Securing Account Recovery Mechanism on Desktop Computers and Mobile Phones with Keystroke Dynamics


Detailed description

Bibliographic details
Published in: SN Computer Science, 2022-09, Vol. 3 (5), p. 360, Article 360
Main authors: Wahab, Ahmed Anu; Hou, Daqing; Schuckers, Stephanie; Barbir, Abbie
Format: Article
Language: English
Subject headings:
Online access: Full text
Description
Abstract: Account recovery has become a prevalent feature across mobile and web applications. Because it circumvents the regular username/password authentication process, it is known to be less secure and fraught with attacks. For example, to trigger the account recovery process, an email or one-time password (OTP) is sent to the user's registered email address and/or phone. This assumes that only the genuine user has access to that email account or phone, which is not always the case. To further improve the security of the account recovery mechanism, beyond validating the information and other credentials typed by the user, we propose a recovery method that uses keystroke dynamics. We evaluated performance on two new keystroke datasets: the first contains over 500,000 keystrokes collected on a desktop computer from 44 participants, the second 327,000 keystrokes collected on a touchscreen mobile phone from 39 participants. In both datasets, participants filled out an account recovery form with multiple fields. For each dataset, we evaluated the performance of five scoring algorithms on individual fields, on feature-level fusion, and on weighted-score fusion. We also applied one-class classification, a machine learning approach, and compared the results. For the desktop dataset, we achieved a best equal error rate (EER) of 5.47% for individual fields, 0% for feature-level fusion of five fields, and 0% for weighted-score fusion of seven fields. For the touch-mobile dataset, we achieved a best EER of 10.25% for individual fields, 4.97% for feature-level fusion of four fields, and 2.26% for weighted-score fusion of seven fields. Our results show that keystroke dynamics is a highly promising way to further secure the account recovery mechanism on both desktop and mobile platforms.
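As an added illustrative example, not code from the paper (whose five scoring algorithms, datasets and feature sets are not reproduced here): a minimal Python pipeline showing the three evaluation settings the abstract names. It extracts hold and flight times from keystroke events on a hypothetical three-field recovery form, scores each probe against a per-field enrollment template with the scaled Manhattan distance (an assumed scorer, common in the keystroke-dynamics literature), then compares individual-field EER with feature-level fusion (one template over the concatenated features) and weighted-score fusion (per-field scores combined with inverse-EER weights, another assumption). All keystroke data is synthetic and constructed inside the block.

```python
"""Keystroke-dynamics scoring for a multi-field account recovery form.
Illustrative only: synthetic typists, one assumed scorer, hand-rolled fusion and EER."""
import random
from statistics import mean, pstdev

# Hypothetical recovery-form fields and the number of keystrokes each takes.
FIELD_LEN = {"username": 8, "email": 14, "phone": 10}
FIELDS = tuple(FIELD_LEN)


def extract_features(events):
    """events: [(key, press_ms, release_ms), ...] for one field.
    Returns hold times (release - press) followed by flight times
    (next press - this release)."""
    holds = [rel - prs for _, prs, rel in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds + flights


def build_template(samples):
    """Per-feature mean and spread from enrollment samples of equal length.
    Spread is floored at 1 ms so a constant feature cannot divide by zero."""
    cols = list(zip(*samples))
    return [mean(c) for c in cols], [max(pstdev(c), 1.0) for c in cols]


def scaled_manhattan(template, probe):
    """Assumed scorer: mean of |x - mu| / sigma over features. Lower = closer."""
    means, spreads = template
    return sum(abs(x - m) / s for x, m, s in zip(probe, means, spreads)) / len(probe)


def eer(genuine, impostor):
    """Equal error rate for distance scores (accept when score <= threshold):
    sweep thresholds, return the mean of FRR and FAR where they are closest."""
    best_gap, best_rate = None, None
    for t in sorted(set(genuine) | set(impostor)):
        frr = sum(g > t for g in genuine) / len(genuine)   # genuine wrongly rejected
        far = sum(i <= t for i in impostor) / len(impostor)  # impostor wrongly accepted
        if best_gap is None or abs(frr - far) < best_gap:
            best_gap, best_rate = abs(frr - far), (frr + far) / 2
    return best_rate


def synth_field(rng, n_keys, hold_mu, flight_mu, sd):
    """Constructed keystroke events for one typing of an n_keys field."""
    events, t = [], 0.0
    for i in range(n_keys):
        hold = max(rng.gauss(hold_mu, sd), 5.0)
        events.append((f"k{i}", t, t + hold))
        t += hold + max(rng.gauss(flight_mu, sd), 5.0)
    return events


def type_form(rng, profile):
    """One filled-in form: field name -> feature vector for that field."""
    return {f: extract_features(synth_field(rng, FIELD_LEN[f], **profile)) for f in FIELDS}


def run_demo(seed=7, n_enroll=5, n_probe=20):
    """Individual-field EER vs. feature-level and weighted-score fusion on
    synthetic typists. Returns {"fields": {...}, "feature_fusion": x, "score_fusion": y}."""
    rng = random.Random(seed)
    genuine = dict(hold_mu=95.0, flight_mu=140.0, sd=18.0)   # constructed typist profiles
    impostor = dict(hold_mu=112.0, flight_mu=162.0, sd=18.0)
    enroll = [type_form(rng, genuine) for _ in range(n_enroll)]
    gen_probes = [type_form(rng, genuine) for _ in range(n_probe)]
    imp_probes = [type_form(rng, impostor) for _ in range(n_probe)]

    field_eer, gen_scores, imp_scores = {}, {}, {}
    for f in FIELDS:
        tmpl = build_template([e[f] for e in enroll])
        gen_scores[f] = [scaled_manhattan(tmpl, p[f]) for p in gen_probes]
        imp_scores[f] = [scaled_manhattan(tmpl, p[f]) for p in imp_probes]
        field_eer[f] = eer(gen_scores[f], imp_scores[f])

    # Feature-level fusion: concatenate every field's features, one template, one score.
    def concat(form):
        return [x for f in FIELDS for x in form[f]]
    tmpl_all = build_template([concat(e) for e in enroll])
    feature_fusion = eer([scaled_manhattan(tmpl_all, concat(p)) for p in gen_probes],
                         [scaled_manhattan(tmpl_all, concat(p)) for p in imp_probes])

    # Weighted-score fusion: per-field scores combined with weights inversely
    # proportional to each field's EER. A real deployment would estimate the
    # weights on a held-out development set, not on the evaluation set as here.
    w = {f: 1.0 / (field_eer[f] + 1e-3) for f in FIELDS}
    total = sum(w.values())
    def fuse(scores, i):
        return sum(w[f] / total * scores[f][i] for f in FIELDS)
    score_fusion = eer([fuse(gen_scores, i) for i in range(n_probe)],
                       [fuse(imp_scores, i) for i in range(n_probe)])
    return {"fields": field_eer, "feature_fusion": feature_fusion, "score_fusion": score_fusion}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The numbers this prints come from synthetic Gaussian typists and say nothing about the EERs reported in the abstract; the point is the structure: per-field templates and scores, a single template over concatenated features, and a weighted sum of per-field scores, each evaluated with the same EER sweep.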
ISSN: 2661-8907, 2662-995X
DOI: 10.1007/s42979-022-01245-3