Typing articles catalog



Science of Keystoke Dynamics

The behavioral biometric of Keystroke Dynamics uses the manner and rhythm in which an individual types characters on a keyboard or keypad. The keystroke rhythms of a user are measured to develop a unique biometric template of the users typing pattern for future authentication. Raw measurements available from most every keyboard can be recorded to determine Dwell time (the time a key pressed) and Flight time (the time between key down and the next key down and the time between key up and the next key up ). The recorded keystroke timing data is then processed through a unique neural algorithm, which determines a primary pattern for future comparison

Data needed to analyze keystroke dynamics is obtained by keystroke logging. Normally, all that is retained when logging a typing session is the sequence of characters corresponding to the order in which keys were pressed and timing information is discarded. If I`m reading email from you, I can`t tell from reading the phrase "I saw 3 zebras!" whether:

  • that was typed rapidly or slowly
  • you used the left-shift, the right-shift, or the caps-lock key to make the "i" turn into a capitalized letter "I"
  • the letters were all typed at the same pace, or if there was a long pause before the letter "z" or the numeral "3" while you were looking for that letter
  • you typed any letters wrong initially and then went back and corrected them, or if you got them right the first time

Origin of Keystroke Dynamics

On May 24, 1844, the message "What hath God wrought" was sent by telegraph from Baltimore, Maryland, to our nations Capitol in Washington, D.C. A new era in long-distance communications had begun. By the 1860 s the telegraph revolution was in full swing and telegraph operators were a valuable resource. With experience, each operator developed their unique signature and was able to be identified simply by their tapping rhythm.

As late as World War II the military transmitted messages through Morse Code. Using a methodology called "The Fist of the Sender," Military Intelligence identified that an individual had a unique way of keying in a message`s "dots" and "dashes," creating a rhythm that could help distinguish ally from enemy.

Use as biometric data

Researchers are interested in using this keystroke dynamic information, that is normally discarded, to verify or even try to determine the identity of the person who is producing those keystrokes. This is often possible because some characteristics of keystroke production are as individual as handwriting or a signature. The techniques used to do this vary widely in power and sophistication, and range from statistical techniques to neural-nets to artificial intelligence.

In the simplest case, very simple rules can be used to rule out a possible user. For example, if we know that John types at 20 words per minute, and the person at the keyboard is going at 70 words per minute, it`s a pretty safe bet that it`s not John. That would be a test based simply on raw speed uncorrected for errors. It`s only a one-way test, as it`s always possible for people to go slower than normal, but it`s unusual or impossible for them to go twice their normal speed.

Or, it may be that the mystery user at the keyboard and John both type at 50 words per minute; but John never really learned the numbers, and always has to slow down an extra half-second whenever a number has to be entered. If the mystery user doesn`t slow down for numbers, then, again, it`s a safe bet this isn`t John.

The time to get to and depress a key (seek-time), and the time the key is held-down (hold-time) may be very characteristic for a person, regardless of how fast he is going overall. Most people have specific letters that take them longer to find or get to than their seek-time over all letters, but which letters those are may vary dramatically but consistently for different people. Right-handed people may be statistically faster in getting to keys they hit with their right hand fingers than they are with their left hand fingers. Index fingers may be characteristically faster than other fingers to a degree that is consistent for a person day-to-day regardless of their overall speed that day.

In addition, sequences of letters may have characteristic properties for a person. In English, the word "the" is very common, and those three letters may be known as a rapid-fire sequence and not as just three meaningless letters hit in that order. Common endings, such as "ing", may be entered far faster than, say, the same letters in reverse order ("gni") to a degree that varies consistently by person Try it yourself! Compare your speed at entering "ing ing ing ing" to "gni gni gni gni". This consistency may hold and may reveal the person`s native language`s common sequences even when they are writing entirely in a different language, just as revealing as an accent might in spoken English.

Common "errors" may also be quite characteristic of a person, and there is an entire taxonomy of errors, such as this person`s most common "substitutions", "reversals", "drop-outs", "double-strikes", "adjacent letter hits", "homonyms", hold-length-errors (for a shift key held down too short or too long a time). Even without knowing what language a person is working in, by looking at the rest of the text and what letters the person goes back and replaces, these errors might be detected. Again, the patterns of errors might be sufficiently different to distinguish two people.

Authentication versus identification

Keystroke dynamics patterns are statistical in nature, and are not as reliable as other biometrics used for authentication such as fingerprints or retinal scans or DNA. However, they can be captured continuously not just at the start-up time and may be adequately accurate to trigger an alarm to another system or person to come double-check the situation.

In some cases, a person at gun-point might be forced to get start-up access by entering a password or having a particularly fingerprint, but then that person could be replaced by someone else at the keyboard who was taking over for some bad purpose. In other less dramatic cases, a doctor might violate business rules by sharing his password with his secretary, or by logging onto a medical system but then leaving the computer logged-in while someone else he knows about or doesn`t know about uses the system. Keystroke dynamics is one way to detect such problems sufficiently reliably to be worth investigating, because even a 20% true-positive rate would send the word out that this type of behavior is being watched and caught.

Researchers are still a long way from being able to read a keylogger session from a public computer in a library or cafe somewhere and identify the person from the keystroke dynamics, but we may be in a position to confidently rule out certain people from being the author, who we are confident is "a left-handed person with small hands who doesn`t write in English as their primary language."

Temporal variation

One of the major problems that keystroke dynamics runs into is that a person`s typing varies substantially during a day and between different days. People may get tired, or angry, or have a beer, or switch computers, or move their keyboard tray to a new location, or be pasting in information from another source (cut-and-paste) or from a voice-to-text converter. Even while typing, a person, for example, may be on the phone or pausing to talk.

And some mornings, perhaps after a long night with little sleep and a lot of drinking, his typing may bear little resemblance to the way he types when he is well-rested. Extra doses of medication or missed doses could change his rhythm. There are hundreds of confounders.

Because of these variations, the results of keystroke dynamics have to be viewed more as suggestions than conclusions. There will be high error rates to almost any system, both false-postives and false-negatives. The most likely useful role for such a system in authentication is in triggering a secondary low-cost system, such as alerting a guard to check it out, but probably doesn`t justify having the guard`s gun drawn at the time.

Commercial products

There are several home and commercial software products which claim to use keystroke dynamics to authenticate a user.

BioPassword ( http://www.biopassword.com]) is a patented commercial system which uses keystroke dynamics to restrict access see the References section below for a link to a review from PC Magazine. The vendor, BioPassword, Inc., just received $8 million in new funding, according to a January, 2006 trade press release.

Deepnet Security ( http://www.deepnetsecurity.com) has also developed a keystroke biometric authentication system, TypeSense. It is claimed that their product employs advanced new algorithms such as auto-correlative training and adaptive learning, and achieve better result than other similar products.

iMagic Software makes Trustable Passwords, which is designed for use by large enterprises (they recommend 2,000+ users) and interfaces with all major enterprise infrastructure. Trustable Passwords just won the audience vote at the presigious Forrester IT Forum 2006 in Las Vegas there is a video of that demo on the iMagic Software website. iMagic was founded in 2002, and is based on new patent-pending algorithms. Trustable Passwords is presently being used in several major multi-hospital healthsystems for user authentication and, in terms of both recognition and user satisfaction, works better than fingerprints. Several major financial institutions are also in pilot. Historically, iMagic has kept quiet, but it seems they are beginning to publicize.

Anyone considering building a new product using keystroke dynamics should understand the legal issues (see below), and figure out as well how to have an authorized program`s use of keystroke interception survive the removal efforts of multiple anti-spyware programs. In this case, the security enhancing programs may be fighting with each other.

On top of that, if the desired result for a web-based product is to use keystroke dynamics to decide whether to cause a pop-up window to appear, asking for re-entry of a password or other verification question, new pop-up blockers may prevent that feature from functioning.

Legal and regulatory issues

Surreptitious use of key-logging software is on the rise, as of this writing. Use of such software may be in direct and explicit violation of local laws, such as the U.S. Patriot Act, under which such use may constitute wire-tapping. This could have severe penalties including jail-time. See spyware for a better description of user-consent issues and various fraud statutes. Spyware and its use for illegal operations such as bank-fraud and identity theft are very much in the news, with even Microsoft issuing new spyware defense products, and tougher laws in the near future being very likely.

Competent legal advice should be obtained before attempting to use or even experiment with such software and keystroke dynamic analysis, if consent is not clearly obtained from the people at the keyboard, even though the actual residual "content" of the message the resultant text is never analyzed, read, or retained. The status of the "dynamic context" of the text is probably in legal limbo.

There are some patents in this area. Examples:

  • J. Garcia. Personal identification apparatus. Patent No. 4 621 334, U.S. Patent and Trademark Office, 1986.
  • J.R. Young and R.W. Hammon. Method and apparatus for verifying an individual s identity. Patent No. 4 805 222, U.S. Patent and Trademark Office, 1989.

Other uses

Because keystroke timings are generated by human beings, they are not well correlated with external processes, and are frequently used as a source of hardware-generated random numbers for computer systems.

Why Hire a Professional Transcriptionist to Convert Your Dictation or Audios to Typed Text? - By Laurie Kristensen


In a discussion forum for non-fiction writers (where I had posted my introduction of myself and my professional transcription business), another member replied and mentioned that for simple dictation, she uses a voice recognition software program.

When what she had said really sank in, I felt like someone had punched me in the stomach!

Then my reaction was huge dismay and questioning, "Why should I even stay in business?" This came JUST after spending almost two months getting clear on why my transcription business feels exciting to me and realizing that I want to assist and support creative, positive, motivated people to succeed in ways they have not been able to before, working on interesting projects!

I imagined emptying my transcription business website of all information -- just leaving a notice (as a ?public service?) pointing out to the people who THINK they need me to transcribe their audios that they should go and buy that software instead!

Yikes! Drastic thoughts!

But seriously, then I started thinking some more

I mean, it`s a legitimate question! Why SHOULD someone hire me if they can buy software for dictation?

In what situations would dictation software be inferior than having a live, intelligent human being (who is passionate about helping her clients succeed) listening and transcribing their audio material instead?

Knowing such software exists, ANYONE might appropriately ask that question!

Since I`ve never worked with this kind of software, I realize I may not understand it perfectly, so I decided to ask some questions

With audio recordings of interviews, groups, or live teleclasses, seminars, and so forth, how does the software distinguish between multiple speakers? How does it know to punctuate and break the text into paragraphs appropriately?

When people just speak naturally, their speech is filled with tons of `ahs` and `ummms` and `you know`s` and so forth. Does the software know to filter those out when appropriate? People also string multiple sentences together with `and` forever! Does the software know when to break the sentences apart?

How about when the quality of the audio recording is not top-notch, such as when there is background noise or people speaking on top of each other how does it handle that?

Even when there is only a single speaker, if they do not dictate punctuation, paragraphs, etc., does the software intuit that correctly?

If the software does not handle these issues well, how much work is involved in cleaning up the text?

Also, in my relationships with the clients I`ve worked with, there is the unquantifiable element of me being an objective outsider who can catch errors or discrepancies in the CONTENT. And I often even come up with valuable ideas to help them improve their material!

There is a creative, collaborative give and take between my clients and me that often seems to be of benefit to us BOTH beyond the action of me ?just? transcribing their audio recordings.

So, I concluded, there IS still a need for my services by many people! Not all, but I?m sure enough to keep me busy. I actually do enjoy this kind of work under the right circumstances and with the types of clients I intend to connect with!

So in the end, I thanked that discussion forum member for her post and the internal thinking process it sent me through, because it helped me face a fear and come out stronger on the other side!

And then, as a welcome validation of everything I had deduced on my own, quickly after I had submitted my reply to her, she was kind enough to reply with a more detailed explanation of how the voice recognition software works and its definite limitations -- everything I had suspected, and even more!

I truly have a valuable, worthwhile service to offer my clients. I?m very proud of my skills, my dedication, and my opportunity to make a contribution to the entire world by assisting my clients to develop their own gifts in ways they might never on their own IF it was up to themselves alone to type out their wisdom and creativity!


Copyright Laurie Kristensen, 2005-Present. All rights reserved.

Laurie Kristensen owns and operates a successful audio transcription and typing business from home, visit http://www.LKTranscription.com (remember to subscribe to ?Your Partner in Success Newsletter?) -- also be sure to browse through Laurie?s Success Resources at http://www.LKSuccess.com

You have permission to publish this article in its entirety, unchanged, electronically or in print as long as the byline, URLs, and copyright are included.

Typing articles index