
Paul Moore argues that one legitimate reason to disable paste in the password field (despite the downsides) is so that the server can use keystroke dynamics (behavioral biometrics) as a second form of authentication.

  1. Are there any websites using behavioral biometrics (on the password field specifically) as 2FA in the wild?
  2. If so, how successful has it been?
  3. Is there any particular reason to run the keystroke dynamics analysis on the password field specifically, instead of some other text field?
browly
  • I'm skeptical of this method. Note that if you disable pasting (or autotyping), then to be able to write the password the user has to 1) actually know the password (which should be impossible if all passwords are different and complex) or 2) read it somewhere and type it. This can result in users starting to think about reusing passwords or using weaker ones to be able to type them more easily, or users being required to read passwords in plaintext (on paper or on the monitor) and increasing the risk of shoulder surfing (just a pic of your monitor with the cleartext password and you are screwed) – reed Nov 29 '18 at 19:21
  • Agreed with reed... This encourages bad password hygiene. – DarkMatter Nov 29 '18 at 19:24
  • Couldn't you still analyze behavior without disabling pasting? (e.g. the user normally uses a password manager) – kemp Nov 29 '18 at 21:03
  • What an awful idea - behavior based authentication, until your behavior is forced to change or the environment that affects your behavior changes. – McMatty Nov 29 '18 at 22:43
  • @McMatty Exactly. One day someone will be sick and type slower than normal, or might have a broken wrist and only use one hand. Or maybe they're just really tired. You don't want that to lock them out. – forest Nov 30 '18 at 05:04

0 Answers