Computing Reviews
Identity authentication based on keystroke latencies
Joyce R., Gupta G.  Communications of the ACM 33 (2): 168-176, 1990. Type: Article
Date Reviewed: Sep 1 1990

The authors present a thorough and useful description of their work on the use of keystroke latencies (the intervals between successive keystrokes) to authenticate the identity of a computer user. Their approach requires each user to enter four strings at logon: identifier, password or personal identification number (PIN), first name, and last name. The experiments employed relatively few people with many shared characteristics: they were “university students or staff” and “between the ages of 20 [and] 45.” With this limited population, they were able to achieve simultaneous error rates of 1 percent false acceptances, representing successful impersonations, and 7 percent false rejections, representing unsuccessful accurate claims of identity. The authors say, “A false alarm rate of 5 percent could well be acceptable since it would be nothing more than a nuisance in that a genuine user would, on the average, fail to get access to the system 1 out of 20 attempts.” This contradicts McEnroe and Verschoor [1], who report that false rejection is more important than false acceptance in the very industry--banking--that is the authors’ focus. The authors apparently give little weight to the likelihood that users whose integrity computers seemed to question might take their accounts to places where the computers’ behavior was less offensive. They recommend use of keystroke latencies in conjunction with “secret information.” This would permit tuning of their method to a rather higher false acceptance rate and a more user-friendly false rejection rate, while the password was used to reduce the number of false acceptances permitted by the two methods together. They do not provide data on simultaneous error rates for such a combination.
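The trade-off between false acceptances and false rejections discussed above can be seen by sweeping the decision threshold of a latency-based verifier. This is an added example, not code from the paper or from the review; the latency vectors are constructed, and the mean profile with a summed-absolute-difference distance is an assumption, since the review does not state how the authors score an attempt.

```python
import statistics

def latencies(press_times_ms):
    """Intervals between successive keystrokes, from key-press timestamps."""
    return [b - a for a, b in zip(press_times_ms, press_times_ms[1:])]

def reference_profile(enrollment):
    """Mean latency per position over the enrollment samples."""
    return [statistics.mean(col) for col in zip(*enrollment)]

def distance(profile, attempt):
    # ASSUMPTION: summed absolute difference; the review names no metric.
    return sum(abs(p - a) for p, a in zip(profile, attempt))

def error_rates(profile, genuine, impostor, threshold):
    """Return (false acceptance rate, false rejection rate) at a threshold."""
    far = sum(distance(profile, a) <= threshold for a in impostor) / len(impostor)
    frr = sum(distance(profile, a) > threshold for a in genuine) / len(genuine)
    return far, frr

def accept(profile, attempt, threshold, secret_ok):
    """Combined check: the secret must match AND the typing must fit."""
    return secret_ok and distance(profile, attempt) <= threshold

# Constructed latency vectors in milliseconds (not data from the paper).
ENROLLMENT = [[120, 200, 150, 180], [130, 190, 160, 170], [110, 210, 140, 190]]
GENUINE = [[125, 195, 155, 175], [115, 205, 145, 185], [140, 220, 170, 200],
           [120, 200, 150, 190], [100, 230, 130, 210]]
IMPOSTOR = [[200, 120, 220, 100], [150, 230, 180, 210], [135, 215, 165, 195],
            [90, 260, 110, 240], [170, 150, 200, 130]]
PROFILE = reference_profile(ENROLLMENT)

def sweep(thresholds=(50, 90, 130)):
    """(threshold, FAR, FRR) rows: loosening the threshold trades FRR for FAR."""
    return [(t, *error_rates(PROFILE, GENUINE, IMPOSTOR, t)) for t in thresholds]

if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold={t:3d}  FAR={far:.0%}  FRR={frr:.0%}")
    # A loose threshold admits this impostor on typing alone, but the
    # combined check still refuses when the secret does not match.
    print(accept(PROFILE, IMPOSTOR[2], 130, secret_ok=False))
```

With the loosest threshold no genuine attempt is rejected, and the secret is what keeps the impostors whose typing fits the profile from being accepted.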

A significant problem the authors mention is capture of timing data from devices attached to a time-sharing system. The solution they mention, borrowed from a patent, is capture of timing data within a terminal.

The authors say that keystroke latencies are among “actions,” such as signature dynamics, that can contribute to identity authentication. Other authors use the term “biometric” to refer to both actions and what Joyce and Gupta call “physiology,” such as voice, then evaluate each biometric technique against all the others. By distinguishing between actions and physiology and saying, inaccurately, “To date, the ‘actions’ category has been virtually ignored,” the authors place their method in a category by itself and avoid having to make such useful comparisons.

Reviewer: S. A. Kurzban
Review #: CR114368

[1] McEnroe, J. E. and Verschoor, C. C. Biometric personal identification systems: the potential for bank use. Bank Admin. 62, 11 (Nov. 1986), 40–46.
Security (K.6.m ... )

Reproduction in whole or in part without permission is prohibited.   Copyright © 2000-2022 ThinkLoud, Inc.