Introduction
The advancement of information and communication technologies in support of business and individual applications is changing the way people perform routine activities. For example, it is now common for individuals to shop and conduct financial transactions online from the comfort of their home or through automated teller machines and kiosks (Gefen, Karahanna, & Straub, 2003). Relatively complex queries that previously required human intermediaries (e.g., finding all credit card transactions over the past year with a given merchant) are routinely done by end users. With the US government's recent passage of a new health care bill, which will encourage the automation of electronic medical records (Blumenthal, 2009), patients will eventually be able to access their own health records online as easily as they order a book or pay a bill.
Such ubiquitous access to personal information can provide conveniences to individual users as well as the organizations that manage the systems. But with these changes come increased security concerns. Such applications can pose significant remote user authentication challenges. It can be quite difficult for an online service provider to know with certainty the identity of the remote person they are dealing with. This becomes even more complicated with the increasing number of computer breaches in which personal user data is stolen to construct counterfeit identities used to impersonate genuine users (Identity Theft Resource Center, 2009). Likewise, the fact that medical records will be electronically accessible at all times will increase their risk of inadvertent exposure to unauthorized parties. All of this calls for more reliable authentication. But organizations must also look at ways to protect information access that do not place too much burden on the end users themselves, as this can lead to systems that are difficult to use, and perhaps ultimately not used at all (Albrecht, 2001).
Current authentication in most organizations relies primarily on passwords used in conjunction with a user login or other identifier. However, passwords have innate weaknesses. They suffer from the good password dilemma: if a password is easy to remember, it is probably also easy to guess or crack; if it is hard to crack, it is often hard to remember. A user who cannot remember a needed password tends to write it down where it can be stolen. This dilemma helps explain why about 80% of all network intrusion problems are attributed to bad (i.e., weak) passwords (O'Gorman, 2004).
An overall solution to secure information access will have to include a number of measures and countermeasures. One possible measure is to add an additional biometric “layer” to the current authentication systems. This additional layer would be difficult to separate from the genuine password owner since biometrics are more difficult to crack or forge. While there are many biometric options, this paper investigates a method which uses timing patterns made when typing passwords. Benefits of this method include low cost and transparent installation across any organization (Ord & Furnelli, 2000). Furthermore, our research results show that including key-press pressure features in addition to timing features leads to even better authentication accuracy. This will be most beneficial in situations where an organization has greater control over its information technology infrastructure (i.e., has access to keypad pressure data).
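As an added illustration (not code from the paper or its authors), the following Python sketch shows what a timing-plus-pressure verifier of the kind described above might look like: it extracts hold times, key-to-key latencies and per-key pressure from logged key events, builds a per-user template of feature means and standard deviations from a few enrollment samples, and scores a new attempt with a scaled Manhattan distance. The event format, the enrollment and probe samples, the distance measure, the 1.0 threshold and the MIN_STD floor are all assumptions made for this example, not the paper's; the impostor sample is constructed so that it matches the genuine user's timing but not the user's pressure, which is exactly the case where the pressure features add discrimination that timing alone lacks.

```python
"""Keystroke-dynamics verification with timing and key-press pressure.

Added example, not the paper's own code. Assumed (not from the paper): a keypad
logs one event per key press as (key, key_down_ms, key_up_ms, pressure), with
pressure in arbitrary sensor units. All sample data below is constructed.
"""
from statistics import mean, pstdev

MIN_STD = 1.0      # assumed floor on per-feature spread; avoids division by zero
THRESHOLD = 1.0    # assumed accept threshold on the scaled distance (lower = closer)


def extract_features(events, use_pressure=True):
    """Feature vector for one typing of the password:
    hold time per key, down-to-down latency between consecutive keys,
    and (optionally) the pressure reading per key."""
    holds = [up - down for _, down, up, _ in events]
    flights = [events[i + 1][1] - events[i][1] for i in range(len(events) - 1)]
    feats = holds + flights
    if use_pressure:
        feats += [p for _, _, _, p in events]
    return feats


def build_template(samples, use_pressure=True):
    """Per-user template: the password's key sequence plus the mean and
    standard deviation of every feature over the enrollment samples."""
    keys = tuple(k for k, _, _, _ in samples[0])
    if any(tuple(k for k, _, _, _ in s) != keys for s in samples):
        raise ValueError("all enrollment samples must type the same password")
    cols = list(zip(*[extract_features(s, use_pressure) for s in samples]))
    return {
        "keys": keys,
        "means": [mean(c) for c in cols],
        "stds": [max(pstdev(c), MIN_STD) for c in cols],
        "use_pressure": use_pressure,
    }


def score(template, events):
    """Scaled Manhattan distance: average of |x - mean| / std over all features.
    A wrong key sequence is never scored; the password check itself has failed."""
    if tuple(k for k, _, _, _ in events) != template["keys"]:
        return float("inf")
    feats = extract_features(events, template["use_pressure"])
    return mean(abs(x - m) / s
                for x, m, s in zip(feats, template["means"], template["stds"]))


def verify(template, events, threshold=THRESHOLD):
    return score(template, events) <= threshold


# Constructed enrollment samples: the genuine user typing "pass" three times.
ENROLL = [
    [("p", 0, 100, 50), ("a", 200, 300, 52), ("s", 400, 500, 48), ("s", 600, 700, 51)],
    [("p", 0, 110, 48), ("a", 210, 300, 50), ("s", 420, 525, 52), ("s", 610, 700, 49)],
    [("p", 0, 90, 52), ("a", 190, 300, 49), ("s", 380, 475, 50), ("s", 590, 690, 48)],
]
# Constructed probes: the genuine user again, and an impostor who knows the
# password and mimics the rhythm but presses the keys much harder.
GENUINE_PROBE = [("p", 0, 100, 49), ("a", 205, 300, 51), ("s", 405, 505, 49), ("s", 605, 700, 50)]
IMPOSTOR_PROBE = [("p", 0, 100, 70), ("a", 200, 310, 72), ("s", 400, 500, 68), ("s", 600, 700, 71)]

TEMPLATE_FULL = build_template(ENROLL)                      # timing + pressure
TEMPLATE_TIMING = build_template(ENROLL, use_pressure=False)  # timing only


def run_demo():
    """Decisions for both probes under both templates."""
    return {
        "genuine_timing_only": verify(TEMPLATE_TIMING, GENUINE_PROBE),
        "impostor_timing_only": verify(TEMPLATE_TIMING, IMPOSTOR_PROBE),
        "genuine_with_pressure": verify(TEMPLATE_FULL, GENUINE_PROBE),
        "impostor_with_pressure": verify(TEMPLATE_FULL, IMPOSTOR_PROBE),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

With these constructed samples the timing-only template accepts both probes, while the timing-plus-pressure template accepts the genuine user and rejects the impostor. In practice the threshold would be set from an enrollment population to trade false accepts against false rejects, and the biometric layer sits on top of the password check rather than replacing it, which is why a mismatched key sequence is never scored.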
Biometric techniques can offer distinct advantages over traditional authentication methods. However, the adoption of biometric technologies has been slower than earlier forecasted (Albrecht et al., 2003). This may be because certain issues need to be addressed before a critical mass of potential users becomes comfortable with the routine use of biometrics. Thus, the proof of concept that an effective key-press authentication system can be built does not mean the technology would be well-received by end users. For example, about fifty percent of information technologies do not get accepted by users and are considered failures; that is, they fall short of meeting the expectations set forth by technology managers (Lippert & Davis, 2006). This suggests that we need to not only demonstrate the technical feasibility of the biometric keypad, but should also go one step further and investigate whether potential users will accept such a technology. This is the goal of the survey part of this research.