Title :
Effects of User Habituation in Keystroke Dynamics on Password Security Policy
Author :
Syed, Zahid ; Banerjee, Sean ; Cheng, Qi ; Cukic, Bojan
Author_Institution :
Lane Dept. of Comput. Sci. & Electr. Eng., West Virginia Univ., Morgantown, WV, USA
Abstract :
Access control systems rely on a variety of methods for authenticating legitimate users and preventing malicious ones from accessing the system. The most commonly used system is a simple username and password approach. This technology has been the de-facto standard for remote authentication applications. A username-password based system assumes that only the genuine users know their own credentials. However, breaching this type of system has become a common occurrence in today's age of social networks and modern computational devices. Once broken, the system will accept every authentication trial using compromised credentials until the breach is detected. In this paper, we explore certain aspects of utilizing keystroke dynamics in username-password based systems. We show that as users get habituated to typing their credentials, there is a significant reduction in the variance of the keystroke patterns. This trend is more pronounced for long and complex passwords as opposed to short dictionary based passwords. We also study the time window necessary to perceive habituation in user typing patterns. Furthermore, we show that habituation plays a key role in classification of genuine login attempts by reducing the equal error rate (EER) over time. Finally, we explore an authentication scheme that employs the security of complex passwords and keystroke dynamics.
Keywords :
authorisation; social networking (online); access control system; complex password security; computational devices; de-facto standard; dictionary based password; equal error rate; genuine login classification; keystroke dynamics; keystroke pattern; legitimate user authentication scheme; password security policy; remote authentication application; social network; user habituation; username-password based system; Authentication; Buildings; Delay; Presses; Servers; Training; Keystroke Dynamics; Soft biometrics; User Authentication;
Conference_Titel :
High-Assurance Systems Engineering (HASE), 2011 IEEE 13th International Symposium on
Conference_Location :
Boca Raton, FL
Print_ISBN :
978-1-4673-0107-7
DOI :
10.1109/HASE.2011.16