paul.reviews: Behavioral Profiling, the password you can’t change

We’re all familiar with the 3 basic categories of authentication.

1) Knowledge factors (passwords, PINs)
2) Possession factors (a software/hardware token – YubiKey/Google Authenticator/SecurID)
3) Inherence factors (fingerprint, heartbeat, iris/retina scanning)

While the vast majority of sites use knowledge factors, a growing number are turning to multi-factor solutions in an effort to bolster security, to the detriment of the user experience.

Cue continuous authentication / behavioral biometrics: the process of identifying a user based on the subtle nuances in their voice, typing patterns, facial features and location.

How does it work?

Unlike traditional authentication, which is only interested in what you type, behavioral biometric systems also collect and profile how you type. By actively monitoring your typing, the system is able to build a profile of you.

In order to achieve this, the system monitors how long each key is depressed (dwell time), how long passes between each key press (gap time), how long it takes to type a known string, and hundreds of other metrics.

With enough supporting data, it’s entirely possible to identify you based purely on how you type.

Back in 2011, Professor Christophe Rosenberger at ENSICAEN announced that it was possible to determine a user’s gender after just a few keystrokes.

Over the last 4 years, many companies have researched & invested heavily in leveraging this technology.

Meet BehavioSec, a Swedish company which shot to fame after recent coverage in BBC News, the Wall Street Journal, CNBC, Wired and Forbes, to name a few.

After a brief training period, their technology is able to identify a user with astonishing accuracy.

Over the next few days, I researched the underlying technology and explored ways to nullify such profiling. You can read Per’s analysis of this technology here.

Although many implementations claim to use hundreds of metrics, it became clear that only a few were weighted heavily enough to really matter.

1) Dwell time – How long each key is depressed.
2) Gap time – How long between each key press.

If we can skew these statistics enough, it’d be almost impossible to profile and/or identify a user.

Meet KeyboardPrivacy, a proof-of-concept Google Chrome extension which interferes with the periodicity of everything you enter into a website.

Once installed, you can continue to use the web exactly as you do now. When you enter anything on your keyboard, KeyboardPrivacy will artificially alter the rate at which your entry reaches the document object model (DOM).
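To make the two weighted metrics concrete, here is an added example (not code from the post or from the KeyboardPrivacy extension) that builds a minimal dwell/gap profile from constructed key events and models what independent random delivery delays do to a typist's distance from their own enrolled profile. The event sample, the jitter model and the scoring formula are all assumptions made for illustration.

```javascript
// Added example, not code from the post or from KeyboardPrivacy: a minimal
// keystroke-dynamics profiler using the two features the post singles out
// (dwell and gap), plus a model of randomised event delivery to show how far
// it moves a typist away from their own enrolled profile.

// Constructed sample of typing "hello": [key, keydown ms, keyup ms].
const SAMPLE_EVENTS = [
  ['h', 0, 95], ['e', 180, 270], ['l', 330, 410], ['l', 560, 650], ['o', 720, 800],
];

// Dwell: how long each key is held. Gap: release of one key to press of the next.
function extractFeatures(events) {
  const dwell = events.map(([, down, up]) => up - down);
  const gap = events.slice(1).map((e, i) => e[1] - events[i][2]);
  return { dwell, gap };
}

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;
const stddev = (xs) => Math.sqrt(mean(xs.map((x) => (x - mean(xs)) ** 2)));

// Enrolment: store mean and spread of each feature, as a profiling system might.
function buildProfile(events) {
  const { dwell, gap } = extractFeatures(events);
  return { dwell: { mean: mean(dwell), sd: stddev(dwell) },
           gap:   { mean: mean(gap),   sd: stddev(gap) } };
}

// Verification score: standard deviations between a new sample and the profile.
// 0 means an exact match; large values would fail a continuous-auth check.
function profileDistance(profile, events) {
  const { dwell, gap } = extractFeatures(events);
  return Math.abs(mean(dwell) - profile.dwell.mean) / profile.dwell.sd
       + Math.abs(mean(gap) - profile.gap.mean) / profile.gap.sd;
}

// Model of the extension's idea: every keydown/keyup reaches the DOM after an
// independent random delay of up to maxDelayMs. rng is injectable for tests.
function jitterEvents(events, maxDelayMs, rng = Math.random) {
  return events.map(([key, down, up]) => {
    const d = down + rng() * maxDelayMs;
    const u = Math.max(d + 1, up + rng() * maxDelayMs); // keyup stays after keydown
    return [key, d, u];
  });
}

function demo() {
  const profile = buildProfile(SAMPLE_EVENTS);
  return {
    unmodified: profileDistance(profile, SAMPLE_EVENTS),
    jittered: profileDistance(profile, jitterEvents(SAMPLE_EVENTS, 200)),
  };
}
console.log(demo());
```

A constant delay applied to every event leaves dwell and gap untouched, so it is the independence of the per-event delays, not the delay itself, that breaks the profile.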
