On 10/06/2015 02:55 PM, Travis Biehn wrote:
> It's sort of like voice biometrics - two people can share the same 'feature set' but you and your attacker (the person who has your banking password) are 'unlikely' to.
> It's not useful for positive identification by itself, out of that large database there would be many collisions.

True. But that's only one scenario in which such biometrics profiling could be used. I don't know of any bank that uses that, though.

Anywhoo… Another worrying scenario is using keypress timings to profile netizens in addition to other ways of recognizing them (be it User-agent string, Adobe Flash player + system font list, HTML5 <canvas> element). I think we should try to think of ways to mitigate this attack. Thoughts?

--
czesiek