Alexandru Bara (University of Waterloo), Aswad Tariq (University of Waterloo), Urs Hengartner (University of Waterloo)

Behavioural biometrics have emerged as a transformative security mechanism for the web, leveraging user interaction patterns such as keystrokes and mouse movements for authentication. Detecting scripts that perform behavioural biometrics at scale remains challenging because of code obfuscation, dynamic execution, and overlap with analytics scripts. We aim to understand how widely such scripts are deployed by crawling more than 20K websites, including the Tranco Top 20K list, 500 bank websites, and more than 1K e-commerce websites. Our crawlers locate checkout and login pages, where sensitive information is entered and behavioural biometrics are therefore more likely to be deployed. We develop the first open-source crawler that navigates an e-commerce website to its checkout page, achieving 78% accuracy on Shopify-based websites. Our crawlers rely on a web browser instrumented for dynamic taint analysis to find websites whose scripts access keystroke or mouse information and transmit it to backend servers. We also build a ground-truth dataset of behavioural biometrics scripts and create a machine learning pipeline that automatically filters out scripts showing no behavioural biometrics characteristics. Our analysis reveals that behavioural biometrics scripts are deployed on at least 0.31% and potentially up to 0.50% of the Tranco Top 20K websites, with significantly higher adoption on bank login pages. We conclude with recommendations for balancing security benefits against privacy risks, advocating transparency, deobfuscation, and regulatory oversight.
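To make concrete what the taint analysis described above is looking for, the following added example (written for this page, not code from the paper or its crawler) shows the kind of processing a behavioural biometrics script performs: it turns raw keyboard and mouse events into timing features (key dwell and flight times, mouse speed) and packages them into a payload destined for a backend. The event records, feature names and payload schema are constructed assumptions for illustration; real scripts use their own, often obfuscated, schemas. In a browser the events would come from keydown/keyup/mousemove listeners and the payload would leave via fetch or sendBeacon, which is the source-to-sink flow a taint-tracking browser flags.

```javascript
// Added example (not from the paper): feature extraction of the kind a
// behavioural-biometrics script performs before shipping data to a backend.
// All input below is constructed inline so the code runs offline in Node.

// Constructed keystroke events: {key, type, t} with t in milliseconds.
const KEY_EVENTS = [
  { key: "p", type: "keydown", t: 1000 },
  { key: "p", type: "keyup",   t: 1090 },
  { key: "a", type: "keydown", t: 1150 },
  { key: "a", type: "keyup",   t: 1230 },
  { key: "s", type: "keydown", t: 1300 },
  { key: "s", type: "keyup",   t: 1400 },
];

// Constructed mouse samples: {x, y, t}.
const MOUSE_EVENTS = [
  { x: 0,  y: 0,   t: 2000 },
  { x: 30, y: 40,  t: 2100 },   // 50 px in 100 ms -> 0.5 px/ms
  { x: 30, y: 40,  t: 2200 },   // pause: zero distance, must not divide by zero
  { x: 90, y: 120, t: 2300 },   // 100 px in 100 ms -> 1.0 px/ms
];

// Keystroke dynamics: dwell = keyup - keydown for the same key;
// flight = next keydown - previous keyup. The timing, not the key identity,
// carries the biometric signal, so keys themselves are not kept in the output.
function keystrokeFeatures(events) {
  const downAt = new Map();
  const dwell = [];
  const flight = [];
  let lastUp = null;
  for (const e of events) {
    if (e.type === "keydown") {
      downAt.set(e.key, e.t);
      if (lastUp !== null) flight.push(e.t - lastUp);
    } else if (e.type === "keyup" && downAt.has(e.key)) {
      dwell.push(e.t - downAt.get(e.key));
      downAt.delete(e.key);
      lastUp = e.t;
    }
  }
  return { dwell, flight };
}

// Mouse dynamics: per-segment speed in px/ms. Pauses (dt <= 0 or no
// movement) are reported as 0 rather than dropped or causing NaN.
function mouseFeatures(samples) {
  const speeds = [];
  for (let i = 1; i < samples.length; i++) {
    const a = samples[i - 1];
    const b = samples[i];
    const dt = b.t - a.t;
    const dist = Math.hypot(b.x - a.x, b.y - a.y);
    speeds.push(dt > 0 ? dist / dt : 0);
  }
  return { speeds };
}

function mean(xs) {
  return xs.length ? xs.reduce((s, v) => s + v, 0) / xs.length : 0;
}

// Build the payload such a script would POST or sendBeacon to its backend.
// Field names are an assumption for illustration only.
function buildPayload(keyEvents, mouseSamples) {
  const k = keystrokeFeatures(keyEvents);
  const m = mouseFeatures(mouseSamples);
  return {
    meanDwellMs: mean(k.dwell),
    meanFlightMs: mean(k.flight),
    meanMouseSpeed: mean(m.speeds),
    keyCount: k.dwell.length,
    mouseSampleCount: mouseSamples.length,
  };
}

// In a browser this serialized string is what reaches a remote server; the
// flow from event timestamps/coordinates into it is the taint a
// taint-tracking browser would report.
function serialize(payload) {
  return JSON.stringify(payload);
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(serialize(buildPayload(KEY_EVENTS, MOUSE_EVENTS)));
}
```

Note that an analytics script can register the same listeners; what distinguishes a biometrics script is that inter-event timing and fine-grained coordinates survive into the outbound payload, which is why the paper combines the taint-analysis signal with a classifier rather than relying on listener registration alone.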
