In the continuous search for more effective security methods, old acquaintances such as key-pattern analysis sometimes return to public discussion. This time the research focuses on the timings and pauses that occur while a password is typed on a keyboard, in order to increase its entropy: it tries to isolate each individual's habits while keeping the margin of error at a reasonable value. It also tries to supplement these micro-timing measurements with others, such as the sound of the keys or the overall rhythm of the keystrokes.
Although it may be unknown to many, authentication by analysis of typing patterns is nothing new. It is rumored that it was already used in the former Soviet Union to determine the mental state of pilots: they were made to type a control paragraph under normal conditions, and this was then compared with the way they typed it before each flight. Closer to our own day, many banks have for years incorporated this additional authentication method into access to their web services. Research has even been done to try to define an algorithm that determines our mood from the way we type, which would make it possible, for example, to assess the nervousness of someone trying to impersonate another identity.
However, these methods have not yet achieved widespread success because of problems that remain to be solved. For example, with the current trend towards virtual keyboards on smartphones and tablets, the possibility of analyzing mechanical noise disappears, not to mention that these keyboards are less comfortable to use, so users make many more mistakes and, in general, do not always type their passwords in the same way.
Another problem that has been detected, for example in the aforementioned banking web services, is the use of the same username and password by several different people. In this case the system observes several different ways of typing and ends up settling on only one of them, usually the slowest, which causes problems for the others.
Finally, as in any decision system, it is difficult to define the threshold. If it is even slightly too strict, legitimate users will have to re-enter their password several times before they are accepted. If, on the other hand, we want to avoid this hassle by choosing a more permissive threshold, there is a good chance that a person with a similar typing pattern will succeed in authenticating. In addition, it is not unlikely that, in the process of spying on the legitimate user to learn their password, an attacker also learns their typing rhythm, either in person or through keylogging software. However, it could be tremendously effective against automated mass attacks.
In short, the analysis of typing patterns is a good idea, like so many others, whose success or failure depends on the approach applied to it and on whether the problems that appear when implementing it in the real world are finally solved effectively.
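The threshold trade-off described above, as an added example that is not part of the original article: a minimal verifier that compares inter-key latencies against an enrolled template and reports the false reject and false accept rates at several thresholds. The scoring method (average deviation in standard deviations), all sample timings and all names are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# All data below is constructed for illustration: each attempt is the list of
# inter-key latencies (ms) measured while typing the same 6-character password.
ENROLL = [
    [120, 95, 180, 110, 140],
    [125, 90, 175, 115, 150],
    [118, 100, 185, 105, 145],
    [122, 92, 178, 112, 138],
]
GENUINE = [  # later attempts by the enrolled user
    [121, 96, 182, 108, 142],   # relaxed, close to the enrolled rhythm
    [130, 88, 170, 120, 155],   # slightly off (e.g. a different keyboard)
    [110, 105, 195, 100, 130],  # hurried
]
IMPOSTOR = [  # attempts by others who know the password
    [200, 150, 120, 210, 90],   # different human typist
    [124, 98, 176, 113, 147],   # similar or observed rhythm
    [30, 30, 30, 30, 30],       # scripted entry with uniform timing
]

def build_template(samples):
    """Per-position (mean, stdev) of the enrolment latencies."""
    return [(mean(c), max(stdev(c), 1.0)) for c in zip(*samples)]

def score(template, attempt):
    """Average distance from the template, in standard deviations."""
    return mean(abs(x - m) / s for x, (m, s) in zip(attempt, template))

def rates(template, genuine, impostor, threshold):
    """Return (false reject rate, false accept rate); accept if score <= threshold."""
    frr = sum(score(template, a) > threshold for a in genuine) / len(genuine)
    far = sum(score(template, a) <= threshold for a in impostor) / len(impostor)
    return frr, far

if __name__ == "__main__":
    template = build_template(ENROLL)
    # A lower distance threshold is the stricter setting.
    for threshold in (0.5, 1.0, 3.5):
        frr, far = rates(template, GENUINE, IMPOSTOR, threshold)
        print(f"threshold={threshold}: FRR={frr:.2f} FAR={far:.2f}")
```

On this constructed data, no threshold rejects the similar-rhythm attempt without also rejecting two of the three genuine ones, while the scripted entry is rejected at every setting.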
Source: EquipoM45

