For example, an application that needs to check a user's identity more frequently can use a longer text of 170-180 characters for initial enrollment and then use shorter texts when performing verification. Meanwhile, for applications that rarely need to verify the user's identity -- for example for password reset attempts -- the enrollment can be shorter and the verification text much longer.
Since different applications have different requirements, the error threshold can also be adjusted to suit the application owners' needs, helping them find the right balance between usability and accuracy. For example, an e-learning platform that uses typing biometrics to ensure that the people taking online exams are the actual account holders might have an acceptable error rate that's higher than a bank that wants to use typing biometrics for transaction authorization.
Tricking one or several typing recognition algorithms is technically possible using various techniques, Popa said. That's why TypingDNA uses 10 different algorithms in parallel so that the system is more resilient against potential fraud attempts, he said.
Ultimately though, typing patterns are as vulnerable to cloning as other types of biometrics. Just as attackers can copy someone's fingerprint, record their voice or obtain a high-resolution picture of their face, it is theoretically possible to record how someone types over a long period of time and then replicate that to defeat typing-based verification.
One common question that often comes up when discussing typing biometric technologies is how they handle various incidents that can affect the user's style of typing. For example, when users are inebriated or experience dizziness, they'll probably type slower and make more errors, which changes their typing profiles. Accidents can also temporarily leave users unable to type normally with one of their hands.
According to Popa, TypingDNA's system is smart enough to figure out when a user continues to type normally on one half of the keyboard and differently on the other half, which suggests that they have a problem with one of their hands. A lower score on one half of the keyboard can be compensated by asking the user to type a longer text so that more data from the unaffected half is collected.
In cases where the overall typing style changes too much, authentication success or failure depends on the configured accuracy threshold.
To account for smaller changes in a person's typing over time, the system can also perform so-called continuous enrollment, where the user's typing profile is enriched with new typing information collected over time. For example, new data collected from every typed verification text can be used to refresh the user's stored typing pattern.
TypingDNA provides access to its typing-based authentication service through an API (application programming interface) and developers can add the functionality into their web apps through a software development kit.