A Multi-Seed Analysis of Adversarial Vulnerability in BiLSTM Continuous Authentication
Ahmed Mahfouz, Mohammed Abdulla Salim Al Husaini, Alaa A. K. Ismaeel, Yousuf Al Husaini

A single user-invariant tensor, kinematically impossible for any human finger to produce, bypasses bidirectional long short-term memory (BiLSTM) continuous-authentication defenders with numerically identical structure across four independently trained generators. We arrive at this finding by training generative adversarial networks against BiLSTM defenders on 51 users across three independent random seeds, with the data partition held fixed, to test the prevailing assumption that successful generative attacks must reproduce the victim’s kinematic behavior. Aggregate attack success rate varies from 31.4% to 45.1% across seeds, a 13.7 percentage-point spread arising purely from optimization stochasticity, demonstrating how unreliable single-seed reporting is as an estimator of the true attack surface. A four-group descriptive stratification shows that 8% of users are attacked across all three seeds, 31% are consistently safe, and 61% exhibit seed-dependent outcomes. Classifier accuracy on zero-effort impostors does not predict adversarial vulnerability (Spearman ρ=−0.058, permutation p=0.688), whereas intra-user behavioral variance does (ρ=+0.351, permutation p=0.012, Bonferroni-corrected). The mechanism is not behavioral emulation but convergence to an Adversarial Skeleton Key, a tensor located in an unregularized region of the BiLSTM’s decision surface that the network reliably maps to acceptance, despite lying many standard deviations outside any genuine human distribution. The mimicry-centric evaluation paradigm underestimates the real threat surface. Input-space plausibility must be treated as a defensive layer rather than a preprocessing concern.
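As an added illustration of the closing point (not code from the paper or its authors), the sketch below places an input-space plausibility gate in front of the classifier, so a window lying many standard deviations outside genuine data is rejected before the model scores it. The feature names, distributions, the `z_max` threshold and the stand-in classifier are all assumptions; the sample windows are constructed.

```python
import random
from statistics import mean, pstdev

# Hypothetical per-timestep features: [velocity, pressure, contact_area]
def fit_envelope(genuine_windows):
    """Per-feature (mean, std) pooled over all timesteps of genuine data."""
    n_feat = len(genuine_windows[0][0])
    env = []
    for f in range(n_feat):
        col = [step[f] for w in genuine_windows for step in w]
        env.append((mean(col), pstdev(col) or 1e-9))  # guard zero variance
    return env

def max_abs_z(window, env):
    """Largest per-feature deviation in the window, in standard deviations."""
    return max(abs(step[f] - mu) / sd
               for step in window for f, (mu, sd) in enumerate(env))

def gated_decision(window, env, classifier, z_max=6.0):
    """Plausibility gate first; only plausible input reaches the model."""
    z = max_abs_z(window, env)
    if z > z_max:
        return "reject_implausible", z
    return ("accept" if classifier(window) else "reject_classifier"), z

def stand_in_classifier(window):
    """Assumed stand-in for the BiLSTM: decides on mean velocity alone, so it
    also accepts values far outside the human range (unregularized region)."""
    return mean(step[0] for step in window) > 0.5

def make_genuine(rng, steps=16):
    """Constructed genuine-looking window; the distributions are made up."""
    return [[rng.gauss(1.0, 0.2), rng.gauss(0.5, 0.05), rng.gauss(0.3, 0.03)]
            for _ in range(steps)]

_rng = random.Random(0)
ENROLLMENT = [make_genuine(_rng) for _ in range(20)]  # constructed data
ENVELOPE = fit_envelope(ENROLLMENT)
GENUINE_PROBE = make_genuine(_rng)
# Constructed out-of-distribution window, identical for every user.
IMPLAUSIBLE_PROBE = [[50.0, 0.0, 0.0] for _ in range(16)]

if __name__ == "__main__":
    for name, w in [("genuine", GENUINE_PROBE),
                    ("implausible", IMPLAUSIBLE_PROBE)]:
        print(name, stand_in_classifier(w),
              gated_decision(w, ENVELOPE, stand_in_classifier))
```

A per-feature z-score is the simplest possible envelope; it does not check joint or temporal constraints between features, which a production gate would also need.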