Show HN: Typing.ai – Secure typing biometrics authentication API
typing.ai

Hello HN, I am Rares, the founder of Typing AI (https://typing.ai). Typing AI is a typing biometrics authentication API that identifies users by the way they type using Artificial Intelligence.
After seeing several hacked sites we came to the conclusion that any application, any database and any code can be hacked. We realized that most security breaches are due to poorly implemented authentication.
This project uses Artificial Intelligence in order to detect the typing pattern by checking the keystroke dynamics. A unique typing ID is generated for each user. There are lots of people who tested the API and the accuracy level is over 99.9%. Our typing biometrics API can be easily integrated in web, desktop and mobile apps using any programming language. We're targeting big companies such as banks and top 500 businesses, because the API allows us to offer enterprise grade security.
The biggest problem in the banking and fintech world right now is the security of the sensitive data. A data breach can lead to bankruptcy. Due to the Covid-19 pandemic, schools and colleges were forced to take exams online. Some of our customers are educational organizations such as state and private schools, colleges, online courses and webinar platforms.
We are a remote team of 5 members split across Romania, Croatia, Bangladesh and India. Typing AI Biometrics j.d.o.o. is a company registered in the Republic of Croatia. The company is accelerated by Fil Rouge Capital, the leading Croatian VC.
By eliminating passwords, businesses can immediately reduce churn and cart abandonment and provide superior security for personal data. We have transformed authentication, making it faster, simpler and better! That's why we are helping more and more developers and businesses to secure web, mobile and desktop applications using typing biometrics authentication based on Artificial Intelligence and Machine Learning.
We have a Freemium Software as a Service (SaaS) business model and our monthly paid plans range from $21 to over $2000, depending on the number of user identity checks (monthly API calls). Our API can handle millions of API calls per hour (we paid for application load testing).
We have over 1000 nonpaying monthly active users. Our biggest customer has over 1 000 000 registered users and is based in the United States of America. This company is an online teaching platform that offers courses for driving, flying, snorkeling and scuba diving.
You can reach us on our official website: https://typing.ai
Please share your feedback and ask me anything, thanks!

Can anyone who has used this sort of tech before comment as to its validity and accuracy, especially over time? The first time I saw something like this was in a MOOC platform that used this sort of typing biometric to try to make sure that students were not cheating. That seemed to make sense to me, because I get that you could collect a relatively large sample of writing from the course and then match it to whatever final project the student submitted, both occurring in a short time from one another. Also, with a project like this you can certainly have a bias towards generating false negatives, and really just accuse an issue when the differences are really, really far apart. However, this is claiming to authenticate me as an individual. But what if my writing improves? What if I have a mechanical keyboard at work but a rinky-dink iPad case soft keyboard at home? Typing with one hand, etc? I'm not familiar with all the statistical markers that they can collect with a user's typing, and I see the claim of 99.9% accuracy, but I was just curious what people's experience was in the wild using this sort of thing.

Thanks for your questions. Regarding: "However, this is claiming to authenticate me as an individual. But what if my writing improves? What if I have a mechanical keyboard at work but a rinky-dink iPad case soft keyboard at home?" You will have to create separate typing signatures in order to cover both desktop and mobile apps, because mobile typing is totally different than the computer's keyboard typing. Typing AI is able to identify your device and is able to learn from previous detections. One of our advantages against the competition is that we're using a machine learning algorithm and the platform learns from previous detections. Thus it will be able to identify you even if you're using a smartphone, a tablet or a desktop computer.
Regarding the 99.9% detection accuracy score, I can confirm that in 2021, Typing AI Biometrics made over 300 000 user identity checks from over 30 000 unique users. When mentioning this score we used our yearly analytics, where 1 in 1000 identity checks was a false positive keystrokes detection.

Do I read that right?
1 in 1000 are false positives?
Does that mean 1 in 1000 users can log in as another by chance? That is no authentication scheme then.

Very good question. Simple answer - No, you won't be able to login as another by chance. You understood it wrong. If 1000 users try to login as you, the results of our statistics show that one of them may be able to do it. But if you combine typing biometrics with other authentication factors, using it as a two factor authentication (2FA) or as a multi factor authentication (MFA) solution, this scenario won't exist at all. So yes, typing biometrics is a very strong and efficient authentication method.

> If 1000 users try to login as you, the results of our statistics show that one of them may be able to do it.
So each user effectively gets assigned one of ~1000 ids, which is not that different to a three digit decimal PIN, that they then can use as password? It seems to use it as an authentication scheme, a username and 2FA/MFA is _mandatory_. I guess one could then also say: a username is a very strong and efficient authentication method.

I like the fact that you are playing with my words. I didn't say that we have 1000 IDs or that we are limited when creating the typing signatures. I said that we have a 99.9% detection accuracy score. Each signature translates into a unique and encrypted hash with a length of over 300 characters. Compare that with an 8-character unencrypted password, or with a 64-character encrypted password and you'll be able to decide for yourself which security is better and more efficient. Thanks for your interest in Typing AI.

My bank tried to add typing heuristics on the password box years ago. It wouldn’t lock you out, but you had to go through extra verification steps if you failed. I failed the test pretty much every time I logged in, and I’m sure it happened a lot because 6 months later it was gone.
In that use case it was an extra attempt at locking down bank access, which I can appreciate, but I hated that it was wrong most of the time.

Our API returns a signature detection percentage. We recommend our users to accept users with a signature accuracy score of over 80%. What does this mean? When you type in the morning or late at night you have a different typing pattern. When you are tired or drunk, you have a different keystroke pattern, but still, our algorithm is able to identify you. You won't have a 90% matching score, but you will still have over 80% signature matching score. This is why Typing AI's algorithm is better than our competitors.

I'm thinking about the password replacement use case. If an attacker (somehow) was to profile my typing, presumably they'd be able to replay keystrokes matching my own. Is there a way to "change my password" in those scenarios, or are there some sort of liveness checks you can perform to defeat replay? I registered, but I was surprised to see the registration used username+password. I suppose different use cases require different tech, but that was unexpected.

Interesting. Since I'm on my phone right now I wonder about mobile support. I suppose it's desktop only? Does it work as well if I'm in a hurry or type the phrase just with one hand? How long is the phrase and would it work with arbitrary text as well (I'm thinking of authenticating while typing a post/comment somewhere)?

Thanks for your questions. We provide both desktop and mobile support. But you will have different typing signatures in this case, one for mobile and one for desktop usage. The mobile typing is totally different than the computer keyboard typing. In order to guarantee strong security, we recommend you to use at least 8 characters for the signature (our competitors ask for over 160 characters). You can use an email address, a word, multiple words, a password. The longer your signature text is, the stronger will be the typing ID.
To allow the keystroke detection to work with arbitrary text you will have to submit multiple sentences in order to cover the entire alphabet. This case is also covered, but most of our users are defining the signature texts and they always use that text. Typing AI is using a machine learning algorithm and it learns from previous detections; this is one of our advantages against the competition. We can easily cover the case described by you: "I'm thinking of authenticating while typing a post/comment somewhere".

Genuinely curious, who here would want this as an authentication method for a service you use and why? I've seen a couple companies doing this and I just don't get it.

The one context where I've seen something like this that I thought was interesting was in an online MOOC. Presumably it would be trivial to give your account credentials to someone else in order to have them pass a quiz/test on the platform for you, or to write your essay. They used something similar to match the typing pattern compared to some other sample that had been taken when identity was verified off-band, so then in subsequent submissions of writing samples in the platform, they could have more confidence that it was submitted by the original student.

On 14 September 2019, Europe adopted the PSD2 payment standard which requires banks and fintechs to integrate two factor authentication solutions. The typing biometrics can be integrated with other 2FA methods, increasing its use and importance. PSD2 is the second revision of the Payment Service Directive (PSD, 2007), which is aimed at developing the market for electronic payments in the EU. The different measures highlight the opening for other companies to use banks' payment services (Open Banking) and two-factor authentication (2FA) to increase security in transactions and prevent online fraud. You can find more details about PSD2 here: https://ec.europa.eu/commission/presscorner/detail/en/MEMO_1...