Websites that ID you by how you type: Great when someone's swiped your password, but...

...Bad when it comes to privacy

'We have defeated it'

"There can be no doubt, BehavioSec's product works exactly as it was designed to do," Moore told The Register.

"On reflection, the term 'defeated' probably isn't appropriate... but it depends on the context. In my view, the intended and primary purpose of behavioral profiling is to identify the user. In that sense, we have defeated it. However, Neil has a better understanding of what it's intended to do and looking at it from another angle, that of logging into a site, we certainly haven't defeated it; quite the opposite actually. If a site uses this technology, the KeyboardPrivacy plugin makes it considerably harder (if not impossible, depending on configuration) to log in without the added metadata of behavioral profiling," he added.

Moore agreed that behavioral biometrics offers a more seamless login experience for users. His main concern was that users are frequently unaware that it is in use at all, so there is no informed consent.

"Current alternatives such as TOTP 2FA & 2SV SMS/email messages are, by comparison, highly inefficient and ruin the established username/password 1FA user experience," Moore told El Reg.

"I understand and appreciate the need for a technology which allows for higher levels of assurance during authentication, but as I mentioned in the article, not at the expense of privacy. With a clear and concise explanation along with greater transparency over its use, this may well be the future of continuous authentication. It's simple, unobtrusive, and affords users much greater security, if they're willing to sacrifice privacy."

"However, my main concern is not the lack of transparency, but how such invasive information will be handled by each site. The traditional password is, by comparison, very easy to revoke and reset... yet millions of sites adopt weak or insecure storage methods (plain text, MD5, SHA256, etc.) which, in the event of a breach, potentially leaks the password and associated metadata with it," he added.

Since behavioral biometric data isn't constant, it's "impossible to hash/key-stretch in a similar fashion to passwords... which only realistically leaves encryption; infinitely more difficult to implement safely and fraught with hidden dangers," which many sites wouldn't normally consider, according to Moore.
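The storage problem Moore raises is easy to see side by side. The Python below is an added illustration, not code from the article, from BehavioSec or from any vendor mentioned; the keystroke-interval vectors are constructed sample values. A password can be key-stretched and verified by exact match, so the server never needs the plaintext. A typing-cadence template varies slightly every time the same person types, so a stretched hash of it never matches again, and the server is forced to keep the template in a form it can measure distances against (plaintext or reversible encryption), which is exactly what leaks in a breach and cannot be reset afterwards.

```python
import hashlib
import hmac
import math

# Fixed salt so the example is reproducible; a real system uses a random per-user salt.
SALT = b"constructed-example-salt"
ITERATIONS = 100_000


def stretch_password(password: str, salt: bytes) -> bytes:
    """Key-stretch a password with PBKDF2-HMAC-SHA256 (stdlib; scrypt/argon2 preferred in practice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Exact-match verification: the stored value is a one-way digest, never the password."""
    return hmac.compare_digest(stretch_password(password, salt), stored)


def stretch_template(timings: list[float], salt: bytes) -> bytes:
    """The naive idea: serialize a keystroke-timing template and key-stretch it like a password."""
    serialized = ",".join(f"{t:.3f}" for t in timings).encode()
    return hashlib.pbkdf2_hmac("sha256", serialized, salt, ITERATIONS, dklen=32)


def verify_template_by_hash(timings: list[float], salt: bytes, stored: bytes) -> bool:
    """Exact-match on a stretched template; fails for a genuine user because cadence jitters."""
    return hmac.compare_digest(stretch_template(timings, salt), stored)


def euclidean_distance(a: list[float], b: list[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify_template_by_distance(timings: list[float], template: list[float], threshold: float) -> bool:
    """What a behavioral-biometric system actually has to do: compare against a recoverable template."""
    return euclidean_distance(timings, template) <= threshold


# Constructed inter-key intervals (seconds) for the same 8-character password.
ENROLLED = [0.12, 0.09, 0.15, 0.11, 0.08, 0.14, 0.10, 0.13]      # captured at enrollment
SAME_USER = [0.13, 0.10, 0.14, 0.11, 0.09, 0.15, 0.10, 0.12]     # same person, natural jitter
OTHER_USER = [0.25, 0.20, 0.30, 0.22, 0.18, 0.28, 0.21, 0.26]    # a different, slower typist
THRESHOLD = 0.05  # assumed acceptance threshold for the distance check


def compare_approaches() -> dict:
    """Return, for each approach, whether it accepts the genuine user and rejects the other one."""
    stored_pw = stretch_password("correct horse", SALT)
    stored_tpl = stretch_template(ENROLLED, SALT)
    return {
        # Passwords: constant input, so exact match works and only a digest is stored.
        "password_exact_match_accepts_genuine": verify_password("correct horse", SALT, stored_pw),
        "password_exact_match_rejects_wrong": verify_password("correct hoarse", SALT, stored_pw),
        # Hashed biometric template: the genuine user's next sample no longer matches.
        "hashed_template_accepts_genuine": verify_template_by_hash(SAME_USER, SALT, stored_tpl),
        # Distance on a stored template works, but the template itself must be recoverable.
        "distance_accepts_genuine": verify_template_by_distance(SAME_USER, ENROLLED, THRESHOLD),
        "distance_rejects_other": verify_template_by_distance(OTHER_USER, ENROLLED, THRESHOLD),
    }


if __name__ == "__main__":
    for name, outcome in compare_approaches().items():
        print(f"{name}: {outcome}")
```

The takeaway for anyone storing such templates is that the design choice is not hashing versus encryption but where the decryption key lives and who can call the distance function: once the template is decrypted for comparison it is plaintext on that host, and unlike a password there is no "reset my typing cadence" after a breach.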

"In the UK at least, our data regulator (Information Commissioner's Office) really isn't equipped to understand the subtle nuances of behavioral profiling... and a lack of solid regulation and/or financial penalties, coupled with a relatively new technology, is a recipe for disaster," Moore concluded.

Christopher Bailey, CTO at fraud detection software firm NuData Security, argued that a balance needs to be reached between privacy and security in rolling out behavioral profiling technologies.

"There is always a fine balance between keeping users safe from fraud (security) and user privacy," Bailey said. "It is important to recognize that all companies are bound by strict PII and PCI laws that protect users' data privacy, and to strengthen that, sophisticated fraud prevention solutions do not require nor [do they] have knowledge of the end user's real-world identity such as their name or address."

"As with all technological advances, there are users who view anonymous passive behavioral analysis as a breach of privacy and seek to mask certain behaviors. For example, masking their typing patterns or device fingerprint by using browser plugins or specialized tools such as Keyboard Privacy or FraudFox. In the world of online security, this practice of altering inputs (spoofing) is not uncommon, but rarely detailed enough to circumvent fraud prevention technologies," he added. ®
