Abstract: In this paper, we show that keystroke latencies used in continuous user authentication systems disclose application context, i.e., in which application user is entering text. Using keystroke data collected from 62 subjects, we show that an adversary can infer application context from keystroke latencies with 95.15% accuracy. To prevent leakage from keystroke latencies, and prevent exposure of application context, we develop privacy-preserving authentication protocols in the outsourced authentication model. Our protocols implement two popular matching algorithms designed for keystroke authentication, called Absolute (“A”) and Relative (“R”). With our protocols, the client reveals no information to the server during authentication, besides the authentication result. Our experiments show that these protocols are fast in practice: with 100 keystroke features, authentication was completed in about one second with the “A” protocol, and in 595 ms with the “R” protocol. Further, because the asymptotic cost of our protocols is linear, they can scale to a large number of features. On the other hand, by leveraging application context we were able to reduce HTER from 14.7% with application-agnostic templates, to as low as 5.8% with application-specific templates.
