Every day, I enter information using a Kinesis keyboard using Dvorak (at my desk), at a MacBook Pro's keyboard (taking notes at meetings), and using an Android on-screen keyboard.
I guess that this service would only allow me to log in using one of those three keyboards, because the typing would look extremely different between them.
In case this wasn't clear: they're not saying you won't generate a model from their Dvorak typing, but rather that the model you generate is likely to depend on the keyboard layout, and so will break if they try to log in from a different keyboard.
I'm in much the same boat: Planck with the Workman layout (laptop and desktop), laptop keyboard with both Workman (touch typing) and qwerty (very much not touch typing), and on-screen on my phone.
Even just swapping between the staggered and grid layouts, both Workman, changes how I type in a way that I'm reasonably confident would affect the accuracy of this service.
Sure, here: https://api.typingdna.com/index.html (includes usage samples in different languages). You can sign up and find out more... I thought you knew that. Thanks for asking!
Nice marketing. Another way to write that? 1 in 1000. That's really really high. If you're using a service that you feel like you need 2FA on, would you really want to use this? I'll stick with my hardware token for now.
We believe that it's safe to use a password + TypingDNA than just the password. Most people do not use ANY 2FA today, you are certainly an exception. So are we. We use Yubikeys and Authenticators internally, but this is the kind of solution that can make things more user friendly.
this sounds great until you get hit by a "phishing" attack that steals your typing profile. it's probably that hard to do, all you need is to convince your victim to type something. a signup form would work pretty well, plus you get a nice primary key (email/username) so you can even share your stolen typing profiles with your hacker buddies! then what are you going to do? change your typing profile?
I don't understand the security model here. This seems like an irrevocable universal login factor, aspects of which can be observed by hostile websites through Javascript. How is this not the worst of all possible MFA worlds? What don't I understand about how the modeling works?
Also: We are conducting ongoing experimental research based on typing biometrics. Some of the predictions(soft biometrics traits) we study by typing biometrics are gender, age, IQ, race, openness, and Jungian/4 letter type personality profile of a person. Potential use cases: Human Resources, Marketing, Health care is a pretty squicky thing to also be planning to build with this.
I guess it would be useful as a layer to signal if a user should be checked more carefully. Given it can be used passively, it could be used to flag that there is a mismatch between the user signed in and their historical typing and that whatever they were up to looked at in more detail.
This would be amazing for detecting people with multiple accounts.
However it's only limited by the amount of effort a malicious actor wants to take. I'm sure a machine learning model could be generated to fudge your typing to match any other profile, or to just make it look like any other person.
1) A friend of mine recently broke his arm. His typing profile is going to be quite different from normal until he's fully healed. What do you do in this case? Is there a "reset my typing profile" thing you can do?
2) This seems vulnerable to replay attacks in a way that hardware-based 2FA systems aren't. How does this system prevent that?
While my general 'rhythm' might stay the same, a) specific keys slow me down consistently depending on keyboard, and b) the length of press might be quite different between even the chicklet apple keyboards (different 'depths'), let alone different brands.
If you send your typing patterns for passwords, couldn't they be decrypted by using the other collected typing data? Or do they mean you just enter the TypingDNA password into TypingDNA?
I'd be more interested in a tool that prevents any typing data from ever leaving my computer (maybe by opening all web forms in a text editor).
It looks like this post was heavily ring-voted (i.e. friends or colleagues upvoting for promotional reasons) and we've gotten complaints about booster comments in the thread.
Please don't do those things! They're against the rules and we ban accounts and sites that do them, plus HN users have gotten really good at noticing them and then they get mad. So, not in your interests all around.
23 comments
[ 4.5 ms ] story [ 59.5 ms ] threadI guess that this service would only allow me to log in using one of those three keyboards, because the typing would look extremely different between them.
Even just swapping between the staggered and grid layouts, both Workman, changes how I type in a way that I'm reasonably confident would affect the accuracy of this service.
Nice marketing. Another way to write that? 1 in 1000. That's really really high. If you're using a service that you feel like you need 2FA on, would you really want to use this? I'll stick with my hardware token for now.
Also: We are conducting ongoing experimental research based on typing biometrics. Some of the predictions(soft biometrics traits) we study by typing biometrics are gender, age, IQ, race, openness, and Jungian/4 letter type personality profile of a person. Potential use cases: Human Resources, Marketing, Health care is a pretty squicky thing to also be planning to build with this.
However it's only limited by the amount of effort a malicious actor wants to take. I'm sure a machine learning model could be generated to fudge your typing to match any other profile, or to just make it look like any other person.
1) A friend of mine recently broke his arm. His typing profile is going to be quite different from normal until he's fully healed. What do you do in this case? Is there a "reset my typing profile" thing you can do?
2) This seems vulnerable to replay attacks in a way that hardware-based 2FA systems aren't. How does this system prevent that?
While my general 'rhythm' might stay the same, a) specific keys slow me down consistently depending on keyboard, and b) the length of press might be quite different between even the chicklet apple keyboards (different 'depths'), let alone different brands.
I'd be more interested in a tool that prevents any typing data from ever leaving my computer (maybe by opening all web forms in a text editor).
Please don't do those things! They're against the rules and we ban accounts and sites that do them, plus HN users have gotten really good at noticing them and then they get mad. So, not in your interests all around.