Keyboard Input Biometric Authentication Spoofing

Keyboard input biometric authentication systems are software systems which record keystroke information and use it to identify a typist. The primary statistics used to determine the accuracy of a keyboard biometric authentication system are the false acceptance rate (FAR) and false rejection rate (FRR), which are aimed to be as low as possible [1]. However, even if a system has a low FAR and FRR, there is nothing stopping an attacker from also monitoring an individual's typing habits in the same way a legitimate authentication system would, and using its knowledge of their habits to recreate virtual keyboard events for typing arbitrary text, with precise timing mimicking those habits, which would theoretically spoof a legitimate keyboard biometric authentication system into thinking it is the intended user doing the typing. A proof of concept of this very attack, called keyboard input biometric authentication spoofing, is the focus of this paper, with the purpose being to show that even if a biometric authentication system is reasonably accurate, with a low FAR and FRR, it can still potentially be very vulnerable to a well-crafted spoofing system. A rudimentary keyboard input biometric authentication system was written in C and C++ which drew influence from already existing methods and attempted new methods of authentication as well. A spoofing system was then built which exploited the authentication system's statistical representation of a user's typing habits to recreate keyboard events as described above. This proof of concept is aimed at raising doubts about the idea of relying too heavily upon keyboard input based biometric authentication systems since the user's typing input can demonstrably be spoofed in this way if an attacker has full access to the system, even if the system itself is accurate. The results are that the authentication system built for this study, when ran on a database of typing event logs recorded from 15 users in 4 sessions, had a 0% FAR and FRR (more detailed analysis of FAR and FRR is also presented), yet it was still very susceptible to being spoofed, with a 44% to 71% spoofing rate in some instances.