How you use a computer says a lot about you. If your fingers fly around the keyboard taking advantage of every possible shortcut, you’re clearly something of a tech whizz.
Conversely, if you jab your finger at each key in a slow, deliberate manner and use the caps lock key to input a capital letter, perhaps not.
In fact this information is so unique that it could soon start to be used in security defences to spot unusual account activity.
SecureAuth has just unveiled version 9.0 of an identity monitoring platform that contains this capability, using technology developed by a Swedish firm called BehavioSec.
The system can spot unusually slow or fast keystrokes, or a phone being used and held in an unusual way. Even the way a mouse cursor is moved around can be monitored and used to decide whether the user is legitimate or not.
If the system is suspicious it can be configured to require another level of authentication such as answering a security question or entering an SMS passcode.
V3 spoke to SecureAuth CTO Keith Graham to find out more about how the tool works, and had a go at breaking into his bank account to see whether we could spoof the system.
“It’s another layer in the security onion, and the beautiful thing is it’s passive and behind the scenes, so the user doesn't know and doesn't have to do anything,” he explained.
The service is currently offered only as an on-premises deployment, as the firm’s traditional customer base does not use cloud systems.
“The nature of our business means we work a lot with healthcare, financial, insurance, banking, federal government and so on, and those verticals are still very security conscious, so they want to keep a lot of control over that,” he said.
Once installed, the system takes an average of seven successful username and password log-ins to begin recognising patterns and start spotting unusual activity.
Graham told V3 that, once this baseline has been achieved, the system has a 97 percent detection rate of false entries based on username and password credentials.
“Some people point out that three percent will be successful, but if your passwords are compromised 97 percent are not protected. It’s not a silver bullet but an improvement on what we have today,” he said.
“If I was a CSO I’d rather know that 97 percent of the entire password database of my customers were covered, rather than zero.”
It is always possible, of course, that legitimate users will set off alarm bells by accident with such a service. Graham admitted that this can happen, but that such instances are a minor irritation compared with the overall benefit.
“The worst case is that one time you have to provide one additional thing. But the system works so that every time you authenticate, it takes that and adds that to your profile and learns,” he said.
“So if you have a broken wrist in a cast it may ask for more information the first few times but after a while it will recognise that, and then once the cast is off it will relearn your normal typing style again.”
The other problem that such a technology might create concerns privacy, as the idea of software that monitors your every movement, from how you type to the way you move your mouse, is perhaps a touch unnerving.
However, Graham explained that the tool does not collect any of the data being inputted, just the speed and way in which it is entered, and that all the analysis is done on the customer's servers, not on SecureAuth's systems.
“No information is collected on what is being typed in, just how it is being typed in. There is no need to collect it other than for the analysis of how you input it for security purposes,” he said.
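The flow described above (timing-only capture, a baseline built over the first log-ins, a second factor on a mismatch, and a profile that keeps learning), sketched as an added example. It is not SecureAuth's or BehavioSec's algorithm: the z-score similarity, the threshold, the window size and all names and timings are assumptions made for illustration.

```python
from statistics import mean, pstdev

MIN_SAMPLES = 7    # enrolment count; the article quotes seven log-ins as an average
THRESHOLD = 0.5    # assumed similarity cut-off below which a second factor is required
WINDOW = 10        # assumed number of recent samples kept, so the profile can drift

class TypingProfile:
    """Per-user timing profile. A sample is a list of key hold and key-to-key
    times in milliseconds; the typed characters are never stored."""

    def __init__(self):
        self.samples = []

    def learn(self, sample):
        self.samples = (self.samples + [list(sample)])[-WINDOW:]

    def score(self, sample):
        """Similarity in [0, 1], or None while the baseline is still being built."""
        if len(self.samples) < MIN_SAMPLES:
            return None
        columns = list(zip(*self.samples))
        # Mean absolute z-score across features; the floor on the spread keeps
        # a very consistent typist from causing a division by zero.
        z = mean(abs(x - mean(c)) / max(pstdev(c), 1.0) for x, c in zip(sample, columns))
        return max(0.0, 1.0 - z / 3.0)

def authenticate(profile, sample, second_factor_ok=False):
    """Called after the password check has passed. Returns 'enrolling', 'allow',
    'step_up' (ask for a second factor) or 'allow_after_step_up'."""
    s = profile.score(sample)
    if s is None:
        profile.learn(sample)
        return "enrolling"
    if s >= THRESHOLD:
        profile.learn(sample)
        return "allow"
    if second_factor_ok:
        profile.learn(sample)   # learn only once the extra check has succeeded
        return "allow_after_step_up"
    return "step_up"

# Constructed timings (ms): alternating hold and gap times for three keystrokes.
BASE = [95, 140, 88, 160, 102, 130]

def enrolled_profile():
    p = TypingProfile()
    for d in (-6, -4, -2, 0, 2, 4, 6):
        authenticate(p, [v + d for v in BASE])
    return p
```

Because a rejected attempt is never learned, a mismatch that fails the second factor cannot shift the profile; only confirmed log-ins do, which is how the slower "wrist in a cast" rhythm is gradually accepted.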
V3 was given the opportunity to test the system by logging in to a dummy bank account owned by Graham, having been told his username and password. The idea was that the tool should reject us based on our keyboard input style.
However, perhaps because we had the chance to watch how Graham typed, we did manage to access the account. Additionally, it should be noted that the test system had not performed the full accuracy test for Graham's input style so was not fully qualified to spot different typing styles.
Another test, trying to force through a bank transfer from the account to another one, showed a score of 80 percent that we were Graham. However, when Graham himself did it the system gave a 100 percent score.
Our test was not fully accurate, but it did show that the system is not infallible, as Graham had noted. However, the benefits that behavioural biometrics could offer in augmenting security could well see the technology become commonplace.
It makes sense too. There are clearly benefits to basing security parameters on something innate and unique to an individual, such as how they type and use devices, and this is part of the growing improvements to security beyond the password.
Apple’s Touch ID fingerprint scanner is now taken for granted and slowly being integrated into other major apps, such as PayPal and recently HSBC, while MasterCard is looking at letting customers use selfies to verify purchases and Windows 10 has its Hello face recognition feature.