Supporting unknown number of users in keystroke dynamics models

Abstract

In recent years, keystroke dynamics has gained popularity as a reliable means of verifying user identity in remote systems. Due to its high performance in verification and the fact that it does not require additional effort from the user, keystroke dynamics has become one of the most preferred second factor of authentication. Despite its prominence, it has one major limitation: keystroke dynamics algorithms are good at fitting a model to one user and one user only. When such algorithms try to fit a model to more than one user, the verification accuracy decreases dramatically. However, in real-world applications it is common practice for two or more users to use the same credentials, such as in shared bank accounts, shared social media profiles, and shared streaming licenses which allow multiple users in one account. In these cases, keystroke dynamics solutions become unreliable. To address this limitation, we propose a method that can leverage existing keystroke dynamics algorithms to automatically determine the number of users sharing the account and accurately support accounts that are shared with multiple users. We evaluate our method using eight state-of-the-art keystroke dynamics algorithms and three public datasets, with up to five different users in one model, achieving an average improvement in verification of 9.2% for the AUC and 8.6% for the EER in the multi-user cases, with just a negligible reduction of 0.2% for the AUC and 0.3% for the EER in the one-user cases.