computers & security 28 (2009) 85–93

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

Keystroke dynamics-based authentication for mobile

devices

Seong-seob Hwang, Sungzoon Cho*, Sunghoon Park

Seoul National University, 599 Gwanangno, Gwanak-gu, Seoul 151-742, Republic of Korea

article info abstract

Article history: Recently, mobile devices are used in financial applications such as banking and stock
Received 26 November 2007 trading. However, unlike desktops and notebook computers, a 4-digit personal identifica-
Received in revised form tion number (PIN) is often adopted as the only security mechanism for mobile devices.
2 June 2008 Because of their limited length, PINs are vulnerable to shoulder surfing and systematic
Accepted 29 October 2008 trial-and-error attacks. This paper reports the effectiveness of user authentication using
keystroke dynamics-based authentication (KDA) on mobile devices. We found that a KDA
Keywords: system can be effective for mobile devices in terms of authentication accuracy. Use of
Mobile device artificial rhythms leads to even better authentication performance.
Keystroke dynamics ª 2008 Elsevier Ltd. All rights reserved.
Artificial rhythms
Tempo cues
Biometrics
User authentication

1. Introduction by International Biometric Group as ‘‘the automated use of

Use of mobile devices is diversified more and more (Chen
et al., 2008). Cell phones and personal digital assistants (PDA)
are used for banking and stock trading nowadays. However,
there are three reasons why security of mobile devices has
a lot to be desired. First a PIN comprises only four digits, thus,
the number of candidate passwords is limited to only 10,000
(from 0000 to 9999). It is much easier for a potential impostor
to acquire the password by shoulder surfing and systematic
trial-and-error attacks. Second, mobile devices may be easily
lost or stolen because of their small sizes. For example, more
than one million mobile phones are stolen in Europe for
a typical year (Kowalski and Goldstein, 2006). Third, we tend to
lend mobile phones easily to other people, thus they are
exposed to a higher risk of surreptitious use.
Recently, biometrics has been proposed to improve the
security of mobile devices. The term ‘‘biometrics’’ is defined
physiological or behavioral characteristics to determine or
verify identity.’’ Physiological biometrics relies upon a phys-
ical attribute such as a fingerprint, a face and an iris, whereas
behavioral approaches utilize some characteristic behavior,
such as the way we speak or sign our name (Clarke and Fur-
nell, 2005). Clarke and Furnell (2007a) concluded that the two-
factor authentication, combining PIN code and biometrics,
improves the overall reliability of authentication.
Keystroke dynamics-based authentication (KDA) is one of
biometrics-based authentication methods, motivated by the
observation that a user’s keystroke patterns are consistent
and distinct from those of other users. When implemented for
mobile devices, KDA has the following advantages over other
biometrics-based methods. First, most biometrics-based
methods require an extra device, e.g. a finger-scanner or an
iris-scanner (Clarke and Furnell, 2005), which restricts
mobility as well as increases cost. On the other hand, KDA

* Corresponding author. Tel.: þ82 2 880 6275; fax: þ82 2 889 8560.
E-mail addresses: hss9414@snu.ac.kr (S.-s. Hwang), zoon@snu.ac.kr (S. Cho), shpark82@snu.ac.kr (S. Park).
0167-4048/$ – see front matter ª 2008 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2008.10.002
86 computers & security 28 (2009) 85–93
requires no additional device. Second, users tend to be reluc-
tant to provide their fingerprints or irises. On the other hand,
a user always has to type his or her password to log in, so
collecting keystroke patterns can be done without causing any
extra inconvenience to the user. Third, a scanned fingerprint
or iris requires a large volume of memory, a higher computing
power and communication bandwidth than keystroke timing
vectors. The efficiency of KDA is particularly important in
mobile environment which tends to have a smaller memory,
a lower computing power and slower wireless Internet than
a PC on the wired Internet.
Behavioral attributes are more subject to deviation from
norms than physical ones. A high variability leads to a high
authentication error. The variability is a measure of data
quality. Another measure of data quality is how unique the
typing patterns are. The more unique, the less likely the
patterns are similarly replicated by impostors. Recently, arti-
ficial rhythms and tempo cues were proposed to improve the
quality of typing patterns: uniqueness and consistency in
particular (Cho and Hwang, 2006). Improving the data quality
by decreasing variability and increasing uniqueness helps us
alleviate the weakness of a short PIN.
In this paper, we propose KDA with artificial rhythms and
tempo cues for mobile user authentication. To compare
between ‘‘Natural Rhythm without Cue’’ and ‘‘Artificial
Rhythms with Cues,’’ we completed the following tasks. First,
we implemented KDA system on a mobile phone which is
connected to a remote server through a wireless network. The
novelty detector classifier was built since only valid users’
patterns are available in practice. Second, subjects were asked
to perform enrollment, login, and even intrusion to other
subjects’ accounts. Whenever a subject types his or her
password, the typing pattern is collected, sent to a server and
stored. Third, a comparative analysis was conducted to verify
the superiority of artificial rhythms and cues over natural
rhythms without cues. We also tested hypotheses to compare
the performance involving different typing strategies.
The organization of this paper is as follows. The following
section introduces keystroke dynamics-based authentication
for mobile devices and describes our methods to improve the
quality of typing patterns. Section 3 presents the data
collected and experimental results. Finally, conclusions and
a list of future work are discussed in Section 4.
2. Keystroke dynamics-based authentication
for mobile devices
2.1. Keystroke dynamics-based authentication (KDA)
The password-based authentication is the most commonly
used in identity verification. However, it becomes vulnerable
when the password is stolen. Keystroke dynamics-based
authentication was proposed to provide additional security
(Gaines et al., 1980; Umphress and Williams, 1985). Keystroke
dynamics-based authentication (KDA) is to verify a user’s
identity using not only the password but also keystroke
dynamics. For example, a keystroke pattern is transformed
into a timing vector when a user types a string ‘‘5805’’ as
illustrated in Fig. 1. The duration and interval times are
Fig. 1 – A keystroke pattern is transformed into a timing
vector when a user types a string ‘‘5805.’’ The duration and
interval times are measured by milliseconds.
measured by milliseconds. A user can get access only if his
timing vector is similar enough to those already registered in
the server. Thus, he or she can only get access if the password
is typed with the correct rhythm.
Three steps are involved in KDA as illustrated in Fig. 2.
First, a user enrolls his/her keystroke patterns. A keystroke
pattern is defined as depicted in Fig. 1. A password of m
characters is transformed into a (2m  1)-dimensional timing
vector. A ‘‘duration’’ denotes a time period during which a key
is pressed while an ‘‘interval’’ is a time period between
releasing a key and stroking the next key. Second, a classifier
is built using the keystroke patterns. The classifier, in a sense,
is a prototype of the valid user patterns. Third, when a new
keystroke pattern is given, one will reject it as an impostor
pattern if the distance between the prototype and the pattern
is greater than some threshold, or accept it as the valid user’s
pattern otherwise.
KDA can help us improve security for various services
involving mobile devices (Hwang et al., 2007). Even when an
impostor obtains both PIN and the mobile device, KDA can still
prevent him from logging in through the strengthened
authentication process. Recently, Clarke and Furnell (2005,
2007a,b) studied user identification using KDA on mobile
devices. They utilized the keystroke of 11-digit telephone
numbers and text messages as well as 4-digit PINs to classify
users. Their identification models were based on feed forward
multi-layer perceptron (FF-MLP), radial basis function (RBF)
networks, and generalized regression neural networks (GRNNs).
Our approach is different from that of Clarke and Furnell
(2005, 2007a,b) in the following aspects. First, they built
a classifier using impostors’ patterns as well as the valid user’s
patterns. In reality, however, impostors’ patterns are not
available unless the password be disclosed to potential
impostors and their patterns are collected. Rather, we
employed novelty detection framework where only the valid
user’s patterns are used for training. Second, each user in their
experiments enrolled 30 typing patterns. In practice, users
would not endure such a long enrollment procedure. More-
over, the typing speed on mobile devices is much slower than
that on a local PC. In our study, we collected only five patterns
from each user for enrollment. We compensated the reduced
data quantity with improved data quality through use of
artificial rhythms and cues strategy. Third, they utilized
various patterns such as 4-digit PINs, 11-digit telephone
numbers, and text messages while we focused only on 4-digit
PIN since PIN has been fixed to four digits for decades. Fourth,
their subjects used an SW interface developed on a laptop
while our subjects used a real mobile phone, which is a third
 computers & security 28 (2009) 85–93
Fig. 2 – Three steps of KDA framework: enrollment, classifier building, and user authentication.
generation synchronized IMT-2000 cellular system
(CDMA2000 1xEV-DO) (Qualcomm).
2.2. Improving data quality
One way to cope with the lack of data quantity is to improve
data quality. Data quality in KDA can be measured in terms of
uniqueness, consistency, and discriminability (Cho and
Hwang, 2006). Uniqueness is concerned with how different
a valid user’s typing patterns used to build a classifier are from
those of potential impostors’. Also, consistency is concerned
with how similar a valid user’s access typing patterns are to
his enroll typing patterns. Finally, discriminability is con-
cerned with how well access typing patterns and impostor
typing patterns could be separated. The definition of
discriminability implies that two possible approaches exist to
improve discriminability. The first is to improve uniqueness,
and the second is to improve consistency.
As one way to improve uniqueness, it has been proposed to
type a password with artificial rhythms reproducible by the
valid user only (Cho and Hwang, 2006). Table 1 represents
various artificial rhythms to increase typing uniqueness. In
this paper, pauses are selected among various artificial
rhythms since they are simple and easy to control. A user
inserted a number of intervals where deemed necessary to
make the timing vector unique. As shown in Fig. 3, ‘‘5805’’ can
be typed as ‘‘5_ _ _80_ _5’’ with a three beat long pause between
‘5’ and ‘8’, and another two beat long pause between ‘0’ and ‘5.’
There are many combinations of inserting pauses in terms of
Table 1 – Various artificial rhythms.
Artificial Rhythms Advantages
Pauses Flexible
Musical rhythm Consistent, Easy to remember
Staccato Consistent
Legato Consistent
Slow tempo Flexible
87
the positions and lengths of pauses. The more combinations
there are, the harder an impostor can guess it correctly.
In order to prevent pauses from being inconsistent, tempo
cues are provided (Cho and Hwang, 2006). Tempo cues (Fig. 6)
work like a metronome helping the user keep the beat. Given
the tempo beat, the user only needs to remember the number
of beats for each pause. Usually, they can be provided in three
modes: auditory, visual, and audio-visual. In addition, users
are allowed to choose the tempo of the cue. It has another
advantage of improving uniqueness since only the valid user
knows the tempo.
Fig. 3 presents the timing vectors of password ‘‘5805’’ from
strategies ‘‘Natural Rhythm without Cue’’ (Fig. 3a) and ‘‘Arti-
ficial Rhythms with Cues’’ (Fig. 3b). The dotted lines represent
the enroll patterns, x, while the solid line represents the
prototype, m. Note that the timing vectors depicted in Fig. 3
were normalized, or divided by the two-norm. When
comparing timing vectors between strategies, there are
differences in terms of both uniqueness and consistency.
First, observe the intervals between ‘5’ and ‘8’ from ‘‘Artificial
Rhythms with Cues’’ are very large compared to those from
‘‘Natural Rhythm without Cue.’’ An impostor’s pattern would
be more similar to those from ‘‘Natural Rhythm without Cue’’
and it is highly likely to be distinct from those from ‘‘Artificial
Rhythms with Cues.’’ Same can be said for intervals between
‘0’ and ‘5.’ Thus, long intervals improve uniqueness of a user’s
patterns. Second, observe that the differences between the
enroll patterns and the prototype are smaller from ‘‘Artificial
Rhythms with Cues’’ than from ‘‘Natural Rhythm without
Disadvantages Remedies
Inconsistent when long Use of cues
Rhythmical sense required
Limited
Limited, Exact duration Use of cues
Inconsistent Use of cues
88 computers & security 28 (2009) 85–93

Fig. 3 – Timing vectors of a password ‘‘5805.’’

Cue.’’ Tempo cues improved the consistency of the patterns
from ‘‘Artificial Rhythms with Cues.’’
2.3. Mobile application
The experiments were performed on the third generation
synchronized IMT-2000 cellular system (CDMA2000 1xEV-DO)
(Qualcomm). The mobile device used is SAMSUNG SCH-V740
(Korean model number; Samsung Electronics website) as
shown in Fig. 4. The software authentication module was
implemented in WIPI (wireless Internet platform for interop-
erability), developed by the Mobile Platform Special Subcom-
mittee of the Korea Wireless Internet Standardization Forum
(KWISF). These are standard specifications necessary for
providing an environment for mounting and implementing
applications downloaded via the wireless Internet on the
mobile communication terminal. For more details, see the
WIPI website.
Any user authentication including KDA has two types of
error, i.e. false acceptance rate (FAR) and false rejection rate
(FRR) (Golarelli et al., 1997). One type of error can be reduced at
the expense of the other by varying a threshold. Thus, in order
to avoid effects of arbitrary threshold selection, the models
were compared in terms of the equal error rate (EER) where
the FRR and the FAR are equal. In practice, a threshold has to
be decided empirically. For a more detailed discussion of
proper threshold selection, see Fawcett (2006). Without KDA,
an impostor could login as a valid user if he knows the pass-
word, FAR ¼ 100% results. On the other hand, the valid user
will always be able to log in, which corresponds to FRR ¼ 0%,
i.e., FAR ¼ 100% and FRR ¼ 0%.
3. Performance evaluation
3.1. Data collection
A total of 25 users aged from 22 to 33 (the average is 25.3)
participated in our experiment in July 2006. In the experiment,
a 4-digit numeric PIN was used. Two strategies were
employed: ‘‘Natural Rhythm without Cue’’ and ‘‘Artificial
Rhythms with Cues.’’ The same password for each user was
used in both strategies. Each user enrolled five typing patterns
for each strategy. After enrollment, each user made 30 login
attempts using each strategy. Users were also given pass-
words of other users and told to act as ‘‘impostor’’ to those
passwords, i.e., typing it twice each. Since there are 24 ‘‘other’’
users, each user typed passwords 48 times. In summary, for

Fig. 4 – Mobile phone used in the experiment: SAMSUNG SCH-V740.

 computers & security 28 (2009) 85–93
Fig. 5 – User interface for a virtual stock exchange.
each password, we collected five enroll typing patterns, 30
legitimate access typing patterns, and 48 impostor typing
patterns.
The data above were collected from a scenario involving
a virtual stock exchange (Fig. 5). A user designs one’s own
artificial rhythm (Fig. 3) and chooses the type of tempo cues
(Fig. 6). The tempo of the cue was fixed to 500 ms for
convenience.
All users were asked the reason why a particular password
was chosen (Table 2). There are three different kinds of
reasons (see the fourth column of Table 2) for selecting
a password. First, familiar numbers were chosen such as
favorite combination, birth date, or telephone number.
Second, numbers that are easy to remember were selected.
For instance, both users 09 and 19 chose ‘‘2580’’ because that
is an ‘‘easy’’ number for them although with different reasons.
The number keys used in ‘‘2580’’ are located in the middle
column of a keypad on the mobile phone, so it is easy to type.
‘‘2580’’ is also the title of a very popular TV investigative show
in Korea, similar to ‘‘60 Minutes’’ in the US. Thus, it is easy to
remember. Third, certain passwords were chosen for no
particular reason at all. Of all users, 44% indicated ‘‘Famil-
iarity,’’ and 32% indicated ‘‘Ease,’’ while only 24% indicated
‘‘Randomness.’’ This clearly suggests that introduction of
artificial rhythms and tempo cues could enhance security.
A PIN has been fixed to 4-digits for decades and the number of
89
candidate passwords used for the mobile handset is only
10,000 (from 0000 to 9999). It is not difficult to guess a PIN
because an impostor might know the owner’s birth date or
telephone number, and a PIN easy for one person to type
would be also easy for another to type. For ‘‘Typing Hands,’’
(see the fifth column of Table 2), 68% indicated ‘‘both hands’’
while 32% indicated ‘‘one hand.’’ This implies that each user
might have a particular way to type on a mobile device as on
a keyboard.
3.2. Experimental results
We introduced artificial rhythms and cues to improve data
quality. Thus, we have to show from experiments that the
quality actually improved. Hwang et al. (submitted for publi-
cation) showed that typing patterns from ‘‘Artificial Rhythms
with Cues’’ were significantly more unique and consistent
than those patterns from ‘‘Natural Rhythm without Cue.’’
Thus, we instead here show that the authentication accuracy
improves.
Table 3 presents the authentication results from two
strategies ‘‘Natural Rhythm without Cue’’ and ‘‘Artificial
Rhythms with Cues.’’ Out of 25 users, 19 users’ EER decreased
19% on average while six users’ EER increased 4% on average.
Four users’ EER decreased to zero. Especially, the EERs of user
03 and 14 were dramatically decreased, both from 40% to 0%
90 computers & security 28 (2009) 85–93

Table 2 – User passwords and answers to questionnaire

(R [ randomness, F [ familiarity, E [ ease).
User Age Password Selection Use of Elapsed time
reason hand(s) (natural
rhythm)
(ms)

01 23 1223 R Both 1163

02 24 3143 R Both 832
03 23 0083 F (favorite #) Both 1408
04 23 1472 F (favorite #) Both 1017
05 28 7118 F (phone #) þ E One hand 897
06 23 7265 R Both 921
07 30 2385 F (phone #) Both 812
08 25 5805 F (phone #) Both 1442
09 24 2580 F (favorite #) þ E One hand 1013
10 28 3784 R One hand 1755
11 24 3579 F (a sequence One hand 1069
of odd #)
12 22 1379 E Both 671
13 25 0822 R One hand 1357
14 27 4569 R Both 1276
15 23 0203 F (birth date) Both 1222
16 24 1004 R Both 794
17 24 5472 R Both 2151
18 23 3887 F (privacy) One hand 792
19 28 2580 E Both 906
20 23 2220 E One hand 870
21 33 1133 E Both 675
22 25 1258 F (phone #) One hand 1105
23 27 5262 E Both 1020
24 30 1125 E Both 739
25 24 0305 F (birth date) Both 632

Fig. 6 – Various tempo cues. three lines change in (b). Both login and enroll distances are
very small while impostor distances are quite large. This
separation of login distances from impostor distances
accounts for perfect discrimination between legitimate user
and 34% to 0%, respectively. The overall EER decreased from
and impostors.
13% to 4% by using ‘‘Artificial Rhythms with Cues.’’
Recently, Hwang et al. (submitted for publication) found
Fig. 7 shows a detailed picture of what really happened.
that artificial rhythms and cues were particularly useful to
First, note that the classifier in our study is a very simple
distance based one. A prototype of a user’ enroll patterns is
calculated and stored. When a new keystroke pattern is pre-
sented, the distance between the pattern and the prototype is
computed. If it is small enough, access is granted. If not, it is Table 3 – The equal error rate (%) from two strategies.
not granted. In order to gain good authentication perfor- User Natural Artificial User Natural Artificial
mance, three conditions have to be met. First, enroll patterns Rhythm Rhythm Rhythms Rhythms
have to be consistent, or the ‘‘enroll distances’’ between the without with without with
prototype and the enroll patterns have to be small. Second, Cue Cues Cue Cues
login patterns have to be close to the enroll prototype, or the User 01 14 0 User 15 18 4
‘‘login distances’’ between the enroll prototype and the login User 02 0 3 User 16 6 3
patterns have to be small. Third, enroll patterns have to be User 03 40 0 User 17 8 11
unique, or the ‘‘impostor distances’’ between the enroll User 04 15 2 User 18 6 4
User 05 0 4 User 19 30 3
prototype and impostor patterns have to be large better. User
User 06 16 3 User 20 4 3
03 reduced EER dramatically through use of ‘‘Artificial User 07 4 0 User 21 12 15
Rhythms and Cues.’’ Thus, we show in Fig. 7 the cumulative User 08 18 2 User 22 28 8
distributions of the three kinds of distances, ‘‘enroll,’’ ‘‘login,’’ User 09 6 3 User 23 8 4
and ‘‘impostor.’’ In (a), login distances (black) are larger than User 10 5 3 User 24 21 2
enroll distances (blue), which means the user’s login patterns User 11 18 3 User 25 1 3
User 12 0 7 Average 13 4
are somewhat different from the enrolled patterns. The real
User 13 23 8 Min 0 0
reason for user 3’s large error comes from the fact that
User 14 34 0 Max 40 15
impostor distances are not large (red). Now see how these
 computers & security 28 (2009) 85–93 91

Table 5 – The average EERs (%) with respect to the

properties involving ‘‘Password Selection Reason’’ and
‘‘Typing Hands.’’
Section Natural Artificial Frequency
Rhythm Rhythms
without with Cues
Cue

Password Familiarity 14 3 11/25

Selection Ease 10 5 8/25
Reason Randomness 13 4 8/25
One hand vs. One hand 11 4 8/25
both hands Both hands 14 4 17/25

difference between typing hands. Also, when the users

employed ‘‘Artificial Rhythms with Cues,’’ average EER was
less than 5% for all cases. These results are comparable to
those reported in Hwang et al. (submitted for publication)
where authentication accuracy was greatly improved with
a PC keyboard by employing ‘‘Artificial Rhythms and Cues.’’
We tested hypotheses to compare the performance
Fig. 7 – Cumulative distributions of ‘‘enroll’’ (black), ‘‘login’’
involving different passwords and different typing strategies.
(blue), and ‘‘impostor’’ (red) distances when (a) ‘‘Natural
Specific hypotheses and p-values are summarized in Table 6.
Rhythm without Cue’’ and (b) ‘‘Artificial Rhythms with
Only the 1st H1 hypothesis was accepted with p-value of 0.0002
Cues’’ strategies were employed, respectively.
while all the others were rejected. The results indicate that the
EERs using ‘‘Artificial Rhythms and Cues’’ clearly decreased
compared to that using ‘‘Natural Rhythm without Cue.’’ We
poor typists in desktop keyboard environment. We now concluded that the effect of either ‘‘Password Selection
investigate if this is also true in mobile device environment. Reason’’ or ‘‘Typing Hands’’ was negligible on the
We call a user as a ‘‘poor typist’’ if his average elapsed time
with ‘‘Natural Rhythm without Cue’’ is greater than 1 s or as
a ‘‘good typist’’ otherwise. We identified 13 poor typists out of
Table 6 – Hypotheses and p-values involving password
25 users. The average EERs with respect to typing ability are
and typing hand(s).
shown in Table 4. For the good typists, the average EER from
Hypothesis H1 hypotheses p-Value
‘‘Natural Rhythm without Cue’’ was 8% while that from
‘‘Artificial Rhythms with Cues’’ was 4%. On the other hand, for Typing strategy The average EER involving 0.0002
the bad typists, the average EER from ‘‘Natural Rhythm ‘‘Artificial Rhythms with Cues’’
without Cue’’ was 18% while that from ‘‘Artificial Rhythms is lower than that involving
‘‘Natural Rhythm without Cue.’’
with Cues’’ was 4%. Although the poor typists yielded much
For natural rhythms, the 0.2339
higher error rates when ‘‘Natural Rhythm without Cue’’ was average EER of ‘‘Ease’’ is lower
used, they became comparable to the good typists when than that of ‘‘Familiarity.’’
‘‘Artificial Rhythms with Cues’’ was used. Clearly, artificial Natural rhythms For natural rhythms, the 0.2754
rhythms and cues are particularly beneficial to the users with average EER of ‘‘Ease’’ is lower
a poor typing ability in mobile user authentication. than that of ‘‘Randomness.’’
Table 5 compares the average EERs for different password For natural rhythms, the 0.4576
average EER of ‘‘Familiarity’’ is
selection reasons and ‘‘Typing Hands.’’ For ‘‘Password Selec-
lower than that of
tion Reason,’’ the average EER of ‘‘Ease’’ was the lowest from ‘‘Randomness.’’
‘‘Natural Rhythm without Cue.’’ However, there was little For artificial rhythms, the 0.1243
difference among password selection reasons. When the average EER of ‘‘Ease’’ is lower
users employed ‘‘Artificial Rhythms with Cues,’’ average EER than that of ‘‘Familiarity.’’
was less than 5% for all cases. For ‘‘Typing Hands,’’ we Artificial rhythms For artificial rhythms, the 0.3075
average EER of ‘‘Ease’’ is lower
observed essentially the same trend. There was little
than that of ‘‘Randomness.’’
For artificial rhythms, the 0.2636
average EER of ‘‘Familiarity’’ is
Table 4 – The average EER(%) for different typing ability lower than that of
and strategy. ‘‘Randomness.’’
Typing hand For ‘‘Typing Hand(s),’’ 0.2409
Natural Rhythm Artificial Rhythms
‘‘Artificial Rhythms with Cues’’
without Cue with Cues
are beneficial to users who
Good typists 8 4 typed using both hands.
Poor typists 18 4
A bold figure indicates an accepted hypothesis.
92 computers & security 28 (2009) 85–93
Table 7 – Comparing the performance with related works.
Input string Feature
Clarke and Furnell 4-Digit PIN Inter-keystroke latency
(2005, 2007a,b) 11-Digit number Inter-keystroke latency
6-Digit text msg. Inter-keystroke latency
Hwang et al. (2007) 4-Digit PINs Duration and interval
4-Digit PINs Duration and interval
authentication. It was found from the results that the use of
‘‘Artificial Rhythms with Cues’’ improves the accuracy for user
authentication.
Table 7 compares the performance with related works. The
experiments of Clarke and Furnell (2005, 2007a,b) involving 4-
digit PINs resulted in EERs ranging from 9% to 16%. When the
users adopted the ‘‘Natural Rhythm without Cue,’’ we
obtained the EER of 13%, which is similar to the ones from
Clarke and Furnell. When they employed ‘‘Artificial Rhythms
with Cues,’’ however, we found that the error was reduced to
3%. Given the very small number of patterns for training (or
validation), we found that ‘‘Artificial Rhythms with Cues’’ did
improve authentication accuracies significantly.
4. Discussion and conclusions
For decades, the mobile environment has stabilized with
stunning speed. Accordingly use of mobile devices, such as
cell phones and personal digital assistants (PDAs), is diversi-
fied. However, PINs are still adopted as the only security
mechanism for those mobile devices. Because of their limited
length and alphabet, PINs are susceptible to shoulder surfing
and systematic trial-and-error attacks. This paper investi-
gated the effectiveness of user authentication using keystroke
dynamics-based authentication (KDA) on mobile devices. In
particular, we utilized artificial rhythms and tempo cues to
overcome problems resulting from short PIN length. Through
the experiments involving human subjects, we found that the
proposed strategy reduced the error from 13% to 4%.
A few limitations and future directions need to be
addressed. First, comparison research for various mobile
devices is needed to enhance the usability of KDA. Second, we
have to apply to a more diverse group of users. Although most
people make use of mobile devices, various usage-patterns
may exist. Third, we measured performance in terms of EER.
Thus, the error rates presented in the paper should be taken
only as a reference. In practice, depending on applications,
FAR may be more important than FRR or vice versa. The issue
could be addressed by proper threshold selection.
Acknowledgement
This work was supported by grant no. R01-2005-000-103900-
0 from Basic Research Program of the Korea Science and
Engineering Foundation, the Brain Korea 21 program in 2006
and partially supported by Engineering Research Institute of
SNU.
Artificial Rhythms No. of patterns for EER (%)
with Cues training (or validation)
No 30 9–16
No 30 5–13
No 30 15–21
No 5 13
Yes 5 4
references
Chen GD, Chang CK, Wang CY. Ubiquitous learning website:
scaffold learners by mobile devices with information-aware
techniques. Computers & Education 2008;50(1):77–90.
Cho S, Hwang S. Artificial rhythms and cues for keystroke
dynamics-based authentication. Lecture Notes in Computer
Science (LNCS) 2006;3832:626–32.
Clarke N, Furnell S. Authentication of users on mobile telephones
– a survey of attitudes and practices. Computers & Security
2005;24(7):519–27.
Clarke N, Furnell S. Advanced user authentication for mobile
devices. Computers & Security 2007a;26(2):109–19.
Clarke N, Furnell S. Authenticating mobile phone users using
keystroke analysis. International Journal of Information
Security 2007b;6(1):1–14.
Fawcett T. An introduction to ROC analysis. Pattern Recognition
Letters 2006;27(8):861–74.
Gaines R, Lisowski W, Press S, Shapiro N. Authentication by
keystroke timing: some preliminary results. Rand Report
R-256-NSF. Rand Corporation; 1980.
Golarelli M, Maio D, Maltoni D. On the error reject trade-off in
biometric verification systems. IEEE Transactions on Pattern
Analysis and Machine Intelligence 1997;19(7):786–96.
Hwang S, Cho S, Park S. Mobile User authentication using
keystroke dynamics analysis. In: Proceedings of the Korean
Operations Research and Management Science Society
(KORMS) conference, Seoul, Korea, 17 November, 2007; 2007a,
p. 652–655.
Hwang S, Lee H, Cho S. Improving authentication accuracy using
artificial rhythms and cues for keystroke dynamics-based
authentication, submitted for publication.
International Biometric Group. How is biometrics defined? http://
www.biometricgroup.com/reports/public/reports/biometric_
definition.html.
Kowalski S, Goldstein M. Consumers awareness of, attitudes
towards and adoption of mobile phone security. In: 20th
international symposium on human factors in
telecommunication, Sophia-Antipolis, France, 20–23 March
2006.
Qualcomm. CDMA2000 1xEV-DO overview. Available from: http://
www.cdmatech.com/download_library/pdf/QCOM_1xEV-DO.
pdf.
SAMSUNG Electronics website. http://www.samsung.com.
Umphress D, Williams G. Identity verification through keyboard
characteristics. International Journal of Man Machine Studies
1985;23:263–73.
WIPI website. http://www.wipi.or.kr/English/index.html.
Seong-seob Hwang is currently a PhD candidate in the
Department of Industrial Engineering, Seoul National
University, Korea. Before entering graduate school, He worked
as a system engineer at SAMSUNG SDS. His research interests
 computers & security 28 (2009) 85–93 93

include data mining, pattern recognition, and their journals and proceedings. He also holds a US patent and
applications. a Korean patent concerned with keystroke-based user
authentication.
Sungzoon Cho is a professor in the Department of Industrial
Engineering, College of Engineering, Seoul National Univer- Sunghoon Park received BS of Computer Science in 2005, and
sity, Korea. His research interests are neural network, pattern is currently a PhD candidate in the Department of Industrial
recognition, data mining, and their applications in various Engineering, College of Engineering, Seoul National Univer-
areas such as response modeling and keystroke-based sity, Korea. His research interests include financial engi-
authentication. He published over 100 papers in various neering and marketing applications.