Rick Joyce
Abstract
The variables that help make a handwritten signature a unique human identifier also provide a unique digital signature in the form of a stream of latency periods between keystrokes. This article describes a method of verifying the identity of a user based on such a digital signature, and reports results from trial usage of the system.
- 1 Card, S.K., Moran, T.P., and Newell, A. The keystrok,-level model for user performance time with interactive systems. Commun. ACM 23, 7 (July 1980), 396-409. Google Scholar
Digital Library
- 2 Gaines, R., Lisowski, W., Press, S., and Shapiro, N. Authentication by user performance time with interactive systems. commun. ACM NSF. Rand Corporation, Santa Monica, CA, 1980.Google Scholar
- 3 Garcia, J. Personal identification apparatus. Patent Number 4,621,334. U.S. Patent and Trademark Office. Washington. D.C. 1986.Google Scholar
- 4 Joyce, R., and Gupta, G. User authentication based on keystroke latencies. Technical Report #5, Department of Computer Science, james Cook University, Australia, 1989.Google Scholar
- 5 Leggett, J., and Williams, G. Verifying identity via keyboard characteristics. Int. J. Man-Machine Studies 23, 1 (Jan. 1988), 67-76. Google ScholarDigital Library
- 6 Leggett ,williams,G. and Umphress, D.Verification of user identity ia keyboard characteristics. In Human Factors in Management Information Systems, J.M. Carey, Ed., Ablex Publishing, Norwood, NJ. Google ScholarDigital Library
- 7 Urnphress, D., and Williams, G. Identity verification through keyboard characteristics. Int. J. Man-Machine Studies 23, 3 (Sept. 1985), 263-273.Google Scholar
- 8 Young, J.R., and Hammon, R.W. Method and apparatus for verifying an individual's identity. Patent Number 4,805,222. U.S. Patent and Trademark Office, Washington, D.C., 1989.Google Scholar
Index Terms
- Identity authentication based on keystroke latencies
Recommendations
Identity-Based signcryption from identity-based cryptography
WISA'11: Proceedings of the 12th international conference on Information Security ApplicationsA signcryption scheme encrypts and signs data in a single operation which is more efficient than using an encryption scheme combined with a signature scheme. Identity-based cryptography (IBC) does not require users to pre-compute key pairs and obtain ...
Multi-use unidirectional identity-based proxy re-encryption from hierarchical identity-based encryption
At ACNS 2007, Ateniese and Green proposed the concept of ID-based proxy re-encryption (IBPRE), where a semi-trusted proxy with some information (a.k.a. re-encryption key), can transform a ciphertext under an identity to another ciphertext under another ...
Fuzzy identity based signature with applications to biometric authentication
We introduce a new cryptographic primitive which is the signature analog of fuzzy identity based encryption (FIBE). We call it fuzzy identity based signature (FIBS). It possesses similar error-tolerance property as FIBE that allows a user with the ...
Reviews
Stanley A. Kurzban
The authors present a thorough and useful description of their work on the use of keystroke latencies (the intervals between successive ke ystrokes) to authenticate the identity of a computer user. Their approach requires each user to enter four strings at logon: identifier, password or personal identification number (PIN), first name, and last name. The experiments employed relatively few people with many shared characteristics: they were “university students or staff” and “between the ages of 20 [and] 45.” With this limited population, they were able to achieve simultaneous error rates of 1 percent false acceptances, representing successful impersonations, and 7 percent false rejections, representing unsuccessful accurate claims of identity. The authors say, “A false alarm rate of 5 percent could well be acceptable since it would be nothing more than a nuisance in that a genuine user would, on the average, fail to get access to the system 1 out of 20 attempts.” This contradicts McEnroe and Verschoor [1], who report that false rejection is more important than false acceptance in the very industry—banking—that is the authors' focus. The authors apparently give little weight to the likelihood that users whose integrity computers seemed to question might take their accounts to places where the computers' behavior was less offensive. They recommend use of keystroke latencies in conjunction with “secret information.” This would permit tuning of their method to a rather higher false acceptance rate and a more user-friendly false rejection rate, while the password was used to reduce the number of false acceptances permitted by the two methods together. They do not provide data on simultaneous error rates for such a combination. A significant problem the authors mention is capture of timing data from devices attached to a time-sharing system. The solution they mention, borrowed from a patent, is capture of timing data within a terminal. The authors say that keystroke latencies are among “actions,” such as signature dynamics, that can contribute to identity authentication. Other authors use the term “biometric” to refer to both actions and what Joyce and Gupta call “physiology,” such as voice, then evaluate each biometric technique against all the others. By distinguishing between actions and physiology and saying, inaccurately, “To date, the `actions' category has been virtually ignored,” the authors place their method in a category by itself and avoid having to make such useful comparisons.
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments