Securing Account Recovery Mechanism on Desktop Computers and Mobile Phones with Keystroke Dynamics

  • Original Research
  • SN Computer Science

Abstract

Account recovery has become a prevalent feature across mobile and web applications. Because it circumvents the regular username/password-based user authentication process, it is known to be less secure and fraught with attacks. For example, to trigger the account recovery process, an email or one-time password (OTP) is sent to the user’s registration email and/or phone. This assumes that only the genuine user has access to the email/phone, which is not always the case. To further improve the security of the account recovery mechanism, beyond validating the information and other credentials typed by the user, we propose a recovery method that uses keystroke dynamics. We evaluated performance using two new keystroke datasets: the first contains over 500,000 keystrokes collected on a desktop computer from 44 participants, while the second contains 327,000 keystrokes collected on a touchscreen mobile phone from 39 participants. Both datasets required the participants to fill out an account recovery form with multiple fields. For each dataset, we evaluated the performance of five scoring algorithms on individual fields, feature-level fusion and weighted-score fusion. We also applied one-class classification, a machine learning approach, and compared the results. For the desktop dataset, we achieved the best equal error rate (EER) of 5.47% for individual fields, 0% for feature-level fusion of five fields, and 0% for weighted-score fusion of seven fields. For the touch-mobile dataset, we achieved the best EER of 10.25% for individual fields, 4.97% for feature-level fusion of four fields and 2.26% for weighted-score fusion of seven fields. Our results show that the application of keystroke dynamics is highly promising to further secure the account recovery mechanism on both desktop and mobile platforms.
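The evaluation pipeline the abstract describes (a score per form field, weighted-score fusion across fields, then EER) can be sketched as follows. This is an added example, not code from the paper: the abstract does not name its five scoring algorithms or its fusion weights, so the scaled Manhattan scorer, the `1 - EER` weights and the simulated timing data are assumptions.

```python
import random

def enroll(samples):
    """Template for one field: per-feature mean and mean absolute deviation (ms)."""
    n, cols = len(samples), list(zip(*samples))
    mean = [sum(c) / n for c in cols]
    mad = [sum(abs(x - m) for x in c) / n + 1e-6 for c, m in zip(cols, mean)]
    return mean, mad

def scaled_manhattan(template, sample):
    """Distance score for one field; lower means closer to the enrolled typist."""
    mean, mad = template
    return sum(abs(x - m) / d for x, m, d in zip(sample, mean, mad)) / len(sample)

def fuse(field_scores, weights):
    """Weighted-score fusion: one attempt's per-field scores become a single score."""
    total = sum(weights)
    return sum(s * w / total for s, w in zip(field_scores, weights))

def eer(genuine, impostor):
    """Equal error rate for distance scores: where FRR and FAR are closest."""
    best_gap, best_rate = 2.0, 1.0
    for t in sorted(list(genuine) + list(impostor)):
        frr = sum(g > t for g in genuine) / len(genuine)     # genuine rejected at t
        far = sum(i <= t for i in impostor) / len(impostor)  # impostor accepted at t
        if abs(far - frr) < best_gap:
            best_gap, best_rate = abs(far - frr), (far + frr) / 2
    return best_rate

def demo(seed=7, n_fields=3, n_feats=8, n_attempts=40):
    """Constructed data: one user and one impostor filling a three-field form."""
    rng = random.Random(seed)
    draw = lambda mu: [rng.gauss(m, 15) for m in mu]   # one typing of a field
    gen, imp = [], []                                  # gen[f][a]: field f, attempt a
    for _ in range(n_fields):
        user_mu = [rng.uniform(80, 200) for _ in range(n_feats)]
        imp_mu = [m + rng.gauss(0, 25) for m in user_mu]   # different rhythm
        tmpl = enroll([draw(user_mu) for _ in range(10)])
        gen.append([scaled_manhattan(tmpl, draw(user_mu)) for _ in range(n_attempts)])
        imp.append([scaled_manhattan(tmpl, draw(imp_mu)) for _ in range(n_attempts)])
    field_eer = [eer(g, i) for g, i in zip(gen, imp)]
    weights = [1.0 - e for e in field_eer]             # assumed weighting scheme
    fused_gen = [fuse(a, weights) for a in zip(*gen)]
    fused_imp = [fuse(a, weights) for a in zip(*imp)]
    return field_eer, eer(fused_gen, fused_imp)

if __name__ == "__main__":
    per_field, fused = demo()
    print("per-field EER:", per_field, "fused EER:", fused)
```
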

Availability of Data and Materials

Not applicable.

Acknowledgements

This material is based upon work supported by the Center for Identification Technology Research (CITeR) and the National Science Foundation under NSF Grant No. 1650503, NSF Grant No. 1314792, and a grant from the NYSTAR Technology Transfer program (Contract #C180035). Dr. Jiaju Huang designed and collected the original desktop data and performed a preliminary performance investigation in 2018. Aratrika Ray collected the mobile dataset.

Funding

Not applicable.

Author information

Contributions

Not applicable.

Corresponding author

Correspondence to Ahmed Anu Wahab.

Ethics declarations

Conflict of Interest

The authors declare that they have no conflict of interest.

Ethics Approval

Not applicable.

Consent to Participate

Not applicable.

Consent for Publication

Not applicable.

Code Availability

Not applicable.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the topical collection “Information Systems Security and Privacy” guest edited by Steven Furnell and Paolo Mori.

About this article

Cite this article

Wahab, A.A., Hou, D., Schuckers, S. et al. Securing Account Recovery Mechanism on Desktop Computers and Mobile Phones with Keystroke Dynamics. SN COMPUT. SCI. 3, 360 (2022). https://doi.org/10.1007/s42979-022-01245-3

  • DOI: https://doi.org/10.1007/s42979-022-01245-3
