Some tech companies can identify you based on your face, others the way you walk and some can even look at your heartbeat or ear shape. Now one startup is finding a fresh way to confirm identity based on the way users physically type on keyboards and touch screens.
TypingDNA, founded in Romania in 2016, is part of a new wave of companies looking at passive and frictionless cybersecurity solutions — i.e. those that don’t require chips, card readers or inputting codes received via text message. This could be particularly useful for the financial services industry but could also provide solutions for other sectors.
In January TypingDNA raised €1.3m in seed funding, which it says it will use to continue to improve the technology and expand its presence in the banking and enterprise sectors.
“We're not looking at what you type. That's really an important distinction,” says Raul Popa, the company’s cofounder and chief executive. “We’re looking at timing within the keys and on mobile phones we're looking at stuff like how you tilt your phone between typing different characters, how you type certain words.”
He says that the whole online security business has moved on in recent years and new solutions like TypingDNA are needed. “10 years ago passwords were like 123456. Very simple passwords. Two-factor authentication started to pick up around 2012,” says Popa. Now, he says, the drive is to find frictionless solutions.
Among the more intriguing options being explored is behavioural biometrics, which use patterns in human activity to identify individual behaviour. This, however, has its own limitations.
Popa says that while it’s highly unlikely someone else will be mistaken for you, there are challenges to being identified by how we type. “False positives we can minimise to almost theoretical zero – you being identified as somebody else or somebody, an attacker, being identified as you,” he says.
But he admits that the technology will mean that sometimes there are false negatives.
“Our technology is not as accurate as other biometrics, because we're behavioural biometrics, so sometimes you may not type exactly like you normally type,” he adds. “This is the minus, but it’s frictionless and most institutions understand that there is a tradeoff and that there’s not just one method of cybersecurity that will solve everything.”
Instead many of TypingDNA’s clients, which include financial institutions, use typing biometrics as a first layer and if it's not enough they send the client through another application. “Maybe that’s more intrusive but it solves the problem, instead of forcing everyone to receive an SMS etc.,” says Popa.
In June the company launched a multi-factor authentication solution, where they bundled together typing biometrics with SMS authentication and one-time email passwords. It also launched a free Chrome extension that works with applications like Amazon Web Services and Gmail.
While financial institutions are an obvious target for the technology because of the demand for strong cybersecurity tools to protect clients' money, TypingDNA has found considerable success with universities because of the changes in the way they administer examinations.
“In the United States, a lot of exams are done online,” says Cristian Tamas, TypingDNA’s other cofounder and its chief marketing officer. “They’ve replaced the physical testing centres with online proctoring, so we work with these kinds of companies and also with universities directly to make sure that students don't cheat, that they actually take their own exams.”
TypingDNA now works with some of the biggest proctoring companies in the world, such as ProctorU, which administers exams for thousands of universities.
Still, there’s plenty more to do and plenty of obstacles to overcome.
In 2018 TypingDNA moved its headquarters to New York to be closer to its main client base. “Most of our customers are from the States because in Europe companies are more reluctant to integrate this very early technology,” says Popa. “The US was more open to integrate our technology so it made sense for us to say ‘Okay, let's be closer to our customers’.”
For the time being, however, both founders and most of the team are based in Oradea, in northwestern Romania, though Popa expects to move to the US by the end of the year. The company currently has around 15 employees.
Going forward Popa sees behavioural biometrics as a technology that could spread widely, pushed by companies like his, as well as more expansive behavioural biometric companies such as BehavioSec and BioCatch. He also believes that they will ultimately be able to improve the technology enough to work with short combinations of typed letters and numbers like a standard PIN.
“We're looking at a lot of sensors for some of the clients that we have on mobile phones, to the point where we're able to look at when you type in PINs or very short words and based on that we can already say with a certain accuracy whether it is the same person or not who's typing,” he says.
In June the European Banking Authority (EBA) approved typing biometrics as compliant for multi-factor authentication, which could aid its adoption among financial institutions.
“Probably in the first case they're going to look at security factors that are more mainstream, other types of identification tokens and so forth,” says Popa. “But I think, because of the friction, there will be a second wave, we already see this happening. Banks that already integrated something to be compliant, they're already looking at other things because they realise there is going to be a lot of churn and people will move to banks or services that are easier to use, less friction.
“So the second wave, I think they will start looking at technologies that run behind the scenes, like TypingDNA,” he says.