How You Type May Be Your Greatest Security Weakness
Behavioral biometric scanning can track clicks and taps, building a profile based on the time between key activations and their duration. Image: Vimeo/BehavioSec
Passwords can be cracked and fingerprints can be stolen, but a new kind of technology called behavioral biometrics can turn how you type into a strong means of verifying your identity.
The technique is so strong, one privacy advocate says, that even users of a Web browser dedicated to the Tor anonymizing service can be detected and recognized. The problem is that it might not always be you that creates your typing fingerprint — any website could as well. The dangers of such surreptitious profiling, two researchers say, are so great that they've devised a browser plugin to foil such attempts.
Key-clicking habits — the delays between clicks and how long keys are activated for — may look indistinguishable to the naked eye, but computers can easily keep track of differences in milliseconds, which can be aggregated to create a digital fingerprint.
You can even try it out on the website of the Swedish security company BehavioSec (registration required), which demonstrates how easy it is to record your key-clicking habits. The demo not only tracks strokes on a traditional keyboard, but taps on touch-screen devices as well.
Even the Tor browser can't protect users from biometric scanning, said Norwegian privacy advocate and security researcher Runa Sandvik, herself a former Tor developer, who tried out the BehavioSec demonstration using a fully updated Tor browser.
Sandvik told Ars Technica that BehavioSec's online demo, which asks you to go through the motions of a simple banking or e-commerce transaction, was able to cut through her browser's privacy protections and construct her profile based on her unique way of typing.
The potential for background click scanning is such a clear and present possibility that British security researcher Paul Moore has built KeyboardPrivacy, a Chrome browser plugin designed to disrupt keylogging websites. The plugin slightly delays the sending of keystrokes to the website, disrupting character-entry patterns.
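To make the timing idea concrete, here is an added example (not code from BehavioSec or KeyboardPrivacy) that builds the hold-time and gap features described above from constructed key timestamps and shows how delaying events changes the match. The sample data, the 15 ms threshold, the `matches` helper and the delay model in `jitter` are all assumptions made for illustration.

```javascript
// Constructed sample data: one [keydown, keyup] pair per key, in ms, as a page
// would observe them. All three sessions type the same text, "pass".
const enrolled  = [[0, 95], [180, 260], [330, 420], [520, 605]];   // user A at enrolment
const sameUser  = [[0, 90], [178, 262], [335, 421], [518, 600]];   // user A, later session
const otherUser = [[0, 140], [300, 430], [560, 700], [900, 1030]]; // user B

// Dwell = how long each key is held; flight = gap between a release and the next press.
function features(events) {
  const dwell = events.map(([down, up]) => up - down);
  const flight = events.slice(1).map(([down], i) => down - events[i][1]);
  return [...dwell, ...flight];
}

// Mean absolute difference (ms) between two timing vectors for the same text.
function distance(a, b) {
  const fa = features(a), fb = features(b);
  return fa.reduce((sum, x, i) => sum + Math.abs(x - fb[i]), 0) / fa.length;
}

// Assumed mitigation model: hold every keydown/keyup back by a random
// 0..maxDelayMs before the page sees it, never reordering events.
// Assumes keys do not overlap, so flattening keeps chronological order.
function jitter(events, maxDelayMs, rand = Math.random) {
  let last = 0;
  const delivered = events.flat().map((t) => {
    last = Math.max(last, t + Math.round(rand() * maxDelayMs));
    return last;
  });
  return events.map((_, i) => [delivered[2 * i], delivered[2 * i + 1]]);
}

// Hypothetical matcher: accept when the sample is within thresholdMs of the profile.
function matches(profile, sample, thresholdMs = 15) {
  return distance(profile, sample) <= thresholdMs;
}

console.log("same user:   ", distance(enrolled, sameUser).toFixed(2), matches(enrolled, sameUser));
console.log("other user:  ", distance(enrolled, otherUser).toFixed(2), matches(enrolled, otherUser));
const masked = jitter(sameUser, 100);
console.log("same + delay:", distance(enrolled, masked).toFixed(2), matches(enrolled, masked));
```

Without the delay, user A's later session sits a few milliseconds from the enrolled profile while user B is far from it; with the delay applied, the hold times and gaps the page records come mostly from the added delay rather than from the typist.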
Henry T. Casey is a staff writer at Tom’s Guide. In his personal time, you can find him at local concerts or tinkering with his cold-brew coffee process. Follow him at @henrytcasey.