How to protect your identity from Keystroke Biometrics?

Does someone know good protection from identity tracking through keystroke biometrics?

Keystroke dynamics: Keystroke dynamics, keystroke biometrics, typing dynamics and lately typing biometrics, refer to the detailed timing information which describes exactly when each key was pressed and when it was released as a person is typing at a computer keyboard.

There is a multitude of companies providing keystroke biometrics services, it’s a real risk for your privacy.
1 Like

Turn off the microphone and camera? Doesn’t apply when someone else is observing you.

Drink beforehand.


Did you mean maybe a web site that contains Javascript for tracking this?

Limiting the precision of time that is available to Javascript (in other words, mitigation in the browser)? That is useful for combating some attacks against Intel CPU speculation too.

1 Like

If it’s javascript on a website, just disable Javascript entirely. If the tracking is done with an off-site script, block that selectively (or just never allow it in the first place) with something like uMatrix.

If it’s baked into the website itself, type out what you need to do first in a text editor, then copy and paste it into the text entry fields of the website.


Somewhere I’ve read that typing characteristics are also used to distinguish humans from bots, to protect a service. So this would be a kind of CAPTCHA. I never noticed an application of this. While I can see, that services need protection I am sceptic about it caring about users’ interest like privacy and functionality. Possibility such a system would handle a user like a bot, when he pastes data in or does some unusual typing.

you could have a look at > and >

it might be useful to set up some macros with often used words/sentences/phrases … also, i think that having libre-sw firmware AND a free-sw GUI-frontend-app works toward your goal … but like others here have said it is not everything …

1 Like

I think you would be OK because, while each field would look suspicious, the time between fields would be an eternity (in the world of a computer) and would look (and be) genuine. Anyway a good bot could easily simulate something far better than cut and paste of a whole field. Also, there are numerous situations in which the typing would be legitimate but would look like a bot e.g. autofill and other types of autocompletion.

Kloak is a solution that I have come across, although I don’t use it. My understanding is that it obfuscates typing patterns by adding random delays to each keystroke.

I think a program that batches keystrokes for release on regular time intervals would be better for protecting anonymity. Identification algorithms still work when using Kloak, although not quite as efficiently.

It also requires root authorization and access to all keystrokes, so that requires a great deal of trust. I think I would use a more well-known program along the same lines as Kloak if it batched keystrokes instead.

i don’t quite follow what you are trying to solve here. If someone/something can read you KB events - you are in a far bigger problem than biometrics of your typing pattern.

Something can always read keyboard events, whether it’s the operating system or whatever application window I have active. Accomplishing typing anonymization with an open source, audited, well-known application wouldn’t necessarily make things worse, from a security standpoint.

Kloak isn’t at that level of trust yet for me, since I don’t know much about who developed it or which security experts use it and recommend it, but I hope there will be an application that meets all those trustworthiness criteria sometime soon.

The source code is right there… what else do you need?

1 Like

That’s a good point. I could audit the code myself. However, I am not confident that I would notice a backdoor if there was one. Maybe I should do it anyway… it would be a good exercise and I would be halfway ready to make a fork that uses my keystroke-batching idea.


Thank you, will try

In the case of Javascript, that isn’t the whole story. The page can (read and) time events without compromising your entire computer - and that could be used to fingerprint you and hence to track you across multiple computers.

Well, I can only wish them good luck with that.

1 Like

The idea seems to be quiet old …

“All the same, technical difficulties abound in making the technology work as promised and a half-dozen efforts at commercial technology have failed. Differences in the physical characteristics of keyboards, even of the same brand, and communications protocol stmctures are thorny hurdles for developers.”

… and some quiet knowledgeable people seem to not consider it successful nowadays neither:

“Other systems
Many other biometric technologies have been proposed [1315]. Typing patterns,
were used in products in the 1980s but don’t appear to have been successful…”

Ross Anderson, “Security Engineering” v3 Sep7, Chapter 17.7, p540

If you really care in spite of this information you should get yourself something like:

Then you can tinker with the firmware and add some random delays to keystrokes:

Maybe likes the idea of doing something like that and will add that feature by themself :wink: .