September 20, 2016

Could How A Shopper Types Be The Best Authentication?

It's not what you say, but how you say it. That piece of advice, which has been given to countless politicians and executives over the decades, might be the premise behind an intriguing new approach to biometric authentication. Although to be precise, it's closer to "It's not what you type, but how you type it."

The value of any authentication system is based on a balancing act. How accurate an identification does it offer versus how much effort does it put the individual through? The U.S. State Department, for example, applies a very robust authentication approach to people applying for passports, but it's painful to go through.

With enterprise applications, the identities being checked are either employees/contractors or customers. In both cases, if they find the authentication mechanism too arduous, they'll either work around it or—in the case of customers—decide that your competitors' apps are worth another look.

In a study written by researchers for Michigan State University and China's Nanjing University, a method is proposed where the manner and speed at which someone types could indicate whether that is the same person whom the system originally recognized and authorized. At the very least, researchers theorize, it could give security software a heads-up that this individual merits further investigation.

The specific method the researchers propose leverages Wi-Fi signals, but there may be other ways of examining how someone types to better serve app security. But first, let's take a peek into that joint research.

"WiFi signals can be exploited to recognize keystrokes. The intuition is that while typing a certain key, the hands and fingers of a user move in a unique formation and direction and thus generate a unique pattern," the report said, describing this kind of tracking as WiKey. Fear not: Being the academics they are, they invent several more acronyms.

"WiKey consists of two Commercial Off-The-Shelf (COTS) WiFi devices, a sender (such as a router) and a receiver (such as a laptop). When a human subject types on a keyboard, WiKey recognizes the typed keys based on how the Channel State Information (CSI) values at the WiFi signal receiver end," the report said. "WiKey achieves more than 97.5 percent detection rate for detecting the keystroke and 96.4 percent recognition accuracy for classifying single keys. In real-world experiments, WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5 percent."

The report considers two different ways to analyze these signals. "The acoustic emanations from different keys arrive at different surrounding smartphones at different time as the keys are located at different places in a keyboard. Electromagnetic emission based approaches recognize keystrokes based on the observation that the electromagnetic emanations from the electrical circuit underneath different keys in a keyboard are different."

But analyzing WiFi signals to try and extrapolate patterns is a complex approach, which requires as much of an understanding of the keyboard being used as how the user types. A user upgrading to a new phone might be challenged on that basis alone.

Then again, client-based software that examines input speed, touch-intensity (light touch, hard touch) and overall accuracy (plus specific words that are typically typed wrong by that person) could create a biometric profile that would be very difficult to fake and that would apply to a far higher percentage of people than fingerprint scans or facial recognition.

Fingerprint scans are ineffective for many people whose skin has thinned, often due to medication or frequent use of cleaning chemicals or even simply aging. Sometimes a finger burn can also cause problems. Facial recognition—including the popular selfie authentication—is dicey depending on the settings. Set it too precisely and a tan, not shaving for a day or a change in cosmetics could generate a false negative. Set it too lax and someone who looks like the intended party could fool the system.

None of those weaknesses would undermine a process that tracks how someone types. Some of those identification attributes—including typing speed, accuracy and words that user typically gets wrong—could operate as a server-based app. Others—primarily how hard a user presses the keys—would more likely need client software installed on that person's system.
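A server-side version of that check, as an added example that is not from the article or the study: it compares the typing rhythm and correction rate of a login attempt against an enrolled profile and asks for step-up verification when they diverge. The event format (key name plus keydown timestamp in milliseconds), the three features, the threshold and all sample data are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def features(events):
    """events: [(key, keydown_ms), ...] -> (mean gap, gap jitter, correction rate)."""
    times = [t for _, t in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    corrections = sum(1 for k, _ in events if k == "Backspace")
    return (mean(gaps), pstdev(gaps), corrections / len(events))

def enroll(samples):
    """Per-feature (mean, spread) over several enrollment samples."""
    cols = zip(*(features(s) for s in samples))
    # Floor the spread so a very consistent typist cannot cause division by zero.
    return [(mean(c), max(pstdev(c), 0.05 * abs(mean(c)), 0.01)) for c in cols]

def score(profile, events):
    """Mean absolute z-score of one sample against the enrolled profile."""
    return mean(abs(x - m) / s for x, (m, s) in zip(features(events), profile))

def decide(profile, events, threshold=3.0, min_keys=8):
    """Return 'ok', 'step_up' (ask for more proof) or 'insufficient_data'."""
    if len(events) < min_keys:
        return "insufficient_data"
    return "step_up" if score(profile, events) > threshold else "ok"

def typed(keys, gaps):
    """Constructed-data helper: keys plus inter-key gaps (ms) -> timestamped events."""
    t, out = 0, []
    for k, g in zip(keys, [0] + gaps):
        t += g
        out.append((k, t))
    return out

# Constructed sample data (not measurements from the study).
KEYS = list("shopper42")
PROFILE = enroll([
    typed(KEYS, [180, 200, 170, 190, 210, 175, 185, 195]),
    typed(KEYS, [175, 205, 165, 195, 200, 180, 190, 185]),
    typed(KEYS, [190, 195, 180, 185, 215, 170, 180, 200]),
])
GENUINE = typed(KEYS, [182, 203, 168, 192, 208, 176, 184, 196])
OTHER = typed(list("shopx") + ["Backspace"] + list("per42"),
              [320, 410, 150, 600, 280, 350, 500, 220, 450, 380])

if __name__ == "__main__":
    print(decide(PROFILE, GENUINE), decide(PROFILE, OTHER))
```

The result is a signal for further investigation rather than a hard reject, and short inputs return `insufficient_data` because a handful of keystrokes carries too little rhythm to compare.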

Just wanted to broaden your options. This kind of approach could be more cost-effective, more accurate, more resistant to fraud and applicable to a much wider audience than today's more popular biometric options.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution.
