Keystroke profiling

September 16, 2015

Also known as keystroke or typing dynamics, keystroke profiling means associating an individual with his or her way of interacting with an interface via a keyboard or another input device.

This identification method can serve for authentication (it belongs to the inherence factors category), or can serve in , and thus risks being misused for privacy intrusions or for mimicking the user for fraudulent purposes.

Keystroke authentication is a subcategory of . To be more specific, it belongs to behavioral authentication. The user can be identified using specialized technology. The delicate balance of and privacy stirs controversies over keystroke profiling – an intrinsic behavior enables user tracking and, once reproduced, it leads to theft.

How does keystroke profiling work?

The pattern of dwell and gap times in keyboard use determines a unique profile for each person.
Products that monitor behaviors and turn them into biometric profiles associate users with their patterns – and use this for commercial or intelligence purposes.
Concept plus technology equals another privacy challenge. Per Thorsheim from PasswordsCon asked security consultant Paul Moore to find a working solution to keyboard profiling, and the result was the Chrome extension entitled Keyboard Privacy. The browser plugin partially defeats the threat, but the concept remains.
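
As an added illustration (not code from the original article or from the Keyboard Privacy extension), the JavaScript below builds a profile from dwell and gap times and shows why re-timing keystrokes into one fixed range removes the identifying signal. Dwell is the time a key is held and gap is the time between releasing one key and pressing the next; the sample timings, the threshold and the `jam` helper are constructed assumptions.

```javascript
// Added illustration; all names and timing values are constructed, not from the article.
// A run is a list of [keyDown, keyUp] timestamps in ms for one fixed phrase.

// Dwell = how long each key is held; gap = release of one key to press of the next.
function features(run) {
  const dwell = run.map(([down, up]) => up - down);
  const gap = run.slice(1).map(([down], i) => down - run[i][1]);
  return [...dwell, ...gap];
}

// Profile = per-position mean of the feature vectors from the enrollment runs.
function enroll(runs) {
  const vecs = runs.map(features);
  return vecs[0].map((_, i) => vecs.reduce((s, v) => s + v[i], 0) / vecs.length);
}

// Mean absolute difference in ms between two feature vectors.
function distance(a, b) {
  return a.reduce((s, x, i) => s + Math.abs(x - b[i]), 0) / a.length;
}

// Mitigation sketch (hypothetical helper): replace the real rhythm with dwell and
// gap values drawn from one fixed range, so the timings say nothing about the typist.
function jam(run, rand = Math.random, lo = 40, hi = 60) {
  const draw = () => lo + Math.floor(rand() * (hi - lo + 1));
  let t = run[0][0];
  return run.map(() => {
    const down = t, up = down + draw();
    t = up + draw();
    return [down, up];
  });
}

// Constructed sample data: two hypothetical users typing the same four-key phrase.
const aliceEnroll = [
  [[0, 95], [240, 330], [480, 580], [730, 825]],
  [[0, 105], [255, 345], [495, 585], [745, 850]],
];
const aliceProbe = [[0, 100], [250, 338], [492, 590], [738, 836]];
const bobProbe = [[0, 60], [110, 165], [220, 285], [330, 390]];
const THRESHOLD_MS = 15; // assumed acceptance threshold

const profile = enroll(aliceEnroll);
const score = (run) => distance(features(run), profile);
const accepts = (run) => score(run) <= THRESHOLD_MS;
console.log('alice:', score(aliceProbe).toFixed(1), accepts(aliceProbe)); // 2.9 true
console.log('bob:', score(bobProbe).toFixed(1), accepts(bobProbe));       // 63.9 false
console.log('alice, jammed:', accepts(jam(aliceProbe)));                  // false
```

The same re-timing that stops tracking also makes the legitimate user fail keystroke-based authentication, which is the trade-off the article describes.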

Security researcher on keystroke profiling

Another independent security researcher and former Tor developer, Runa Sandvik, shows how the privacy risks are considerable when multiplied by the number of major websites that might be using this technique.
In Thorsheim and Moore’s opinion, a number of banking websites already make use of this technique for supplementary authentication.
Collecting the data needed for patterns might be the purpose of numerous spoofed or apparently innocent web pages; how this data is to be used, however, is another question. Profiling a user can take up to 10 minutes, and the degree of certainty regarding the user’s identity is very high. Being able to track the user across various web pages with this method considerably lowers the need for IP identification.

Keystroke profiling risks

Per Thorsheim, who brought this issue into public light, explains the risks and their importance from the perspective of a biometrics connoisseur.
The historical background consists of Morse code users’ profiling during World War II.
The modern applications are advertiser profiling, intelligence profiling and security risks – sites that require passwords to be typed manually may avoid the risk of vulnerable managers, but may encourage unsafe, shorter, easier-to-remember (and easier-to-guess) password choices. Plus, they just might conduct user keystroke profiling in the background.

On the other hand, biometrics enthusiasts still support the efficiency of authentication via keystroke dynamics, as is the case with Christophe Rosenberg, a biometrics researcher who, for BBC World, exemplifies the use of this technology with controlling the monitors of submarine missiles. (source in Spanish)
The utility of keystroke dynamics-based authentication (KDA) systems for touch screen devices has been analyzed in different articles, either in general or for specific operating systems.

Keystroke dynamics spoofing

You may read here an exhaustive article on spoofing key-press latencies. The article also proposes a Linguistic Buffer and Motor Control (LBMC) model that can be used to replicate typing behavior. The aim of this material is to “motivate the development of jamming devices to prevent information leakage through key-press timings”, as the authors state at the end of their study.
Identity manipulation represents a real threat, and keystroke spoofing is just another means of doing it. The biometric system has its general points of vulnerability, and this particular traceable behavior is a perfect example of how a biometric feature can be replicated by using specialized extraction software.

Is keystroke profiling good or bad?

The keystroke and mouse dynamics-based verification systems are vulnerable because human behavior may be easily monitored by automated extraction software. As promising as it sounds, biometric authentication comes with its own risks. The “passwords” may be personal and intrinsic, but their suitability for replication is highly dangerous.
Of course, this is not the case for all biometric authentication methods, but behavior can and will be mimicked if needed.

Until the cyber-security community comes up with higher-impact solutions to issues like keyboard profiling, you might want to stick with traditional passwords or other well-known authentication methods for now – or not. You might find new information about authentication in our next articles. The choice won’t be easier, but it will be a more informed one.