Behavioural Biometrics: Keystroke, Gait and Mouse Dynamics

Keystroke dynamics, sometimes called typing rhythm analysis, quantifies the temporal and pressure characteristics of keyboard input. The core measurements are: dwell time (how long a key is held down, measured in milliseconds), flight time or inter-key interval (the time between the key-up event of one key and the key-down event of the next), and press order (which fingers activate which keys and in what sequence). On pressure-sensitive surfaces such as modern laptop trackpads and some keyboards, grip force and key-depression depth add further dimensions.

The biometric rationale is that motor programmes governing typing are learned over years and become habitual. The motor cortex issues the same command sequences for common digraphs and trigraphs ("th", "ing", "the") with millisecond-level consistency for a given individual. Across individuals, even those who have learned the same touch-typing method from the same textbook, the exact timing distributions differ due to differences in hand anatomy, neural conduction velocity, habitual word patterns, and dominant-hand dominance effects.

Early empirical validation came from Gaines, Lisowski, Press and Shapiro's 1980 study at Bell Laboratories, which showed that typing rhythm patterns could discriminate among a small user population. Modern validation uses datasets several orders of magnitude larger. The CMU Keystroke Dynamics Benchmark Dataset (Joyce and Gupta, extended by Killourhy and Maxion, Carnegie Mellon University, 2009) tested 51 subjects typing a fixed password string 400 times each across multiple sessions spanning fifty days. The best classical machine learning classifiers achieved equal error rates of approximately 9 per cent on fixed-text verification; modern deep learning approaches on the same benchmark reach below 4 per cent EER.

For forensic applications, a critical distinction exists between fixed-text and free-text keystroke dynamics. Fixed-text systems verify that a person typing a known password is the enrolled user. Free-text systems profile the statistical properties of typing across arbitrary content, which is the forensically relevant scenario: did this person type this threatening message, or this insider-threat email, or these database commands? Free-text accuracy is substantially lower than fixed-text, with EERs in the 10 to 20 per cent range for individual classifiers, improving with ensemble methods and longer text samples.

In insider-threat investigations, keystroke logs from endpoint detection and response (EDR) platforms such as CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne are often already present in the corporate environment. Examiners can extract inter-key timing distributions from those logs and compare them against a reference profile built from the suspect's known benign activity on the same machine. In the United States, this approach has been used in federal computer-fraud prosecutions under 18 U.S.C. 1030 (the Computer Fraud and Abuse Act). In Germany, the Bundeskriminalamt has developed internal guidelines for the evidentiary use of keystroke logs under the Strafprozessordnung.

Gait is the locomotion pattern produced by the coordinated action of the musculoskeletal and nervous systems. Each person's gait reflects their skeletal proportions, joint range of motion, muscle mass distribution, habitual posture, and years of learned motor patterns. The forensic proposition is that CCTV footage of an unknown person's gait can be compared against reference footage of a known individual to assess whether they are the same person.

The University of Southampton Gait Recognition Group, led by Professor Mark Nixon and colleagues, has conducted the most influential academic programme in this area. Their work on model-based and appearance-based gait recognition algorithms produced the Southampton Human ID at a Distance (HumanID) dataset, which remains a standard benchmark. The associated commercial product, CCTV-based gait identification, was validated in the ENFSI ENGAGE (European Network of Forensic Science Institutes Gait Analysis across Europe) project, which ran from 2013 to 2015 and produced a best-practice manual for forensic gait examiners.

The United Kingdom's Metropolitan Police Service Gait Analysis Unit employed forensic podiatry and gait analysis expertise that contributed to a landmark case: the 2011 prosecution of Maarouf Akhoudach for the 2010 murder of Mark Sherwood near Tottenham Court Road, London. CCTV footage showed the offender walking away from the scene with a distinctive gait pattern. A forensic gait analyst compared this footage against reference footage of the defendant and concluded that the gait features (stride length, pelvic tilt, arm swing asymmetry, and foot-strike pattern) were consistent with the defendant and inconsistent with the population at large. The jury convicted. The case remains one of the most-cited examples of forensic gait evidence in a UK court.

In the Netherlands, the Netherlands Forensic Institute (NFI) has a formal forensic gait casework unit. Australian courts have considered CCTV gait evidence in multiple cases, with the Victorian Court of Appeal addressing admissibility criteria in R v. Nguyen [2014]. In the United States, gait analysis has been offered in federal and state courts, though its admissibility under Daubert v. Merrell Dow Pharmaceuticals (1993) has been contested in several jurisdictions, with expert testimony admitted where the examiner could demonstrate validated methodology, error rates, and peer review.

Mouse dynamics describes the statistical characteristics of cursor movement: velocity profiles, acceleration curves, click timing, path curvature, pause duration before a click, and the jitter pattern caused by hand tremor at rest. Touch dynamics extends these measurements to mobile touchscreens: swipe velocity, tap pressure distribution, finger-contact area, and the characteristic deceleration as a finger lifts from the surface. Both modalities are collected entirely passively from standard input device drivers with no specialist hardware.

The commercial deployment of mouse and touch dynamics for continuous authentication is substantially ahead of the forensic research literature. BioCatch, founded in Israel in 2011 and operating in over 35 countries by 2024, is the most widely deployed behavioural biometrics platform for banking fraud detection. Its system analyses several hundred behavioural features per session, including mouse dynamics, touch dynamics, device orientation patterns, and micro-tremor frequency, to produce a continuous risk score for each banking session. Banks including Barclays (UK), Lloyds Banking Group (UK), HSBC, and several large Indian private-sector banks have deployed BioCatch or comparable platforms. The Reserve Bank of India's cybersecurity framework for scheduled commercial banks, updated in 2021, explicitly acknowledges behavioural analytics as an approved additional authentication layer.

For forensic purposes, mouse and touch dynamics logs from banking or e-commerce platforms have been produced as evidence in civil fraud litigation and in account-takeover prosecution. In a 2019 civil case in the UK Commercial Court, session logs from a major UK retail bank were adduced to show that the behavioural profile of the session in which a disputed transfer was authorised differed significantly from the account holder's established baseline, supporting the claimant's case that the session was conducted by an unauthorised third party. In India, the Cyber Crime Cells of several state police forces have sought behavioural analytics logs as corroborating evidence in online banking fraud prosecutions under Section 66C of the Information Technology Act 2000 (identity theft) and the analogous provisions of the Bharatiya Nyaya Sanhita 2023.

In fraud investigation, behavioural biometrics typically serve as the first alert layer. A session in which the cursor movement profile, keystroke rhythm, or touch dynamics differ significantly from the account holder's established baseline triggers a step-up authentication challenge or flags the session for human review. When that alert is followed by investigation, the behavioural log becomes evidence: it documents that the session behaviour was anomalous, and it documents what the anomalous behaviour looked like, which may help identify the fraudster if they have an established profile in the financial institution's database.

In insider-threat attribution, keystroke and mouse dynamics serve a different function: they tie specific actions taken on a corporate network to a specific human operator. Enterprise networks log user activity at the operating system, application, and network levels, but most logs record which user account was active, not which person was physically at the keyboard. An attacker who steals credentials can act under another user's account identity. Keystroke dynamics from the session can provide evidence that the physical operator was different from the credential owner, or evidence that the physical operator's typing profile matches the suspect.

In civil employment disputes, particularly wrongful-dismissal cases, employer-collected keystroke logs have been used in several UK Employment Tribunal proceedings to establish when an employee was or was not at their workstation, and to support or contradict claims about work done or not done during a particular period. These uses raise significant data-protection questions under the UK General Data Protection Regulation (UK GDPR), the EU GDPR, India's Digital Personal Data Protection Act 2023, and equivalent frameworks in the US (where the Electronic Communications Privacy Act and state-level employee-monitoring statutes apply). Admissibility of such evidence requires that the collection was lawful, proportionate, and disclosed to employees in advance.

Admissibility of behavioural biometric evidence varies considerably across jurisdictions. The United States applies the Daubert standard (Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579, 1993), which requires the trial judge to evaluate whether the expert's method has been tested, subjected to peer review, has a known error rate, and is generally accepted in the relevant scientific community. Forensic gait analysis and keystroke dynamics have both been admitted in US federal courts, but only where the expert could point to published validation studies and articulate error rate estimates. The Federal Rules of Evidence Rule 702, as amended in 2023, further tightened the requirement that the expert "reliably applies" the method to the facts of the case.

In England and Wales, the test derives from R v. Turner [1975] QB 834, and expert evidence is admissible where it is within a recognised body of expertise governed by recognised standards. The ENFSI best-practice manual for gait analysis has been cited to establish that gait comparison constitutes such a recognised body. The UK Forensic Science Regulator's Codes of Practice and Conduct require forensic providers to hold UKAS accreditation or demonstrate compliance with equivalent quality standards; the codes explicitly cover forensic gait analysis.

In India, expert evidence admissibility is governed by Section 45 of the Indian Evidence Act 1872 (now Section 39 of the Bharatiya Sakshya Adhiniyam 2023), which admits opinions of persons specially skilled in a relevant science or art. Behavioural biometric evidence has not yet been the subject of a reported Supreme Court or High Court ruling, but the statutory framework is broad enough to admit it where the expert's credentials and methodology can withstand cross-examination. The NABL forensic accreditation framework does not yet include specific provisions for behavioural biometrics, leaving the admissibility assessment to the court on a case-by-case basis.

Australia's uniform evidence law (Evidence Act 1995 Cth and state equivalents) applies a relevance and reliability test under sections 79 and 135. Gait evidence has been considered by the Victorian Court of Appeal and admitted in multiple state courts. New Zealand courts have similarly admitted gait comparison evidence in CCTV-heavy prosecutions.

Contemporary research has moved beyond single-modality classifiers toward multimodal fusion: combining keystroke dynamics with mouse dynamics, with touch dynamics, with typing error patterns, with device sensor data (accelerometer, gyroscope on mobile), and with micro-expression analysis from front-facing cameras. The forensic attraction of multimodal fusion is additive discrimination: an adversary who can replicate one behavioural channel (for example by learning from observed keystrokes) is unlikely to simultaneously replicate all channels.

Deep learning approaches, particularly recurrent neural networks (RNNs) and transformers applied to time-series keystroke data, have substantially improved free-text verification accuracy. Work from the Rochester Institute of Technology (Acien et al., 2022) on the Aalto University Keyboard Dataset, which contains 136 million keystrokes from 168,000 participants in 200 countries, showed that a transformer-based model could verify individual identity from typing samples as short as 160 keystrokes with an EER of approximately 4 per cent for fixed-text and 11 per cent for free-text. This scale of dataset represents a qualitative change in the validation evidence available to forensic examiners.

For gait, computer-vision models trained on large-scale gait datasets (CASIA-B with 124 subjects; OU-MVLP with 10,307 subjects) now achieve rank-1 recognition rates above 90 per cent in controlled lab conditions. The challenge for forensic application remains the covariate problem: CCTV footage is captured at different viewpoints, under different lighting, with subjects wearing different clothing, at different walking speeds. Forensic-grade gait algorithms must be evaluated on out-of-distribution data (footage conditions significantly different from training data), not just benchmark datasets. The NIST Gait Challenge series, following the model of the NIST Fingerprint Vendor Technology Evaluation, is one proposed path to independent, auditable performance benchmarking.

Liveness detection is a related emerging concern. As behavioural biometric authentication systems become more widely deployed for financial services, adversarial attacks that attempt to replay a recorded behavioural session (replaying a captured keystroke sequence or mouse-movement recording) become a threat. Research groups at UCL, MIT, and Radboud University have demonstrated that modern behavioural biometric systems can be made substantially more robust by incorporating micro-timing noise at sub-millisecond resolution that is present in live human typing but absent in replay attacks.