The authors present a thorough and useful description of their work on the use of keystroke latencies (the intervals between successive keystrokes) to authenticate the identity of a computer user. Their approach requires each user to enter four strings at logon: identifier, password or personal identification number (PIN), first name, and last name. The experiments employed relatively few people with many shared characteristics: they were “university students or staff” and “between the ages of 20 [and] 45.” With this limited population, they were able to achieve simultaneous error rates of 1 percent false acceptances, representing successful impersonations, and 7 percent false rejections, representing unsuccessful accurate claims of identity. The authors say, “A false alarm rate of 5 percent could well be acceptable since it would be nothing more than a nuisance in that a genuine user would, on the average, fail to get access to the system 1 out of 20 attempts.” This contradicts McEnroe and Verschoor [1], who report that false rejection is more important than false acceptance in the very industry--banking--that is the authors’ focus. The authors apparently give little weight to the likelihood that users whose integrity computers seemed to question might take their accounts to places where the computers’ behavior was less offensive. They recommend use of keystroke latencies in conjunction with “secret information.” This would permit tuning of their method to a rather higher false acceptance rate and a more user-friendly false rejection rate, while the password was used to reduce the number of false acceptances permitted by the two methods together. They do not provide data on simultaneous error rates for such a combination.

A significant problem the authors mention is capture of timing data from devices attached to a time-sharing system. The solution they mention, borrowed from a patent, is capture of timing data within a terminal.

The authors say that keystroke latencies are among “actions,” such as signature dynamics, that can contribute to identity authentication. Other authors use the term “biometric” to refer to both actions and what Joyce and Gupta call “physiology,” such as voice, then evaluate each biometric technique against all the others. By distinguishing between actions and physiology and saying, inaccurately, “To date, the ‘actions’ category has been virtually ignored,” the authors place their method in a category by itself and avoid having to make such useful comparisons.