How You Type May Be Your Greatest Security Weakness


Behavior biometric scanning can track clicks and taps, building a profile based on time between and duration of key activations. Image: Vimeo/BehavioSec

Passwords can be cracked and fingerprints can be stolen, but a new kind of technology called behavioral biometrics can turn how you type into a strong means of verifying your identity.

The technique is so strong, one privacy advocate says, that even users of a Web browser dedicated to the Tor anonymizing service can be detected and recognized. The problem is that it might not always be you that creates your typing fingerprint — any website could as well. The dangers of such surreptitious profiling, two researchers say, are so great that they've devised a browser plugin to foil such attempts.


Key-clicking habits — the delays between clicks and how long keys are activated for — may look indistinguishable to the naked eye, but computers can easily keep track of differences in milliseconds, which can be aggregated to create a digital fingerprint.

You can even try it out on the website of the Swedish security company BehavioSec (registration required), which demonstrates how easy it is to record your key-clicking habits. The demo not only tracks strokes on a traditional keyboard, but taps on touch-screen devices as well.


Even the Tor browser can't protect users from biometric scanning, said Norwegian privacy advocate and security researcher Runa Sandvik, herself a former Tor developer, who tried out the BehavioSec demonstration using a fully updated Tor browser.

Sandvik told Ars Technica that BehavioSec's online demo, which asks you to go through the motions of a simple banking or e-commerce transaction, was able to cut through her browser's privacy protections and construct her profile based on her unique way of typing.

According to Sandvik, the BehavioSec demo wouldn't have worked if JavaScript had been disabled on her browser, but non-JavaScript means of tracking keystrokes in browser fields do exist.

The potential for background click scanning is such a clear and present possibility that British security researcher Paul Moore has built KeyboardPrivacy, a Chrome browser plugin designed to disrupt keylogging websites. The plugin slightly delays the sending of keystrokes to the website, disrupting character-entry patterns.

In a blog post, Moore said the plugin, which was inspired by a challenge from Norwegian password researcher Per Thorsheim, reduced key-tracking identification from 82 percent to 3 percent. 
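The timing features described above (how long each key is held, and the gap between keys) and the effect of delaying keystrokes before a page sees them, as an added example that is not BehavioSec's or KeyboardPrivacy's code. The timing samples are constructed, and the fixed-cadence `normalize` function is an assumed mitigation; the article says only that the plugin slightly delays keystrokes.

```javascript
// Constructed samples: [key, keydown ms, keyup ms] for two typists entering "pass".
const alice = [["p", 0, 95], ["a", 180, 260], ["s", 410, 520], ["s", 640, 735]];
const bob = [["p", 0, 60], ["a", 95, 150], ["s", 230, 300], ["s", 330, 395]];

// Dwell = how long a key is held down.
// Flight = gap between releasing one key and pressing the next.
function features(events) {
  const dwell = events.map(([, down, up]) => up - down);
  const flight = events.slice(1).map(([, down], i) => down - events[i][2]);
  return [...dwell, ...flight];
}

// Mean absolute difference (ms) between two timing vectors of equal length.
function distance(a, b) {
  return a.reduce((sum, v, i) => sum + Math.abs(v - b[i]), 0) / a.length;
}

// Assumed mitigation (hypothetical, not the plugin's algorithm): hold each
// keystroke and release it on a fixed cadence with a fixed dwell, so the page
// observes the same rhythm regardless of who is typing.
function normalize(events, cadenceMs, dwellMs = 80) {
  let nextSlot = 0;
  return events.map(([key, down]) => {
    const releaseAt = Math.max(nextSlot, down); // a key can be delayed, never sent early
    nextSlot = releaseAt + cadenceMs;
    return [key, releaseAt, releaseAt + dwellMs];
  });
}

// Difference between the two typists as the page would measure it.
function observedGap(cadenceMs) {
  const a = cadenceMs ? normalize(alice, cadenceMs) : alice;
  const b = cadenceMs ? normalize(bob, cadenceMs) : bob;
  return Math.round(distance(features(a), features(b)) * 10) / 10;
}

console.log("raw timings:   ", observedGap(0), "ms");
// A cadence faster than the slowest typist's natural gaps still leaks rhythm.
console.log("200 ms cadence:", observedGap(200), "ms");
// A cadence slower than every natural gap makes the two profiles identical.
console.log("250 ms cadence:", observedGap(250), "ms");
```

The 200 ms case shows the failure mode to check for: the delay only hides the rhythm when it is longer than the typist's own slowest gap between keys.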

Henry T. Casey is a staff writer at Tom’s Guide. In his personal time, you can find him at local concerts or tinkering with his cold-brew coffee process. Follow him at @henrytcasey.