Reading the rhythms of your keyboard
Crumbs in the keyboard or questionable web browsing history aren’t the only ways to tell who’s been using your computer. A newly patented biometric technology makes it possible to identify the person at the monitor based on keystroke habits and mouse movements alone.
Potential for the technology, developed over the last 12 years by Issa Traore, University of Victoria professor in the department of electrical and computer engineering and his former PhD student Ahmed Ahmed, reaches well beyond the realm of surveilling a home office. The security of Internet banking, military communications and online testing stand to be revolutionized through the technology.
It works by capturing and profiling user rhythms on the keyboard and mouse. This profile is then used to lock out any other users from that account or computer.
When applied to password logins, the security protocol can identify users within five or six seconds based on how they type in their password. Even if someone else types in your password, its unlikely they could match the subtle differences in keystroke timing and behaviour.
It can also be set to continuously monitor a computer between login and logout – an application that requires about three to seven minutes of computer use, depending on how many keystrokes or mouse movements are made.
In the event an intended user is called away from a work station and another user attempts to use the computer, the technology will immediately recognize an unintended user and lock them out.
Biometric technology, which compares physical or behavioral traits to a database, includes fingerprint, facial or retinal scans – methods of identification which can be flawed by a person’s physical, rather than behavioural changes.
"Instead of a more traditional biometric system, like retinal or fingerprint recognition, that requires expensive hardware and is limited by users only being able to access the network from a specific computer, our system can be used by anyone from any location," Traore said.
The system could solve the problem for universities of verifying student identification for high-level exams.
“This is also very accurate way of ensuring a student (taking an online exam) hasn’t given their password to someone else to take the exam, because right now we don’t have any other way to do that,” he said.
In addition to development via 200 users at UVic, Traore tested the technology with software installed on his own home computer, where his 15-year-old son was recently locked out after he attempted to login under another family member’s unrestricted user account.
The system has logged a 98 per cent success rate at UVic on a standard keyboard and mouse. Traore said they are working to adapt the technology to touch screens and tablet computers.
“This technology has the potential to solve a big problem and that problem is identity theft … and hacking,” said Chris Flores, industry liaison officer for UVic Industry Partnerships, an arm’s length branch of the university devoted to helping protect intellectual properties or new innovations developed on campus.
Flores assisted Traore and Ahmed in forming Plurilock Security Solutions Inc. after Traore approached UVic Industry Partnerships in 2004.
“(Plurilock) is pioneering the concept of continuous authentication technology,” Flores noted.
The technology was U.S. patent approved earlier this month, while a Canada patent remains pending.
Already it has sparked global interest from a range of investors, including Brazilian post-secondary institutions interested in online testing, and the government of Canada, where it is being considered for use in the fields of law enforcement and health care. A Japanese telecommunications company was one of Plurilock’s first clients.
Traore hopes next to apply the innovation to tightening Internet banking security.