Estimated read time: 2-3 minutes
PROVO — Just as every person has unique handwriting, people also have unique keystrokes they make while typing on a computer. BYU researchers are using that knowledge to protect users against identity fraud.
A group of information systems professors hypothesized that people develop muscle memory when typing their own name and passwords, resulting in quicker, more fluid movements than a person would have typing stolen information.
So BYU professors David Wilson and Jeffrey Jenkins, along with University of Arizona's Joseph Valacich and Texas Christian University's David Kim, decided to base technology off that premise.
"Typing should feel different when typing your own name versus typing a stolen name," Wilson said.
The tracking system detects online identity fraud by measuring interaction behaviors the researchers called "keystroke dynamics."
The researchers refined their detection technology over four observational studies with more than 1,000 participants. The tracker correctly determined "fraudulent activity" 95.5% of the time in experiments where participants entered personal information and information belonging to others into online forms.
"When you watch how someone interacts with devices, you gain insight into mental processes," Wilson said. "Our motor movements and our cognitive activities are very intimately linked — subconsciously in many cases."
The experiment found people exhibit "very different behaviors, very different patterns of interaction," when entering their own information compared to someone else's information, Wilson said.
The identity fraud detection system is run on JavaScript, which makes it virtually invisible to users.
"The reason why this is such a compelling technology — and such a compelling idea — is that what we are measuring can be captured seamlessly by any device that can run JavaScript," Wilson said. "All of our capture technology is based on a script that's running behind the scenes in a browser. JavaScript will keep track of timings and how things are being typed and then JavaScript reports that back to our servers."
"Because there is no effect on the user experience, this technology can be used across an entire web-based platform," he added.
Wilson said this overcomes a weakness of existing fraud-detection systems, where friction is increased due to additional verification steps, causing people to be less likely to finish an application. This affects financial companies needing to accurately verify users' identities and prevent fraud, but also don't want to turn customers away through clunky application processes.
"It's a low-friction way to flag, say, the 10% most suspicious-looking applications and then have that smaller population do a few high-friction things to verify their identity," Wilson said. "And then you protect the customer experience for a majority of your customer base."
The technology provides a novel way to balance fraud defense and friction, Wilson said.
