Fingerprint - keystroke fingerprinting
what's this?
jquery version

What's this? - Authentication keystroke fingerprinting

Traditionally, authentication is done with a subset of four different identifiers. They're usually said to be

  • - Something you know (username, password)
  • - Something you have (key, passport)
  • - Something you are (finger print, retina scan)
  • - Something you do (signature, speech recognition) [wikipedia]

On the web, we're very familiar with the "things we know" - practically all web logins depends on usernames and passwords. For a higher level, e.g. for online banking, there are often certificates involved. Unfortunately we don't have the technology to do biological identification online (at least not for the common user).

"Something you do"

However, "something you do" only requires some sort of specific interaction quantification. In today's web browser, we have that. Thus the password fingerprinting - a way to identify you by the pattern with which you type your password. Give it a try by typing in your password and login. Your password is not sent anywhere, just used to measure your key strokes.

Fingerprint - how does it work?

By monitoring your key strokes, jquery.fingerprint.js records time stamps of every time a key goes up and down. These values are then automatically injected into the login form, and sent to the server along with the username and password.

How do I use it?

Super easy:


This automatically injects hidden fields with names 'timestamp-down' and 'timestamp-up' for the respective timestamps. On submit, these values get sent to the server, separated by commas.

If you want the value arrays instead, you can just pass in a function to receive the timestamps - this function automatically gets called when the form is submitted.

		// .. process the timespamps here

To get started, you could just copy the source of this page into your web.

However, if you start using it, make sure to download your own copy of the source and don't hotlink mine. I might very well change the url with time.


Obviously, we still have to develop algorithms to identify users by their typing patterns. That's server side though, and I leave it up to you for now. Please contact me if you know a good algorithm or implementation of this.


This is a proof of concept, and it wouldn't surprise me if there are a few bugs lurking in there. Help me chase 'em down!


User name