Secure, Usable and Privacy-Friendly User Authentication from Keystroke Dynamics

  • Kimmo HalunenEmail author
  • Visa Vallivaara
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10014)


User authentication is a key technology in human machine interaction. The need to establish the legitimacy of transactions and possibly the actors behind them is crucial for trustworthy operation of services over the internet. A good authentication method offers security, usability and privacy protections for the users and the service providers. However, achieving all three properties with a single method is a difficult task and such methods are not in wide use today. We combine methods from biometrics, secure key exchange algorithms and privacy-protecting authentication to build an authentication system that achieves these three properties. Our system uses keystroke dynamics to authenticate the user and cryptographic methods to protect the privacy of the templates and samples and to extend the authentication to key exchange. The results show that the system can be used for user authentication, but more work is needed to protect against impersonation in some cases. Our work is extensible to many other biometrics that can be measured and compared in a similar manner as keystroke dynamics and with further research to larger classes of authentication methods.


Privacy Protection Average Absolute Deviation Homomorphic Encryption Threat Model Human Machine Interaction 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank Tekes – the Finnish Funding Agency for Innovation, DIMECC Oy, and the Cyber Trust research program for their support of this research. Furthermore, we thank all the volunteers that participated in the experimental study for their time and also the anonymous reviewers for their valuable comments and suggestions that helped in improving this paper.


  1. 1.
    Araújo, L.C., Sucupira, L.H., Lizarraga, M.G., Ling, L.L., Yabu-Uti, J.B.T.: User authentication through typing biometrics features. IEEE Trans. Sig. Process. 53(2), 851–855 (2005)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Arias-Cabarcos, P., Almenarez, F., Trapero, R., Diaz-Sanchez, D., Marin, A.: Blended identity: pervasive IdM for continuous authentication. IEEE Secur. Priv. 13(3), 32–39 (2015)CrossRefGoogle Scholar
  3. 3.
    Banerjee, S.P., Woodard, D.L.: Biometric authentication and identification using keystroke dynamics: a survey. J. Pattern Recognit. Res. 7(1), 116–139 (2012)CrossRefGoogle Scholar
  4. 4.
    Boldyreva, A., Chenette, N., Lee, Y., O’Neill, A.: Order-preserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-01001-9_13 CrossRefGoogle Scholar
  5. 5.
    Boldyreva, A., Chenette, N., O’Neill, A.: Order-preserving encryption revisited: improved security analysis and alternative solutions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 578–595. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22792-9_33 CrossRefGoogle Scholar
  6. 6.
    Bonneau, J., Herley, C., van Oorschot, P., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 553–567, May 2012Google Scholar
  7. 7.
    Bonneau, J., Schechter, S.: Towards reliable storage of 56-bit secrets in human memory. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 607–623 (2014)Google Scholar
  8. 8.
    Braz, C., Robert, J.M.: Security and usability: the case of the user authentication methods. In: Proceedings of the 18th International Conferenceof the Association Francophone d’Interaction Homme-Machine, pp. 199–203. ACM (2006)Google Scholar
  9. 9.
    Brown, M., Rogers, S.J.: User identification via keystroke characteristics of typed names using neural networks. Int. J. Man Mach. Stud. 39(6), 999–1014 (1993)CrossRefGoogle Scholar
  10. 10.
    Clarke, N.L., Furnell, S.: Authenticating mobile phone users using keystroke analysis. Int. J. Inf. Secur. 6(1), 1–14 (2007)CrossRefGoogle Scholar
  11. 11.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Fleischhacker, N., Manulis, M., Sadr-Azodi, A.: Modular design and analysis framework for multi-factor authentication and key exchange. In: Cryptology ePrint Archive, Report 2012/181 (2012).
  14. 14.
    Gaines, R.S., Lisowski, W., Press, S.J., Shapiro, N.: Authentication by keystroke timing: some preliminary results. Technical report, DTIC Document (1980)Google Scholar
  15. 15.
    Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009)Google Scholar
  16. 16.
    Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: Generic compilers for authenticated key exchange. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 232–249. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-17373-8_14 CrossRefGoogle Scholar
  17. 17.
    Jakobsson, M., Shi, E., Golle, P., Chow, R.: Implicit authentication for mobile devices. In: Proceedings of the 4th USENIX Conference on Hot Topics in Security, p. 9. USENIX Association (2009)Google Scholar
  18. 18.
    Juels, A., Sudan, M.: A fuzzy vault scheme. Des. Codes Crypt. 38(2), 237–257 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Mäntyjärvi, J., Lindholm, M., Vildjiounaite, E., Mäkelä, S.M., Ailisto, H.: Identifying users of portable devices from gait pattern with accelerometers. In: IEEE International Conference on Acoustics, Speech, and Signal Processing, 2005, Proceedings (ICASSP 2005), vol. 2, pp. ii/973–ii/976. IEEE (2005)Google Scholar
  20. 20.
    Monrose, F., Rubin, A.: Authentication via keystroke dynamics. In: Proceedings of the 4th ACM Conference on Computer and Communications Security, pp. 48–56. ACM (1997)Google Scholar
  21. 21.
    Monrose, F., Rubin, A.D.: Keystroke dynamics as a biometric for authentication. Future Gener. Comput. Syst. 16(4), 351–359 (2000)CrossRefGoogle Scholar
  22. 22.
    Nauman, M., Ali, T., Rauf, A.: Using trusted computing for privacy preserving keystroke-based authentication in smartphones. Telecommun. Syst. 52(4), 2149–2161 (2013)CrossRefGoogle Scholar
  23. 23.
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_16 CrossRefGoogle Scholar
  24. 24.
    Pandey, O., Rouselakis, Y.: Property preserving symmetric encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 375–391. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_23 CrossRefGoogle Scholar
  25. 25.
    Rathgeb, C., Uhl, A.: A survey on biometric cryptosystems and cancelable biometrics. EURASIP J. Inf. Secur. 2011(1), 1–25 (2011)CrossRefGoogle Scholar
  26. 26.
    Saevanee, H., Bhattarakosol, P.: Authenticating user using keystroke dynamics and finger pressure. In: 6th IEEE Consumer Communications and Networking Conference, CCNC 2009, pp. 1–2. IEEE (2009)Google Scholar
  27. 27.
    Safa, N.A., Safavi-Naini, R., Shahandashti, S.F.: Privacy-preserving implicit authentication. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IFIP AICT, vol. 428, pp. 471–484. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55415-5_40 CrossRefGoogle Scholar
  28. 28.
    Tulyakov, S., Farooq, F., Mansukhani, P., Govindaraju, V.: Symmetric hash functions for secure fingerprint biometric systems. Pattern Recogn. Lett. 28(16), 2427–2436 (2007)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.VTT Technical Research Centre of Finland Ltd.OuluFinland

Personalised recommendations