Using multi-factor authentication (MFA) is more secure than relying on passwords alone – but could it be made even better?
There is no shortage of ideas, one of which is keyboard dynamics (or biometrics), based on the long-understood observation that each person’s typing style is unique to them.
Recently, a Romanian startup called TypingDNA has turned the concept into a free Chrome extension that can be used to add an extra layer of authentication to a wide range of websites by utilising this principle.
According to the company, typing patterns allow their machine-learning algorithm to generate a 320-feature vector based on noticing the time it takes someone to move between 44 commonly-used characters, combined with the length of time each key is depressed.
So, it’s not what you type that counts but how you type it.
Once enrolled, the way a person types their username and password when logging in to a site is compared to previous recordings made by the user.
If the patterns match, TypingDNA’s servers return an encryption key that is used to unlock local keys held for each service the extension is being used with, allowing the user to proceed to conventional multi-factor authentication.
This stage generates a standard one-time authentication code inside the browser, taking over that task from smartphone apps such as Google Authenticator.
It’s like enhanced multi-factor authentication – all the advantages of two-factor authentication (2FA) with the added benefit that the way the user types is forms and extra identity check. The cherry on top is that the 2FA bit is done in-browser.
Impressively, the extension works with lots of websites, including Google/Gmail, Amazon AWS, Azure, Dropbox, Evernote, Reddit and Facebook.
Downsides? Apart from only supporting Chrome, each user account is only for that computer because encryption keys for services are stored locally. Adding a second computer means adding a second account.
In theory, false positives (where a legitimate user is asked to re-type credentials) are another problem, although, TypingDNA claims this drops quickly to as low 0.1%, comparable to any biometrics system.
The bigger question is where authentication supplemented or based on user behaviour might be going.
One possibility is “continuous authentication” where user behaviour is constantly monitored to verify someone’s identity.
Examples include the US DARPA project investigating “cognitive fingerprints”, as well as commercial systems from companies including BehavioSec and BioCatch which also incorporate keyboard and mouse fingerprinting.
Ironically, some worry that this technology could eventually be used to profile people in ways that no obfuscation system (Tor, VPNs) could defeat.
Researchers Per Thorsheim and Paul Moore even came up with a Chrome extension to counter this possibility by randomising typing patterns.
For users bothered about privacy, the problem with keyboard biometrics might not be that it doesn’t work but, on the contrary, that it works too well.