[ChicagoBoy11]

Has anyone who has used this sort of tech before comment as to its validity and accuracy, especially over time?

The first time I saw something like this was in a MOOC platform that used this sort of typing biometric to try to make sure that students were not cheating. That seemed to make sense to me, because I get that you could collect a relatively large sample of writing from the course and then match it to whatever final project the student submitted, both occurring in a short time from one another. Also, with a project like this you can certainly have a bias towards generating false negatives, and really just accuse an issue when the differences are really, really far apart.

However, this is claiming to authenticate me as an individual. But what if my writing improves? What if I have a mechanical keyboard at work but a rinky-dink iPad case soft keyboard at home? Typing with one hand, etc? I'm not familiar with all the statistical markers that they can collect with a user's typing, but and I see the claim of 99.9% accuracy, but I was just curious what people's experience was in the wild using this sort of thing.

[raresp]

Thanks for your questions.

Regarding: "However, this is claiming to authenticate me as an individual. But what if my writing improves? What if I have a mechanical keyboard at work but a rinky-dink iPad case soft keyboard at home?"

You will have to create separate typing signatures in order to cover both desktop and mobile apps, because mobile typing is totally different than the computer's keybord typing. Typing AI is able to identify your device and is able to learn from previous detections.

One of our advantages against the competition is that we're using a machine learning algorithm and the platform learns from previous detections. Thus it will be able to identify you even if you're using a smartphone, a tablet or a desktop computer.

Regarding the 99.9% detection accuracy score, I can confirm that in 2021, Typing AI Biometrics made over 300 000 user identity checks from over 30 000 unique users. When mentioning this score we used our yearly analytics, where 1 in 1000 identity checks was a false positive keystrokes detection.

[xaedes]

Do I read that right? 1 in 1000 are false positives? Does that mean 1 in 1000 users can log in as another by chance?

That is no authentication scheme then.

[raresp]

Very good question.

Simple answer - No, you won't be able to login as another by chance. You understood it wrong. If 1000 users try to login as you, the results of our statistics show that one of them may be able to do it.

But if you combine typing biometrics with other authentication factors, using it as a two factor authentication (2FA) or as a multi factor authentication (MFA) solution, this scenario won't exist at all.

So yes, typing biometrics is a very strong and efficient authentication method.

[xaedes]

> If 1000 users try to login as you, the results of our statistics show that one of them may be able to do it.

So each user effectively gets assigned one of ~1000 ids, which is not that different to a three digit decimal PIN, that they then can use as password?

It seems to use it as an authentication scheme a username and 2FA/MFA is _mandatory_. I guess one could then also say: a username is a very strong and efficient authentication method.

[raresp]

I like the fact that you are playing with my words.

I didn't said that we have 1000 id's or that we are limited when creating the typing signatures. I said that we have a 99.9% detection accuracy score.

Each signature translates into a unique and encrypted hash with a length of over 300 characters. Compare that with an 8 characters unencrypted password, or with a 64 characters encrypted password and you'll be able to decide for yourself which security is better and more efficient.

Thanks for your interest in Typing AI.

[mcaravey]

My bank tried to add typing heuristics on the password box years ago. It wouldn’t lock you out, but you had to go through extra verification steps if you failed. I failed the test pretty much every time I logged in, and I’m sure it happened a lot because 6 months later it was gone. In that use case it was an extra attempt at locking down bank access, which I can appreciate, but I hated that it was wrong most of the time.

[raresp]

Our API returns a signature detection percentage. We recommend our users to accept users with a signature accuracy score of over 80%.

What does this means? When you type in the morning or late at night you have a different typing pattern. When you are tired or drunk, you have a different keystroke pattern, but still, our algorithm is able to identify you. You won't have a 90% matching score, but you will still have over 80% signature matching score.

This is why Typing AI's algorithm is better than our competitors.