The problems with passwords have already been well documented, and the main problem with static biometrics (“something you are”: fingerprints, retina patterns, etc.) is that they can’t be changed.
But there is another type of biometrics that can be used to authenticate users – behavioral biometrics (“something you do”: speaking, typing, etc.).
The latter – information about how a user types on a keyboard – is particularly problematic if he or she wants to maintain their privacy online, as there are likely many websites that record these patterns and use them (or might use them in the future) to identify users with a very high degree of certainty.
As regulation is yet to catch up with how this type of technology should be handled, Per Thorsheim, the founder of PasswordsCon, is worried about the fact that in this case, security is taking precedence over privacy.
“I created and trained a biometric profile of my keystroke dynamics using the Tor browser at a demo site. I then switched over to Google Chrome and not using the Tor network, and the demo site correctly identified me when logging in and completing a demo financial transaction,” he shared, and noted that “as soon as somebody manages to build a biometric profile of your keystrokes at a network/website where you are otherwise completely anonymous, that same profile can be used to identify you at other sites you’re using, where identifiable information is available about you.”
The technology can be used (and apparently is already being used) to prevent online banking fraud, but it can also be misused by oppressive regimes, intelligence agencies, and advertisers.
“You see, in normal situations I wouldn’t mind if this was used to flag high or low probability of it actually being me logging in to my online bank, insurance company, online electronics store or the local library. Heck no, I’d support the implementation of such additional and “invisible” authentication security!” Thorsheim noted.
“But I’m a bit paranoid you see, and I can most certainly see situations where I don’t want to be profiled and identified like this. Doing forensics and investigations into the “dark web” is one. Intelligence gathering for my government – or any other government – one doesn’t want to leave fingerprints all over the place. Visiting the pages of your favorite attorney, leak submission website for a news organisation, employer or government organisation are other situations. Basically there are LOTS of situations where you may not want to be easily identified. Ashley Madison, say no more.”
So, he challenged infosec consultant Paul Moore to come up with a working solution to thwart this type of behavioral profiling.
The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM.
The plugin is still a proof-of-concept, but apparently works like a charm and defeats popular profiling solutions by BehavioSec and KeyTrac.
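To illustrate the mechanism described above, here is an added JavaScript example (not code from the Keyboard Privacy extension or from Moore): a deliberately simplified keystroke-dynamics matcher run on constructed timing data, and a delivery-rate randomizer that re-times keystrokes before they would reach the page. The timestamps, the latency-only feature set, the 40 ms threshold, the 20–220 ms delay range and the tiny seeded generator are all assumptions made for the demo.

```javascript
// Added example, not the extension's code: a simplified keystroke-dynamics
// profiler on constructed data, and a delivery-rate randomizer that defeats it.

// Constructed keydown timestamps (ms since the first key) for one short word.
const ENROLLED  = [0, 120, 250, 340, 480, 600, 700, 830];  // typist A, enrollment
const SAME_USER = [0, 130, 240, 350, 470, 610, 710, 820];  // typist A, later session
const OTHER_USER = [0, 200, 260, 480, 520, 760, 810, 1100]; // typist B

// Inter-key latencies ("flight" times). Real profilers also use key hold times
// and per-digraph statistics; this demo keeps only the latency vector.
function latencies(times) {
  return times.slice(1).map((t, i) => t - times[i]);
}

// Mean absolute latency difference (ms) between two samples of the same text.
function distance(a, b) {
  const la = latencies(a), lb = latencies(b);
  return la.reduce((sum, v, i) => sum + Math.abs(v - lb[i]), 0) / la.length;
}

// The profiler's decision: accept when the sample is close to the enrolled profile.
const THRESHOLD_MS = 40; // assumed threshold for the demo
function matchesProfile(profile, sample) {
  return distance(profile, sample) < THRESHOLD_MS;
}

// Tiny seeded integer generator (values in [0, 1000)) so the run is reproducible;
// a real extension would draw its delays from crypto.getRandomValues().
function makeRng(seed) {
  let s = seed;
  return () => { s = (s * 37 + 11) % 1000; return s; };
}

// Re-time each keystroke: deliver it no earlier than the previous delivered key
// or its own original time, plus a random delay in [minDelay, maxDelay). Order
// is preserved, so the typed text is unchanged; only the timing signal is lost.
function randomizeDelivery(times, rng, minDelay = 20, maxDelay = 220) {
  let prev = -Infinity;
  return times.map((t) => {
    const jitter = minDelay + (rng() % (maxDelay - minDelay));
    prev = Math.max(prev, t) + jitter;
    return prev;
  });
}

const jittered = randomizeDelivery(ENROLLED, makeRng(7));
console.log("same user:", matchesProfile(ENROLLED, SAME_USER));          // true
console.log("other user:", matchesProfile(ENROLLED, OTHER_USER));        // false
console.log("same user, randomized:", matchesProfile(ENROLLED, jittered)); // false
```

The randomized session comes from the very typist who enrolled, yet lands farther from the profile than a different typist, which is the effect the extension relies on; switching the randomizer off for a trusted site restores the original timings.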
“Although we all love to hate passwords, they’re shared secrets which can be changed with just a few clicks,” Moore noted.
“If your biometric behavioral profile is shared/stolen, the consequences are far-reaching and considerably more difficult to mitigate. You can’t change the way you type and even if you did, they’ll simply profile you again until the confidence level reaches acceptable limits.”
Keyboard Privacy doesn’t interfere with how one uses the Web, and can be switched off for certain sites (e.g. online banking). Moore is currently working on a Firefox version of the plugin.