{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T07:56:44Z","timestamp":1767859004654,"version":"3.49.0"},"reference-count":51,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2020,2,5]],"date-time":"2020-02-05T00:00:00Z","timestamp":1580860800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100002790","name":"Natural Sciences and Engineering Research Council of Canada","doi-asserted-by":"publisher","award":["RGPIN-2019-05120, RGPIN-2014-05499, and RGPIN-2018-05187"],"award-info":[{"award-number":["RGPIN-2019-05120, RGPIN-2014-05499, and RGPIN-2018-05187"]}],"id":[{"id":"10.13039\/501100002790","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2020,2,29]]},"abstract":"Keystroke behaviour-based authentication employs the unique typing behaviour of users to authenticate them. Recent such proposals for virtual keyboards on smartphones employ diverse temporal, contact, and spatial features to achieve over 95% accuracy. Consequently, they have been suggested as a second line of defense with text-based password authentication. We show that a state-of-the-art keystroke behaviour-based authentication scheme is highly vulnerable against mimicry attacks. While previous research used training interfaces to attack physical keyboards, we show that this approach has limited effectiveness against virtual keyboards. This is mainly due to the large number of diverse features that the attacker needs to mimic for virtual keyboards. We address this challenge by developing an augmented reality-based app that resides on the attacker\u2019s smartphone and leverages computer vision and keystroke data to provide real-time guidance during password entry on the victim\u2019s phone. In addition, we propose an audiovisual attack in which the attacker overlays transparent film printed with spatial pointers on the victim\u2019s device and uses audio cues to match the temporal behaviour of the victim. Both attacks require neither tampering or installing software on the victim\u2019s device nor specialized hardware. We conduct experiments with 30 users to mount over 400 mimicry attacks. We show that our methods enable an attacker to mimic keystroke behaviour on virtual keyboards with little effort. We also demonstrate the extensibility of our augmented reality-based technique by successfully mounting mimicry attacks on a swiping behaviour-based continuous authentication system.<\/jats:p>","DOI":"10.1145\/3372420","type":"journal-article","created":{"date-parts":[[2020,4,4]],"date-time":"2020-04-04T07:59:17Z","timestamp":1585987157000},"page":"1-34","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":20,"title":["Mimicry Attacks on Smartphone Keystroke Authentication"],"prefix":"10.1145","volume":"23","author":[{"given":"Hassan","family":"Khan","sequence":"first","affiliation":[{"name":"School of Computer Science, University of Guelph, Ontario, Canada"}]},{"given":"Urs","family":"Hengartner","sequence":"additional","affiliation":[{"name":"Cheriton School of Computer Science, University of Waterloo, Ontario, Canada"}]},{"given":"Daniel","family":"Vogel","sequence":"additional","affiliation":[{"name":"Cheriton School of Computer Science, University of Waterloo, Ontario, Canada"}]}],"member":"320","published-online":{"date-parts":[[2020,2,5]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2011.24"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2501988.2502045"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.13176\/11.427"},{"key":"e_1_2_1_4_1","volume-title":"Proceedings of the International Conference on Image Analysis and Signal Processing. IEEE, 233--236","author":"Bao Wei","year":"2009","unstructured":"Wei Bao , Hong Li , Nan Li , and Wei Jiang . 2009 . A liveness detection method for face recognition based on optical flow field . In Proceedings of the International Conference on Image Analysis and Signal Processing. IEEE, 233--236 . Wei Bao, Hong Li, Nan Li, and Wei Jiang. 2009. A liveness detection method for face recognition based on optical flow field. In Proceedings of the International Conference on Image Analysis and Signal Processing. IEEE, 233--236."},{"key":"e_1_2_1_5_1","unstructured":"BehavioSec. 2017. A supplement to Authentication in an Internet Banking Environment. Retrieved rom https:\/\/www.behaviosec.com\/financial-services\/. BehavioSec. 2017. A supplement to Authentication in an Internet Banking Environment. Retrieved rom https:\/\/www.behaviosec.com\/financial-services\/."},{"key":"e_1_2_1_6_1","unstructured":"Karissa Bell. 2017. New ARKit iPhone app will help your learn to be a better dancer. Retrieved from https:\/\/mashable.com\/2017\/07\/09\/dance-reality-arkit-app. Karissa Bell. 2017. New ARKit iPhone app will help your learn to be a better dancer. Retrieved from https:\/\/mashable.com\/2017\/07\/09\/dance-reality-arkit-app."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.62"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2500423.2504572"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.44"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1999995.2000053"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2556288.2557346"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2702123.2702252"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2207676.2208639"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1961189.1961199"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-006-0006-6"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/128749.128750"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.3138\/FM57-6770-U75U-7727"},{"key":"e_1_2_1_18_1","volume-title":"Mobile Computing, Applications, and Services","author":"Draffin Benjamin","unstructured":"Benjamin Draffin , Jiang Zhu , and Joy Zhang . 2014. KeySens: Passive user authentication through micro-behavior modeling of soft keyboard interaction . In Mobile Computing, Applications, and Services . Springer , 184--201. Benjamin Draffin, Jiang Zhu, and Joy Zhang. 2014. KeySens: Passive user authentication through micro-behavior modeling of soft keyboard interaction. In Mobile Computing, Applications, and Services. Springer, 184--201."},{"key":"e_1_2_1_19_1","volume-title":"Stork","author":"Duda Richard O.","year":"2012","unstructured":"Richard O. Duda , Peter E. Hart , and David G . Stork . 2012 . Pattern Classification. John Wiley 8 Sons. Richard O. Duda, Peter E. Hart, and David G. Stork. 2012. Pattern Classification. John Wiley 8 Sons."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660273"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3025453.3025636"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2565585.2565592"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom.2013.272"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2012.2225048"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2007.902030"},{"key":"e_1_2_1_26_1","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"Giuffrida Cristiano","unstructured":"Cristiano Giuffrida , Kamil Majdanik , Mauro Conti , and Herbert Bos . 2014. I sensed it was you: Authenticating mobile users with sensor-enhanced keystroke dynamics . In Detection of Intrusions and Malware, and Vulnerability Assessment . Springer , 92--111. Cristiano Giuffrida, Kamil Majdanik, Mauro Conti, and Herbert Bos. 2014. I sensed it was you: Authenticating mobile users with sensor-enhanced keystroke dynamics. In Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 92--111."},{"key":"e_1_2_1_27_1","first-page":"65","article-title":"A simple sequentially rejective multiple test procedure","volume":"6","author":"Holm Sture","year":"1979","unstructured":"Sture Holm . 1979 . A simple sequentially rejective multiple test procedure . Scand. J. Stat. 6 , 2 (1979), 65 -- 70 . Sture Holm. 1979. A simple sequentially rejective multiple test procedure. Scand. J. Stat. 6, 2 (1979), 65--70.","journal-title":"Scand. J. Stat."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2702613.2725444"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2008.10.002"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2565585.2565590"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2906388.2906404"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3210240.3210317"},{"key":"e_1_2_1_33_1","volume-title":"Proceedings of the 4th IEEE International Conference on Biometrics: Theory Applications and Systems. IEEE, 1--7.","author":"Kwapisz Jennifer R.","unstructured":"Jennifer R. Kwapisz , Gary M. Weiss , and Samuel A. Moore . 2010. Cell phone-based biometric identification . In Proceedings of the 4th IEEE International Conference on Biometrics: Theory Applications and Systems. IEEE, 1--7. Jennifer R. Kwapisz, Gary M. Weiss, and Samuel A. Moore. 2010. Cell phone-based biometric identification. In Proceedings of the 4th IEEE International Conference on Biometrics: Theory Applications and Systems. IEEE, 1--7."},{"key":"e_1_2_1_34_1","volume-title":"Proceedings of the 20th Network and Distributed System Security Symposium","volume":"13","author":"Li Lingjun","year":"2013","unstructured":"Lingjun Li , Xinxin Zhao , and Guoliang Xue . 2013 . Unobservable reauthentication for smart phones . In Proceedings of the 20th Network and Distributed System Security Symposium , Vol. 13 . Lingjun Li, Xinxin Zhao, and Guoliang Xue. 2013. Unobservable reauthentication for smart phones. In Proceedings of the 20th Network and Distributed System Security Symposium, Vol. 13."},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1982185.1982190"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2307636.2307666"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1007\/s102070100006"},{"key":"e_1_2_1_38_1","unstructured":"Mozilla. 2019. MDB Browser compatibility data. https:\/\/github.com\/mdn\/browser-compat-data. Last accessed: 07\/2019. Mozilla. 2019. MDB Browser compatibility data. https:\/\/github.com\/mdn\/browser-compat-data. Last accessed: 07\/2019."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23303"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSMC.1979.4310076"},{"key":"e_1_2_1_41_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201914)","author":"Panjwani Saurabh","year":"2014","unstructured":"Saurabh Panjwani and Achintya Prakash . 2014 . Crowdsourcing attacks on biometric systems . In Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201914) . USENIX Association. Saurabh Panjwani and Achintya Prakash. 2014. Crowdsourcing attacks on biometric systems. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201914). USENIX Association."},{"key":"e_1_2_1_42_1","unstructured":"Bruce Schneier. 2009. Schneier on Security: Biometrics. Retrieved from https:\/\/www.schneier.com\/blog\/archives\/2009\/01\/biometrics.html. Bruce Schneier. 2009. Schneier on Security: Biometrics. Retrieved from https:\/\/www.schneier.com\/blog\/archives\/2009\/01\/biometrics.html."},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2516960"},{"key":"e_1_2_1_44_1","volume-title":"Proceedings of the ACM SIGSAC Conference on Computer 8 Communications Security. ACM, 599--610","author":"Serwadda Abdul","unstructured":"Abdul Serwadda and Vir V. Phoha . 2013b. When kids\u2019 toys breach mobile phone security . In Proceedings of the ACM SIGSAC Conference on Computer 8 Communications Security. ACM, 599--610 . Abdul Serwadda and Vir V. Phoha. 2013b. When kids\u2019 toys breach mobile phone security. In Proceedings of the ACM SIGSAC Conference on Computer 8 Communications Security. ACM, 599--610."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/2500423.2500434"},{"key":"e_1_2_1_46_1","volume-title":"Proceedings of the 20th Annual Network 8 Distributed System Security Symposium.","author":"Tey Chee Meng","year":"2013","unstructured":"Chee Meng Tey , Payas Gupta , and Debin Gao . 2013 . I can be you: Questioning the use of keystroke dynamics as biometrics . In Proceedings of the 20th Annual Network 8 Distributed System Security Symposium. Chee Meng Tey, Payas Gupta, and Debin Gao. 2013. I can be you: Questioning the use of keystroke dynamics as biometrics. In Proceedings of the 20th Annual Network 8 Distributed System Security Symposium."},{"key":"e_1_2_1_47_1","unstructured":"The Register. 2019. Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds. Retrieved from https:\/\/www.theregister.co.uk\/2019\/08\/14\/biostar_2_suprema_database_exposed_27m_records\/. The Register. 2019. Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds. Retrieved from https:\/\/www.theregister.co.uk\/2019\/08\/14\/biostar_2_suprema_database_exposed_27m_records\/."},{"key":"e_1_2_1_48_1","volume-title":"Touch Events: Draft Community Group Report.","author":"C.","year":"2019","unstructured":"W3 C. 2019 . Touch Events: Draft Community Group Report. Retrieved from https:\/\/w3c.github.io\/touch-events\/. W3C. 2019. Touch Events: Draft Community Group Report. Retrieved from https:\/\/w3c.github.io\/touch-events\/."},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3098243.3098244"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2014.2341633"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2017.2651820"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372420","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3372420","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:21Z","timestamp":1750197741000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3372420"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,2,5]]},"references-count":51,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,2,29]]}},"alternative-id":["10.1145\/3372420"],"URL":"https:\/\/doi.org\/10.1145\/3372420","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,2,5]]},"assertion":[{"value":"2019-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-11-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-02-05","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}