Publication Type

PhD Dissertation

Publication Date



The majority of authentication systems used today involves passwords, where a user is required to remember and key in the correct password to login. Keystroke biometrics is an alternative approach whereby users are identified by one or more features such as (a) the timing between keystrokes, (b) how long users hold each key and (c) how hard users press each key. It is being assumed in prior research that the way one user types a password/word is different from the way another user types the same password and this characteristic remains stable over time. Existing literature however left open three questions that are material to the security and usability of keystroke biometrics. The first concerns the uniqueness property. Keystroke biometrics is a form of behaviour biometrics. Behaviour can be conditioned by training. An important question is whether one person’s typing pattern can be changed, through appropriate training to resemble that of another if the typing pattern of the latter is known. If the answer is positive, the false acceptance rate of keystroke biometrics would increase to unacceptable levels. A natural second question which follows from the first, questions the extent to which typing patterns can be kept secret. Attackers who are able to log the keystrokes can create a model of the victim’s typing pattern. We ask whether there exists more convenient and less intrusive ways to collect typing patterns. The availability of typing pattern raise both security and privacy concerns because it is a prerequisite for (a) achieving the best outcome in timing side channel attacks and (b) imitation attacks on keystroke biometrics. It can also be used to identify users. The last question concerns the stability of typing patterns. Given that the environment, as well as the physical and mental conditions of users changes throughout the day, we ask whether collected typing patterns remain stable under different conditions. For example, to what extent do the typing patterns change with the mood, muscle strain such as after exercise, posture, type of keyboard and even lighting? If typing patterns are not resistant to these conditions, it may result in a higher false rejection rate (FRR). High FRR leads to usability problems. Usability issues are an important aspect of security, because poor usability motivates users to find shortcuts that bypass the system. It also creates a pressure to tune the system in ways that lower security. In this thesis, we answer all three questions. We found that by providing a novel feedback and training interface, it is possible for one person to imitate another through incremental adjustment of typing pattern. We show that even for targets whose typing patterns are only partially known, imitation training allows attackers to defeat one of the best anomaly detection engines using keystroke biometrics. For a group of 84 participants playing the role of attackers and 2 eight-character passwords of different difficulty, the false acceptance rate (FAR) of the easy and difficult password increases from 0.24 and 0.20 respectively before training, to 0.63 and 0.42 respectively after training. With full information, the FAR increases to 0.99 for both passwords for the 14 best attackers. To explore the feasibility of collecting typing patterns, we focus on interactivity rich JavaScript applications. The Google Suggestions service used in Google Search is one example of an interactivity rich JavaScript application. We analysed the timing side channel of Google Suggestions by reverse engineering the communication model from obfuscated JavaScript code. The goal is to determine the extent to which an attacker can infer the typing pattern of a victim. From our experiments involving 11 participants, we found that for each keypair with at least 20 samples, the mean of the inter-keystroke timing can be determined with an error of less than 20%. For the usability problem, we show that the FRR of keystroke biometrics changes for the worse under a range of common conditions such as background music, exercise and even game playing. In a user study involving 111 participants, the average penalties (increases) in FRR are 0.0360 and 0.0498, respectively, for two different classifiers. We also show that not everyone is suitable for keystroke biometrics deployment, which is exacerbated by the susceptibility to external influences. For example, using a Monte Carlo simulation, we found that 30% of users would encounter an account lockout before their 50th authentication session (for a lockout policy of 3 attempts) if they are affected by external influences 50% of the time when authenticating.


imitation, collection, usability, keystroke, biometrics, dynamics

Degree Awarded

PhD in Information Systems


Information Security


GAO, Debin