Patricia Loring, a research associate at Carnegie Mellon University, presses tiny blue dots on my fingers and the back of my hand. She tells me to adjust the keyboard as she maneuvers three webcams. On a monitor, I see a split screen, displaying images of my hands and posture (which is terrible). The blue stickers make it easier for the cameras to record my finger movements.
She tells me to look at a picture, Norman Rockwell’s Girl with Black Eye, and compose an email about it. I must type uninterrupted until I fill a text box, which probably holds about 400 words. I cannot talk and she tells me to not worry about my grammar or errors.
I am typing as a participant in a study led by Roy Maxion, a PhD research professor of computer science at CMU. He thinks that typing rhythms and the timing of keystrokes might be able to be used as a biometric, adding another level of security to computers. Keystroke biometrics could also be used in criminal cases.
Computer scientists have known about keystroke biometrics for years, but the research has been conducted in a haphazard way. Maxion is taking a fresh look. If the theories are correct, each person’s typing rhythm is different. Nobody could mimic another person's rhythm.
Since the 1800s and the rise of the telegraph, there has been evidence that each individual possesses a unique typing style.
“The original idea came from the 1800s with the telegraph—one person could tell who was on the other end of the line because of the rhythm of the dots and dashes,” Maxion says.
During World War II, telegraph operators transmitted covert messages using Morse code. While each side used encrypted messages, the British still listened to the German cables and soon discovered they could identify certain telegraph operators by their typing rhythms, what telegraph operators (and ham radio aficionados) refer to as an operator’s fist. After realizing what operator was attached to what battalion, the British could track the German troop movement—even though they didn’t understand the messages.
In the 1970s, a researcher with the Rand Corporation produced a small study on keystroke rhythms. The researcher looked at six different typists, noticing each one had a different tempo and he could identify each by their typing beat. In the following decades, researchers replicated the studies, but sometimes there were too many variables. For example, some researchers ask participants to log into a site from their home computer to type, but this presents a problem. “Everyone has a different keyboard so you don’t know if the keyboard influences typing,” Maxion explains. (The keyboard in Maxion’s lab felt tight, which probably slowed my typing.)
Maxion conducts a variety of different experiments to determine typing rhythm. In one set, he asked a number of subjects to come to the lab and learn a password, which is 10 characters long. At first, all the subjects struggle to learn the string of characters, but soon they do, a pattern emerges—each person’s beat is different. Of 28 people typing the 10-character passwords, Maxion can identify typists with 99.97 percent accuracy. Even though this is an incredibly low error rate, Maxion feels he cannot say with certainty that everyone has a unique typing style.
“Our own work would suggest that keystrokes are unique,” Maxion says. But he adds a caveat: “The more people, the more likely that two people’s typing rhythms will be too similar to tell them apart.”
By including an individual’s typing rhythm as an additional layer of protection, it makes it almost impossible for an imposter to access a computer from the keyboard login. “If you knew my password, you could access my computer,” he says. But it is exceedingly difficult (if not impossible) to mimic another’s typing cadence.
In the lab, as I typed an email to my mother about my fictitious redheaded child who'd gotten into a fight because a classmate called her a ginger, I was helping Maxion and Loring gather data for a different experiment—to see if a typist can be identified by her unique style as she types throughout the day, offering continuous re-authentication. In some high security jobs, it is important to prompt the user to re-identify herself to prevent imposters from accessing information or changing sensitive documents. This might also prove useful for prosecutors in white-collar crimes, where documents may have been altered.
After I finish weaving a tale about my imaginary offspring, Loring asks me to place my right hand on what looks like grid paper used in high school math classes. She positions my hands, spreading my fingers wider, asking me to keep my wrist straight. She snaps a picture. On to the left. My hands will join pictures of hundreds of others.
“Even the size of hands can influence keystrokes,” Maxion explains.
Loring tells me I'm a well-behaved typist—I show the hallmarks of someone who learned to type in a class. My typing teacher would be pleased.
For more information about Maxion’s research, check out his publications at cs.cmu.edu.