Posted by David Harley on July 28, 2015.
The Register’s John Leyden today posted an interesting article on biometric behavioural profiling. Interesting because it raises the question of whether (or to what extent) sites using static passwords for authentication bolster that authentication with biometrics, especially typing patterns.
The article centres on a Proof-of-Concept Chrome plug-in developed by Per Thorsheim and Paul Moore intended to scramble periodicity data, compromising the effectiveness of profiling based on typing patterns. While it may seem perverse to stop a site into which you’re logging from being extra sure that you’re the person you claim to be, the idea is that you can disable the extension when necessary. In other words, if you really want extra authentication security (for instance on a banking site), you can have it enabled, but if you’re accessing a site you feel is simply breaching your privacy by acquiring profiling data it doesn’t need, you can put a spoke in its wheel.
But I have another concern. How accurate is typing pattern profiling, really, especially when it’s based on a few characters? Keytrac, one of the vendors named in the article, claims that ‘KeyTrac works with any existing commercially available keyboard and special hardware is not required.’ While Moore states that ‘you can’t change the way you type.’ Well, that’s kind of true: as Thorsheim points out, typing behaviour has been used to identify individuals for a good while (at least as far back as the second World War). But only kind of.
As a fairly proficient, trained touch-typist, I’m sure I’m identifiable on a standard keyboard if I’m copy typing. But that hasn’t been part of my job description for decades. In general, I type in very short bursts because I’m composing as I type. Admittedly, a short sentence might still be enough to identify me from my ‘dwell time’ and ‘gap time’, but what if I switch to a mobile device using a virtual keyboard, or even the hardware keyboard on a mobile phone? (Some cellphones do have a QWERTY keyboard, of course, but I doubt if many people touch type on them: I certainly don’t.) What if I switch from touch-typing to hunt and peck? (In fact, I suspect that even proficient touch-typists are less likely to use that skill when entering their login credentials, for more than one reason.) Moore’s answer to that is ‘even if you did, they’ll simply profile you again until the confidence level reaches acceptable limits.’ That may well be (and probably is) but it worries me that we’re conditioned to assume algorithmic validity.
David HarleySubmitted in: David Harley |