Keyboard input as authentication – idea takes on reliable form!

M.Sc. Chris Wojzechowski

Keyboard input as authentication – idea takes on reliable form!

It is a great idea if the keyboard input can be used as authentication. It is convenient, inconspicuous and at best calibrated so that only the rightful person has access.

But this project is by no means as simple as it sounds at first glance. TypingDNA, an approximately four-year-old startup, is taking on exactly that. Only recently, the company moved its headquarters to Brooklyn, New York. Now, a financial support of about 7 million USD will benefit the young company.

It’s about an AI controlled technology that recognizes people by their typing behavior

In the end it’s all about keyboard input. This activity is, even if it doesn’t look like it at first glance, a rather individual matter. If everyone had the same way of typing, it would be a very bad feature for authentication.

However, the idea of using people’s typing behavior for authentication is not new. The first approaches go back up to twenty years. But it was precisely then that the problem of inaccuracy prevailed. TypingDNA has now enabled the technology to achieve a 99% accuracy rate.

The keyboard input as authentication is difficult to imitate

Passwords have to be guessed, fingerprints secured, faces have to be reproduced in a complex way. Breaking the characteristic of an authentication involves quite different efforts. As soon as it moves away from the password – towards biometrics – security often depends on the quality of the scanner.

Imitating the keystrokes of the target does not pose an insurmountable hurdle for attackers – but the effort to acquire a different typing behavior falls into the category of advanced attacks. From an attacker’s point of view, it would probably be possible to work with recorded typing patterns or unencrypted signals, which can be intercepted in plain text. It is quite conceivable that Session Replay could form a database for this.

Use multiple factors for authentication – never just the password!

Knowledge, possession or characteristic – the basic possibilities to map an authentication feature. In the best case, the authentication process involves more than one point. The so-called multi-factor authentication is the optimal protection of the account.

Photo of author

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I studied my Master in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread and butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.