bioChec™ Keystroke Authentication: It's All in How You Type

John C. Checco, CISSP

Overview

- What is Keystroke Biometrics
- How Effective is Keystroke Biometrics
- Advantages of Keystroke Biometrics
- Markets for Keystroke Biometrics
- Future for Keystroke Biometrics

What is Keystroke Biometrics: Biological Measurements

- Physical aspects of a person that determine identity
- Static measurement
  - Absolute match
- Quality of measurement is only variable by the quality of the capture device
- Examples:
  - DNA
  - Iris/Retina Scan
  - Fingerprint
  - Hand Geometry / Vein Structure
  - Facial Recognition

What is Keystroke Biometrics: Behavioral Measurements

- Characteristic traits exhibited by a person that can determine identity
- Dynamic measurement
  - Confidence match
- Quality of measurement varies by behavioral and other external factors
- Examples:
  - Keystroke Heuristics
  - Handwriting Analysis
  - Voice Verification
  - Language Removal Identification

What is Keystroke Biometrics

Pattern exhibited by an individual using an input device in a consistent manner

- Input Device
  - Keyboard, Keypad, Stylus, …
- Raw measurements available by the input device
  - Dwell time
  - Flight time
  - Absolute versus Relative timing
- Factors
  - Timing / Cadence
  - Content
  - Spatial Configuration
  - Consistency (as well as consistent inconsistencies)
- Signature Processing
  - Deduction of key factors from an arbitrary data stream
  - Robotic vision, Economic trending, Quantum physics

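The dwell-time and flight-time measurements listed above, worked through as an added example (not code from the presentation or from bioChec). The event format, the scaled-distance scorer, the threshold of 2.0 and all sample timings are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def make_events(text, dwells, flights, start=0):
    """Build constructed (key, press_ms, release_ms) events; `start` shifts absolute time."""
    events, t = [], start
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events

def features(events):
    """Relative timing only: dwell = release - press; flight = next press - previous release."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template: per-feature (mean, std dev) across enrollment samples of the same phrase."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), 1.0)) for c in columns]  # floor std to avoid divide-by-zero

def score(template, events):
    """Average deviation from the template in std-dev units; lower means a closer match."""
    f = features(events)
    if len(f) != len(template):
        return float("inf")
    return mean(abs(x - m) / s for x, (m, s) in zip(f, template))

def verify(template, events, phrase, threshold=2.0):
    """Confidence match: content must be right AND cadence within the threshold."""
    typed = "".join(k for k, _, _ in events)
    return typed == phrase and score(template, events) <= threshold

# Constructed sample data (milliseconds) for the phrase "pass".
ENROLLMENT = [
    make_events("pass", [90, 110, 80, 100], [120, 60, 150]),
    make_events("pass", [95, 105, 85, 95], [125, 55, 145]),
    make_events("pass", [85, 115, 75, 105], [115, 65, 155]),
]
TEMPLATE = enroll(ENROLLMENT)
GENUINE = make_events("pass", [92, 108, 83, 98], [118, 63, 152], start=5000)
IMPOSTOR = make_events("pass", [60, 70, 65, 60], [200, 180, 90])

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, attempt, "pass"))
```

Both attempts type the correct phrase; only the cadence separates them, and raising or lowering the threshold trades false rejects against false accepts.
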
What is Keystroke Biometrics: History of the World, Part I

- 1979:
  - Technology originally developed by SRI International.
- 1984:
  - National Bureau of Standards (NBS) study concluded that computer keystroke authentication had 98% accuracy.
- 1988:
  - Keystroke authentication hardware device passes NIST Computer Security Act of 1987.
- 2000:
  - Keystroke authentication passes the Financial Services Technology Consortium (FSTC) / International Biometric Group (IBG) Comparative Testing program.
- Patents (partial list):
  - 4621344, 5557686, 4805222, 4962530, 4998279, 5056141

How Effective is Keystroke Biometrics

- Fingerprint
  - FAR = ~0%
  - FRR = ~1%
- Keystroke Biometrics
  - FAR = ~0.01%
  - FRR = ~3.0%
    - Manufacturer recommended settings
    - Variable (application-defined)
- Facial Recognition
  - FAR/FRR vary according to: compression, distance, illumination, media, pose, resolution, and other temporal factors.
- Voice Recognition
  - FAR = ~1.6%
  - FRR = ~8.1%

How Effective is Keystroke Biometrics: What If …

- I injure my hand?
  - How many people have you met that have had hand injuries?
  - How many people have you met that forgot their password?
- I enrolled on one keyboard and want to login on another?
  - Tactile versus membrane
  - Full-size versus compact
  - Key-character layout
- My connection is hijacked and someone replays my keystrokes?
  - Fraud detection methods vary by manufacturer
- I have a bad day?

Advantages of Keystroke Biometrics: Technology Advantages

- Performance:
  - Inherently narrows the identification pool to achieve lower FAR/FRR
- Portability:
  - Users are not limited to individual or specific workstations
- Flexibility:
  - Dynamically managed threshold for acceptance
- Security:
  - Constant biometric refinement of templates over time
- User Acceptance:
  - Non-invasive capture
  - Support for invisible (background) enrollment
  - Works better with pass phrases familiar to the user
    - translation: passwords can be easy to remember
- Paradigm:
  - Only solution that provides for limited liability risk mitigation.
  - Capabilities-based policies, not simply role-based

Advantages of Keystroke Biometrics: Implementation Advantages

- Deployment / Maintenance:
  - No physical hardware to install or maintain
  - No manpower needed on client-side deployment for installations or upgrades
- Coverage:
  - Support for remote access and telecommuting
  - Software-only components allow integration into any software solution
- Policy Management:
  - Secondary authorization does not change current policies
  - Application and/or user managed levels of security
- Audit Control:
  - Promote proper use of existing licensing
  - Logging of biometric access creates better forensic evidence
- Exit / Override Strategies:
  - No additional resources needed to override or temporarily disable biometric.
  - No invasive exit strategy … just turn off server-side secondary authentication process.

Markets for Keystroke Biometrics

Network / Intranet Security:

- Single Sign-on Solutions
- RADIUS
- Corporate Application Access
- xFS Volume Protection
- Document Control Management
- Corporate Internet Access

Markets for Keystroke Biometrics

Asset Identification:

- Online Training / Testing
- Document Signing
- Software Licensing and Registration

Personal Information Security:

- Primary Authorization for individual document encryption
- Secondary Authorization mechanism for online purchases
- Secure Laptop Access

Future for Keystroke Biometrics

Consumer Market:

- PDA / Tablet / Stylus Input
- RIM
- ATM
- Cell phones
- Home Security Access Pads

Questions and Comments

Commonly Asked Questions:

- Can keystroke biometrics determine if an employee is incapacitated due to inebriation or drug abuse?
- How does keystroke biometrics protect against “Cyrano de Bergerac” breaches?

Q.E.D.

John C. Checco
President, bioChec™
Checco Services, Inc.
John.Checco@bioChec.com
http://www.bioChec.com
Stony Point, New York
1-845-942-4246