skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


This content will become publicly available on November 30, 2026

Title: Keystroke Dynamics: Concepts, Techniques, and Applications
Reliably identifying and verifying subjects remains integral to computer system security. Various novel authentication techniques, such as biometric authentication systems, have been developed in recent years. This article provides a detailed review of keystroke-based authentication systems and their applications. Keystroke dynamics is a behavioral biometric that is emerging as an important tool for cybersecurity as it promises to be nonintrusive and cost-effective. In addition, no additional hardware is required, making it convenient to deploy. This survey covers novel keystroke datasets, state-of-the-art keystroke authentication algorithms, keystroke authentication on touch screen and mobile devices, and various prominent applications of such techniques beyond authentication. The article covers all the significant aspects of keystroke dynamics and can be considered a reference for future researchers in this domain. The article includes a discussion of the latest keystroke datasets, providing researchers with an up-to-date resource for analysis and experimentation. In addition, this survey covers the state-of-the-art algorithms adopted within this domain, offering insights into the cutting-edge techniques utilized for keystroke analysis. Moreover, this article explains the diverse applications of keystroke dynamics, particularly focusing on security, verification, and identification uses. Beyond these crucial areas, we mention additional applications where keystroke dynamics can be applied, broadening the scope of understanding regarding its potential impact across various domains. Unlike previous survey articles, which typically concentrate on specific aspects of keystroke dynamics, our comprehensive analysis presents all relevant areas within this field. By introducing discussions on the latest advances, we provide readers with a thorough understanding of the current landscape and emerging trends in keystroke dynamics research. Furthermore, this article presents a summary of future research opportunities, highlighting potential areas for exploration and development within the realm of keystroke dynamics. This forward-looking perspective aims to inspire further inquiry and innovation, guiding the trajectory of future studies in this dynamic field.  more » « less
Award ID(s):
2526924
PAR ID:
10610430
Author(s) / Creator(s):
; ; ; ; ;
Publisher / Repository:
ACM
Date Published:
Journal Name:
ACM Computing Surveys
Volume:
57
Issue:
11
ISSN:
0360-0300
Page Range / eLocation ID:
1 to 35
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ; (, 2019 IEEE 5th International Conference on Identity, Security, and Behavior Analysis)
    Research on keystroke dynamics has the good potential to offer continuous authentication that complements conventional authentication methods in combating insider threats and identity theft before more harm can be done to the genuine users. Unfortunately, the large amount of data required by free-text keystroke authentication often contain personally identifiable information, or PII, and personally sensitive information, such as a user's first name and last name, username and password for an account, bank card numbers, and social security numbers. As a result, there are privacy risks associated with keystroke data that must be mitigated before they are shared with other researchers. We conduct a systematic study to remove PII's from a recent large keystroke dataset. We find substantial amounts of PII's from the dataset, including names, usernames and passwords, social security numbers, and bank card numbers, which, if leaked, may lead to various harms to the user, including personal embarrassment, blackmails, financial loss, and identity theft. We thoroughly evaluate the effectiveness of our detection program for each kind of PII. We demonstrate that our PII detection program can achieve near perfect recall at the expense of losing some useful information (lower precision). Finally, we demonstrate that the removal of PII's from the original dataset has only negligible impact on the detection error tradeoff of the free-text authentication algorithm by Gunetti and Picardi. We hope that this experience report will be useful in informing the design of privacy removal in future keystroke dynamics based user authentication systems. 
    more » « less
  2. ; ; (, CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy)
    As account compromises and malicious online attacks are on the rise, multi-factor authentication (MFA) has been adopted to defend against these attacks. OTP and mobile push notification are just two examples of the popularly adopted MFA factors. Although MFA improve security, they also add additional steps or hardware to the authentication process, thus increasing the authentication time and introducing friction. On the other hand, keystroke dynamics-based authentication is believed to be a promising MFA for increasing security while reducing friction. While there have been several studies on the usability of other MFA factors, the usability of keystroke dynamics has not been studied. To this end, we have built a web authentication system with the standard features of signup, login and account recovery, and integrated keystroke dynamics as an additional factor. We then conducted a user study on the system where 20 participants completed tasks related to signup, login and account recovery. We have also evaluated a new approach for completing the user enrollment process, which reduces friction by naturally employing other alternative MFA factors (OTP in our study) when keystroke dynamics is not ready for use. Our study shows that while maintaining strong security (0% FPR), adding keystroke dynamics reduces authentication friction by avoiding 66.3% of OTP at login and 85.8% of OTP at account recovery, which in turn reduces the authentication time by 63.3% and 78.9% for login and account recovery respectively. Through an exit survey, all participants have rated the integration of keystroke dynamics with OTP to be more preferable to the conventional OTP-only authentication. 
    more » « less
  3. ; ; ; ; (, IEEE Conference on Computer Vision and Pattern Recognition (CVPR) Workshops)
    Keystroke dynamics are a powerful behavioral biometric capable of determining user identity and for continuous authentication. It is an unobtrusive method that can complement an existing security system such as a password scheme and provides continuous user authentication. Existing methods record all keystrokes and use n-graphs that measure the timing between consecutive keystrokes to distinguish between users. Current state-of-the-art algorithms report EER’s of 7.5% or higher with 1000 characters. With 1000 characters it takes a longer time to detect an imposter and significant damage could be done. In this paper, we investigate how quickly a user is authenticated or how many digraphs are required to accurately detect an imposter in an uncontrolled free-text environment. We present and evaluate the effectiveness of three distance metrics individually and fused with each other. We show that with just 100 digraphs, about the length of a single sentence, we achieve an EER of 35.3%. At 200 digraphs the EER drops to 15.3%. With more digraphs, the performance continues to steadily improve. With 1000 digraphs the EER drops to 3.6% which is an improvement over the state-of-the-art. 
    more » « less
  4. ; ; ; (, Future Internet)
    The unauthorized usage of various services and resources in cloud computing is something that must be protected against. Authentication and access control are the most significant concerns in cloud computing. Several researchers in this field suggest numerous approaches to enhance cloud authentication towards robustness. User names and associated passwords have been a common practice for long as Single Factor Authentication. However, advancements in the speed of computing and the usage of simple methods, starting from the Brute Force technique to the implementation of advanced and efficient crytographic algorithms, have posed several threats and vulnerabilities for authentication systems, leading to the degradation of their effectiveness. Multi-factor authentication has emerged as a robust means of securing the cloud using simultaneous and multiple means of authentication factors. This employs multiple levels of cascaded authentication checks. This paper covers an extensive and systematic survey of various factors towards their adoption and suitability for authentication for multi-factor authentication mechanisms. The inference drawn from the survey is in terms of arriving at a unique authentication factor that does not require any additional, specialized hardware or software for multi-factor authentication. Such authentication also uses the distinct biometric characteristics of the concerned user in the process. This arrangement augments the secured and robust user authentication process. The mechanism is also assessed as an effective means against impersonation attacks. 
    more » « less
  5. ; ; ; (, 7th International Conference on Information Systems Security and Privacy)
    Account recovery is ubiquitous across web applications but circumvents the username/password-based login step. Therefore, it deserves the same level of security as the user authentication process. A common simplistic procedure for account recovery requires that a user enters the same email used during registration, to which a password recovery link or a new username could be sent. Therefore, an impostor with access to a user’s registration email and other credentials can trigger an account recovery session to take over the user’s account. To prevent such attacks, beyond validating the email and other credentials entered by the user, our proposed recovery method utilizes keystroke dynamics to further secure the account recovery mechanism. Keystroke dynamics is a type of behavioral biometrics that uses the analysis of typing rhythm for user authentication. Using a new dataset with over 500,000 keystrokes collected from 44 students and university staff when they fill out an account recovery web form of multiple fields, we have evaluated the performance of five scoring algorithms on individual fields as well as feature-level fusion and weighted-score fusion. We achieve the best EER of 5.47% when keystroke dynamics from individual fields are used, 0% for a feature-level fusion of five fields, and 0% for a weighted-score fusion of seven fields. Our work represents a new kind of keystroke dynamics that we would like to call it ‘medium fixed-text’ as it sits between the conventional (short) fixed text and (long) free text research. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email