
The literature discusses two types of keystroke systems for performing authentication in computer systems: fixed-text and free-text keystroke systems, also referred to as static and dynamic [18]. This section discusses the two classes in some detail, while Section 2.8 examines some of the significant studies conducted in each of them.

Fixed-text systems force users to type only a pre-defined text to produce the typing samples. The pre-defined text varies across the research in this area: some studies have used the same shared password for all users [52], while others used a different short fixed text for each user, such as the user’s name [53], log-in IDs [54] or passwords [12]. Other research utilized long phrases of fixed text [55], while others focused on short words [56]. The main function of fixed-text systems is to apply the authentication scheme at log-in time in order to verify the user’s identity at the beginning of the session only [19]. This is done by forcing the user to retype their password, or any predefined text, a number of times at the enrolment phase in order to determine the user’s typing rhythm for that specific password. This is considered a critical usability issue because of the extra load it places on the user. In addition, the user still needs to memorize the predefined text in order to use it at each log-in. Generally speaking, fixed-text keystrokes are mainly used for strengthening passwords [13, 57].

When the user types his or her password in a fixed-text keystroke dynamics system, the system checks not only the accuracy of the password but also the manner in which it was typed. Although Monrose et al. [13] have demonstrated that keystroke dynamics can protect even weak passwords against brute force attacks, Song et al. [58] noted that if the time between the keystrokes is exposed whilst the user types a certain password, it will considerably reduce the effort and time that it will take an attacker to guess the password using a brute force attack. A valid solution for this problem is to use encryption to conceal the keystroke latency time, as done in [59].

The issue of the user’s increased familiarity with the password after using it for a considerable amount of time was pointed out in [34]. This causes the user’s typing pattern to change and the overall typing speed to increase, which will negatively affect the authentication process. Moreover, the authors of [60] indicated the problem that occurs when a user wishes to change his or her password. In that case, the system will need to re-learn, which requires the user to go through the enrolment process again and re-type the new password repeatedly every time the password is changed.
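An added example, not code from the cited studies: a fixed-text verifier that enrols a template from repeated typings of one password, accepts a log-in only when both the text and the typing rhythm match, and shows a practised (faster) genuine user being rejected. The scaled Manhattan distance, the 5 ms deviation floor, the 2.0 threshold and all timing data are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def features(events):
    """events: (key, press_ms, release_ms) tuples in typing order.
    Returns dwell times (key held) then flight times (release -> next press)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enrol(samples):
    """Template = per-feature mean and spread over the repeated enrolment typings."""
    cols = list(zip(*(features(s) for s in samples)))
    # Floor the spread (assumed 5 ms) so a very consistent key cannot dominate.
    return [mean(c) for c in cols], [max(pstdev(c), 5.0) for c in cols]

def score(template, attempt):
    """Mean scaled Manhattan distance; lower means closer to the enrolled rhythm."""
    means, devs = template
    f = features(attempt)
    return sum(abs(x - m) / d for x, m, d in zip(f, means, devs)) / len(f)

def verify(template, expected, typed, attempt, threshold=2.0):
    """Accept only when the text is correct AND the rhythm matches (assumed threshold)."""
    return typed == expected and score(template, attempt) <= threshold

def typing(text, dwells, flights):
    """Constructed sample data: build key events from dwell/flight times in ms."""
    t, events = 0, []
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

PASSWORD = "pass1"  # constructed
ENROLMENT = [typing(PASSWORD, d, f) for d, f in [
    ([90, 100, 110, 95, 120], [60, 80, 70, 150]),
    ([95, 105, 105, 100, 115], [65, 75, 75, 140]),
    ([85, 95, 115, 90, 125], [55, 85, 65, 160]),
]]
TEMPLATE = enrol(ENROLMENT)
GENUINE = typing(PASSWORD, [92, 98, 108, 97, 118], [62, 78, 73, 145])
IMPOSTOR = typing(PASSWORD, [140, 60, 150, 70, 160], [120, 30, 140, 60])
# Same user after months of practice: every interval roughly 25% shorter.
DRIFTED = typing(PASSWORD, [68, 75, 83, 71, 90], [45, 60, 53, 113])

if __name__ == "__main__":
    for name, a in [("genuine", GENUINE), ("impostor", IMPOSTOR), ("drifted", DRIFTED)]:
        print(name, round(score(TEMPLATE, a), 2), verify(TEMPLATE, PASSWORD, PASSWORD, a))
```

The drifted attempt scores about 4.5 against the threshold of 2.0, so the genuine user is rejected until the template is re-enrolled.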

Most of the early research in keystroke dynamics only focused on the keystrokes generated by typing fixed words, starting as early as 1975. In fact, the majority of work in the field of keystroke dynamics was performed using fixed text [18].

Free-text keystroke systems, on the other hand, do not restrict users to a particular text; on the contrary, users are given complete freedom to use any text of any length without any constraints. Free-text authentication can be carried out either periodically or continuously [4]. Unlike fixed-text, free-text systems can continue to collect the keystrokes, after successfully passing the log-in session, throughout the whole time that the user is logged in. This can then ensure the identity of the user during the full duration of that session [40]. In continuous authentication, a static authentication is performed first at log-in, and thereafter continuous authentication is carried out during the remaining time of the session. Please refer to Figure 2.2 for further details about the flow of continuous authentication. In free-text systems, the user’s typing pattern is typically monitored over several days, during which he or she is performing regular typing tasks such as writing e-mails or typing word documents. While both free-text and fixed-text systems are quite similar in the way that they utilize the key press and release times to build a user’s behaviour profile, they clearly differ in the way that the system is trained and applied [42].

In 1980, Gaines et al. [39] first utilized long text in free-text authentication, and in 1995, Shepherd et al. [61] were the first to show interest in continuous free-text authentication. In 1997, the first organized attempt to use a free-text keystroke system was conducted by Monrose and Rubin [33], where both fixed-text and free-text were used. The overall performance was not encouraging for free-text, giving only 23% correct classification, while fixed-text produced about 90% correct classification. This shows the complexity of using free-text systems compared with the fixed-text systems. Nevertheless, free-text systems have come a long way since that experiment and much better results have been obtained using more sophisticated techniques.

Figure 2.2: Continuous authentication. [Flowchart; recoverable labels: Enrolment phase (Data Collection over N days, Feature extraction, Template Creation); Static Authentication at Log-in (Data Collection, Match? Y/N, Reject); Continuous Authentication (Data Collection, Continuous verification, Match? Y/N, Reject).]

Free-text keystrokes suffer from producing extremely long character streams, which have to be profiled in the most generalised manner over the whole system [62]. In addition, they are subject to more noise, since it is more likely for the user to introduce pauses in longer typing tasks compared with short and familiar passwords in the case of fixed-text keystrokes [62]. Furthermore, the usefulness of free-text keystroke systems has decreased since the development of the Graphical User Interface (GUI), which resulted in reducing the amount of typing that a user goes through when using his or her PC [63]. In contrast to console systems, such as MS-DOS, in which users type commands to perform all operations, almost all operations can be performed via mouse clicks in the GUI system. This also applies to some services such as online banking, in which there is often no chance for entering text except for the time when the user logs in [4].
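An added example, not code from the cited studies: the continuous-verification stage of Figure 2.2 for free text, which profiles digraph latencies from unconstrained typing, checks the session window by window after log-in, and discards long pauses as the noise described above. The relative-deviation score, the 500 ms pause cutoff, the window size, the thresholds and the simulated typists are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

PAUSE_MS = 500    # assumed cutoff: longer gaps are pauses, not typing rhythm
MIN_SHARED = 5    # assumed minimum evidence before a window is judged

def digraphs(events):
    """events: (key, press_ms) in order. Yield ((k1, k2), latency), skipping pauses."""
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        if t2 - t1 <= PAUSE_MS:
            yield (k1, k2), t2 - t1

def build_profile(events):
    """Enrolment: mean press-to-press latency per digraph over collected free text."""
    seen = defaultdict(list)
    for pair, ms in digraphs(events):
        seen[pair].append(ms)
    return {pair: mean(v) for pair, v in seen.items()}

def window_score(profile, window):
    """Mean relative deviation on digraphs the profile knows; None if too few."""
    devs = [abs(ms - profile[p]) / profile[p]
            for p, ms in digraphs(window) if p in profile]
    return mean(devs) if len(devs) >= MIN_SHARED else None

def monitor(profile, stream, size=20, threshold=0.3):
    """Continuous verification after log-in: return the index of the first
    keystroke of the window that fails to match, or None if the session passes."""
    for start in range(0, len(stream) - size + 1, size):
        s = window_score(profile, stream[start:start + size])
        if s is not None and s > threshold:
            return start
    return None

def simulate(text, base, t0=0, pauses=()):
    """Constructed typist: deterministic per-digraph latency plus small jitter."""
    t, events = t0, []
    for i, ch in enumerate(text):
        if i:
            t += base + (ord(text[i - 1]) * 7 + ord(ch) * 13) % 60 + (i % 3 - 1) * 4
            t += 3000 if i in pauses else 0
        events.append((ch, t))
    return events

TRAINING = "the quick brown fox jumps over the lazy dog and sends an email to the team"
PROFILE = build_profile(simulate(TRAINING, base=120))
OWNER = simulate("the team sends an email to the lazy dog ", base=120, pauses={10})
# Constructed takeover: a slower typist continues the unlocked session.
INTRUDER = simulate("the quick brown fox jumps over the lazy ", base=220, t0=OWNER[-1][1] + 400)
```

`monitor(PROFILE, OWNER)` passes the whole session despite the 3-second pause, while `monitor(PROFILE, OWNER + INTRUDER)` rejects at keystroke 40, the first window typed by the second typist.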