Conf42 Machine Learning 2021 - Online

Security at your fingertips: from Theory to Practice!


Did you know that you can recognize people by the way they type, powered by machine learning? Attend this session if you want to find out about typing biometrics and how they balance Security and User Experience, as well as to learn how to easily test the technology with the TypingDNA API and Postman.

The session will have a theoretical part, covering some basics of Multi-Factor Authentication and deep-diving into Typing Biometrics. The second part will be practical, seeing a live demo of how any user could easily leverage one of the most advanced keystroke dynamics recognition algorithms, through the TypingDNA API and Postman.


  • The way that you type is unique, and it can be used for various purposes. We believe typing biometrics to be the winner in terms of adding two-factor authentication. By the end of this presentation, you'll find out how you can win some limited edition swag from TypingDNA.
  • The typingdna.com website. All of our accounts are for free so you don't need to pay for any of the solutions. I'll show you how you can test out basically with the authentication API that we have available. Next we're going to use the auto endpoint that does everything for you.
  • Every time you're trying to perform authentication, so create the typing profile of the user and verify it like authenticate based on it. Same text works better with short but identical text every time. Any text is more flexible, but it requires the user to write more.
  • There are various startups and companies around the globe which are investigating and researching into how you can apply typing biometrics for e-health purposes. Focus is an app for improving your productivity. I'm looking forward to see where this will go in the future.
  • Typingdna.com conf 42. Here we're going to find demos, contests, challenges. With every contest that you're participating in, you are closer to winning some limited edition cool swag. We are always available for questions, so don't hesitate to write to us.


This transcript was autogenerated. To make changes, submit a PR.
Hi there, and welcome to the typing biometrics journey. Together, we'll go through some theory and practice of that, and by the end of it, you're going to find out how you can win some limited edition swag from TypingDNA. So, without further ado, let's get it started.

First of all, what exactly is typing biometrics? So, this is something also known as keystroke dynamics, and it is embedded in people's behavior when they type on a keyboard. So, yes, you heard that right. The way that you type is unique, and it can be used for various purposes that we're going to explore further in this presentation. Now, this might sound futuristic, but it dates back to World War II, when the military used to communicate through the Morse code. So, using a methodology called the fist of the sender, military intelligence were able to detect the rhythm of the operator's point, recording the dots and the dashes, and they could identify ally from enemy in this context. Now, since then, the preference for written communication grew, and with it, the field of typing biometrics evolved.

So one area which is the most explored and developed at the moment is authentication. So, using the way that you type in order to authenticate you. Now, at this point, I think we can all agree that passwords alone are not enough to secure your account. So I want to make a short detour to the authentication space before going into more details on typing biometrics. So, when we talk authentication, we can basically split the different factors into three categories: knowledge, possession, and biometrics. Knowledge is something that you know, such as a PIN or a password, or the security question, such as what is your mother's maiden name? The possession factors are something that you own, like a phone number, an email address, a token, something that you could further leverage, that could receive kind of a one-time password or code on it. And the third category is biometrics.
And here we can further split the factors into physiological, something that you are, and here you can have the fingertips, the face recognition, or behavioral, something that is related to the way that you behave, such as the way that you walk, the way that you talk, or the way that you type.

Now, if we were to compare the security aspects of them, the security and UX point of view, the knowledge factors are the most user friendly because people are already used to them. However, they tend to be not so secure, because once somebody hacks your information or finds out what it is, then it's very easy to break. And let's not forget that people usually reuse, share the passwords or the information to make it easier. Now, possession is a bit more secure, but it tends to be not so user friendly because the devices could be lost or stolen. So then imagine you are stranded somewhere, your phone got stolen, you're trying to contact, let's say, your bank, or you're trying to send an email, and then it sends you the SMS and you cannot basically log in, authenticate, because your device was initially lost or stolen. So it can generate some user experience problems here. Now the third category, the biometrics, are supposed to be the most secure ones. However, this could also pose some user experience issues because they might require kind of a heavy interaction from the user side. It can also have some problems in detecting it because nothing is black or white here. This is not a one or zero response to authentication as it is in the case of the knowledge or the possession ones. And you're basically basing your authentication assumption on a certain certainty threshold.

But among all of this, we believe typing biometrics to be the winner in terms of adding two-factor authentication. And this is because, first of all, it's very secure because it's hard to break, it's hard to mimic.
Even though somebody is next to you and sees what your password is, they cannot replicate how you type it. It's also compliant with the latest regulations. So according to PSD2 rules, typing biometrics is accepted as a second factor. And it's very user friendly because you don't need to do anything additional than what you're already doing, basically typing. And you can use your own device, you don't need another keyboard or other hardware. And it also evolves as the user's typing behavior changes over time. So it's constantly adapted to the behavior and it's kept as updated as possible. The more that you type, then the better your typing profile gets.

Now, this is currently being heavily used in e-learning, especially since COVID hit and more and more universities and courses moved online. Also, the need to secure the courses and certifications grew, and we have various clients that reached out and they implemented TypingDNA authentication in various steps of the journey, be it while taking the exam, also at the end, to ensure that the person who started the exam was also the same one that was continually doing the exam and finished it, and is the same person as the one that took the course initially. We also have clients from the banking area, financial services, because, as I was mentioning, the PSD2 regulations now require online transactions to have a second factor in place, and many of them turned to typing biometrics in order to secure the transaction. And the identity access management providers could also not stay away from this opportunity. So you can now have typing biometrics at the click of a button, literally drag and drop in your favorite IAM widgets such as ForgeRock or Azure AD B2C.

All right, now that it's been a lot of talk, so let's see how this would actually work in practice. So the first step, as with any other biometric, is recording the behavior.
And we do this through an open source recorder through which we capture the times needed to press and release keys. Also the way that you move between the keys, the way that you hold your phone if you're on a mobile device, and how you basically interact with your device, including the mouse movements. So all sorts of data points are collected through the open source recorder, and then the output of this is taken through data engineering so as to extract only the signals which are the most relevant and used for creating your typing profile. We do this initially two or three times to create the user's typing profile. This is very similar to what you do when you have a new phone and you need to configure your fingerprint scanner. So you do it in the beginning a couple of more times until the system literally creates your profile. And after that, every time you come back, we compare the typing pattern to what we have stored as your typing profile. And if the matching is above a certain threshold, then we say okay, yes, we allow the authentication, so it's a success. If it's not, then we say okay, probably this is not the person who he or she claims to be.

Right, so enough theory, let's see how this would work in practice. I'll just switch now to the TypingDNA website and show you a bit of an already done widget that you can super easily implement. And this is for demo purposes so you also see how it would work. And then I'll show you how you could alternatively use the authentication API so you make your own custom implementation. So, right, we are on the website. What you need to do firstly is create an account, so you sign up. All of our accounts are for free so you don't need to pay for any of the solutions. And after you sign up you're going to be redirected to the dashboard where you can find your information also from the Verify product, which is the already made widget I'm going to show you in a moment, but as well for the authentication API.
But let's start with the demo. Let's see how this could actually work. From here, you can do the Verify demo here. I already opened it. So to begin with we need to create, as I was mentioning, the user's typing profile, and we also need a root of trust to see if, basically to have a data point that would associate a typing profile with the person. And we need to make sure that this person is indeed the one that provided the phone number or the email address if they have it. So I'll just go for email and I'll write here a dummy email address. I'm going to do this for the first time so you can see the flow end to end. So I input my email to have a data point that this is basically the only contact PII information that we have over you. And it can also be used as a fallback method in case something goes terribly wrong. And let's say you temporarily break your arm or something happens, then you can opt for the fallback method and you're still able to access your 2FA, right?

So I'll just start a demo now and I need to write these words. As you can see, the number of words or characters is not so high. So the user experience is good. And here on the right side, this thing shows that the typing pattern has been recording while I typed. Now, because this is the first time I do it, I need to create my typing profile. So this time only I need to type two more times and one more it. All right, now I will receive again, one time only, a security code, just copy paste it, right? So my typing profile has been created and it was the same as the one that I inputted the first time. So how can I say that the second and third type profile like behavior typing behaviors were similar to the first one that I did first.

But let's start this over. So now I have my typing profile created and I'll try to authenticate. I'll start again. I'll use the same email address so it knows which Devin profile to access and I'll start it, right? And that's it.
The verification has been successful and I was allowed into my account. So see, as easy as typing four small words and you already have your 2FA in place.

So if this made you curious enough to want to give it a more of a deep dive, try. I'll show you now how you can implement it with, how you can test out basically with the authentication API that we have available. So I'm going to use Postman for that. The first step here is basically to go to the TypingDNA page. Go here and access, like download the Postman library collection. It's very easy to get it from here and import it into your Postman account. I already have it imported here. Now after it's imported, you need to add your credentials. So you go back to the dashboard, you switch to the authentication API tab and you take your key and your secret. From here you go into the configurations, basic auth, and put your username and password. This is for us to know that it was you accessing the API.

Now, next we're going to use the auto endpoint. This is basically a magical endpoint that does everything for you. So it will firstly, the first three times, enroll the typing pattern. So an enrollment means adding to the typing profile of the person to create the profile itself. Also every time we have a qualitative typing pattern, we add it to the typing profile so it's kept up to date. This is also part of the enrollment. And the auto endpoint also does all the verifications. So here you can see multiple endpoints. But basically auto is the one that you can use for almost all the use cases that you have, unless you want to make it a very custom implementation, in which case you can use these other two. Right, so we have, let's say, the back end configured now with Postman. Now you might be wondering, all right, but where can I get a typing profile so I can start testing? And we have that figured out as well.
So if you go on the website under authentication API, we have created this typing pattern viewer, which is basically a tool that outputs the typing patterns after you write in the text box here. So I'm going to use this type to output tool to generate the typing patterns and then verify them through Postman through the TypingDNA collection. Ready? So we already have a phrase for this. I'll type it now. "Make yourself necessary to somebody." We ran multiple tests and apparently this phrase is very effective into the, how can I say, improving the accuracy of the verification with lowering the number of characters needed. So this is a perfect combination of short text but good accuracy in detection, and it generated the typing patterns.

Here you can see three types: same text, any text and extended. The difference between them: so with the same text, this means that every time you're trying to perform authentication, so create the typing profile of the user and verify it, like authenticate based on it, you must use the same text, identical same text every time. Now with any text we allow you to write, or the users to write, anything that they might think of. However, we require higher number of characters here. So same text works better with short but identical text every time, whereas any text is more flexible, but it requires the user to write more. Then it's up to you how you decide to do the implementation. But for the sake of the exercise, we'll go for the same text. So we're going to use this phrase to create the typing profile and then authenticate based on it, right?

So now I'm just going to copy this, copy, go into my auto, I'm going to create a new user here. So this is sending basically the user ID. Please make sure this is an ID that you're sending if you're going to implement it, not some type of PII. We don't want that. And we just copy paste here the typing pattern that we generated before. I'll hit send and the message came back, right?
It seems I used this user before, and if I were to check for it, let's see, how many typing patterns did I have on it? So the thing is, I used the same user ID before. We already have a typing pattern profile basically for it, and now we just did the authentication, not from the beginning. So for just the sake of this, I'll just use, let's do it like this for sure. This one I didn't do. I'll go back and do it again. It, as you can see, many mistakes but nowhere is there. I copy this, I go back, and the reason why I didn't hit send with can user ID is because no typing pattern, no two typing patterns are identical, not even for the same user. So if I could have tried to send the same typing pattern as before, then I would have gotten an error back saying this might be a fraud attempt or like an attack. So that's why I prefer to generate a new one that I'm going to send now under this new user ID, and it says the pattern was enrolled, but they're not enough for verification. So I just enrolled it. The action done was enrolled. I need to do this two more times in order to create the profile, right?

So going back here, reset, writing the exact same text, get this, copy paste and send again. Not enough for verification. I just enrolled it, now I should have two, and one last time I get this, I copy back here, I send it over, right, the third time I enroll it. Now if I go into the check user, I'll just copy the user ID from here. Check user is going to show me how many typing patterns I have for this user. And it says I have a count of three, which is good, means my profile is complete and I can proceed with authentication and verification. But all of them are on desktop. So desktop and mobile are different because the physical keyboards behave differently than the mobile ones. So this is why if you want to verify from the mobile device, make sure the mobile profile was created previously or you ask the user to create it then. Right?
So with this count of three, I'm going back to auto, and now my profile is created. I'll try to do the verification. Going back. I reset it, try to examine same text. I get it. And the message came back, it's done. And what it said is, first of all we did the verification and it was successful because the result was one. And then because we believe this typing pattern to have a high quality, then we also added to the typing profile of the person. So enroll. So we did those verification with the result of one, which meant authentication successful, and enrollment with the result of one, meaning we also added to the profile.

Now, I asked a colleague of mine to generate a typing profile before this talk on the exact same text that we used, just to show you what would happen if somebody would try to break into your account by the typing behavior. So I already have a typing profile previously generated. I will just copy paste it from here and see what happens. All right. So the action done of it was verification and the result was zero, meaning the authentication was not successful. We don't believe this person to be who they claim to be. And because of this, we also didn't do any enrollment because obviously the typing pattern does not belong to the person, so we don't want to add it to the typing profile. Pretty interesting, right? I really encourage you after the talk to go and play a bit around with it and try to test out with different friends or families and see how it works with your own eyes.

Now, going back to the presentation, I know this talk was on security and on the security stage, but there's also one field which is worth mentioning in the typing biometrics space, which is the e-health.
So there are currently various startups and companies around the globe which are investigating and researching into how you can apply typing biometrics for e-health purposes to detect various diseases associated mostly with your brain and how you can detect it and also help you throughout, let's say, improving your state. So constantly monitoring and taking action on the findings there is also quite promising and I'm looking forward to see where this will go in the future. Imagine you would have an e-health app that, based on the way that you constantly type on your phone, on your computer, could say you might be at risk of having this disease, maybe you should get yourself checked, or if you have the disease, all right, your threshold now or your behavior indicated a progress, or maybe that your state just went worse over the past one month or so on. So a lot of potential here. I'm looking forward to see these companies evolve over the time.

But we at TypingDNA could also not stay away from the e-health area because it has so much potential and room for growth and for helping people. So we very recently launched Focus, which is an app for improving your productivity. So basically we track how you type and then we can predict your mood based on that and give you some recommendation on when you should take a break or when you're the most focused. And all of this with the purpose of improving your personal productivity. So this app is also available for free. Now just go on slash focus, check it out and let us know what you think and if it helped you.

Well, at TypingDNA, we are on a constant mission of improving people's lives through typing biometrics. We believe this field to have great potential and we keep on exploring over it. And I hope to have made you curious enough to want to explore it further and test it out. And if this presentation was not enough, we also created this special landing page for the event. conf 42.
Here we're going to find demos, contests, challenges, more information about what we discussed today. And with every contest that you're participating in, you are closer to winning some limited edition cool swag. So get on this landing page, have fun, and get a chance of winning some cool stuff. We are always available for questions, so don't hesitate to write to us and end. I want to thank you for your attention and leave you with a final thought. So, as Picard rightfully said, things are only impossible until they're not. And typing biometrics is the perfect example for that.

Madalina Burci

Developer Ambassador @ TypingDNA
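
The enroll-then-verify flow the talk walks through with the auto endpoint, as an added sketch that is not from the talk and is not TypingDNA's code or algorithm: it scores key dwell and flight times with a scaled Manhattan distance, a stand-in matcher chosen for illustration. The `Profile` class, both thresholds, the 5 ms spread floor and the sample timings are assumptions constructed for this example.

```python
import hashlib
from statistics import mean

MIN_ENROLLED = 3        # the talk: three patterns complete a profile
MATCH_THRESHOLD = 2.0   # assumed cut-off for accepting a verification
ENROLL_THRESHOLD = 1.0  # assumed stricter cut-off for updating the profile
SPREAD_FLOOR_MS = 5.0   # assumed floor so tiny variance cannot divide by ~0

def features(events):
    """events: [(key, press_ms, release_ms), ...] -> dwell + flight times."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

class Profile:
    def __init__(self):
        self.samples = []   # enrolled feature vectors
        self.seen = set()   # digests of every pattern ever submitted

    def distance(self, vec):
        """Mean per-feature deviation from the profile, scaled by its spread."""
        total = 0.0
        for i, x in enumerate(vec):
            col = [s[i] for s in self.samples]
            mu = mean(col)
            spread = max(mean(abs(c - mu) for c in col), SPREAD_FLOOR_MS)
            total += abs(x - mu) / spread
        return total / len(vec)

    def auto(self, events):
        """Enroll until the profile is complete, then verify (and maybe enroll)."""
        digest = hashlib.sha256(repr(events).encode()).hexdigest()
        if digest in self.seen:  # no two genuine patterns are byte-identical
            return {"action": "rejected", "reason": "replayed pattern"}
        self.seen.add(digest)
        vec = features(events)
        if len(self.samples) < MIN_ENROLLED:
            self.samples.append(vec)
            return {"action": "enroll", "count": len(self.samples)}
        score = self.distance(vec)
        enrolled = score <= ENROLL_THRESHOLD
        if enrolled:             # only high-confidence matches update the profile
            self.samples.append(vec)
        return {"action": "verify;enroll" if enrolled else "verify",
                "result": int(score <= MATCH_THRESHOLD), "score": round(score, 2)}

def typed(text, dwells, gaps):
    """Constructed sample input: build key events from dwell and gap times."""
    t, events = 0, []
    for ch, d, g in zip(text, dwells, gaps + [0]):
        events.append((ch, t, t + d))
        t += d + g
    return events

def demo():
    p = Profile()
    owner = [typed("make", [90, 80, 100, 85], [120, 110, 130]),
             typed("make", [95, 78, 104, 88], [115, 118, 125]),
             typed("make", [88, 84, 97, 83], [124, 106, 133])]
    out = [p.auto(e) for e in owner]                                       # enroll x3
    out.append(p.auto(typed("make", [92, 81, 101, 86], [119, 112, 128])))  # owner
    out.append(p.auto(typed("make", [150, 40, 160, 45], [60, 220, 70])))   # other typist
    out.append(p.auto(owner[0]))                                           # exact replay
    return out
```

Calling `demo()` returns three enrollments, an accepted verification that is also enrolled, a rejected verification with no enrollment, and a replay rejection, mirroring the sequence of responses shown in the Postman walkthrough.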
