Skip to main content

One-Finger, Two-Factor Authentication with Number Pads

Researcher: Roy Maxion

Research Area: Security of Cyber-Physical Systems


In a meeting with leaders from the financial services industry, the group concurred that the number one issue in the financial services sector is two factor authentication. This research will address two-factor authentication in a novel way that facilitates using one-finger keypads on bank machines, keyboards, cell phones and wall-mounted entry systems in an authentication scheme based on the unique typing algorithms of individual users. One authentication factor would be the password or PIN itself (perhaps in the form of a challenge string, customized for an individual user) and the second authentication factor would be the pattern or rhythm by which the user types the password or PIN.

The novel aspect of this work is to restrict user input to just the keypad, as on a telephone or a bank machine or the number pad section of a typical keyboard. While traditional work in keystroke dynamics has examined the much broader range of typing alphabetic passwords, pass phrases, and entire paragraphs of text, we will focus only on PIN-type number strings. We anticipate that users can indeed be discriminated when using a single finger to type numbers on a keypad. This anticipation is based on fundamental work in psychology where individual rhythms of finger-tapping have been used to detect subtle indicators of brain injury and of neuropsychological syndromes such as psychiatric disorders, multiple sclerosis, Parkinson's, Alzheimer's and other conditions.

The appeal of using only a number pad is that it is simple to implement and simple to test, unlike traditional keystroke applications that must span the entire range of 101-key keyboard. Success in using numbers on keypads for two factor identification can be broadened into using more of the keyboard, but that would come in a later phase.

Success criteria means meeting practical and important standards of accuracy, which requires a commercial biometric system to have a false-accept rate of less than 1% and an impostor-pass rate (IPR) of less than 0.001. We will achieve such levels or will identify the impediments to doing so. Our specific goal for this project is to make keypad biometrics reliable and stable and repeatable enough to be universally viable in two-factor authentication mechanisms. We will achieve this by gathering real-user experimental data, and applying new-wave machine-learning, feature-selection and classification techniques to that data.