KeyTrac User Identification

Secure user identification by analyzing typing behavior


Problem
To ensure the success of e-commerce processes, an effective risk management strategy, the protection of sensitive data
and the efficient detection and prevention of online fraud are essential. This requires a reliable method for verifying the identities
of online customers. The leading e-commerce providers use
usernames and passwords for this purpose. Yet as a method for
the foolproof identification of persons in online environments, this is
weak and is, for the most part, not well-suited for detecting and
preventing fraud.

Problems with password-based identity verification:

Passwords can be passed on to others.
Users select passwords that are too simple and insecure.
Passwords can be easily stolen.
Online registrations can be forged using data that is fake or copied.

Alternative authentication solutions such as hardware tokens, one-time passwords, public key infrastructures or fingerprint readers are very expensive, involve a great deal of organizational complexity and are cumbersome for end users to use. The use of these solutions leads to a massive reduction in conversion.

Traditional keyboard biometrics
Methods developed in the field of keyboard biometrics are able to
identify a person by the way he or she types on a computer keyboard. No additional hardware needs to be purchased or used,
thus making it possible to integrate this security technology very
easily and inexpensively. Keyboard biometrics has already been
used successfully in practical applications for several years. However, these sorts of traditional typing biometrics have one major
drawback, which is why they can only penetrate a small market.
They use predefined text templates that have to be typed by all
users over and over again. Each user must always type the same
text in order to be identified. This disrupts smooth and speedy interaction with the customer.

Solution: KeyTrac background text recognition
The KeyTrac system identifies persons by the way they type on a computer keyboard, with impressive recognition
ability. Unlike traditional methods, KeyTrac works with any text the user enters, thus making it the first method able
to analyze any text input in the background, without disrupting the work flow of the end user.

The solution can be integrated into any existing input form, for example:

in the registration form used to create an account
when entering address and banking data
when entering product descriptions for online auctions
when writing forum posts
when rating articles or providers

It is also possible to evaluate keyboard input when working with standard applications (e.g. e-mail programs, Office
solutions). The concealed background recording, combined with the high level of security, offers a number of attractive options for implementing the system in e-commerce applications, something that would not be possible using
traditional keyboard biometrics.

Use case: fraud prevention
Payment providers and online retailers operate complex risk management systems that help to recognize stolen payment data or identify
fraudsters who create user accounts using fake names. The KeyTrac system is able to identify these fraudsters based on the way they type, if
they create a new fake account or use stolen login data or payment details.

Use case: duplicate registrations recognition
Users often forget their login details for online portals, which is why they often simply create a new account with
different user details. The provider incorrectly assumes a new account has been registered, thus resulting in unnecessary costs (e.g. for credit and address verification). In addition, the customer's usage habits can therefore no longer be tracked. KeyTrac makes it possible to detect duplicate registrations and to consolidate multiple accounts.

Use case: intrusion detection
KeyTrac can permanently monitor a computer in a way similar to virus scanners,
thus making it possible to determine whether the user who is logged into the system is actually working on the computer, or whether a different person is typing
on the computer. If a stranger is detected, the computer can be automatically
locked (user is prompted to authenticate again), or the event can be logged or an
alarm triggered.

Use case: e-mail and document signatures


Based on his or her typing habits, the user "signs" by the mere act of
typing the text of the message or document. KeyTrac is able to verify
the authorship in the same way as a digital signature. This is used for
business correspondence or for e-learning tests and online surveys.

Use case: resetting passwords


The user's typing profile is recorded in the background while he or she uses a
secure, internal area of a web portal (e.g. when using a webmail client). If the
user forgets his or her password and cannot log in, he or she types a short piece
of text on a special "forgot-your-password website" in order to be identified. This text is compared with the typing profile previously saved. If the identity
is verified successfully, a new password can be assigned in self-service mode.
This method can also be combined with other solutions used to reset passwords
(e.g. knowledge check question, e-mail reset).

Use case: password hardening
KeyTrac can monitor and analyze the input of a secret password, meaning that the way the password is typed must
also match the typing behavior of the authorized user. Since the typing behavior cannot be given to others or imitated, only an authorized person can be granted access. This also prevents multiple users from sharing an account by
giving out the password. Stolen login credentials can also be invalidated in this way. And it is possible to record the
keystroke data in a way that prevents the password from being reconstructed.

Create a KeyTrac profile
Creating a KeyTrac profile requires four steps:

The user types any desired text into a form or other application. The keystrokes are recorded in the background on
the client side (see "Recording the keystroke data"). This data is transmitted to the KeyTrac Core Engine (server side). There,
the KeyTrac profile is calculated on the basis of several attributes that are extracted from the recorded keystrokes. The KeyTrac Core Engine produces the user's typing profile as a result, which is saved in a
database or a filesystem with a reference to the owner of the typing profile.

Identifying a user with the KeyTrac profile comparison


There are four steps involved in comparing a KeyTrac profile to newly recorded keystroke data:

During the identification process an unknown user types any piece of text into a form or other application. Again, the
keystrokes are first recorded in the background on the client side (see recording of the keystroke data) and then
transferred to the KeyTrac Core Engine (server side). Next, the KeyTrac profiles are loaded from the database, and
the KeyTrac Core Engine compares them with the recorded keystroke data. Depending on the application, all KeyTrac
profiles (duplicate registrations recognition), only certain profiles (fraud prevention) or only a single profile (intrusion
detection) are checked. KeyTrac is able to perform approximately 1,000 profile comparisons per second on a conventional server system. In load balancing environments, this capacity can be greatly increased. The KeyTrac Core Engine
determines a probability (biometric score) for the match with each individual profile. When the value exceeds a certain threshold defined for the specific application, the user has been identified successfully. Defining an appropriate
threshold value makes it possible to scale the level of security as desired.

Recording the keystroke data

The KeyTrac recording module is integrated into an existing form or into a standalone application. From this time on,
the keystrokes that users make while typing are recorded in the background. This involves the recording of each individual key with the time it is pressed and the time it is released. This is how the biometric keystroke data originates.
The recording works with millisecond accuracy [1] on all common operating systems. Password hardening involves using an adapted version of the keystroke data recording, which prevents the password from being reconstructed from
the keystroke data.
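
The recording and threshold comparison described above, sketched as an added example; it is not KeyTrac's code or algorithm, which this document does not disclose. The event shape, the dwell/flight features, the scoring formula and `toleranceMs` are assumptions chosen for illustration.

```javascript
// Added illustration: generic dwell/flight-time matching, not KeyTrac's algorithm.
// Assumed event shape: { code, down, up } = keycode, press time, release time (ms).

// Key features by keycode (dwell) and keycode pair (flight) so any text can be compared.
function extractFeatures(events) {
  const ev = [...events].sort((a, b) => a.down - b.down);
  const feats = new Map();
  const add = (k, v) => feats.set(k, [...(feats.get(k) || []), v]);
  ev.forEach((e, i) => {
    add(`dwell:${e.code}`, e.up - e.down); // how long the key was held
    if (i > 0) add(`flight:${ev[i - 1].code}>${e.code}`, e.down - ev[i - 1].up);
  });
  return feats;
}

// A profile is the mean of every feature observed during enrolment.
function buildProfile(events) {
  const profile = new Map();
  for (const [k, vals] of extractFeatures(events)) {
    profile.set(k, vals.reduce((s, v) => s + v, 0) / vals.length);
  }
  return profile;
}

// Score in [0, 1]; 1 means identical timing on every feature shared with the profile.
// toleranceMs (hypothetical tuning value): per-feature deviation that contributes 0.
function score(profile, events, toleranceMs = 100) {
  let total = 0, shared = 0;
  for (const [k, mean] of buildProfile(events)) {
    if (!profile.has(k)) continue;
    total += Math.max(0, 1 - Math.abs(mean - profile.get(k)) / toleranceMs);
    shared++;
  }
  return shared === 0 ? 0 : total / shared; // no overlapping features: no match
}

const identify = (profile, events, threshold) => score(profile, events) >= threshold;

// Constructed sample data: every key held `dwell` ms, with `gap` ms between keys.
function typed(codes, dwell, gap) {
  return codes.map((code, i) => {
    const down = i * (dwell + gap);
    return { code, down, up: down + dwell };
  });
}
const CODES = [72, 69, 76, 76, 79];
const profile = buildProfile(typed(CODES, 90, 60));
console.log(score(profile, typed(CODES, 95, 65)).toFixed(2));   // same typist
console.log(score(profile, typed(CODES, 160, 150)).toFixed(2)); // different typist
```

The score uses only features present in both the profile and the new sample, so a short sample with few overlapping keys gives little evidence either way.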

Available recording modules:

Javascript (HTML forms, web applications)
Adobe Flash
Microsoft Silverlight
Java AWT / SWT, Java-Applets
Microsoft .NET
C / C++

International use
The text that is typed in and the characters of the specific keys are irrelevant for KeyTrac. Instead, the system uses what
are known as keycodes, which uniquely identify the keys on the keyboard. This allows KeyTrac to be used
easily with any international keyboard layout. The following illustration shows how keycodes are assigned to the
individual keys.

[1] The time resolution between two keystrokes is generally 15.625 ms.

Security and recognition quality


The recognition quality of KeyTrac depends on the length of the text that is recorded and the specific application.
KeyTrac is able to distinguish people on the same level as that of a fingerprint recognition system. Please contact us
to discuss your particular use case.

Demo application
To test KeyTrac online, visit www.keytrac.de.
For the test, you must first enter any short piece of text you wish. In a second step, you can test how well you are
recognized by KeyTrac. Here you can also ask someone else to type for you in order to test the reliability of the system. It will then become clear to you how secure your typing profile is.
Note: Please remember that in a practical application the keystroke data is recorded in the background. The user will
not be prompted to enter a piece of text, as is the case with the demo application here.

Contact
TM3 Software GmbH
Dr. Thomas Wölfl
Bruderwöhrdstr. 15b
93055 Regensburg, Germany
E-Mail: info@keytrac.de
Phone: +49 941 - 604 889 -741