College of Engineering News • Iowa State University

Keystrokes yield ID clues

Written by Perry Beeman
Des Moines Register

The way you type on your computer’s keyboard is as unique as your handwriting, and may even be a matter of national security, says an Iowa State University engineering professor.

Morris Chang
Morris Chang

The U.S. Department of Defense, looking for better ways than hacker-prone passwords to protect its systems, is betting a $500,000 research grant that ISU professor Morris Chang is right.

Chang, an associate professor of electrical and computer engineering, said we all take unique pauses between keystrokes, especially when typing complicated words.

“When you spell a particular word, you may have a tendency to pause at a certain character,” Chang said. “Your pause would be different than mine.”

The Defense Advanced Research Projects Agency, part of the Defense Department, wants a security system that doesn’t rely on passwords and is capable of continuously ensuring that the authorized user is the only one on any particular computer.

A system that can tell who is using a computer by tracking those telltale pauses could block someone from, say, jumping on a computer and working after the authorized user signs off and leaves the building.

The military could use a fingerprint or retina scanner to accomplish similar results. But it also wants a technology that doesn’t require equipment and would let it monitor usage without an imposter’s knowledge.

“Let’s say you walk to the office and start unlocking a computer,” Chang said. “You work for a few hours, and then you may leave. So potentially there could be an intruder pretending to be you and continuing to use your computer. The system that we are trying to use is specific to the user.”

More and more, such so-called “biometrics” are making news these days. A team of European scientists has theorized that people can also be identified by the way they bring a cellphone to their ear — the angle and speed, for example, the New York Times has reported.

Other studies are looking at how people move their computer mouse.

The technique is called “active authentication.”

At ISU, some 3,000 students and staff members will log onto a website, from any location, to go through some tasks. They’ll be asked to type some sentences, respond to an email, and surf the Web a bit.

Their keystrokes will be monitored in the background, and patterns will be analyzed.

Chang hopes to get research money for two more phases over the next three years. The second would involve developing software to detect intruders based on typing patterns. The third would look for holes in the system.

“Everyone knows we have problems with passwords,” said Richard Guidorizzi, the defense agency’s program manager. People forget passwords, or make them too easily guessed by hackers, for example.

“I want to move to a world where you sit down on the console and you identify yourself and you begin working and the authentication happens in the background invisible to you while you continue to do your work without interruption,” he said.

Guidorizzi said at the time that the Defense Department does not intend to use the results of the research to spy. Nor will the keyboarding data gathered to identify authorized users be stored.

“We don’t want to store this information,” he said. “Otherwise, hackers would get to that and the system would be worthless.”

But some privacy advocates worry such safeguards could have negative consequences if misused.

Rebecca Jeschke of the nonprofit Electronic Frontier Foundation in San Francisco said such technologies could raise privacy questions, even if they also help match consumers with products they might want, for example.

“The freedoms and protections in the physical world need to come with us into the digital world,” said Jeschke, a digital rights analyst. “The future I don’t want is one in which you can’t use a new tool because you don’t know what information they will share.”

She added: “To me, what’s concerning right now is that people don’t know when they are being tracked.”


This article also appeared in USA Today.