue’’ is greater than 1 s or as
a ‘‘good typist’’ otherwise. We identified 13 poor typists out of
Table 6 – Hypotheses and p-values involving password
25 users. The average EERs with respect to typing ability are
and typing hand(s).
shown in Table 4. For the good typists, the average EER from
Hypothesis H1 hypotheses p-Value
‘‘Natural Rhythm without Cue’’ was 8% while that from
‘‘Artificial Rhythms with Cues’’ was 4%. On the other hand, for Typing strategy The average EER involving 0.0002
the bad typists, the average EER from ‘‘Natural Rhythm ‘‘Artificial Rhythms with Cues’’
without Cue’’ was 18% while that from ‘‘Artificial Rhythms is lower than that involving
‘‘Natural Rhythm without Cue.’’
with Cues’’ was 4%. Although the poor typists yielded much
For natural rhythms, the 0.2339
higher error rates when ‘‘Natural Rhythm without Cue’’ was average EER of ‘‘Ease’’ is lower
used, they became comparable to the good typists when than that of ‘‘Familiarity.’’
‘‘Artificial Rhythms with Cues’’ was used. Clearly, artificial Natural rhythms For natural rhythms, the 0.2754
rhythms and cues are particularly beneficial to the users with average EER of ‘‘Ease’’ is lower
a poor typing ability in mobile user authentication. than that of ‘‘Randomness.’’
Table 5 compares the average EERs for different password For natural rhythms, the 0.4576
average EER of ‘‘Familiarity’’ is
selection reasons and ‘‘Typing Hands.’’ For ‘‘Password Selec-
lower than that of
tion Reason,’’ the average EER of ‘‘Ease’’ was the lowest from ‘‘Randomness.’’
‘‘Natural Rhythm without Cue.’’ However, there was little For artificial rhythms, the 0.1243
difference among password selection reasons. When the average EER of ‘‘Ease’’ is lower
users employed ‘‘Artificial Rhythms with Cues,’’ average EER than that of ‘‘Familiarity.’’
was less than 5% for all cases. For ‘‘Typing Hands,’’ we Artificial rhythms For artificial rhythms, the 0.3075
average EER of ‘‘Ease’’ is lower
observed essentially the same trend. There was little
than that of ‘‘Randomness.’’
For artificial rhythms, the 0.2636
average EER of ‘‘Familiarity’’ is
Table 4 – The average EER(%) for different typing ability lower than that of
and strategy. ‘‘Randomness.’’
Typing hand For ‘‘Typing Hand(s),’’ 0.2409
Natural Rhythm Artificial Rhythms
‘‘Artificial Rhythms with Cues’’
without Cue with Cues
are beneficial to users who
Good typists 8 4 typed using both hands.
Poor typists 18 4
A bold figure indicates an accepted hypothesis.
92 computers & security 28 (2009) 85–93

Table 7 – Comparing the performance with related works.


Input string Feature Artificial Rhythms No. of patterns for EER (%)
with Cues training (or validation)

Clarke and Furnell 4-Digit PIN Inter-keystroke latency No 30 9–16


(2005, 2007a,b) 11-Digit number Inter-keystroke latency No 30 5–13
6-Digit text msg. Inter-keystroke latency No 30 15–21
Hwang et al. (2007) 4-Digit PINs Duration and interval No 5 13
4-Digit PINs Duration and interval Yes 5 4

authentication. It was found from the results that the use of references
‘‘Artificial Rhythms with Cues’’ improves the accuracy for user
authentication.
Table 7 compares the performance with related works. The Chen GD, Chang CK, Wang CY. Ubiquitous learning website:
experiments of Clarke and Furnell (2005, 2007a,b) involving 4- scaffold learners by mobile devices with information-aware
digit PINs resulted in EERs ranging from 9% to 16%. When the techniques. Computers & Education 2008;50(1):77–90.
users adopted the ‘‘Natural Rhythm without Cue,’’ we Cho S, Hwang S. Artificial rhythms and cues for keystroke
dynamics-based authentication. Lecture Notes in Computer
obtained the EER of 13%, which is similar to the ones from
Science (LNCS) 2006;3832:626–32.
Clarke and Furnell. When they employed ‘‘Artificial Rhythms Clarke N, Furnell S. Authentication of users on mobile telephones
with Cues,’’ however, we found that the error was reduced to – a survey of attitudes and practices. Computers & Security
3%. Given the very small number of patterns for training (or 2005;24(7):519–27.
validation), we found that ‘‘Artificial Rhythms with Cues’’ did Clarke N, Furnell S. Advanced user authentication for mobile
improve authentication accuracies significantly. devices. Computers & Security 2007a;26(2):109–19.
Clarke N, Furnell S. Authenticating mobile phone users using
keystroke analysis. International Journal of Information
Security 2007b;6(1):1–14.
4. Discussion and conclusions Fawcett T. An introduction to ROC analysis. Pattern Recognition
Letters 2006;27(8):861–74.
For decades, the mobile environment has stabilized with Gaines R, Lisowski W, Press S, Shapiro N. Authentication by
stunning speed. Accordingly use of mobile devices, such as keystroke timing: some preliminary results. Rand Report
R-256-NSF. Rand Corporation; 1980.
cell phones and personal digital assistants (PDAs), is diversi-
Golarelli M, Maio D, Maltoni D. On the error reject trade-off in
fied. However, PINs are still adopted as the only security
biometric verification systems. IEEE Transactions on Pattern
mechanism for those mobile devices. Because of their limited Analysis and Machine Intelligence 1997;19(7):786–96.
length and alphabet, PINs are susceptible to shoulder surfing Hwang S, Cho S, Park S. Mobile User authentication using
and systematic trial-and-error attacks. This paper investi- keystroke dynamics analysis. In: Proceedings of the Korean
gated the effectiveness of user authentication using keystroke Operations Research and Management Science Society
dynamics-based authentication (KDA) on mobile devices. In (KORMS) conference, Seoul, Korea, 17 November, 2007; 2007a,
p. 652–655.
particular, we utilized artificial rhythms and tempo cues to
Hwang S, Lee H, Cho S. Improving authentication accuracy using
overcome problems resulting from short PIN length. Through
artificial rhythms and cues for keystroke dynamics-based
the experiments involving human subjects, we found that the authentication, submitted for publication.
proposed strategy reduced the error from 13% to 4%. International Biometric Group. How is biometrics defined? http://
A few limitations and future directions need to be www.biometricgroup.com/reports/public/reports/biometric_
addressed. First, comparison research for various mobile definition.html.
devices is needed to enhance the usability of KDA. Second, we Kowalski S, Goldstein M. Consumers awareness of, attitudes
towards and adoption of mobile phone security. In: 20th
have to apply to a more diverse group of users. Although most
international symposium on human factors in
people make use of mobile devices, various usage-patterns telecommunication, Sophia-Antipolis, France, 20–23 March
may exist. Third, we measured performance in terms of EER. 2006.
Thus, the error rates presented in the paper should be taken Qualcomm. CDMA2000 1xEV-DO overview. Available from: http://
only as a reference. In practice, depending on applications, www.cdmatech.com/download_library/pdf/QCOM_1xEV-DO.
FAR may be more important than FRR or vice versa. The issue pdf.
SAMSUNG Electronics website. http://www.samsung.com.
could be addressed by proper threshold selection.
Umphress D, Williams G. Identity verification through keyboard
characteristics. International Journal of Man Machine Studies
1985;23:263–73.
Acknowledgement WIPI website. http://www.wipi.or.kr/English/index.html.

This work was supported by grant no. R01-2005-000-103900- Seong-seob Hwang is currently a PhD candidate in the
0 from Basic Research Program of the Korea Science and Department of Industrial Engineering, Seoul National
Engineering Foundation, the Brain Korea 21 program in 2006 University, Korea. Before entering graduate school, He worked
and partially supported by Engineering Research Institute of as a system engineer at SAMSUNG SDS. His research interests
SNU.
computers & security 28 (2009) 85–93 93

include data mining, pattern recognition, and their journals and proceedings. He also holds a US patent and
applications. a Korean patent concerned with keystroke-based user
authentication.
Sungzoon Cho is a professor in the Department of Industrial
Engineering, College of Engineering, Seoul National Univer- Sunghoon Park received BS of Computer Science in 2005, and
sity, Korea. His research interests are neural network, pattern is currently a PhD candidate in the Department of Industrial
recognition, data mining, and their applications in various Engineering, College of Engineering, Seoul National Univer-
areas such as response modeling and keystroke-based sity, Korea. His research interests include financial engi-
authentication. He published over 100 papers in various neering and marketing applications.