
Security researchers develop browser plug-in to dupe biometric behavioural profiling


Security researchers have developed a Chrome browser extension designed to outwit websites that use keyboard behaviour biometrics to authorize the identities of users. According to a report by Tripwire, the aim is to raise awareness about the behavioural biometric technology and its potential privacy risks.

Keyboard behaviour biometrics distinguish among different typists by monitoring how they type: the length of time between each keypress, the length of time each key is held down, and how long it takes to type a particular string of characters.

However, fraudsters could potentially abuse this biometric information for identity theft purposes.

Recognizing this, PasswordsCon founder Per Thorsheim and independent IT security consultant Paul Moore recently developed and tested a solution that can take an individual’s regular keyboard interaction with a website, and alter the characteristics that are undetectable to humans to ultimately dupe any website attempting to identify the user.

KeyboardPrivacy is a proof-of-concept Chrome extension which enables users to disguise their typing to make it appear as though it is someone else’s to protect their privacy.
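The timing features described above, and the effect of re-timing keystrokes before a page sees them, as an added example that is not KeyboardPrivacy's code or part of the original article. The sample timestamps, the 15 ms threshold and the constant-timing approach in `normalizeTiming` are all assumptions made for illustration; the article does not describe how the extension alters timing.

```javascript
// Constructed samples: each entry is one key with press/release times in ms.
const ev = (key, down, up) => ({ key, down, up });
const aliceEnrol = [ev('p', 0, 90), ev('a', 150, 230), ev('s', 300, 395), ev('s', 470, 560)];
const aliceLogin = [ev('p', 0, 95), ev('a', 160, 235), ev('s', 300, 400), ev('s', 480, 565)];
const bobLogin   = [ev('p', 0, 140), ev('a', 260, 390), ev('s', 520, 650), ev('s', 800, 945)];

// Dwell: how long each key is held. Flight: gap between releasing one key
// and pressing the next. Total: time to type the whole string.
function extractFeatures(events) {
  const dwell = events.map(e => e.up - e.down);
  const flight = events.slice(1).map((e, i) => e.down - events[i].up);
  const total = events[events.length - 1].up - events[0].down;
  return { dwell, flight, total };
}

// Mean absolute difference (ms) across dwell and flight values for the same
// typed string. A simplified stand-in for a real matcher.
function profileDistance(a, b) {
  const diffs = [
    ...a.dwell.map((d, i) => Math.abs(d - b.dwell[i])),
    ...a.flight.map((f, i) => Math.abs(f - b.flight[i])),
  ];
  return diffs.reduce((x, y) => x + y, 0) / diffs.length;
}

// Hypothetical decision rule: accept when the sample is within thresholdMs.
function sameTypist(enrolled, sample, thresholdMs = 15) {
  return profileDistance(enrolled, sample) <= thresholdMs;
}

// Assumed privacy transform: replay the same keys with constant dwell and
// gap, so the timing channel no longer carries the typist's rhythm.
function normalizeTiming(events, dwellMs = 100, gapMs = 100) {
  let t = events[0].down;
  return events.map(e => {
    const out = ev(e.key, t, t + dwellMs);
    t += dwellMs + gapMs;
    return out;
  });
}

const enrolled = extractFeatures(aliceEnrol);
console.log('alice vs enrolled:', profileDistance(enrolled, extractFeatures(aliceLogin)));
console.log('bob vs enrolled:  ', profileDistance(enrolled, extractFeatures(bobLogin)));
console.log('alice vs bob after normalizing:', profileDistance(
  extractFeatures(normalizeTiming(aliceLogin)), extractFeatures(normalizeTiming(bobLogin))));
```

With the raw events, Alice's second sample sits close to her enrolled profile and Bob's does not; after normalizing, the two typists produce identical features, so a site measuring timing learns nothing that separates them.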

In a YouTube video, Thorsheim first visits a website that successfully uses keyboard behaviour biometrics to identify users, then demonstrates how it can be tricked by the KeyboardPrivacy plugin.

In a blog post detailing KeyboardPrivacy, Moore explains that he and Thorsheim created the plugin not as a means to prevent websites from using keyboard behaviour biometrics as an authentication method, but rather as a way to raise awareness of the potential security risks of the emerging technology.

“As I mentioned earlier, it’s more important to strike a good balance between security & privacy; it’s rarely possible to increase one without measurably degrading the other (password managers being an exception),” Moore writes in the blog post. “If you’re happy to leak this information to every site, or if you’re forced to do so by a financial institution, you can disable the plugin on a per-site basis.

“Even if your behavioral profile is leaked to a 3rd-party, it’s of no use unless you happen to disable it on their site too. The single biggest problem with passwords is not length or strength, but re-use. Your behavioral biometrics (knowingly or not) are essentially secrets which you unwittingly share with every site.”

The researchers explain that it is unclear how many websites use keyboard behaviour biometrics, and if they do, whether or not they actually notify their users that they are using this technology.

If a user's biometric behavioural profile is stolen from a website that uses biometric behavioural profiling, the consequences for that user could be greater than simply changing a password, Moore said.

“The single biggest problem with passwords is not length or strength, but re-use,” Moore concluded. “Your behavioural biometrics (knowingly or not) are essentially secrets which you unwittingly share with every site.”
