A User Study of Keystroke Dynamics as Second Factor in Web MFA

As account compromises and malicious online attacks are on the rise, multi-factor authentication (MFA) has been adopted to defend against these attacks. OTP and mobile push notification are just two examples of the popularly adopted MFA factors. Although MFA improve security, they also add additional steps or hardware to the authentication process, thus increasing the authentication time and introducing friction. On the other hand, keystroke dynamics-based authentication is believed to be a promising MFA for increasing security while reducing friction. While there have been several studies on the usability of other MFA factors, the usability of keystroke dynamics has not been studied. To this end, we have built a web authentication system with the standard features of signup, login and account recovery, and integrated keystroke dynamics as an additional factor. We then conducted a user study on the system where 20 participants completed tasks related to signup, login and account recovery. We have also evaluated a new approach for completing the user enrollment process, which reduces friction by naturally employing other alternative MFA factors (OTP in our study) when keystroke dynamics is not ready for use. Our study shows that while maintaining strong security (0% FPR), adding keystroke dynamics reduces authentication friction by avoiding 66.3% of OTP at login and 85.8% of OTP at account recovery, which in turn reduces the authentication time by 63.3% and 78.9% for login and account recovery respectively. Through an exit survey, all participants have rated the integration of keystroke dynamics with OTP to be more preferable to the conventional OTP-only authentication.