Biometric behavioural profiling: Fighting that password you simply can't change

A testing time when trying to touch-type

Security researchers have developed a browser extension that supposedly defeats biometrics based on typing patterns, with the exercise designed, in part, to promote greater awareness about the emerging technology and the privacy risk it might pose.

Biometric behavioural profiling allows a site to collect metadata about how a person types, rather than just what they type.

When you type your username and password, the site can see how long it takes to type it, including how long each key is depressed (dwell time) and how long it takes to move from one key to another (gap time).

Some sites are moving beyond simple password/ID logins towards multi-factor solutions in an effort to bolster security.

This can happen to the detriment of the user experience, particularly when it comes to continuous authentication/behavioural biometrics, according to Per Thorsheim, founder of PasswordsCon, and independent IT security consultant Paul Moore.

Profiling technologies from firms such as BehavioSec and KeyTrac can improve security when added to a banking site, where they offer the potential to minimise fraud.

But use of the technologies elsewhere comes at the expense of privacy, according to the two security researchers. It's unclear how many sites use biometrics based on typing patterns or, if they do, whether or not they inform users about their practices in this area.

"You can forget Tor, a VPN and your favourite proxy site," Moore explained. "If you have JavaScript enabled and you've been profiled, there's a very good chance they'll identify you. The problem is ... do you know when you're being profiled?"

If a site is using biometric behavioural profiling, then this has deeper consequences than simply obliging users to change their passwords, Moore added.

"If your biometric behavioural profile is shared/stolen, the consequences are far-reaching and considerably more difficult to mitigate," he said. "You can't change the way you type and even if you did, they'll simply profile you again until the confidence level reaches acceptable limits."

Shielding web connections behind a proxy (VPN or Tor) isn't effective against this type of technology, which can identify users with accuracy approaching 90 per cent.

Thorsheim's blog post explaining the privacy pratfalls of behavioural profiling can be found here.

Defeating technology, not implementation

Moore and Thorsheim have developed KeyboardPrivacy, a proof-of-concept Google Chrome extension designed to defeat the underlying technology, rather than any one vendor's implementation of it, and so safeguard a user's privacy.

The plug-in works by interfering with the periodicity of everything you enter into a website, confusing attempts by behavioural biometrics technology to build a profile.
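As an added illustration (not code from the article or from the KeyboardPrivacy extension), the JavaScript below extracts the dwell and gap times described earlier from a constructed keydown/keyup stream, then re-times the same stream with random delays, as a privacy extension might, and measures how far the resulting profile drifts. The event shape, the `jitterEvents` helper and the distance metric are assumptions made for the demo, not details of any real profiler or extension.

```javascript
// Constructed sample: keydown/keyup timestamps in ms while typing "pass".
const SAMPLE_EVENTS = [
  { type: 'keydown', key: 'p', t: 0 },   { type: 'keyup', key: 'p', t: 95 },
  { type: 'keydown', key: 'a', t: 140 }, { type: 'keyup', key: 'a', t: 230 },
  { type: 'keydown', key: 's', t: 270 }, { type: 'keyup', key: 's', t: 350 },
  { type: 'keydown', key: 's', t: 400 }, { type: 'keyup', key: 's', t: 480 },
];

// Dwell time: keydown to keyup of the same key.
// Gap time: keyup of the previous key to keydown of the next.
function extractProfile(events) {
  const dwells = [], gaps = [];
  const pendingDown = new Map();  // key -> keydown timestamp
  let lastUp = null;
  for (const e of events) {
    if (e.type === 'keydown') {
      if (lastUp !== null) gaps.push(e.t - lastUp);
      pendingDown.set(e.key, e.t);
    } else if (pendingDown.has(e.key)) {
      dwells.push(e.t - pendingDown.get(e.key));
      pendingDown.delete(e.key);
      lastUp = e.t;
    }
  }
  return { dwells, gaps };
}

// Hypothetical counter-measure: delay each event by a random amount in
// [0, maxDelayMs), never letting an event fire before the previous one, so
// key order is preserved but the rhythm a profiler sees is not the user's.
function jitterEvents(events, maxDelayMs, rng = Math.random) {
  let prev = -Infinity;
  return events.map(e => {
    const t = Math.max(prev, e.t + Math.floor(rng() * maxDelayMs));
    prev = t;
    return { ...e, t };
  });
}

// Mean absolute difference (ms) between two profiles of the same text; a
// real profiler uses a richer model, this is only a visible yardstick.
function profileDistance(a, b) {
  const mad = (xs, ys) => xs.reduce((s, x, i) => s + Math.abs(x - ys[i]), 0) / xs.length;
  return (mad(a.dwells, b.dwells) + mad(a.gaps, b.gaps)) / 2;
}

const original = extractProfile(SAMPLE_EVENTS);
const disguised = extractProfile(jitterEvents(SAMPLE_EVENTS, 100));
console.log('original:', original, 'drift (ms):', profileDistance(original, disguised));
```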

The extension can be disabled on a per-site basis, if users wish, so that they are able (for example) to log into their banking sites.

The plug-in makes no attempt to mask/obfuscate your mouse movements.

"Most (if not all) behavioural profiling systems check your mouse movements too. However, in my experience, mouse movements do not provide sufficient metadata to accurately identify a user," Moore explained.

Moore, who has blogged about this form of profiling, is uncomfortable with the whole concept of behavioural biometrics for much the same reason he dislikes password re-use.

"The single biggest problem with passwords is not length or strength, but re-use," Moore concluded. "Your behavioural biometrics (knowingly or not) are essentially secrets which you unwittingly share with every site." ®


Biting the hand that feeds IT © 1998–2017