<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Two-factor User Authentication Using Biometrics</article-title>
      </title-group>
      <contrib-group>
        <aff id="aff0">
          <label>0</label>
          <institution>National Aviation University</institution>
          ,
          <addr-line>Kyiv</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”</institution>
          ,
          <addr-line>Kyiv</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <fpage>0000</fpage>
      <lpage>0002</lpage>
      <abstract>
        <p>The article is devoted to the biometrics algorithms of authentication in web application. The authors conduct an overview of biometrics algorithms. Described benefit of most popular biometrics' algorithms and two-factor user authentication. Selected one which most prefer for web application and doesn't require additional devices. Modeled this approach and tested it on real data. The modification of the keystroke dynamics algorithm, as the collection of input characteristics on the keyboard during a visit to the site had been proposed. The authors come to the conclusion that the use of a larger set of date for training will improve the algorithm and will be possible to increase the accuracy.</p>
      </abstract>
      <kwd-group>
        <kwd>authentication</kwd>
        <kwd>biometrics</kwd>
        <kwd>keystroke dynamics</kwd>
        <kwd>machine learning</kwd>
        <kwd>optimization</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>
        Biometric data [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] allows to identify and authenticate a person on the basis of a set of
unique and specific for him identifiable and verifiable characteristics. Biometric
authentication is data comparison on a person's characteristics with that person's
biometric characteristics, that are taken to be true, to determine similarities. The
peculiarity of this comparison is that these two datasets coincide should be almost identical,
but not completely identical. This makes it possible use different methods to improve
and compare biometric methods. The reason is that biometrics, even one person,
almost cannot match by 100%.
      </p>
      <p>The initial model is first stored in a database. Person who try to be authenticated is
“visitor”. Stored data is then compared with the biometric characteristics of the
“visitor”. Because the biometric characteristics are unique to everyone, they cannot be
seen or stolen.</p>
      <p>In order to be able to identify the individual, the first thing you need to do is to get
the data from that user. The data obtained depend entirely on the method by which the
user will be identified. For example, for the voice recognition it can be a record of
their voices, for the face recognition it can be a photo of their face. These data are
then compared with the biometric data which person provide to special device, which
can read out the information.</p>
      <p>In a fast moving world, biometrics has quickly established itself as the most
appropriate means of identification and authentication of individuals, as it is a fast way to
use unique biological characteristics.</p>
      <p>Today, this technology is used in many areas, such as web applications, specially
protected objects, mobile access and others.</p>
      <p>Please note that the first paragraph of a section or subsection is not indented. The first
paragraphs that follows a table, figure, equation etc. does not have an indent, either.</p>
      <p>Subsequent paragraphs, however, are indented.
2</p>
    </sec>
    <sec id="sec-2">
      <title>Types of biometric</title>
      <p>
        Biometrics [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] is a science that analyzes the physical or behavioral characteristics
inherent in each individual in order to be able to authenticate their identity. To
describe biometrics in simple terms, we would describe it in such words as
"measurement of the human body". Main characteristics on Fig 1.
      </p>
      <p>There are two categories of biometric technologies: physiological and behavior
measurements.</p>
      <p>
        The physiological measurements can be either morphological or biological [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ].
They consist mainly of fingerprints, hand, finger, vein, iris and retina, and face shapes
for morphological analysis.
      </p>
      <p>
        The most common behavioral measurements [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] are voice recognition, signature
dynamics (pen speed, acceleration, pressure, tilt), key dynamics, how to use objects,
gait, step sound, gestures, etc.
      </p>
      <p>The various methods used are the subject of constant research and development
and are, of course, constantly being improved. However, not all measurements have
the same level of reliability. Physiological measurements are generally considered to
have the advantage of remaining more stable throughout a person's life.
3</p>
    </sec>
    <sec id="sec-3">
      <title>Biometric authentication</title>
      <p>
        Biometric authentication [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ] devices use physical and behavioral characteristics such
as fingerprints, facial patterns, iris, keyboard or retina handwriting to verify a user's
identity. Biometric authentication is becoming increasingly popular for many
purposes, including network logon. As it is hard to always carry with yourself special
devices to confirm the authenticity of the identity.
      </p>
      <p>A biometric template or identifier (a sample known to belong to an authorized
user) should be stored in a database so that the device can compare it with the new
sample received during the login process. Biometric data is often used in combination
with smart cards in highly secure environments. The most popular types of biometric
devices are:
 Fingerprint scanners
 Facial pattern recognition devices
 Hand geometry recognition devices
 Iris scan identification devices
 Retinal scan identification devices
 Keystroke Dynamics</p>
      <p>
        Behavioral key biometrics [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] uses a manner and rhythm in which individual
characters are printed on the keyboard. The rhythms of user key presses are measured to
develop a unique biometric template of the user's text set for subsequent
authentication. Vibration information can be used to create a template for future use in both
identification and authentication tasks.
      </p>
      <p>
        For web applications on of the best approach of two-step authentication is
keystroke dynamics. Mainly, because this method requires only keyboard. Everyone has
their own unique handwriting, which is very difficult to forge. The same can be said
about keyboard handwriting. The main idea of this method is on Fig 2.
The dynamics [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] of key presses usually includes analysis of characteristics such as
the duration of key presses or groups of keys and the delay between successive keys,
i.e. the time elapsed between one key and the next.
      </p>
      <p>Typically, all keystroke evaluations include (1) a set of subjects to collect data and
provide them with input assignments, (2) recording of keystroke times, (3) retrieval of
elements suitable for training and testing the classifier, (4) training the classifier using
one part of the printed data, and (5) performance testing of the classifier using another
part of the printed data.</p>
      <p>Before discussing the approaches used by researchers in the dynamics of
keystrokes, the features that can be extracted from printed data are described here. When
typing, the computer can record the time the key is pressed (waiting time), the time
the key is pressed, and the time the key is delayed between the keys of the managers,
i.e. the time elapsed between one key and the next. The time measured between key
up and the key down is called Flight time. Thus, three timing functions can be derived
from the source data: Pressure printing (PP), Release to release (RR) and Release to
Press (RP). You can also retrieve other temporary information, such as the time it
takes to write a word, a digital graph (two letters) or a three-letter graph (three letters).
This item belongs to the category "press to press".</p>
      <p>Digital charts contain two consecutive keystrokes, while trigrams contain three;
this continues for any number of combinations, resulting in n-charts. Using this
terminology, the word "renown" will have three digital charts (“re”,”no”,”wn”) and two
trigrams (“ren”,”own”).</p>
      <p>The recorded keystroke times are then processed to produce simple templates
derived from performance statistics, such as average and standard deviation from the
complex pattern recognition algorithm. All this information can be obtained during
user input.
4.1</p>
      <sec id="sec-3-1">
        <title>Traditional Benchmarks or Matrices for Keystroke Dynamics</title>
        <p>
          Nowadays, there are many classifiers for keystroke dynamics, so these models are
tested based on security parameters [
          <xref ref-type="bibr" rid="ref6">6</xref>
          ] such as false acceptance rate (FAR), false
rejection rate (FRR) and equal error rate (EER). Graphic of FAR and FRR show on
Fig. 3.
FAR – is ratio of the number of false matches divided by the total number of fraud
attempts. Thus, FAR shows the number of scammers or impostors who are not exactly
allowed to be genuine users.
        </p>
        <p>FRR – is ratio of the number of false refusals divided by the total number of
genuine attempts at a match. Thus, FRR gives the number of true users who are denied
access to the system. A higher FRR is preferred in higher security systems.</p>
        <p>EER is a FAR attitude divided by FRR. A lower EER value means a better system.
4.2</p>
      </sec>
      <sec id="sec-3-2">
        <title>Feature Subset Selection</title>
        <p>Nowadays, there are many classifiers for keystroke dynamics, so these models are
tested based on security parameters such as false acceptance rate (FAR), false
rejection rate (FRR) and equal error rate (EER).</p>
        <p>
          The procedure of generation of subsets is a search procedure within which subsets
of candidate characteristics are created on the basis of the evaluation criterion. The
evaluation function is used to evaluate the subsets under study, the stop criterion is
used to determine when to stop, and the validation procedure is used to check the
validity of the subsets. FSS algorithms [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ] are divided into three categories, and this
classification is based on different evaluation criteria, namely: filter model, wrapper
model and hybrid model. In all categories, the algorithms can be further differentiated
by how the space of a subset of features is studied and the exact nature of their
evaluation function.
        </p>
        <p>
          The filter model [
          <xref ref-type="bibr" rid="ref8">8</xref>
          ] is required to evaluate and select subsets of elements without
using any learning algorithm. Sometimes the required set of functions is not selected
or the filtering method does not allow selecting the required set of functions if the
criterion used deviates from the criterion used for training the training machine.
Another disadvantage of the filtering model is that the filtering approach may also not
find a subset of parameters that could jointly maximize the criterion, since most filters
evaluate the significance of each parameter only by evaluating one parameter at a
time. Thus, the quality of training models deteriorates.
        </p>
        <p>
          The wrapper model [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ] is required to evaluate and select subsets of elements
without using any learning algorithm. Sometimes the required set of functions is not
selected or the filtering method does not allow selecting the required set of functions if
the criterion used deviates from the criterion used for training the training machine.
        </p>
        <p>
          The hybrid model [
          <xref ref-type="bibr" rid="ref10">10</xref>
          ] takes advantage of both the filter and the wrapper model,
using their different evaluation criteria at different stages of the search. Hybrid
methods are more effective because they combine the advantages of winding and filtering,
because they do not allow you to retrain the predictor from scratch for every subsets
of characteristics under study. However, they are very complex and limited to a
specific training machine.
4.3
        </p>
      </sec>
      <sec id="sec-3-3">
        <title>Classification</title>
        <p>
          After the extraction of the feature and the selection of the feature, the next step is the
classification step, which compares the saved template with the sample provided
during the session. There are various methods used for classification. These classification
algorithms are divided into four main categories [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ]: Statistical Algorithms,
Artificial Neural Networks, Pattern Recognition and learning based algorithms, Search
heuristics and combination of algorithms.
        </p>
        <p>Statistical approaches calculate the average, standard deviation of characteristics
in the template. Distance measurement methods such as Euclidean distance, weighted
Euclidean distance, Manhattan distance, etc. are used to compare the training data set
with the test data set. There is no need for the data collected for authentication and
verification at the push of a button to be linear, so sometimes these linear statistical
approaches do not produce good results.</p>
        <p>Thus, there is a need for some approaches that use probabilistic data rather than
deterministic data. Other statistical methods can also be used for classification, such
as the decision tree, Bayes classification (based on a hindsight probability), etc. In
addition, the Montecarlo method [12] can be used for the dynamics of keystrokes and
thus achieve an average false alarm rate of 9.62% and an average acceptance rate of
0.88%. Another approach used for classification purposes is the use of an artificial
neural network.</p>
        <p>Ting-Yi Chang [14] used ANN technology and keystroke capabilities to
dynamically generate a long-lived private key, and found out that if the password was
opened, the probability of hacking the private key would decrease. The advantage of
this approach is that it can handle many of the parameters and thus gives good results.
This method shown on Fig. 4.
Image recognition is defined as the act of obtaining initial data (samples, objects) and
their classification into different categories based on algorithms. Pattern recognition
includes machine learning algorithms, various classification methods, such as the
closest neighbour, Bayesian classifier, and support vector machine, clustering
methods such as K-means, etc.</p>
        <p>Hyoung-joo Lee [13] used SVM, and it was noticed that retraining increases the
efficiency of authentication and that quantization of vector learning to detect novelties
surpasses other widely used novelty detectors. This method shown on Fig. 5.
The fourth approach usually includes evolutionary algorithms, such as genetic
algorithm, Ant colony optimization, Particle swarm optimization etc. The advantage of
using these evolutionary methods is that they can work with large databases. Ant
colony optimization method shown on Fig. 6.
In the course of this work, a two-factor authentication simulation was developed in a
web application. The keystroke dynamics was chosen. This method allows to very
accurately determining the identity of the person who enters the username and
password without special devices. BeiHang Keystroke Dynamics Database" was selected
as the data set for training. Further, the results were checked on the “Stonybrook
Keystroke Patterns as Prosody in Digital Writings” of this data set. The algorithm has
shown good results. On average, the accuracy was 99.5%.</p>
        <p>Also, to improve this algorithm it will be possible to use a larger set date for
training, which can increase the accuracy even more. Also, a modification of this
algorithm is the collection of input characteristics on the keyboard during a visit to the
site. This will increase the accuracy of data taken for the truth for the user.
12. Yong Sheng, Vir V. Phoha and Steven M. Rovnyak, A Parallel Decision Tree-Based
Method for User Authentication Based on Keystroke Patterns‖, IEEE Transactions On
Systems, Man, And Cybernetics – Part B: Cybernetics, vol. 35, No. 4, 2005, pp. 826-833
13. Alon Schclar, Lior Rokach, Adi Abramson, and Yuval Elovici, User Authentication Based
on Representative Users‖, IEEE Transactions on systems, man, and cybernetics –part c:
applications and reviews, vol. 42, №. 6, pp. 1669-1678, 2012.
14. Ting-Yi Chang, Dynamically generate a long-lived private key based on password
keystroke features and neural network, Information Sciences 211, pp. 36-47, 2012.
15. Dychka, I., Tereikovskyi, I., Tereikovska, L., Pogorelov, V., Mussiraliyeva, S.
Deobfuscation of computer virus malware code with value state dependence graph // Advances in
Intelligent Systems and Computing. 2018. Vol. 754, pp 370-379.
16. Aitchanov, B., Korchenko, A., Tereykovskiy, I., Bapiyev, I. Perspectives for using
classical neural network models and methods of counteracting attacks on network resources
of information systems., News of the national academy of sciences of the republic of
Kazakhstan series of geology and technical sciences. Vol. 5, № 425 (2017), pp. 202-212.</p>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1. “Biometrics: authentication &amp; identification” - 2019, https://www.gemalto.com/govt/inspired/biometrics last accessed
          <year>2019</year>
          /10/20
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>Paul</given-names>
            <surname>Benjamin</surname>
          </string-name>
          <string-name>
            <given-names>Lowry</given-names>
            ,
            <surname>Jackson Stephens</surname>
          </string-name>
          , Aaron Moyes, Sean Wilson, and Mark Mitchell (
          <year>2005</year>
          ).
          <article-title>“Biometrics, a critical consideration in information security management”</article-title>
          , in Margherita Pagani, ed.
          <source>Encyclopedia of Multimedia Technology and Networks</source>
          , Idea Group Inc.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <surname>Jain</surname>
          </string-name>
          , Anil K.;
          <string-name>
            <surname>Ross</surname>
          </string-name>
          ,
          <string-name>
            <surname>Arun</surname>
          </string-name>
          (
          <year>2008</year>
          ).
          <article-title>“Introduction to Biometrics”</article-title>
          . In Jain, AK; Flynn; Ross,
          <string-name>
            <surname>A</surname>
          </string-name>
          . Handbook of Biometrics. Springer. pp.
          <fpage>1</fpage>
          -
          <lpage>22</lpage>
          .
          <source>ISBN 978-0-387-71040-2</source>
          .
          <fpage>09</fpage>
          .03.2011
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4. “What is Biometrics?”. Biometrics Research Group. Michigan State University.
          <volume>27</volume>
          .08.
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <given-names>Kasem</given-names>
            <surname>Wangsuk</surname>
          </string-name>
          and
          <article-title>Tanapat Anusas-amornkul, Trajectory Mining for Keystroke Dynamics Authentication</article-title>
          .
          <source>in Procedia Computer Science</source>
          <volume>24</volume>
          ,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>Ziyandinov</surname>
            <given-names>A.I.</given-names>
          </string-name>
          <article-title>Principles of building biometric authentication systems / Ziyandinov A</article-title>
          .
          <string-name>
            <surname>I. - M.: MIPT</surname>
          </string-name>
          ,
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <given-names>M.</given-names>
            <surname>Dash</surname>
          </string-name>
          and
          <string-name>
            <given-names>H.</given-names>
            <surname>Liu</surname>
          </string-name>
          ,
          <article-title>Feature Selection for Classification‖</article-title>
          ,
          <source>in Intelligent Data Analysis 1</source>
          ,
          <year>1997</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <given-names>Jinjie</given-names>
            <surname>Huang</surname>
          </string-name>
          , Yunze Cai and
          <string-name>
            <given-names>Xiaoming</given-names>
            <surname>Xu</surname>
          </string-name>
          ,
          <article-title>A hybrid genetic algorithm for feature selection wrapper based on mutual information</article-title>
          <source>In Pattern Recognition Letters</source>
          <volume>28</volume>
          ,
          <year>2007</year>
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <given-names>M.</given-names>
            <surname>Hall</surname>
          </string-name>
          ,
          <article-title>Correlation based feature selection for machine learning</article-title>
          ,
          <source>Doctoral dissertation</source>
          , University of Waikato,
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <string-name>
            <surname>M.E ElAlami</surname>
          </string-name>
          ,
          <article-title>A filter model for feature subset selection based on genetic algorithm‖</article-title>
          ,
          <source>in Knowledge-Based Systems 22</source>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <surname>Salil</surname>
            <given-names>P.</given-names>
          </string-name>
          <string-name>
            <surname>Banerjee</surname>
          </string-name>
          , Damon L.
          <article-title>Woodard, Biometric Authentication and Identification using Keystroke Dynamics: A Survey‖</article-title>
          ,
          <source>Journal of Pattern Recognition Research 7</source>
          , pp.
          <fpage>116</fpage>
          -
          <lpage>139</lpage>
          ,
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>