Long a theoretical threat, the observation of typing patterns has been refined into a "a highly practical attack" aimed at user anonymity over the internet.
Ars Technica's Dan Goodin reports on a devilish profiling technique entering maturity.
The gathering of unique keystroke characteristics is an example of what's known as behavioral biometrics, or the measurement of something a person does, such as speaking, walking, or typing. So far, Thorsheim and Moore say, several banking websites appear to be using keystroke profiling to perform an additional layer of authentication on site users. In theory, such an approach could allow the sites to detect account hijackings, even when the attacker enters the correct username and password. … To be fair, behavioral biometrics is by no means a new field of study. As evidenced by this Slashdot thread from 2007, people have long recognized the potential of using it to identify people behind a keyboard. There's also a huge library of research papers showing how to profile and de-anonymize browsers connecting over Tor. Still, if banks and other sites can use the technique to create reliable and accurate profiles of customers, it stands to reason that governments around the world can and do profile people of interest.
Keyboard Privacy is a Chrome plugin that subtly randomizes the rate your keyboard actions are injected into the browser environment.
Security consultant Paul Moore writes about Behavioral Profiling: The password you can't change.
