Biometrics and behavioral tech: The good and the bad security implications

Behavior profiling will be a game changer in cybersecurity. If you don't want to be profiled, read how the Chrome extension KeyboardPrivacy works.

Image: iStock/Petrovich9

It may not be as dramatic as the profiling biometrics used in the latest Mission Impossible movie Rogue Nation, but companies such as BehavioSec have the technology to profile people -- by their typing, mousing, or swiping -- accurately enough to where the process can successfully identify individual users.


The Swedish company BehavioSec was started by Luleå University of Technology students in 2006 when they patented their behaviometrics (a blending of behavioral and biometrics) technology. "Behavioral refers to the way a human person behaves, and biometrics, in an information security context, refers to technologies and methods that measure and analyze biological characteristics of the human body for authentication purposes," from the company website. "In other words, behaviometrics is a measurable behavior used to recognize or verify the identity of a person."

Simply put, behaviometrics measures behavioral patterns rather than physical attributes. With regards to computer entry, BehavioSec's products analyze how the user interacts with the keyboard (i.e., typing rhythm), mouse (i.e., acceleration time or click frequencies), and graphical interface (using programs) to recognize and confirm the person's identity.

The upsides

This BehavioSec webpage offers two sample demonstrations -- eCommerce and Banking -- of how the technology works. The accuracy is surprising. After the prerequisite training period, several people pretended to be me at the keyboard and were unsuccessful.

In addition, if passwords and behaviometric tools are deployed together, security will increase due to multi-factor authentication.

The downsides

Security researchers Per Thorsheim and Paul Moore have raised warning flags about behaviometrics. Thorsheim had this to say, "As soon as somebody manages to build a biometric profile of your keystrokes at a network/website where you are otherwise completely anonymous, that same profile can be used to identify you at other sites you're using."

To put a finer point on it, advertisers want to create user profiles to serve targeted advertising. To many, that is okay; however, "Tracking technology isn't really connected to you, but to your digital representation (typically an IP address)," explains Thorsheim. "With keystroke dynamics (behaviometrics) applied, advertisers could identify you without using any of the current tracking technologies."

More disadvantages, or advantages if you're a profiler:

  • Profiling errors introduced by using different computers disappear, as do profiling errors from having different people use the same computer.
  • Parties that are profiling will be able to link user behaviometrics (how a user types, etc.) to sensitive user information (what the user types). Once that happens, all anonymity is lost.
  • There is no way of knowing when behaviometric profiling is taking place.
  • Using Tor networks, VPNs, or proxy servers are of no help.

How can a user avoid getting profiled?

Thorsheim and Moore decided to see if there are any options for those who do not want to be profiled. Moore writes, "Although many implementations claim to use hundreds of metrics, it became clear that only a few were weighted heavily enough to really matter.

  • Dwell time: How long each key is depressed.
  • Gap time: How long between each key press.

If we can skew these statistics enough, it'd be almost impossible to profile and/or identify a user."

Using that information, Thorsheim and Moore developed KeyboardPrivacy, a proof-of-concept Google Chrome extension that interferes with the periodicity of everything you enter into a website. "Once installed, you can continue to use the web exactly as you do now," explains Moore. "When you enter anything on your keyboard, KeyboardPrivacy will artificially alter the rate at which your entry reaches the document object model (DOM)."

Moore ran through several tests cycles of demos from BehavioSec and KeyTrac, another behaviometric technology. Without KeyboardPrivacy enabled, the profiling demos were 80% accurate in identifying the test subject. With KeyboardPrivacy enabled, that dropped to less than 5%.

There are a few more ways to avoid getting profiled. While visiting BehavioSec's FAQ webpage, I learned using copy and paste to enter information defeats behaviometrics, as does disabling JavaScript -- NoScript by Giorgio Maone can help with that.

Reusing authentication

We are told time and time again to not reuse passwords. We get it, but still reuse passwords. It's easier to keep using the same password, and there is a way to recover if the password is stolen -- change it.

"If your biometric behavioral profile is shared/stolen, the consequences are far-reaching and considerably more difficult to mitigate," said Moore. "You can't change the way you type and even if you did, they'd simply profile you again until the confidence level reaches acceptable limits."

Note: Thorsheim and Moore are hard at work on a Firefox version of KeyboardPrivacy.

Also see

Disclaimer: TechRepublic and ZDNet are CBS Interactive properties.