
TypingDNA verifies your identity based on typing behavior - raulpopa
https://techcrunch.com/2018/03/14/typingdna-authenticator-chrome/
======
tptacek
I don't understand the security model here. This seems like an irrevocable
universal login factor, aspects of which can be observed by hostile websites
through JavaScript. How is this not the worst of all possible MFA worlds? What
don't I understand about how the modeling works?

Also: _We are conducting ongoing experimental research based on typing
biometrics. Some of the predictions (soft biometrics traits) we study by typing
biometrics are gender, age, IQ, race, openness, and Jungian /4 letter type
personality profile of a person. Potential use cases: Human Resources,
Marketing, Health care_ is a pretty squicky thing to also be planning to build
with this.

~~~
danieltillett
I guess it would be useful as a layer to signal if a user should be checked
more carefully. Given it can be used passively, it could be used to flag that
there is a mismatch between the user signed in and their historical typing and
that whatever they were up to should be looked at in more detail.

~~~
deegles
This would be amazing for detecting people with multiple accounts.

However it's only limited by the amount of effort a malicious actor wants to
take. I'm sure a machine learning model could be generated to fudge your
typing to match any other profile, or to just make it look like any other
person.

~~~
danieltillett
I agree. Would be interesting to try it out on HN :)

------
dang
It looks like this post was heavily ring-voted (i.e. friends or colleagues
upvoting for promotional reasons) and we've gotten complaints about booster
comments in the thread.

Please don't do those things! They're against the rules and we ban accounts
and sites that do them, plus HN users have gotten really good at noticing them
and then they get mad. So, not in your interests all around.

------
thedirt0115
2 questions:

1) A friend of mine recently broke his arm. His typing profile is going to be
quite different from normal until he's fully healed. What do you do in this
case? Is there a "reset my typing profile" thing you can do?

2) This seems vulnerable to replay attacks in a way that hardware-based 2FA
systems aren't. How does this system prevent that?

~~~
mercer
3) What happens when I get a new keyboard?

While my general 'rhythm' might stay the same, a) specific keys slow me down
consistently depending on keyboard, and b) the length of press might be quite
different between even the chiclet Apple keyboards (different 'depths'), let
alone different brands.
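
The dwell-time and flight-time effect described in the comment above, as an added example that is not part of the thread and is not TypingDNA's algorithm. The key events, the mean-absolute-difference distance and the 10 ms threshold are all constructed assumptions chosen to show how a keyboard with deeper key travel shifts the features a timing matcher sees.

```python
from statistics import mean

# Constructed samples for the word "login": (key, press_ms, release_ms).
# LAPTOP and LAPTOP_AGAIN are one typist on a shallow chiclet keyboard;
# MECHANICAL is the same typist on a deeper-travel keyboard (longer holds).
LAPTOP = [("l", 0, 70), ("o", 120, 185), ("g", 250, 322), ("i", 370, 436), ("n", 500, 571)]
LAPTOP_AGAIN = [("l", 0, 68), ("o", 121, 188), ("g", 252, 320), ("i", 371, 440), ("n", 503, 572)]
MECHANICAL = [("l", 0, 105), ("o", 130, 232), ("g", 262, 370), ("i", 385, 486), ("n", 520, 628)]


def features(events):
    """Return dwell times (hold per key) followed by flight times
    (release of one key to press of the next), all in milliseconds."""
    dwell = [up - down for _key, down, up in events]
    flight = [nxt[1] - cur[2] for cur, nxt in zip(events, events[1:])]
    return dwell + flight


def distance(enrolled, attempt):
    """Mean absolute difference (ms) between two samples of the same text."""
    if [k for k, *_ in enrolled] != [k for k, *_ in attempt]:
        raise ValueError("samples must be the same key sequence")
    return mean(abs(a - b) for a, b in zip(features(enrolled), features(attempt)))


def matches(enrolled, attempt, threshold_ms=10.0):
    """Hypothetical accept rule: accept when the timing distance is small."""
    return distance(enrolled, attempt) <= threshold_ms


if __name__ == "__main__":
    for name, sample in [("same keyboard", LAPTOP_AGAIN), ("new keyboard", MECHANICAL)]:
        print(f"{name}: distance={distance(LAPTOP, sample):.1f} ms, "
              f"accepted={matches(LAPTOP, sample)}")
```

Raising the threshold far enough to accept the second keyboard also widens what the matcher accepts from anyone else, which is the trade-off behind a quoted false-positive rate.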

------
chomp
>false positives as low as 0.1 percent

Nice marketing. Another way to write that? 1 in 1000. That's really really
high. If you're using a service that you feel like you need 2FA on, would you
really want to use this? I'll stick with my hardware token for now.

~~~
raulpopa
We believe that it's safer to use a password + TypingDNA than just the
password. Most people do not use ANY 2FA today, you are certainly an
exception. So are we. We use Yubikeys and Authenticators internally, but this
is the kind of solution that can make things more user friendly.

------
chipuni
Every day, I enter information using a Kinesis keyboard using Dvorak (at my
desk), at a MacBook Pro's keyboard (taking notes at meetings), and using an
Android on-screen keyboard.

I guess that this service would only allow me to log in using one of those
three keyboards, because the typing would look extremely different between
them.

~~~
raulpopa
That's an interesting use case, you should try it out with the Dvorak
keyboard...

~~~
tptacek
In case this wasn't clear: they're not saying you won't generate a model from
their Dvorak typing, but rather that the model you generate is likely to
depend on the keyboard layout, and so will break if they try to log in from a
different keyboard.

------
driverdan
This will not work for anyone who actually cares about security and uses a
password manager that autofills.

------
gruez
this sounds great until you get hit by a "phishing" attack that steals your
typing profile. it's probably that hard to do, all you need is to convince
your victim to type something. a signup form would work pretty well, plus you
get a nice primary key (email/username) so you can even share your stolen
typing profiles with your hacker buddies! then what are you going to do?
change your typing profile?

------
JoshMnem
If you send your typing patterns for passwords, couldn't they be decrypted by
using the other collected typing data? Or do they mean you just enter the
TypingDNA password into TypingDNA?

I'd be more interested in a tool that prevents any typing data from ever
leaving my computer (maybe by opening all web forms in a text editor).

------
paulryanrogers
Alright, so how do privacy-minded individuals prevent being identified this
way? Browser add-on to randomize inter-keystroke delays?

------
eoinmurray92
Are there docs on how I can integrate this into my app? Do you have a
JavaScript library?

~~~
raulpopa
Sure, here: https://api.typingdna.com/index.html
(includes usage samples in different languages). You can sign up and find out
more... I thought you knew that. Thanks for asking!

------
eoinmurray92
How does it work? Machine-learning I assume, but what kind?

~~~
raulpopa
It's ML ofc, pattern recognition algorithms in a nutshell.

------
sonamor
bye bye 2FA texts! good riddance

