Is the keyboard hitting recognition technology reliable?

Is the keyboard hitting recognition technology reliable?

Everyone knows that the password is unreliable. So now there is an interesting behavior biometric recognition technology called "How did you type.

Biological recognition is widely used

Most network users choose the same password in different places or always set weak passwords that are easy to crack. If you turn a blind eye to such errors, their computers will always be infected with spyware that can monitor your keyboard hitting and steal logon creden.

It can prove more fully that the publisher is himself, and obviously it will greatly improve the "Happiness Index" of many websites (especially online banking ". One of the ways for online services to solve this problem is to adopt dual authentication, which may require users to enter a random password. Attackers may obtain your password, and they may also obtain the device that displays the random PIN value physically.

However, identity authentication can do much more than this. It not only checks whether you know your password, but also what your password is, you Need To Know Who You Are (for example, TouchID in the iPhone is an application for biological recognition ).

There is now an interesting behavior biometrics technology called "How do you type.

Key Recognition Technology

The real situation is that there are different ways of typing. However, this difference is largely invisible to the visual, but the computer can distinguish between different writers through observation. For example, the time interval when you press different buttons, the time when you press each character button at your fingertips, the time when you press a special character string, and so on.

These measurements are subtle and imperceptible to the brain, but the computer can measure events that are accurate to milliseconds.


If you are looking at this issue from a security perspective, it is really cool. Several online companies are already engaged in biometric identification technology for a while. It sounds cool as part of their fight against fraud.

However, what should we do if the keyboard behavior biometrics is used to leak privacy?

If a website detects your code, it can easily abuse this information.

Even if you use a server such as Tor to hide your whereabouts on the Internet and conceal your identity, a special website records the way you press the keyboard, your identity is likely to be sold to the person you want to know.

Anti-keyboard recognition: KeyboardPrivacy

Now the question is: is the keyboard percussion recognition technology really reliable?

Security researcher Paul Moore and Per Thorshein jointly developed and tested a tool that converts user-to-website interactions into regular patterns, and intervened in imperceptible human differences, in the end, you can bypass any website that tries to identify or collect users' typing behaviors.

The two researchers released an extended KeyboardPrivacy in Chrome, which makes typing look completely different from you, but like a completely different person.

Per Thorsheim demonstrates how the KeyboardPrivacy plug-in successfully identifies the biological information of keyboard behavior.
In their blog, developers said they are not trying to prevent all websites from using keyboard behavior biometrics for identity verification:

As I mentioned earlier, it is important to maintain a good balance between security and privacy. There is very little improvement in performance but there is no other decline (the Password Manager may be an exception ). Maybe you don't mind disclosing personal information when visiting every website. Maybe your online banking requires you to do so. You can set whether to disable this plug-in based on different website requirements.

Even if your biological information is leaked to a third-party organization, this plug-in is not harmful unless you happen to have disabled it when you log on to these websites. The password is not too long or too simple, but used repeatedly. Your (intentional or unintentional) behavior is unconsciously shared by biometric identification technology between sites.