Something You Are: Typing Cadence

What would it be like if you could identify yourself and authenticate your account by the way you type?  A Romanian company, TypingDNA, has created a Chrome extension that does just that.

I am a big advocate of two-factor authentication, but there are some problems.  One of the three types of authentication is biometrics, which is “something you are.”  NIST, in SP 800-63B, states that the problem with biometrics is that they are neither secret nor replaceable in case of a breach.  For example, you leave fingerprints everywhere, and you can’t run to the Thumbs’R’Us to get a new thumb if your enrolled thumbprint is spoofed.

Typing cadence, or how you type, has been shown to be unique from user to user, and is one of the newer biometric factors used in authentication.  In the days of the telegraph and Morse code, a telegrapher’s “hand,” or key cadence, was seen to be unique, and a way to know that the sender was truly the person authorized to send the message.  This concept was demonstrated in the beginning of the Bond movie “Dr. No.”  So this concept has been around a while.

This Chrome extension already works with several on-line service providers, including Google and Gmail, of course, and Facebook, Dropbox, Evernote, Reddit, Microsoft Azure, and Amazon AWS.

There is the obvious problem with false negatives, where a legitimate user is unrecognized and asked to re-type credentials, but TypingDNA claims to have reduced this to 0.1% after the initial training period.

There are concerns that typing cadence systems could eventually be used to identify people using anonymizer and privacy services such as Tor or a VPN.  But there is already a typing pattern randomizer extension for Chrome that would counteract this issue. (Surprise!)

In any event, typing cadence is another arrow in your authentication quiver.  For those of you who are looking past two-factor authentication to multi-factor authentication, this could be one of the answers.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
