In an early 80s programming article, Michael Crichton published a discussion and example of a keystroke intervalometer to verify identity. (He referenced the idea again in his recent book Prey.)
His BASIC implementation was sufficiently accurate that when a full pass phrase was used, loose matching could still distinguish the original typist from others who knew the phrase.
The breathless http://www.physorg.com/news67710818.html raves about the "inventors" behind a patent granted 16 years ago for the concept, well after Crichton's idea and working example were published.
More recently, http://jdadesign.net/safelock/ was named SMU's 2009 "best implementation", perhaps for also including pressure and hold time.
This reminds me of Morse operators, who are recognisable by their "fist", or transmission style. I guess it's like recognising anything if you do it enough.
I love how this appears next to an article about "DRM from Hell" and here's what amounts to a free advertisement for a DRM enforcement company that is generating dubious piracy statistics and offering a service that will reset your password in an attempt to "irritate them into submission" every time you type one-handed while eating a sandwich, get a sticky key on your keyboard, or use a phone or tablet device to access it.
The actual technology is cool, but these guys didn't invent it, they just found a really annoying use for it.
That's true, especially if users keep their shared passwords in a password safe.
And if the copy-pasting raises some red flags, the account owner could also record keystrokes and replay them, with a bit of randomness added to the timing, with software or a hardware attachment (http://www.practicalarduino.com/projects/virtual-usb-keyboar...).
This is the sort of countermeasure that attempts to cut down on casual account sharing, not a determined cheapskate.
I thought from the headline that this software was recording all keystroke timing, not just the password, and would detect intruders, not account sharers. That might be another application, or privacy invasion, depending on one's perspective.
Typically, if behavioral biometrics are used for authentication they mitigate replay attacks by asking users to answer a challenge chosen at random.
So, if authenticated via keystroke dynamics, a user would be asked to type a given challenge string.
In a similar vein, with a speaker verification scheme the user would be asked to speak out the challenge.
When the same biometrics are used for identification purposes they should not assume the collaboration of the user.
I have no idea what Scout Analytics' solution does.
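
Added example (not from any commenter, from Crichton's article or from Scout Analytics): a sketch of the random-challenge idea from the comment above, scoring a freshly chosen phrase against per-digraph timing statistics with a loose match. The word list, thresholds, function names and the timing data are all constructed assumptions.

```python
import secrets
from statistics import mean, stdev

WORDS = ["amber", "copper", "linen", "orbit", "velvet"]   # constructed challenge vocabulary

def digraphs(text, gaps_ms):
    """Pair each adjacent key pair with the gap (ms) between its two key-downs."""
    if len(gaps_ms) != len(text) - 1:
        raise ValueError("need exactly one gap per adjacent key pair")
    return list(zip(zip(text, text[1:]), gaps_ms))

def enroll(samples):
    """Build {digraph: (mean, std)} from (text, gaps_ms) enrollment samples."""
    seen = {}
    for text, gaps in samples:
        for dg, ms in digraphs(text, gaps):
            seen.setdefault(dg, []).append(ms)
    # Floor the deviation so a very steady typist is not rejected over a few ms.
    return {dg: (mean(v), max(stdev(v), 10.0)) for dg, v in seen.items() if len(v) >= 2}

def pick_challenge(n=3):
    """Fresh random phrase per login, so a recording of an old session has the wrong text."""
    return " ".join(secrets.choice(WORDS) for _ in range(n))

def verify(profile, challenge, typed, gaps_ms, threshold=2.0, min_coverage=0.6):
    """Loose match: mean |z| over enrolled digraphs must stay under the threshold."""
    if typed != challenge or len(gaps_ms) != len(typed) - 1:
        return False
    zs = [abs(ms - profile[dg][0]) / profile[dg][1]
          for dg, ms in digraphs(typed, gaps_ms) if dg in profile]
    if not zs or len(zs) < min_coverage * len(gaps_ms):
        return False                      # too few enrolled digraphs to judge
    return mean(zs) <= threshold

def constructed_typist(text, quick_vowels, seed):
    """Constructed stand-in for captured timings (not real measurements)."""
    return [(90 if (key in "aeiou") == quick_vowels else 200) + (seed * 17 + i * 7) % 21 - 10
            for i, key in enumerate(text[1:])]

def demo():
    phrase = " ".join(WORDS + WORDS)      # every word appears with a space on both sides
    profile = enroll([(phrase, constructed_typist(phrase, True, s)) for s in range(5)])
    old, new = "amber linen orbit", "velvet copper amber"
    return {
        "owner": verify(profile, new, new, constructed_typist(new, True, 9)),
        "replayed_old_session": verify(profile, new, old, constructed_typist(old, True, 9)),
        "other_typist": verify(profile, new, new, constructed_typist(new, False, 9)),
    }
```

Because the profile is kept per digraph rather than per phrase, the verifier can score text the user has never typed as a whole, which is what makes a random challenge possible.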