DOI: 10.1145/3577923.3583642
research-article

A User Study of Keystroke Dynamics as Second Factor in Web MFA

Published: 24 April 2023

ABSTRACT

As account compromises and malicious online attacks are on the rise, multi-factor authentication (MFA) has been adopted to defend against these attacks. OTP and mobile push notification are just two examples of the popularly adopted MFA factors. Although MFA factors improve security, they also add steps or hardware to the authentication process, thus increasing the authentication time and introducing friction. On the other hand, keystroke dynamics-based authentication is believed to be a promising MFA factor for increasing security while reducing friction. While there have been several studies on the usability of other MFA factors, the usability of keystroke dynamics has not been studied. To this end, we have built a web authentication system with the standard features of signup, login and account recovery, and integrated keystroke dynamics as an additional factor. We then conducted a user study on the system in which 20 participants completed tasks related to signup, login and account recovery. We have also evaluated a new approach for completing the user enrollment process, which reduces friction by naturally employing alternative MFA factors (OTP in our study) when keystroke dynamics is not ready for use. Our study shows that, while maintaining strong security (0% FPR), adding keystroke dynamics reduces authentication friction by avoiding 66.3% of OTP at login and 85.8% of OTP at account recovery, which in turn reduces the authentication time by 63.3% and 78.9% for login and account recovery respectively. In an exit survey, all participants rated the integration of keystroke dynamics with OTP as preferable to conventional OTP-only authentication.


Supplemental Material

coda058.mp4

We conducted a web-based user study of keystroke dynamics-based authentication where keystroke dynamics was integrated with OTP to improve usability and reduce friction while maintaining security. Using a standard consumer website that we built for this study, participants completed tasks related to signup, login and account recovery. We also implemented a new enrollment process approach for building the user's profile without introducing enrollment friction. OTP-based auth was used as the initial auth factor until the enrollment process was complete, and subsequent login or account recovery attempts use the keystroke dynamics-based auth factor. We analysed the usability of keystroke dynamics-based auth using the following measures: authentication time, security, convenience and participant feedback. Overall, our study shows that, while maintaining strong security, adding keystroke dynamics-based authentication significantly reduces authentication friction, leading to a reduction in authentication time.
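
The enrollment flow described in the abstract and in the summary above, as an added Python example that is not the authors' system: OTP completes every login until a typing profile exists, after which a matching typing sample skips the OTP and a mismatch falls back to it. The enrollment size, the threshold, the timing features and the scaled Manhattan scoring are assumptions made for illustration; the page does not state which classifier or parameters the study used.

```python
from dataclasses import dataclass, field
from statistics import mean

MIN_SAMPLES = 5   # assumed enrollment size (not from the paper)
THRESHOLD = 1.5   # assumed accept threshold on the distance score

@dataclass
class Profile:
    samples: list = field(default_factory=list)  # per-login timing vectors, ms

    @property
    def enrolled(self):
        return len(self.samples) >= MIN_SAMPLES

    def score(self, vec):
        """Scaled Manhattan distance, averaged over features (lower = closer)."""
        total = 0.0
        for i, x in enumerate(vec):
            col = [s[i] for s in self.samples]
            mu = mean(col)
            mad = mean([abs(v - mu) for v in col]) or 1.0  # avoid divide-by-zero
            total += abs(x - mu) / mad
        return total / len(vec)

def authenticate(profile, password_ok, vec, otp_check):
    """Return (granted, path); otp_check() is called only when OTP is required."""
    if not password_ok:
        return False, "password-rejected"
    same_shape = bool(vec) and (not profile.samples or len(vec) == len(profile.samples[0]))
    if profile.enrolled and same_shape and profile.score(vec) <= THRESHOLD:
        return True, "keystroke"            # second factor satisfied, OTP avoided
    if not otp_check():
        return False, "otp-rejected"
    if not profile.enrolled and same_shape:
        profile.samples.append(list(vec))   # only OTP-verified typing trains the profile
        return True, "otp-enrolling"
    return True, "otp-fallback"

# Constructed timing vectors (ms) for one user typing the same password.
GENUINE = [[100, 150, 90, 200], [104, 146, 92, 196], [98, 153, 88, 204],
           [102, 149, 91, 199], [96, 152, 89, 201]]

def demo():
    p, paths = Profile(), []
    for v in GENUINE:                       # enrollment logins, each completed with OTP
        paths.append(authenticate(p, True, v, lambda: True)[1])
    paths.append(authenticate(p, True, [101, 151, 90, 198], lambda: True)[1])
    paths.append(authenticate(p, True, [60, 300, 40, 120], lambda: False)[1])
    return paths

if __name__ == "__main__":
    print(demo())
```

Adding a sample to the profile only after the OTP check succeeds keeps an attacker who knows the password from training the profile with their own typing during enrollment.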

    • Published in

      CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy
      April 2023
      304 pages
      ISBN: 9798400700675
      DOI: 10.1145/3577923

      Copyright © 2023 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Acceptance Rates

      Overall Acceptance Rate: 149 of 789 submissions, 19%
