Masterkey attacks against free-text keystroke dynamics and security implications of demographic factors

This paper presents and systematically evaluates the first masterkey attack against free-text keystroke dynamics. A masterkey is a typing sequence that matches, hence successfully impersonates, a large part of the population. Therefore, masterkeys are effective tools for an adversary who aims to impersonate someone without knowledge of their typing behavior. On top of the attack itself, we present a new unifying evaluation framework for masterkey attacks that allow for the comparison with knowledge-based authentication factors. In other words, we unify the evaluation of password security with that of masterkey attacks and demonstrate that typing biometrics is approximately 20 times less secure than passwords and approximately two times less secure than a 4-digit pin. Lastly, we study the effect of demographics on typing biometrics, which, among others, provides novel insights into the effect of being a well-versed typist on security.