Password policy characteristics and keystroke biometric authentication

Simon Parkinson, Saad Khan, Andrew Crampton, Qing Xu, Weizhi Xie, Paloma Liu, Kyle Dakin

Research output: Contribution to journalArticlepeer-review

14 Citations (Scopus)


Behavioural biometrics have the potential to provide an additional or alternative authentication mechanism to those involving a shared secret (i.e., a password). Keystroke timings are the focus of this study, where key press and release timings are acquired whilst monitoring a user typing a known phrase. Many studies exist in keystroke biometrics, but there is an absence of literature aiming to understand the relationship between characteristics of password policies and the potential of keystroke biometrics. Furthermore, benchmark data sets used in keystroke biometric research do not enable useful insights into the relationship between their capability and password policy. In this work, we consider substitutions of uppercase, numeric, special characters, and their combination on passwords derived from English words. We acquire timings for 42 participants for the same 40 passwords. We implement a matching system using the Manhattan distance measure with seven different feature sets, culminating in an Equal Error Rate of between 6-11% and accuracy values between 89-94%, demonstrating comparable accuracy to other threshold-based systems. Further analysis suggests that the best feature sets are those containing all timings and trigraph press to press. Evidence also suggests that phrases containing fewer characters have greater accuracy, except for those with special character substitutions.
Original languageEnglish
Pages (from-to)163-178
Number of pages16
JournalIET Biometrics
Issue number2
Early online date25 Jan 2021
Publication statusPublished - 1 Mar 2021


Dive into the research topics of 'Password policy characteristics and keystroke biometric authentication'. Together they form a unique fingerprint.

Cite this