Keystroke Analysis Could Replace Passwords
In the land of digital investigations, investigators and data collectors may find, in the not too distant future, the need for a custodian to stand by to enter their password for system access.
Thanks to a $500,000 research grant from the U.S. Defense Department, they're looking for better ways than hacker-prone passwords to protect its systems, and are betting that ISU Professor Morris Chang is right. Chang, recently quoted in USA Today, an associate professor of electrical and computer engineering, said we all take unique pauses between keystrokes, especially when typing complicated words. "When you spell a particular word, you may have a tendency to pause at a certain character," Chang said. "Your pause would be different than mine."
The Defense Advanced Research Projects Agency, part of the Defense Department, wants a security system that doesn't rely on passwords and is capable of continuously ensuring that the authorized user is the only one on any particular computer.
A system that can tell who is using a computer by tracking those telltale pauses could block someone from, say, jumping on a computer and working after the authorized user signs off and leaves the building.
Other studies are looking at how people move their computer mouse.
The technique is called "active authentication."
At Iowa State, about 3,000 students and staff members will log onto a website from any location, to go through some tasks. They'll be asked to type some sentences, respond to an email, and surf the web a bit. Their keystrokes will be monitored in the background, and patterns will be analyzed.
Chang hopes to get research money for two more phases in the next three years. The second would involve developing software to detect intruders based on typing patterns. The third would look for holes in the system.