Latent Typing Biometrics in Online Collaboration Services

The use of typing biometrics has been extensively studied in the context of enhancing multi-factor authentication services. The key starting point for such work has been the collection of high-fidelity local timing data, and the key (implicit) security assumption has been that such biometrics could not be obtained by other means.

We show that the latter is false, and that it is entirely feasible to obtain useful typing biometric signatures from the timing logs produced by real-time collaboration services during their normal operation. We construct successful biometric attacks using \emph{only} the log-based structure (complete editing history) of a shared Google Docs, or Zoho Writer, document which is readily available to all collaborating parties. Using the largest available public data set, we are able to create successful forgeries 100\% of the time against a commercial biometric service.

Our results suggest that typing biometrics are not robust against practical forgeries, and should not be given the same weight as other authentication factors. Another important implication is that the routine collection of detailed timing logs by various online services also inherently (and implicitly) contains biometrics. This not only raises obvious privacy concerns, but may also undermine the effectiveness of network anonymization solutions, such as ToR, when used with existing services.