Seminar Topics

IEEE Seminar Topics

User Identification Through Keystroke Biometrics

Published on Apr 02, 2024


The increasing use of automated information systems together with our pervasive use of computers has greatly simplified our lives, while making us overwhelmingly dependent on computers and digital networks.

Technological achievements over the past decade have resulted in improved network services, particularly in the areas of performance, reliability, and availability, and have significantly reduced operating costs due to the more efficient utilization of these advancements.

Some authentication mechanisms recently developed requires users to perform a particular action and then some behavior of that action is examined. The traditional method of signature verification falls in this category. Handwritten signatures are extremely difficult to forge without assistance of some copier.

A number of identification solutions based on verifying some physiological aspect - known as BIOMETRICS - have emerged. Biometrics, the physical traits and behavioral characteristics that make each of us unique, are a natural choice for identity verification. Biometrics is an excellent candidate for identity verification because unlike keys or passwords, biometrics cannot be lost, stolen, or overheard, and in the absence of physical damage they offer a potentially foolproof way of determining someone's identity. Physiological (i.e., static) characteristics, such as fingerprints, are good candidates for verification because they are unique across a large section of the population. Indispensable to all biometric systems is that they recognize a living person and encompass both physiological and behavioral characteristics.

Biometrics is of two kinds. One deals with the physical traits of the user and the other deals with the behavioral traits of the user. Retinal scanning, fingerprint scanning, face recognition, voice recognition and DNA testing comes under the former category, while typing rhythm comes under the later category.

Physiological characteristics such as fingerprints are relatively stable physical features that are unalterable without causing trauma to the individual. Behavioral traits, on the other hand, have some physiological basis, but also react to a person's psychological makeup.

Most systems make use of a personal identification code in order to authentication the user. In these systems, the possibility of a malicious user gaining access to the code cannot be ruled out. However, combing the personal identification code with biometrics provides for a robust user authentication system.

Authentication using the typing rhythm of the user on keyboard or a keypad takes advantage of the fact that each user would have a unique manner of typing the keys. It makes use of the inter-stroke gap that exists between consecutive characters of the user identification code.

While considering any system for authenticity, one needs to consider the false acceptance rate and the false rejection rate.

The False Acceptance Rate (FAR) is the percentage of un-authorised users accepted by the system and the False Rejection Rate (FRR) is the percentage of authorised users not accepted by the system. An increase in one of these metrics decreases the other and vice versa. The level of error must be controlled in the authentication system by the use of a suitable threshold such that only the required users are selected and the others who are not authorised are rejected by the system.

In this technique, standard deviation of the user's training period entry is used as a threshold. The correct establishment of the threshold is important since too strong a threshold would lead to a lot of difficulty in entry even for the legal user, while a lax threshold would allow un-authorised entry


An authentication system based on key stroke pattern and measure of the inter stroke gap can be easily implemented. One major drawback in using other biometrics for authentication is the overhead incurred. Both the amount of space and the money incurred in using typing characteristics for authentication are comparatively less. As the security mechanism is not visible, unauthorized users can’t have an idea of the security measure. Further, the operating system doesn’t have to perform any task other than maintaining the database of each user and running the program every time one logs onto the system.

The time gap between consecutive keystrokes is a unique characteristic of the user. The typing rhythm is self-tuned by the user to suit his needs. As the keyboard has duplicate keys, the typing rhythm also depends on whether the user is a left handed person or a right-handed person.

Both the FAR and the FRR depend to some extent on the deviation allowed from the reference level and on the number of characters in the identification code. It has been observed that providing a small deviation lowers the FAR to almost nil but at the same time tends to increase the FRR. This is due to the fact that the typing rhythm of the user depends to some extent on the mental state of the user. A balance would have to be established taking both the above factors into consideration.

Keystroke dynamics include several different measurements which can be detected when the user presses keys in the keyboard. Possible measurements include:

• Latency between consecutive keystrokes.

• Duration of the keystroke, hold-time.

• Overall typing speed.

• Frequency of errors (how often the user has to use backspace).

• The habit of using additional keys in the keyboard, for example writing numbers with the numpad.

• In what order does the user press keys when writing capital letters, is shift or the letter key released first.

• The force used when hitting keys while typing (requires a special keyboard).


When a user types his authentication code, there exists a particular rhythm or fashion in typing the code. If there does not exist any abrupt change in this rhythmic manner, this uniqueness can be used as an additional security constraint. It has been proved experimentally that the manner of typing the same code varies from user to user. Thus this can be used as a suitable biometric. Further, if the user knows beforehand about the existence of this mechanism, he can intentionally introduce the rhythm to suit his needs.

The mechanism: As the user logs onto the system for the first time, a database entry is created for the user. He is then put through a training period, which consists of 15-20 iterations. During this time, one obtains the inter-stroke timings of all the keys of the identification code. The mean and standard deviation of the above code are calculated. This is done in order to provide some leverage to the user typing the code. The system has to incur the additional overhead of maintaining the database, which would contain all the user’s information. These details can also be incorporated onto the system’s password files in order to save the additional overhead incurred.

The inter stroke interval between the keys is measured in milliseconds. The system’s delay routine can be used to serve the purpose. The delay routine measures in milliseconds and the amount of delay incurred between successive strokes can be used as a counter to record this time interval. Like any other normal system, a new user is asked to register in order to add his name onto the database. The only difference that exists now is that he would have to go through a training period of about 15-20 iterations wherein one obtains the reference level and the deviation for the user. The reference level that we chose is the mean of the training period and the rounded standard deviation is used as the leverage allotted per user. These values are fed into the database of the user.

Are you interested in this topic.Then mail to us immediately to get the full report.

email :-

Related Seminar Topics