Paul Moore

Security consultant, researcher & CISO at Icebook.

Behavioral Profiling: The password you can't change.

We're all familiar with the 3 basic categories of authentication.

  1. Knowledge factors (passwords, PINs)
  2. Possession factors (a software/hardware token - YubiKey/Google Authenticator/SecurID)
  3. Inherence factors (fingerprint, heartbeat, iris/retina scanning)

While the vast majority of sites use knowledge factors alone, a growing number are turning to multi-factor solutions in an effort to bolster security, often to the detriment of the user experience.

Cue continuous authentication / behavioral biometrics... the process of identifying a user based on the subtle nuances in their voice, typing patterns, facial features and location.

How does it work?

As opposed to traditional authentication, which is only interested in what you type, behavioral biometric systems also collect and profile how you type. By continuously monitoring your keystrokes, the system is able to build a profile of you.

In order to achieve this, the system monitors how long each key is depressed (dwell time), how long between each key press (gap time), how long to type a known string and hundreds of other metrics.


With enough supporting data, it's entirely possible to identify you based purely on how you type.

Think about that for a moment.

How accurate is it?

Back in 2011, Professor Christophe Rosenberger at ENSICAEN announced it was possible to determine a user's gender after just a few keystrokes.

Over the last 4 years, many companies have researched & invested heavily in leveraging this technology.

Meet BehavioSec, a Swedish company which shot to fame after recent coverage in BBC News, the Wall Street Journal, CNBC, Wired and Forbes, to name a few.

After a brief training period, their technology is able to identify a user with astonishing accuracy.

Here's the demo login page.

Looks remarkably similar to every other login page, doesn't it?

After entering your username & password, you're asked to simulate a bank transfer. After just 44 characters, look at the result.

A session score of 99% with a confidence rating of 80%! Remember, we've typed 44 characters so far.

Balancing security with privacy

In terms of security, this is a huge leap forwards... but does it tip the security/privacy scale too far?

You can forget Tor, a VPN and your favorite proxy site... if you have JavaScript enabled and you've been profiled, there's a very good chance they'll identify you.

The problem is... do you know when you're being profiled?

It's been rumored that UK banks are actively trialing this technology in an effort to detect & minimize the risk of fraud. How many other sites use it? Would they tell you if they were?

Shared secrets

Although we all love to hate passwords, they're shared secrets which can be changed with just a few clicks.

If your biometric behavioral profile is shared/stolen, the consequences are far-reaching and considerably more difficult to mitigate. You can't change the way you type and even if you did, they'll simply profile you again until the confidence level reaches acceptable limits.

How do I protect my privacy?

On Wednesday, 22nd July 2015, Per Thorsheim (Founder of PasswordsCon; CISA, CISM, CISSP-ISSAP) Skype'd me with an interesting challenge.

Defeat the underlying technology and protect the user's privacy.

Challenge accepted.

Over the next few days, I researched the underlying technology and explored ways to nullify such profiling. You can read Per's analysis of this technology here.

Although many implementations claim to use hundreds of metrics, it became clear that only a few were weighted heavily enough to really matter.

  1. Dwell time - How long each key is depressed.
  2. Gap time - How long between each key press.

If we can skew these statistics enough, it'd be almost impossible to profile and/or identify a user.

Meet KeyboardPrivacy, a proof-of-concept Google Chrome extension which interferes with the periodicity of everything you enter into a website.

Once installed, you can continue to use the web exactly as you do now. When you enter anything on your keyboard, KeyboardPrivacy will artificially alter the rate at which your entry reaches the document object model (DOM).

As you can see, we have a 50 millisecond dwell & gap time (the default configuration) here. It's enabled everywhere by default, but you can disable it on a per-site basis if you wish.
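To make the two metrics above concrete, and to show why a fixed 50 ms cadence leaves nothing to profile, here is an added example (not code from this post or from KeyboardPrivacy). The keystroke sample is constructed, and the normalizer is an assumed model of what the extension does to timing, not its actual implementation.

```javascript
// Added example, not code from the post or from KeyboardPrivacy. Models the
// two heavily weighted keystroke metrics (dwell and gap time) and the effect
// of re-timing every key to a fixed cadence before it reaches the page.
// Timestamps are milliseconds; the sample below is constructed, not recorded.

const SAMPLE_EVENTS = [            // the word "behave", one user's timing
  { key: "b", down: 0,   up: 95  },
  { key: "e", down: 180, up: 262 },
  { key: "h", down: 340, up: 450 },
  { key: "a", down: 560, up: 640 },
  { key: "v", down: 700, up: 810 },
  { key: "e", down: 905, up: 990 },
];

// Dwell = how long a key is held; gap = release of one key to press of the next.
function extractTiming(events) {
  const dwell = events.map((e) => e.up - e.down);
  const gap = events.slice(1).map((e, i) => e.down - events[i].up);
  return { dwell, gap };
}

function stats(values) {
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  const variance = values.reduce((a, b) => a + (b - mean) ** 2, 0) / values.length;
  return { mean, std: Math.sqrt(variance) };
}

// Enrolment: the profile is just the mean/std of each metric.
function enroll(events) {
  const t = extractTiming(events);
  return { dwell: stats(t.dwell), gap: stats(t.gap) };
}

// Distance of a new sample from the profile, in standard deviations
// (0 = identical timing; a real system weighs many more metrics than this).
function profileDistance(profile, events) {
  const t = extractTiming(events);
  const z = (s, v) => Math.abs(stats(v).mean - s.mean) / s.std;
  return (z(profile.dwell, t.dwell) + z(profile.gap, t.gap)) / 2;
}

// Assumed model of the extension's defence: every key is re-emitted with a
// fixed dwell and gap (50 ms each by default, per the post), so the timing the
// page observes is identical for every user and every session.
function normalizeTiming(events, dwellMs = 50, gapMs = 50) {
  return events.map((e, i) => ({
    key: e.key, down: i * (dwellMs + gapMs), up: i * (dwellMs + gapMs) + dwellMs,
  }));
}
```

Enrolling on the constructed sample and scoring its normalized version gives a distance of nearly three standard deviations, with zero variance left in either metric.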

Let's see what happens when we try to login now.

That's better!

Our session score has plummeted to just 0.07%! Crucially, they're 78% confident in the assumption that the person in front of the keyboard is not me, despite having my username & password.

What about MousePrivacy?

Most (if not all) behavioral profiling systems check your mouse movements too. However, in my experience, mouse movements do not provide sufficient metadata to accurately identify a user.

As such, the plugin makes no attempt to mask/obfuscate your mouse movements.

Doesn't that reduce security?

Absolutely, but that's not necessarily a bad thing.

As I mentioned earlier, it's more important to strike a good balance between security & privacy; it's rarely possible to increase one without measurably degrading the other (password managers being an exception). If you're happy to leak this information to every site, or if you're forced to do so by a financial institution, you can disable the plugin on a per-site basis.

Even if your behavioral profile is leaked to a third party, it's of no use unless you happen to disable the plugin on their site too.

The single biggest problem with passwords is not length or strength, but re-use. Your behavioral biometrics (knowingly or not) are essentially secrets which you unwittingly share with every site.

Granularity is key

Although the technology is often described as "continuous authentication", it rarely is. With 400+ unique metrics for every field, the amount of metadata would be astronomical.

However, that's not to say it's not possible.

If you're a large corporation or a certain 3-letter government agency, behavioral biometric data is priceless. If the site happens to profile every single word (ignoring the fact they'll be swamped with data), imagine this scenario...

The user types and the site profiles the word "behavioral". OK, no big deal... but look deeper.

What happens when the user types "behave" or "oral"? We already have partial data for those terms, even though they haven't typed that exact word before. Although the system works on loose tolerances, it's granular and smart enough to make an educated guess.

Delivering the proof of concept...

Since laying down the gauntlet, I've been in daily contact with Per Thorsheim to test each version of KeyboardPrivacy.

The current version appears to be working quite nicely; even protecting a profile created through Tor.

Defeating the technology, not the implementation

As you've seen, Per and I have conducted our tests against BehavioSec... but defeating individual implementations is not the goal here.

Let's try KeyTrac, a similar product intended to add biometric profiling to existing knowledge-based authentication.

First, we'll try with the plugin disabled (note the red dot on the plugin icon).

82% is a reasonable score to allow a session to continue. Let's enable the plugin and try again...

Ah, the sweet smell of success.


This was an interesting challenge and ultimately, it wasn't as difficult as I expected. If you strip away the boilerplate required to make a Chrome extension, the code is just 13 lines long and has proven to be quite robust so far.

The Chrome extension is now available here. Sit tight for a Firefox version too.