DARPA Develops Keyboard Security System

KeyboardThe rhythm, timing and tactile characteristics of how a person types on a computer keyboard or presses keys on a smartphone screen can be used to verify identify and prevent hacking and computer fraud, according to an ongoing project with the Pentagon’s research arm and Louisiana Tech University.

Computer scientists with Louisiana Tech University are working on a collaborative project with the Defense Advanced Projects Research Agency, or DARPA, to refine algorithms able to authenticate computer and smartphone users. This is the sort of project that could release the military from having to use Common Access Cards to access government computers.

“We build a digital signature for someone. That digital signature captures the way a person interacts with the device. As you use the keyboard, algorithms that we have and software that we have verifies that you are the person using the keyboard. We can continuously authenticate,” said Michael O’Neal, a professor of computer science at Louisiana Tech University.

Louisiana Tech is  six months into the program with DARPA, but computer scientists there have spent more than 10 years working on the theoretical foundation for the technology.

“One way to think about it is my hand and your hand are different. My muscle memory and your muscle memory are different — so if I type the word ‘the,’ I will hold down the ‘T’ for a different amount of time. The timing and the spacing between the ‘T’ and the ‘H’ when I type will be different than when you type. We use those low level characteristics to build a model of how you interact with the keyboard,” O’Neal said.

O’Neal said the technology, which is currently about 95-perecent accurate, could have implications for securing military computers or even something like online banking.

“Passwords are too insecure. This is another way of authenticating that a person is the person who is using the device,” he added.

Similar technology is also being applied to smartphones, wherein a user’s swiping, typing, holding and even walking patterns can all be used to verify identify and therefore increase security.

In fact, the way someone holds a smartphone and types and swipes on the screen can all become part of security-minded algorithms designed to prevent the wrong person from using the device, said O’Neal and Vir Phoha, a computer science professor at Louisiana Tech University.

The algorithms can even calculate the precise gait and step with which a person walks in order to establish that the right person is walking with the phone. The algorithms are engineered to store the speed, timing and direction of swiping patterns as well as typing patterns and movements such holding the phone and even walking, Phoha explained.

“With mobile devices you can use the accelerometer and gyroscope to look at the way a person holds a phone and how they move the phone. In about 10 to 15 steps we can determine that you were not walking with your phone,” Phoha said. “The system is very robust against attacks.”

Referred to as behavioral biometrics based on behavior patterns, this type of authentication is designed to provide security without needing an external or physical device such as an iris scanner or fingerprint machine technology.

“We’re looking to find partners that are interested in this technology. We’re ready now to start building systems to utilize the technology,” Phoha said.

About the Author

Kris Osborn
Kris Osborn is the managing editor of Scout Warrior.
  • Uncle Bill

    Game changer. Again, increasing processing power has changed the rules.

    • William A. Peterson

      Uhmm, maybe, but more likely a disaster. Sure, it might work well 98% of the time, in peacetime, in most non-combat situations… and that’s worthwhile! But…
      What happens, in a combat situation, where the user is wounded, and the pain is throwing off his typing rythym? Is he left unable to identify himself, to call for help, or to report his position? For that matter, what happens if the peacetime soldier tries using it while suffering from a hangover? Not saying it’s doomed, just saying these questions need to be answered…

    • Nah

      Here’s the change: the tax payers just got screwed out of yet another pile of hard earned money. Got that Uncle BillS?

  • hibeam

    Can this new keyboard analysis software detect when a bonehead is putting the name of a CIA agent in an open e-mail? That would be a very useful feature in this administration.

  • Beno

    That is Idiotic. I cut my finger yesterday and cant use my fingerprint scanner with that finger. Can you imagin how a sprained wrist, or tennis elbow, never mind phycological effects of engament will mess with you typing rhythem !?!?!? what !

  • Dr. Judson

    I agree with Beno regarding “DARPA Develops Keyboard Security System” DARPA should have more important items to research than keyboard usage style.

  • Riceball

    This is pretty cool, sort of reminds me of how back in the days of MORSE each operator had his/her own distinct “signature” in the way they tapped out their messages. I think that this tech has some real potential.

  • JohnB

    A keyboard that can smell people ‘s odor would be more useful.

    • Isoroku Yamamoto

      Seat-bottom sensor?

  • Chris

    just like the old CW or Morse you could tell who was sending when you got good at it, this does look good

  • Mary ringo

    All the posts you have received are excellent, this has been tried before with poor results, we are each unique – encryption….counting, rythm, and mechanicalism is done by the brain, if you can keep the brain from maniuplating our hands then you may have something, there is an algorithm with the subconscious.

  • Isoroku Yamamoto

    If this “works” as well as predictive text we are doomed!

  • William

    The real question is how hard is it to duplicate someone else’s patterns or more seriously how hard is it to write some code that “tries all the patterns”. It would seem to be subject to the same brute force attacks that try all the possible passwords.

  • Mike

    With due respect folks, I am not a tech expert, nor qualified to give anyone a clear cut answer nor share my opinion about a topic that is of great concern to me and many others I’m sure, ”catching cyber hackers”! Here is a scenario in a ”nutshell”. Nobody on this Earth wants to feel violated by cyber hackers, who are in some ways worst than bank robbers, burglars & thieves! Just like there are ”mouse traps”, ”fish hooks”, are used to lure in rodents or a nice ”catch of fresh salmon” as an analogy, so there should be a ”cyber hacker trap”, which will signal a ”red flag” to the Cyber Authorities, right under the hackers nose, without the criminals knowing that they have just been caught with ”their pants down”, sort of speak! Before the cyber hacker is even aware of what hit them, they are arrested, & if they are overseas, extradited to the Authorities who are in charge of Cyber Division Team that has full Diplomatic Immunity, to bring any ”cyber hacker” around the Globe, who dare prey on anybodys personal privacy!