Based in Norway, Per Thorsheim is an independent security adviser for governments as well as organizations worldwide. He is also the founder of PasswordsCon.org , an annual conference that’s all about passwords, PIN codes, and authentication. Launched in 2010, the conference invites security professionals & academic researchersto better understand and improve security.
Inpart one of our discussion with Per, we examined two well-known forms of authentication passwords and hardware. In this segment, he talks about a lesser known form biometrics and the use of keystroke dynamics to identify individuals.
Per explains, “Keystroke dynamics, researchers have been looking at this for many, many years. It’s still an evolving piece of science. But it’s being used in real life scenarios with banks. I know at least there’s one online training company in the US that’s already using keystroke dynamics to verify if the correct person is doing the online exam. What they do is measure how you type on a keyboard. And they measure the time between every single keystroke, when you are writing in password or a given sentence. And they also look for how long you keep a button pressed and a few other parameters.”
What’s even more surprising is that it is possible to identify one’s gender using keystroke dynamics. Per says, “With 7, 8, 9 keystrokes, they would have a certainty in the area of 70% or more…and the more you type, if you go up to 10, 11, 12, 15 characters, they would have even more data to figure out if you were male or female.”
Those who don’t want to be profiled by their typing gait can try Per Thorsheim’s and another infosec expert Paul Moore’s Keyboard Privacy extension.