
The Future of Passwords: Biometrics September 30, 2013

Posted by lorenmurphy2 in Security.

For many years, two-factor authentication has been the standard method of securing authorization for a network. According to the article “Password Security: A Case History”, the underlying goal of this type of authentication has been to provide password security at minimal inconvenience to the users of the system. For many systems, having users provide a username and password establishes authorization. However, hackers are more likely to successfully break into a system by gaining access to the system’s password file or by guessing a user’s easy password.

As technology advances, the methods for securing authorization are also advancing in order to increase network security. Instead of two-factor authentication, new biometric and cognitive tools are being developed to revolutionize how users are authorized. Biometric technologies are “automated methods of verifying or recognizing the identity of a living person based on a physiological or behavioral characteristic” (1). The two biometric tools discussed in this blog post are keystroke dynamics and facial recognition.

Keystroke dynamics is the ability of a system to recognize unique and habitual patterns in a user’s typing. There are two types of keystroke authorization techniques. In the first, often referred to as static verification, the system has the user enter a particular string of words a few times in order to create the user’s “signature” within the database system. Then, when the user logs in again, the system is able to determine whether the user logged in with the same typing signature (2). The second type of authorization technique is referred to as continuous. Instead of only verifying the user’s keystrokes during login, the system continues to analyze the user’s unique typing style during their entire use of the system. There are many aspects of one’s typing pattern that can determine the signature. These include the “rest time” between successive keystrokes, keystroke duration, finger placement and applied pressure on the keys (1).
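As an added illustration of static verification (not code from the post or from any vendor it names), the sketch below enrolls a signature from repeated entries of one string and scores later attempts against it. It assumes only timing features (keystroke duration and rest time), uses a scaled Manhattan distance chosen for this example, and all timing values and the threshold are constructed.

```python
from statistics import mean, stdev

def typed(text, dwells, flights):
    """Build constructed (key, press_ms, release_ms) events for a typed string."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events

def features(events):
    """Keystroke durations (dwell) followed by rest times between keys (flight)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Static verification, step 1: build the signature from repeated entries."""
    text = "".join(k for k, _, _ in samples[0])
    cols = zip(*(features(s) for s in samples))
    # Floor the spread at 1 ms so a very consistent feature cannot dominate.
    return {"text": text, "stats": [(mean(c), max(stdev(c), 1.0)) for c in cols]}

def score(sig, events):
    """Mean deviation from the signature, in units of the user's own spread."""
    if "".join(k for k, _, _ in events) != sig["text"]:
        return float("inf")          # wrong string: no timing comparison at all
    vec = features(events)
    return sum(abs(x - m) / s for x, (m, s) in zip(vec, sig["stats"])) / len(vec)

def verify(sig, events, threshold=2.0):  # threshold is an assumed tuning value
    return score(sig, events) <= threshold

# Constructed timing data (milliseconds) for the enrollment string "pass".
SIG = enroll([
    typed("pass", [90, 85, 110, 100], [60, 45, 70]),
    typed("pass", [95, 80, 105, 104], [55, 50, 75]),
    typed("pass", [88, 83, 112, 98], [62, 48, 68]),
])
GENUINE = typed("pass", [92, 84, 108, 101], [58, 47, 72])
IMPOSTOR = typed("pass", [60, 70, 65, 75], [120, 130, 110])   # same string, other hands
TIRED = typed("pass", [104, 95, 125, 116], [68, 55, 82])      # same user, slower

if __name__ == "__main__":
    for name, ev in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("tired", TIRED)):
        print(name, round(score(SIG, ev), 2), verify(SIG, ev))
```

The `TIRED` sample is rejected even though it comes from the enrolled user: a signature built from only three entries has a narrow spread, so ordinary variation in typing speed produces a false rejection unless enrollment is broader or the threshold is relaxed.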

The use of keystroke dynamics is not a new technology for determining one’s authorization. In fact, during World War II it was used by the military to determine whether an enemy or ally was sending a particular telegraph/Morse code message (3). If the code breakers could determine the signature of an important enemy telegraph transmitter, then they could automatically distinguish which messages were of most importance and which messages were falsified.

Unlike other biometric tools, such as fingerprint readers, keystroke dynamics is inexpensive and convenient for the user. This is because the only hardware required is a keyboard, which the user will already be using. Although there could be many variables that affect how a person types (are they stressed, are they typing late at night when tired, are they typing while talking on the phone), overall, keystroke dynamics has proven to be a reliable method for determining one’s identity, and there are several companies (ID Control, Watchful Software, BehavioSec) that are investing in developing this technology. Since keystroke dynamics relies on a person’s physical characteristics, it is a lot more difficult for a hacker to fake or easily guess, which makes the system more secure.

Another biometric tool that is being developed for authorization is facial recognition. With facial recognition, users have to identify a series of people that they know. This tool relies on a person’s cognitive ability to recognize human faces (2). One well-known company that has used this method for authorization is Facebook. If the system is unsure about a user’s identity, it may prompt the user to recognize several of their Facebook friends. Another company that is investing in research in this area is PassFaces. Like keystroke dynamics, facial recognition is able to uniquely authenticate users in a way that is hard for hackers to mimic.

Are biometric tools the future of network authorization? Or do you think users will oppose a system being able to identify them based upon their physiological and behavioral patterns, which they cannot control?


  1. Vance, Jeff. “Beyond Passwords: 5 new ways to authenticate users.” Network World. 30 May 2007.
  2. Monrose, F; Rubin, A. “Keystroke dynamics as a biometric for authentication.” Courant Institute of Mathematical Science. Future Generation Computer Systems. 3 March 1999.
  3. Kline, Ryan. “Keystroke dynamics: Biometrics at your fingertips.” SecureIDNews. 15 June 2007.
  4. Morris, R; Thompson, K. “Password Security: A Case History.” Communications of the ACM. Nov 1979.

