Using multi-factor authentication (MFA) is more secure than relying on passwords alone – but could it be made even better?
There is no shortage of ideas, one of which is keyboard dynamics (or biometrics), based on the long-understood observation that each person’s typing style is unique to them.
Recently, a Romanian startup called TypingDNA has turned the concept into a free Chrome extension that can be used to add an extra layer of authentication to a wide range of websites by utilising this principle.
According to the company, typing patterns allow their machine-learning algorithm to generate a 320-feature vector based on noticing the time it takes someone to move between 44 commonly-used characters, combined with the length of time each key is depressed.
So, it’s not what you type that counts but how you type it.
Once enrolled, the way a person types their username and password when logging in to a site is compared to previous recordings made by the user.
If the patterns match, TypingDNA’s servers return an encryption key that is used to unlock local keys held for each service the extension is being used with, allowing the user to proceed to conventional multi-factor authentication.
This stage generates a standard one-time authentication code inside the browser, taking over that task from smartphone apps such as Google Authenticator.
It’s like enhanced multi-factor authentication – all the advantages of two-factor authentication (2FA) with the added benefit that the way the user types is forms and extra identity check. The cherry on top is that the 2FA bit is done in-browser.
Impressively, the extension works with lots of websites, including Google/Gmail, Amazon AWS, Azure, Dropbox, Evernote, Reddit and Facebook.
Downsides? Apart from only supporting Chrome, each user account is only for that computer because encryption keys for services are stored locally. Adding a second computer means adding a second account.
In theory, false positives (where a legitimate user is asked to re-type credentials) are another problem, although, TypingDNA claims this drops quickly to as low 0.1%, comparable to any biometrics system.
The bigger question is where authentication supplemented or based on user behaviour might be going.
One possibility is “continuous authentication” where user behaviour is constantly monitored to verify someone’s identity.
Examples include the US DARPA project investigating “cognitive fingerprints”, as well as commercial systems from companies including BehavioSec and BioCatch which also incorporate keyboard and mouse fingerprinting.
Ironically, some worry that this technology could eventually be used to profile people in ways that no obfuscation system (Tor, VPNs) could defeat.
Researchers Per Thorsheim and Paul Moore even came up with a Chrome extension to counter this possibility by randomising typing patterns.
For users bothered about privacy, the problem with keyboard biometrics might not be that it doesn’t work but, on the contrary, that it works too well.
Naked Security
The Chrome extension that knows it’s you by the way you type
Using multi-factor authentication is more secure than relying on passwords alone - but could your typing make it even better?
Andy
How long until someone makes a keyboard that collects your input and types the data in randomized keystroke intervals?
phr3dly
One of my ring fingers is in a splint for 6 weeks. This has noticeably disrupted my typing patterns; far more typing errors, and probably a 20% decrease in overall typing speed. I’ve found that I even start to avoid words that use ‘wsxd’ because those tend to cause problems right now.
So I hope there is a robust backup system!
chanceumwp
I’d rather have the ability to use my password manager.
Laurence Marks
> It’s like enhanced multi-factor authentication – all the advantages of two-factor authentication (2FA) with the added benefit that the way the user types is forms and extra identity check. The cherry on top is that the 2FA bit is done in-browser.
This is really 3FA. Using the classic Bruce Schneier definitions:
–What you know: password
–What you have: cellphone for one-time code
–What you are: typing characteristics
Spryte
Is that also not a method for tracking?