Information vulnerable to data breaches includes names, addresses, dates of birth and social security numbers. Users of many websites are commonly asked to submit these details online when they set up new accounts or forget their passwords.


The team’s solution to overcome this vulnerability is to replace the existing knowledge-based authentication system with a continuous, behavior-based one. Rather than simply requiring passwords or fingerprint scans, this new behavior-based authentication system will analyze how we interact with our devices. Specifically, it will analyze how we use our keyboards, mice and mobile devices, and compile data that identify a specific user. By monitoring these unique usage patterns, this new authentication system will learn who we are and verify our identities before allowing us to continue accessing our online accounts and apps on our devices. The team has already amassed a database of approximately 12 million keystrokes and is currently collecting additional data on mouse and mobile-device usage patterns.

To demonstrate the feasibility of their proposal, the investigators used their keystroke data to test their keyboard algorithm. In this scenario, users enrolled themselves by each typing 10,000 characters on the keyboard.

Using the keyboard algorithm alone, the investigators could detect an intruder with 97 percent accuracy within three minutes. “Still, we aim to shorten this lead time in order to provide denser protection to the user,” says Hou.

What happens if an enrolled user is unusually slow in typing because of an injury, or when the user makes mistakes? The team believes that their algorithm will still be able to verify the user’s identity. “The underlying algorithm looks at more than just the typing speed. It also analyzes the user’s more subtle traits such as relative speeds between different keystroke patterns,” Hou says.

“As you change over time, your profile on your devices will have to keep up with you,” Banavar says. Future research will investigate such scenarios more closely.

Behavioral Biometrics Group
(L-R) Professors Mahesh Banavar, Stephanie Schuckers and Daqing Hou.

The researchers plan to incorporate safety features and combine these features with traditional biometrics and protections that lock a user out if the algorithm detects a certain number of mistakes in succession. This measure is similar to the one often used in classic authentication methods, when a user is locked out of an online account after entering the wrong password multiple times.
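To make the two ideas above concrete (comparing relative speeds between keystroke patterns, and locking out after a run of successive mismatches), here is an added sketch; it is not the Clarkson team's algorithm, which the article does not describe. The digraph timings, the 0.15 threshold and the three-strike limit are constructed assumptions.

```python
from statistics import mean

# Constructed samples: digraph -> key-to-key latencies in ms (not study data).
ENROLLED = {"th": [95, 100, 105], "he": [78, 80, 82], "in": [118, 120, 122], "er": [145, 150, 155]}
SLOW_USER = {"th": [160], "he": [128], "in": [192], "er": [240]}  # same rhythm, 1.6x slower
INTRUDER = {"th": [150], "he": [140], "in": [90], "er": [100]}    # different rhythm

def relative_profile(samples):
    """Mean latency per digraph divided by the overall mean, so only the
    relative speeds between digraphs remain and a uniform slowdown cancels."""
    means = {d: mean(v) for d, v in samples.items()}
    overall = mean(list(means.values()))
    return {d: m / overall for d, m in means.items()}

def window_distance(enrolled, window):
    """Mean absolute gap between enrolled and observed relative speeds,
    computed only over digraphs present in both."""
    shared = sorted(enrolled.keys() & window.keys())
    if len(shared) < 2:
        raise ValueError("need at least two shared digraphs to compare rhythm")
    ref = relative_profile({d: enrolled[d] for d in shared})
    obs = relative_profile({d: window[d] for d in shared})
    return mean([abs(ref[d] - obs[d]) for d in shared])

class ContinuousVerifier:
    """Scores each typing window; locks after max_strikes consecutive mismatches."""
    def __init__(self, enrolled, threshold=0.15, max_strikes=3):  # assumed values
        self.enrolled = enrolled
        self.threshold = threshold
        self.max_strikes = max_strikes
        self.strikes = 0
        self.locked = False

    def observe(self, window):
        if self.locked:
            return "locked"  # stays locked until re-authenticated out of band
        if window_distance(self.enrolled, window) > self.threshold:
            self.strikes += 1
            self.locked = self.strikes >= self.max_strikes
            return "locked" if self.locked else "mismatch"
        self.strikes = 0  # a matching window resets the run of mismatches
        return "ok"

if __name__ == "__main__":
    v = ContinuousVerifier(ENROLLED)
    print([v.observe(w) for w in (SLOW_USER, INTRUDER, INTRUDER, INTRUDER)])
```

Because each window is normalized by its own mean, the uniformly slower sample scores a distance near zero, while the sample with a different rhythm exceeds the threshold regardless of its overall speed.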

The team also plans to include a “transfer learning” feature in the algorithm that will allow user profiles to be transferred from one device to another, even when the types of data collected are different, such as keystrokes and mouse usage versus swipes and gestures.

The team is collaborating with several companies through Clarkson’s Center for Identification Technology Research (CITeR), a National Science Foundation Industry/University Cooperative Research Center, of which Schuckers is the director. The investigators believe that these collaborations will help them fine-tune their algorithm design and help protect data in today’s digital world.