Something You Are: Typing Cadence

What would it be like if you could identify yourself and authenticate your account by the way you type?  A Romanian company, TypingDNA, has created a Chrome extension that does just that.

I am a big advocate of two-factor authentication, but there are some problems.  One of the three types of authentication is biometrics, which is “something you are.”  NIST, in SP 800-63B states that the problem with biometrics are that they are neither a secret, nor are they replaceable in case of a breach.  For example, you leave fingerprints everywhere, and you can’t run to the Thumbs’R’Us to get a new thumb if your enrolled thumbprint is spoofed.

Typing cadence, or how you type, is something that has been shown to be unique from user to user, and has been used as one of the newer biometric factors used in authentication.  In the days of the telegraph and Morse code, a telegrapher’s “hand” or key cadence was seen to be unique, and a way to know that the sender was truly the person that was authorized to send the message.  This concept was demonstrated in the beginning of the Bond movie “Dr.No.”  So this concept has been around a while.

This Chrome extension already works with several on-line service providers, including Google and Gmail, of course, and Facebook, Dropbox, Evernote, Reddit, Microsoft Azure, and Amazon AWS.

There is the obvious problem with false negatives, where a legitimate user is unrecognized and asked to re-type credentials, but TypingDNA claims to have reduced this to 0.1% after the initial training period.

There are concerns that typing cadence systems could eventually be used to identify people using anonymizer and privacy services such as TOR or a VPN.  But there is already a typing pattern randomizer extension for Chrome that would counteract this issue. (Surprise!)

In any event, typing cadence is another arrow in your authentication quivver.  For those of you who are looking past two-factor authentication to multi-factor authentication, this could be one of the answers.

More information

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.