Forem: TypingDNA

How To Implement Biometric 2FA in a Cryptocurrency Wallet with Python, Flask and TypingDNA

LordGhostX — Fri, 16 Apr 2021 10:16:21 +0000

This article focuses on implementing biometric two-factor authentication (2FA) and risk-based authentication (RBA) in a cryptocurrency wallet built with Python and Flask using the TypingDNA Authentication API.

TypingDNA helps protect user accounts with robust typing biometrics analysis, accurately and passively. With TypingDNA, you can learn and match your users’ typing patterns and use that information for multi-factor authentication (MFA) on your web platforms.

This article includes a step-by-step guide to integrating TypingDNA Authentication API into a Python web application. We will add an extra layer of security to user authentication and authenticate users before doing risk-based actions like withdrawal. To learn more about TypingDNA, visit the official website.

Introduction to TypingDNA
Setting up our demo application
Enrolling new users into TypingDNA
Authenticating users with TypingDNA
Adding 2FA fallback for user authentication
Risk-based authentication with TypingDNA
Conclusion

A Brief Introduction to TypingDNA

Of course, we now know TypingDNA is a company that provides a biometrics authentication API. But how does it authenticate users?

At its core, TypingDNA listens and records users’ keystrokes as they type to analyze their patterns using its biometrics engine. TypingDNA is used in cases where you need to be sure the intended user is the one acting, such as resetting account passwords, multi-factor authentication, risk-based authentication, or as an alternative for OTPs.

TypingDNA is not constrained to specific use cases or authentication stacks and can be incorporated any place within your architecture where end users are typing.

We will be exploring most of this together momentarily. But if you’re eager to learn more, check out the TypingDNA documentation.

Getting Started with TypingDNA

To get started with TypingDNA, create an account on their platform.

Next, we will copy our API keys (apiKey and apiSecret) to be stored somewhere secure and easily retrievable. The API keys allow any application we will be building to easily communicate with our TypingDNA account via the REST API.

Setting Up Our Flask Application

In this tutorial, we will be starting with our frontend and backend resources (i.e., Python, Flask, and Bootstrap) for our online cryptocurrency wallet. After that, we will make our way to the two-factor authentication with TypingDNA.

For the sake of convenience, I have written a Flask application with a Bootstrap user interface that we will use in this article. To get started, you will need to clone my repository and initialize the application like so:

git clone https://github.com/LordGhostX/typingdna-trx-wallet
cd typingdna-trx-wallet

Next, we will be installing all the external libraries our project requires to run. In your terminal, type:

cd without-typingdna
pip install -r requirements.txt

At this point, we want to customize our application settings. Open your app.py file and make changes where necessary.

Finally, let’s run our application to make sure it’s working. In your terminal, type:

python app.py

Enrolling New Users into TypingDNA

Downloading TypingDNA JavaScript Files

Now we have gotten our Flask application running, let’s move on to implementing two-factor authentication (2FA) with TypingDNA.

We will import the typingdna.js file in the page that wants to record our users’ typing patterns. You can download the file from GitHub. You can also get it here and here.

Create a static folder in your project folder and place the typingdna.js file in it. We will also be downloading the TypingDNA Autocomplete Disabler and Typing Visualizer to clarify to our users that their typing pattern is recorded.

To do this, download autocomplete-disabler.js and typing-visualizer.js here and store them in the static folder. Our project structure should resemble the image below.

Building TypingDNA Enrollment Page

TypingDNA requires us to enroll users so their typing patterns can be matched in the future for authentication. Enrolling a user means we record and save their typing patterns, so the system is familiar with the way a particular user types.

First, we want to update our login route to redirect the users to our enrollment page if they have not secured their account with TypingDNA or the verification page if the user has set up TypingDNA authentication on their profile. We will create a variable in our session to store whether TypingDNA has verified TypingDNA has verified the current user session. Update your login route in your app.py file with the code below:

@app.route("/auth/login/", methods=["GET", "POST"])
def login():
    if "user" in session:
        return redirect(url_for("dashboard"))

    if request.method == "POST":
        username = request.form.get("username").strip().lower()
        password = request.form.get("password")

        user = User.query.filter_by(
            username=username, password=encrypt_password(password)).first()
        if user:
            session["user"] = {
                "email": user.email,
                "username": user.username,
                "address": user.address
            }
            session["typingdna_auth"] = False
            return redirect(url_for("dashboard"))
        else:
            flash("You have supplied invalid login credentials", "danger")
            return redirect(url_for("login"))
    return render_template("login.html")

Next, we will be building the route to enroll our users. Add the following code to your app.py file.

@app.route("/auth/typingdna/enroll/", methods=["GET", "POST"])
@login_required
def enroll_typingdna():
    return render_template("typingdna-enroll.html")

We will now create a file named typingdna-enroll.html stored in the templates folder. Paste the following code in the file:

{% extends "bootstrap/base.html" %}

{% block content %}
<div class="container">
  <div class="row justify-content-center">
    <div class="col-lg-12">
      <div class="jumbotron text-center p-4">
        <h2>Online TRON Cryptocurrency Wallet</h2>
        <p>Set TypingDNA 2FA on your online wallet</p>
      </div>
    </div>
    <div class="col-lg-6 text-center">
      <div class="alert alert-success" role="alert">
        <h4 class="alert-heading">TypingDNA 2FA Authentication</h4>
        <hr>
        <p class="mb-0">Enter the text below without quotes to complete the authentication process</p>
      </div>
      {% with messages = get_flashed_messages(with_categories=true) %}
      {% if messages %}
      {% for category, message in messages %}
      <div class="alert alert-{{ category }}" role="alert">
        {{ message }}
      </div>
      {% endfor %}
      {% endif %}
      {% endwith %}
      <div id="failed-auth" class="alert alert-danger" role="alert" style="display: none">
        <strong>You have not completed your authentication, please type the text above</strong>
      </div>
      <form method="POST">
        <div class="form-group">
          <label><strong>"I am authenticated by the way I type"</strong></label>
          <input type="text" class="form-control disable-autocomplete" id="auth-text">
        </div>
        <div class="text-center">
          <input type="hidden" id="tp" name="tp">
          <button type="button" class="btn btn-success" onclick="startAuthentication()">Start Authentication</button>
        </div>
      </form>
    </div>
  </div>
</div>
{% endblock %}

We will now be importing the typingdna.js, autocomplete-disabler.js and typing-visualizer.js files we downloaded earlier in our enrollment page. Add the following code right before the {% endblock %} section at the end of the typingdna-enroll.html file:

<script src="{{ url_for('static', filename='typingdna.js') }}">
</script>
<script src="{{ url_for('static', filename='autocomplete-disabler.js') }}">
</script>
<script src="{{ url_for('static', filename='typing-visualizer.js') }}">
</script>

Our project structure and enrollment HTML page should resemble the images below.

You should also note that the TypingDNA visualizer only captures input elements with the disable-autocomplete class attribute. Hence, why we added it to our input HTML tag like below.

<input type="text" class="form-control disable-autocomplete" id="auth-text">

Recording Typing Patterns with TypingDNA

Now that we have a page for capturing user typing patterns, we want to integrate the TypingDNA recorder and visualizer into the page to enroll our users.

First, we will create an instance of the TypingDNA and AutocompleteDisabler classes, so the user typing starts being recorded (as a history of keystroke events).

Add the code below right after the TypingDNA importation in the typingdna-enroll.html page.

<script>
  var tdna = new TypingDNA();
  var autocompleteDisabler = new AutocompleteDisabler({
    showTypingVisualizer: true,
    showTDNALogo: true
  });
  TypingDNA.addTarget("auth-text");
  TypingDNA.start();
</script>

Next, we will create a variable to store our users’ captured typing patterns and a function named startAuthentication that the users will trigger after entering the auth text.

<script>
  var tdna = new TypingDNA();
  var autocompleteDisabler = new AutocompleteDisabler({
    showTypingVisualizer: true,
    showTDNALogo: true
  });
  TypingDNA.addTarget("auth-text");
  TypingDNA.start();

  var typingPatterns = [];

  function compareTexts(t1, t2) {
    var dt1 = t1.split(' ');
    var dt2 = t2.split(' ');
    var total2 = 0;
    var total1 = 0;
    for (var i in dt2) {
      total2 += (dt1.indexOf(dt2[i]) > -1) ? 1 : 0;
    }
    for (var i in dt1) {
      total1 += (dt2.indexOf(dt1[i]) > -1) ? 1 : 0;
    }
    var total = (dt1.length > dt2.length) ? dt1.length : dt2.length;
    var length = (dt1.length > dt2.length) ? dt1.length : dt2.length;
    return total / length;
  }

  function startAuthentication() {
    let typedText = document.getElementById("auth-text").value;
    let textToType = "I am authenticated by the way I type";

    document.getElementById("failed-auth").style.display = "none";
    document.getElementById("auth-text").value = "";
    TypingDNA.stop();

    let typingPattern = tdna.getTypingPattern({
      type: 1,
      text: textToType
    });

    if (typingPattern == null || compareTexts(textToType, typedText) < 0.8) {
      document.getElementById("failed-auth").style.display = "block";
    } else {
      typingPatterns.push(typingPattern);

      if (typingPatterns.length == 3) {
        let tp = typingPatterns[0] + ";" + typingPatterns[1] + ";" + typingPatterns[2];
        document.getElementById("tp").value = tp;
        document.forms[0].submit();
      } else {
        alert("Successfully logged typing pattern, please type the text again to improve accuracy");
      }
    }

    TypingDNA.reset();
    TypingDNA.start();
  }
</script>

In the code above, when the startAuthentication function is called, we first told TypingDNA to stop recording user keystrokes using the TypingDNA.stop() method so we could analyze them.

Then, we captured the user typing pattern with the sametext TypingDNA capture method. You can find more ways in the official docs.

After capturing the typing pattern, we need to check to make sure the process was successful. If it wasn’t, we’ll display an error message for the user.If it was successful, we store it in the typingPatterns variable we created earlier.

To check if the typing pattern was captured successfully, we performed a few checks on the user input following the TypingDNA docs guidelines.

First, we checked if the pattern captured is null (this means the user did not type the correct text). Then we accounted for typos the user can make when typing by checking if they typed at least 80% of the text that should be typed using (typedText.length / textToType.length) < 0.8 and checking if at least 80% of the words were typed correctly using compareTexts(textToType, typedText) < 0.8.

For accurate recording and matching of user typing patterns, we require the users to type the authentication text three times. In our code above, we check if we have captured up to three patterns. If we have, we submit the form with document.forms[0].submit(); else, we store the pattern and ask the user to start all over.

Before submitting the typing patterns, we concatenate them into a single string separated by semicolons (;) as required by TypingDNA Authentication API.

After saving the typing pattern and telling the user to start all over, we use the TypingDNA.reset() method to reset everything that has been recorded and TypingDNA.start() to start the recorder again because we stopped it earlier.

Saving Typing Patterns with TypingDNA

Saving typing patterns with TypingDNA means storing the captured patterns in our account so TypingDNA can analyze and use them for future authentications. We will be using the ”auto” endpoint in the TypingDNA Authentication API to record and verify typing patterns captured from our users.

To interact with the TypingDNA Authentication API, we will be creating a helper library to make things easy for us. Create a file named typingdna.py in your project folder and save the following code in it:

import base64
import hashlib
import requests


class TypingDNA:
    def __init__(self, apiKey, apiSecret):
        self.apiKey = apiKey
        self.apiSecret = apiSecret
        self.base_url = "https://api.typingdna.com"

        authstring = f"{apiKey}:{apiSecret}"
        self.headers = {
            "Authorization": "Basic " + base64.encodebytes(authstring.encode()).decode().replace("\n", ""),
            "Content-Type": "application/x-www-form-urlencoded"
        }

    def auto(self, id, tp, custom_field=None):
        url = f"{self.base_url}/auto/{id}"
        data = {
            "tp": tp,
            "custom_field": custom_field
        }
        return requests.post(url, headers=self.headers, data=data)

    def check_user(self, id, pattern_type=None, text_id=None, custom_field=None):
        url = f"{self.base_url}/user/{id}"
        params = {
            "type": pattern_type,
            "text_id": text_id,
            "custom_field": custom_field
        }
        return requests.get(url, headers=self.headers, params=params)

    def hash_text(self, text):
        reversed_text = text[::-1]
        text_to_hash = text + reversed_text
        return hashlib.sha512(text_to_hash.encode()).hexdigest()

Our project structure should resemble the image below:

We also added a function to hash users’ IDs before submitting them to TypingDNA Authentication API as defined in the official docs.

Now that we have built our helper library, let’s move on to saving our users’ typing patterns in our accounts for future matching.

First, import the helper library class into our Flask app. We will be creating an instance of our helper class by supplying the apiKey and apiSecret we saved from our TypingDNA dashboard earlier.

from typingdna import TypingDNA
tdna = TypingDNA("apiKey", "apiSecret")

Our app.py file libraries importation should look like the image below:

Next, we want to update our enroll_typingdna route to save the typing patterns we received in our TypingDNA account. Update the route with the code below:

@app.route("/auth/typingdna/enroll/", methods=["GET", "POST"])
@login_required
def enroll_typingdna():
    if request.method == "POST":
        tp = request.form.get("tp")
        username = session["user"]["username"]
        r = tdna.auto(tdna.hash_text(username), tp)
        if r.status_code == 200:
            session["typingdna_auth"] = True
            flash("You have successfully registered TypingDNA 2FA", "success")
            return redirect(url_for("dashboard"))
        else:
            flash(r.json()["message"], "danger")
            return redirect(url_for("enroll_typingdna"))
    return render_template("typingdna-enroll.html")

In the code above, we retrieved the user’s typing pattern via the form then sent it to the TypingDNA Authentication API via the “auto” endpoint. If the status code of the request was successful (status code 200), we will update the user data in our database to indicate they have been enrolled, and mark the current logged-in session as authenticated with session["typingdna_auth"] = True.

After this, we redirect the user to their dashboard. If the authentication was unsuccessful (due to an error from TypingDNA), we will prompt the error message to the user and let them retry the enrollment process.

Authenticating Users with TypingDNA

Adding 2FA to Our Login

The whole point of two-factor authentication (2FA) requires users to pass two different authentication processes before granting them access to the system. We want to make sure the user passes our TypingDNA test right after they have logged in (for already enrolled users).

We will be making use of the "Check User" endpoint to verify the enrollment status of our users by checking the number of typing patterns we have collected from them and will be redirecting users who have not been enrolled to the enrollment page and after that, redirect users who have not verified their TypingDNA identity to the verification page. Add the code below to the top of the dashboard route we created earlier:

def check_typingdna(user, pattern_type):
    r = tdna.check_user(tdna.hash_text(user.username), pattern_type=pattern_type)
    if r.status_code == 200:
        data = r.json()
        if data["count"] >= 3:
            return True
        else:
            return False
    else:
        abort(500)


@app.route("/dashboard/", methods=["GET", "POST"])
@login_required
def dashboard():
    user = User.query.filter_by(username=session["user"]["username"]).first()
    pattern_type = 1
    if not check_typingdna(user, pattern_type):
        return redirect(url_for("enroll_typingdna"))
    if not session["typingdna_auth"]:
        return redirect(url_for("verify_typingdna"))


@app.errorhandler(500)
def internal_server_error_handler(e):
    return "<h1>An internal server error occured or our servers have exceeded TypingDNA API rate limits.</h1>"

Building TypingDNA Verification Page

First, we will create a verify_typingdna route that will capture user typing patterns and, afterward, use TypingDNA Authentication API to verify the claimed user’s identity. Add the following code to your app.py file.

@app.route("/auth/typingdna/verify/", methods=["GET", "POST"])
@login_required
def verify_typingdna():
    return render_template("typingdna-verify.html")

After that, we will create a file named typingdna-verify.html that will be stored in the templates folder. Paste the following code in the file:

{% extends "bootstrap/base.html" %}

{% block content %}
<div class="container">
  <div class="row justify-content-center">
    <div class="col-lg-12">
      <div class="jumbotron text-center p-4">
        <h2>Online TRON Cryptocurrency Wallet</h2>
        <p>Verify TypingDNA 2FA to access your online wallet</p>
      </div>
    </div>
    <div class="col-lg-6 text-center">
      <div class="alert alert-success" role="alert">
        <h4 class="alert-heading">TypingDNA 2FA Authentication</h4>
        <hr>
        <p class="mb-0">Enter the text above without quotes to complete the authentication process</p>
      </div>
      {% with messages = get_flashed_messages(with_categories=true) %}
      {% if messages %}
      {% for category, message in messages %}
      <div class="alert alert-{{ category }}" role="alert">
        {{ message }}
      </div>
      {% endfor %}
      {% endif %}
      {% endwith %}
      <div id="failed-auth" class="alert alert-danger" role="alert" style="display: none">
        <strong>You have not completed your authentication, please type the text above</strong>
      </div>
      <form method="POST">
        <div class="form-group">
          <label><strong>"I am authenticated by the way I type"</strong></label>
          <input type="text" class="form-control disable-autocomplete" id="auth-text">
        </div>
        <div class="text-center">
          <input type="hidden" id="tp" name="tp">
          <button type="button" class="btn btn-success" onclick="startAuthentication()">Start Authentication</button>
        </div>
      </form>
    </div>
  </div>
</div>
{% endblock %}

Next, we will be importing the typingdna.js, autocomplete-disabler.js and typing-visualizer.js files we downloaded earlier in our verification page. Add the following code right before the {% endblock %} section at the end of the typingdna-verify.html file:

<script src="{{ url_for('static', filename='typingdna.js') }}">
</script>
<script src="{{ url_for('static', filename='autocomplete-disabler.js') }}">
</script>
<script src="{{ url_for('static', filename='typing-visualizer.js') }}">
</script>

Verifying User Identities with TypingDNA

We now have a page for verifying our users’ identity; we want to integrate the TypingDNA recorder into the page, to capture, analyze, and match user typing patterns. First, we will create an instance of the TypingDNA and AutocompleteDisabler classes so the user typing starts being recorded (as a history of keystroke events).

Add the code below right after the TypingDNA importation in the typingdna-enroll.html page.

<script>
  var tdna = new TypingDNA();
  var autocompleteDisabler = new AutocompleteDisabler({
    showTypingVisualizer: true,
    showTDNALogo: true
  });
  TypingDNA.addTarget("auth-text");
  TypingDNA.start();

  function compareTexts(t1, t2) {
    var dt1 = t1.split(' ');
    var dt2 = t2.split(' ');
    var total2 = 0;
    var total1 = 0;
    for (var i in dt2) {
      total2 += (dt1.indexOf(dt2[i]) > -1) ? 1 : 0;
    }
    for (var i in dt1) {
      total1 += (dt2.indexOf(dt1[i]) > -1) ? 1 : 0;
    }
    var total = (dt1.length > dt2.length) ? dt1.length : dt2.length;
    var length = (dt1.length > dt2.length) ? dt1.length : dt2.length;
    return total / length;
  }

  function startAuthentication() {
    let typedText = document.getElementById("auth-text").value;
    let textToType = "I am authenticated by the way I type";

    document.getElementById("failed-auth").style.display = "none";
    document.getElementById("auth-text").value = "";
    TypingDNA.stop();

    let typingPattern = tdna.getTypingPattern({
      type: 1,
      text: textToType
    });

    if (typingPattern == null || compareTexts(textToType, typedText) < 0.8) {
      document.getElementById("failed-auth").style.display = "block";
      TypingDNA.reset();
      TypingDNA.start();
    } else {
      document.getElementById("tp").value = typingPattern;
      document.forms[0].submit();
    }
  }
</script>

In the code above, when the startAuthentication function is called, we first stopped TypingDNA from recording keystrokes, then we captured the user typing pattern with the sametext capture method. If the capturing is successful, we will submit the form with the recorded typing pattern for verification.

We will also update our verify_typingdna route to capture and verify the submitted user typing pattern with the auto endpoint in the TypingDNA Authentication API.

@app.route("/auth/typingdna/verify/", methods=["GET", "POST"])
@login_required
def verify_typingdna():
    if request.method == "POST":
        tp = request.form.get("tp")
        username = session["user"]["username"]
        r = tdna.auto(tdna.hash_text(username), tp)
        if r.status_code == 200:
            if r.json()["result"] == 1:
                session["typingdna_auth"] = True
                return redirect(url_for("dashboard"))
            else:
                flash(
                    "You failed the TypingDNA verification check, please try again", "danger")
                return redirect(url_for("verify_typingdna"))
        else:
            flash(r.json()["message"], "danger")
            return redirect(url_for("verify_typingdna"))
    return render_template("typingdna-verify.html")

If the request was successful (status code 200), we check if the typing pattern submitted is an accurate match for our user profile. If it is, we verify the current user session with session["typingdna_auth"] = True. If there was an error or not a match, we will prompt the user’s error message and retry the authentication process.

Implementing 2FA Fallback Option with Email OTP

Let’s build a fallback option used as user authentication for backing up TypingDNA Authentication API. The fallback option is vital when the user's typing pattern is severely damaged (e.g., the user breaks their hand) or conditions that prevent TypingDNA from accurately matching their typing pattern.

Update the verification form in our typingdna-verify.html file with the code below

<form method="POST">
  <div class="form-group">
    <label><strong>"I am authenticated by the way I type"</strong></label>
    <input type="text" class="form-control disable-autocomplete" id="auth-text">
  </div>
  <div class="text-center">
    <input type="hidden" id="tp" name="tp">
    <button type="button" class="btn btn-success" onclick="startAuthentication()">Start Authentication</button>
  </div>
  <div class="text-center">
    <a href="{{ url_for('otp_verification') }}">
      <p class="mt-2">Can't complete TypingDNA verification? Use email OTP instead</p>
    </a>
  </div>
</form>

Next, we need to install the required libraries required for sending emails with Flask. Run the following code in your terminal:

pip install Flask-Mail

After installing the Flask-Mail module, we need to integrate it into our application. Add the following code to your app.py file:

import random
from flask_mail import Mail, Message

app.config["MAIL_SUPPRESS_SEND"] = True
mail = Mail(app)

For our demo, we will be using the MAIL_SUPPRESS_SEND setting in Flask, so it simulates sending emails without the need for an SMTP server; you can read more on Flask-Mail here. Our Flask application imports should now resemble the image below:

We will also be adding a route in our Flask application responsible for generating and verifying OTPs sent to users’ emails.

@app.route("/auth/email/verify/", methods=["GET", "POST"])
@login_required
def otp_verification():
    if request.method == "POST":
        otp_code = request.form.get("otp_code").strip()
        if encrypt_password(otp_code) == session["otp_code"]:
            session["typingdna_auth"] = True
            session.pop("otp_code")
            return redirect(url_for("dashboard"))
        else:
            flash(
                "You failed the Email OTP verification check, please try again", "danger")
            return redirect(url_for("otp_verification"))

    otp_code = str(random.randint(100000, 999999))
    session["otp_code"] = encrypt_password(otp_code)
    msg = Message("Crypto Wallet OTP", sender="otp@flaskcryptowallet.com",
                  recipients=[session["user"]["email"]])
    msg.body = f"The generated OTP for your Flask Cryptocurrency Wallet is {otp_code}"
    print(msg)
    mail.send(msg)

    flash("Check your email address for the verification OTP", "success")
    return render_template("email-verify.html")

Next, we will be creating the email-verify.html file that this route will render. The page would have a form that the user will use to submit the received OTP.

Create a file named email-verify.html in our templates folder and save the following code in it:

{% extends "bootstrap/base.html" %}

{% block content %}
<div class="container">
  <div class="row justify-content-center">
    <div class="col-lg-12">
      <div class="jumbotron text-center p-4">
        <h2>Online TRON Cryptocurrency Wallet</h2>
        <p>Verify Email OTP to access your online wallet</p>
      </div>
    </div>

    <div class="col-lg-6 mt-2">
      {% with messages = get_flashed_messages(with_categories=true) %}
      {% if messages %}
      {% for category, message in messages %}
      <div class="alert alert-{{ category }}" role="alert">
        {{ message }}
      </div>
      {% endfor %}
      {% endif %}
      {% endwith %}
      <form method="POST">
        <div class="form-group">
          <label for="otp_code">Email OTP</label>
          <input type="number" class="form-control" id="otp_code" name="otp_code" placeholder="Enter the Email OTP Received" required>
        </div>
        <div class="text-center">
          <button type="submit" class="btn btn-success">Verify Email OTP</button>
        </div>
        <div class="text-center">
          <a href="{{ url_for('verify_typingdna') }}">
            <p class="mt-2">Can't complete email OTP? Use TypingDNA verification instead</p>
          </a>
        </div>
      </form>
    </div>
  </div>
</div>
{% endblock %}

We have now set up our email OTP verification functionality to serve as our 2FA fallback option. Accessing the route should give you a response similar to the image below:

Securing User Actions with TypingDNA

We also want to implement risk-based authentication (RBA) for our wallet withdrawal functionality with TypingDNA to serve as an extra layer of security for the action in our application. Update the withdrawal form in the dashboard.html file with the code below:

<div id="failed-auth" class="alert alert-danger" role="alert" style="display: none">
  <strong>You have not completed your authentication, please type the text above</strong>
</div>
<form class="col-lg-6 col-md-8 offset-lg-3 offset-md-2 text-center" method="POST">
  <div class="form-group">
    <label for="wallet-balance">Wallet Balance</label>
    <input type="text" id="wallet-balance" class="form-control" value="{{ '{:,.6f}'.format(balance) }} TRX" readonly>
  </div>
  <div class="form-group">
    <label for="amount">Withdrawal Amount</label>
    <input type="number" step="0.000001" name="amount" class="form-control" id="amount" placeholder="Enter withdrawal amount" required>
  </div>
  <div class="form-group">
    <label for="address">Withdrawal Address</label>
    <input type="text" class="form-control" id="address" name="address" placeholder="Enter withdrawal address" required>
  </div>
  <div class="form-group">
    <label for="password">Account Password</label>
    <input type="password" class="form-control" id="password" name="password" placeholder="Enter Password" required>
  </div>
  <div class="form-group">
    <label>Enter the text <strong>I am authenticated by the way I type</strong> to complete the authentication process</label>
    <input type="hidden" id="tp" name="tp">
    <input type="text" class="form-control disable-autocomplete" id="auth-text">
  </div>
  <button type="button" class="btn btn-success" onclick="startAuthentication()">Make Withdrawal</button>
</form>

Next, we want to add the TypingDNA recorder and visualizer to the dashboard.html file to capture user typing patterns and submit the withdrawal form.

<script src="{{ url_for('static', filename='typingdna.js') }}">
</script>
<script src="{{ url_for('static', filename='autocomplete-disabler.js') }}">
</script>
<script src="{{ url_for('static', filename='typing-visualizer.js') }}">
</script>
<script>
  var tdna = new TypingDNA();
  var autocompleteDisabler = new AutocompleteDisabler({
    showTypingVisualizer: true,
    showTDNALogo: true
  });
  TypingDNA.addTarget("auth-text");
  TypingDNA.start();

  function compareTexts(t1, t2) {
    var dt1 = t1.split(' ');
    var dt2 = t2.split(' ');
    var total2 = 0;
    var total1 = 0;
    for (var i in dt2) {
      total2 += (dt1.indexOf(dt2[i]) > -1) ? 1 : 0;
    }
    for (var i in dt1) {
      total1 += (dt2.indexOf(dt1[i]) > -1) ? 1 : 0;
    }
    var total = (dt1.length > dt2.length) ? dt1.length : dt2.length;
    var length = (dt1.length > dt2.length) ? dt1.length : dt2.length;
    return total / length;
  }

  function startAuthentication() {
    let typedText = document.getElementById("auth-text").value;
    let textToType = "I am authenticated by the way I type";

    document.getElementById("failed-auth").style.display = "none";
    document.getElementById("auth-text").value = "";
    TypingDNA.stop();

    let typingPattern = tdna.getTypingPattern({
      type: 1,
      text: textToType
    });

    if (typingPattern == null || compareTexts(textToType, typedText) < 0.8) {
      document.getElementById("failed-auth").style.display = "block";
      TypingDNA.reset();
      TypingDNA.start();
    } else {
      document.getElementById("tp").value = typingPattern;
      document.forms[1].submit();
    }
  }
</script>

Finally, we will verify the typing pattern in our withdrawal function before processing the request. Add the following code to the dashboard route in the app.py file:

tp = request.form.get("tp")
username = session["user"]["username"]
r = tdna.auto(tdna.hash_text(username), tp)
if r.status_code == 200:
    if r.json()["result"] == 0:
        flash(
            "You failed the TypingDNA verification check, please try again", "danger")
        return redirect(url_for("dashboard"))
else:
    flash(r.json()["message"], "danger")
    return redirect(url_for("dashboard"))

Conclusion

By integrating TypingDNA Authentication API with Python and Flask, we were able to implement two-factor authentication and risk-based authentication using biometrics in a cryptocurrency wallet with minimal effort. We also saw how easy it was to create and verify identities by analyzing user typing patterns with TypingDNA.

The source code of our application is available on GitHub. Trying out TypingDNA for biometric authentication was very interesting, and I can’t wait to see the amazing things you build with it!

If you have any questions, don't hesitate to contact me on Twitter: @LordGhostX

TypingDNA is launching a new typing biometrics 2FA solution to replace SMS OTP

Madalina Burci — Tue, 16 Mar 2021 09:52:02 +0000

Introducing TypingDNA Verify: A smarter, user-friendly authentication that replaces SMS 2FA codes, reducing costs by an order of magnitude. First companies to integrate Verify get our service free of charge for the first year.

Let us know what you think in the comments!

Adding two-factor authentication to your iOS app using TypingDNA

Tony Hung — Sun, 28 Feb 2021 00:07:56 +0000

By now, most people use a password as a way to login into an account. But we’ve all seen the problems with passwords. For example, they need to be memorable but not easy to guess.

Many people, including myself, have used passwords that are easy to remember. Unfortunately, this makes it very easy for other people to guess your password and hack your account.

Luckily, in recent years, there have been great strides made in security that allows users to generate very hard-to-guess passwords and store them securely. But passwords themselves have been around for a long time, and maybe there’s another way to have access to an account without having to remember a string of text.

What if you could use something unique to you that can not be hacked or stolen?

The team over at TypingDNA has thought about this problem in depth. Luckily for us, they came up with a great way to authenticate you as a user, using the way you type.

The following post will cover how the TypingDNA Authentication API works and how to integrate into an IOS application in four easy steps.

Create a TypingDNA Account
Integrate the TypingDNARecorderMobile framework
Integrate the TypingDNA Authentication API
Put it all Together

The source code for the IOS is available on GitHub. I’ve also created a demo of the application, which is available on YouTube.

TypingDNA overview

Here’s how TypingDNA’s technology works: Every person has a unique way of typing. This includes many factors, which are a key to verifying your identity.

The TypingDNA Authentication API has a way of recording your typing pattern. After a few attempts of training to the way you type, you can use that typing pattern to login into an application. Behind the scenes, TypingDNA uses a machine learning model to categorize how you type and saves this pattern as your biometric.

After three or so attempts of learning, the TypingDNA system can record that pattern for future use when you try to log in.

Create a TypingDNA account

Before we build out the iOS application, we’ll need to know how to interact and use the TypingDNA Authentication APIs.

To do that, you first need to create an account here. Once authenticated, navigate to the API dashboard here and copy the apiKey and apiSecret.

When we build out our application, we will need to add these keys into the app. For now, just save them for later.

iOS app

Learning about how TypingDNA works is great. But as a developer, I usually like to see things in action. So I’ve worked on an iOS demo application that shows how to use the TypingDNA API in a Signup/Login scenario.

If you want to go straight to the code, please have a look at this GitHub repo. You will need to have the latest version of Xcode installed and be on a Mac. (Sorry, Windows people.)

App overview

This demo app shows how to integrate the TypingDNA Authentication API into your application. For this app, I’ve created a SignupViewController that allows a user to enter an email address and a password.

The user will need to verify their pattern by entering in their username and a password at least three times. This allows the TypingDNA system to learn your typing pattern.

After the third time the username and password are entered, the user will be able to login with the same username and password and be directed to the Authenticated ViewController, which shows the status of the authentication as well as how many times the user tried to verify themselves.

Next, we’ll build out the interface in the main storyboard.

Our design looks like this:

We first have a NavigationController, which loads our second ViewController, which I called SignupViewController.swift. This view contains two text fields that allow the user to enter a username and a password. Once the user is authenticated, they will be brought to the rightmost screen, which is the AuthenticateViewContoller.swift. This simulates when a user is logged in to an application.

Integrating TypingDNARecorderMobile framework

Before we start calling the TypingDNA Authentication API, we need a way to record the typing pattern of the user. First, you will need to install the Typing DNA recorder framework. Download this repo, and inside the TypingDNARecorderMobile folder, copy theTypingDNARecorderMobile.swift file into your Xcode project.

This framework will allow you to enter a set of text and will return a typing pattern. This pattern, as a string, will be used in the TypingDNA Authentication API to learn your typing pattern.

When using the typing pattern recorder on a mobile device, the way you physically hold the device is taken into account when generating a pattern. For example, if you try to signup with a username and password and hold the device in portrait, you would not be able to login when using the same username and password while holding the device in landscape mode.

For more information about this, please see the Mobile Positions FAQ and the Mobile integration process tutorial.

Before we can use this framework, we first need to add two text fields to our storyboard and create an outlet. In the SignupViewController, inside ViewDidLoad, we need to tell the recorder what to listen to. We do that by adding the following:

@IBOutlet weak var typing_pattern: UITextField!
 override func viewDidLoad() {
        super.viewDidLoad()
    TypingDNARecorderMobile.addTarget(user_txt_field)
    TypingDNARecorderMobile.addTarget(password_txt_field
    }

The addTarget function is a listener that is attached to both the username and password text fields. When we add a target to both fields, this tells the TypingDNARecorderMobile framework to capture both text patterns, which will increase the number of characters used for generating a typing pattern. The recommended number of characters is around 30. Using both text fields will help us get closer to that number rather than using the password textfield alone.

As the user begins to type, the TypingDNARecorderMobile framework will record the typing pattern for both inputs. Once the text is entered and the Next button is tapped, we grab the pattern using the following function:

TypingDNARecorderMobile.getTypingPattern()

For our application, we will set type to 1 and set all the other parameters to their defaults.

When we set type to 1, we will use the getTypingPattern function to expect short, identical texts, which are the username and password.

We then call this function inside our IBAction:

@IBAction func signupButtonTapped(_ sender: Any) {
    guard let userId = user_id.text, userId.count > 6 else {
        return
    }
    let typingPattern = TypingDNARecorderMobile.getTypingPattern(1, 0, "", 0, nil);

}

Once the user enters their username and password, the getTypingPattern will return the user's typing pattern. Now, we can start integrating the TypingDNA Authentication API.

Integration of TypingDNA Authentication API

Auto API

Now, in Xcode, we’ll create a new class called NetworkManager.swift. This class will make the requests to the API. Once we have our pattern, we need to start the authentication process. We will be using the /auto endpoint to send our pattern.

For this demo, we’ll be making the API calls within our iOS application. However, making these requests server-side would be the better approach if you are using this in a production setting.

In NetworkManager.swift, we first need to add the TypingDNA API key and secret, which should have been created previously. On lines 13 and 14 in NetworkManager.swift, update the api_key and api_secret to your keys.

Next, we’ll need a way to send the pattern to the API. Inside NetworkManager.swift,
we’ll have a function called save_pattern, which accepts the username and typing pattern.

We need to send the username and the typing pattern to the endpoint. To send it, the TypingDNA Authentication API requires us to use a unique identifier for the user. In our case, we will use MD5 to hash the username. Finally, we can make a request to the /auto endpoint.

class NetworkManager {  
    private let base_url = "https://api.typingdna.com"
    var api_key = "xxx"
    var api_secret = "xxx"

    func save_pattern(user_id:String, typing_pattern:String, completionHandler:@escaping (_ result:[String: Any]) -> Void) {
            let hashed_user_id = MD5(string: user_id)
            let serviceUrl = URL(string: base_url+"/auto/"+hashed_user_id)
            let parameterDictionary = ["tp" : typing_pattern]
             var request = URLRequest(url: serviceUrl!)
             request.httpMethod = "POST"
             request.setValue("Application/json", forHTTPHeaderField: "Content-Type")
                let authString = encode_auth()
                request.setValue(authString, forHTTPHeaderField: "Authorization")
                guard let httpBody = try? JSONSerialization.data(withJSONObject: parameterDictionary, options: []) else {
                    return
                }
             request.httpBody = httpBody
             let session = URLSession.shared
             session.dataTask(with: request) { (data, response, error) in
                 if let data = data {
                     do {
                        let json = try JSONSerialization.jsonObject(with: data, options: [])
                        completionHandler(json as! [String : Any])
                     } catch {
                         print(error)
                     }
                 }
             }.resume()
        }

}

In the code above, we make a POST request to /auto endpoint, passing in the MD5 version of the username and send the typing_pattern(tp) in the body of the request. For authentication, we base64 our API key and secret and add that to the Authorization header of the request.

After we send the first request, we should receive a JSON payload:

{"message": Pattern(s) enrolled. Not enough patterns for verification., "action": enroll, "message_code": 10, "status": 200, "enrollment": 1}

In the action parameter, we receive the word enroll. This means that we have begun the authentication process.

Check API

The next step is to make a request to the /check endpoint. This will allow us to verify that the pattern was accepted and allow us to log in, as long as we have sent at least three typing patterns.

func check_user(user_id:String, completionHandler:@escaping (_ result:[String: Any]) -> Void) {

        let hashed_user_id = MD5(string: user_id)
        let serviceUrl = URL(string: base_url+"/user/"+hashed_user_id + "?type=1")

         var request = URLRequest(url: serviceUrl!)
         request.httpMethod = "GET"
         request.setValue("Application/json", forHTTPHeaderField: "Content-Type")

            let authString = encode_auth()
            request.setValue(authString, forHTTPHeaderField: "Authorization")

         let session = URLSession.shared
         session.dataTask(with: request) { (data, response, error) in

             if let data = data {
                 do {
                     let json = try JSONSerialization.jsonObject(with: data, options: []) as? [String: Any]
                    completionHandler(json!)
                 } catch {
                     print(error)
                 }
             }
         }.resume()
    }

This is very similar to the /auto endpoint call. We pass the MD5 version of the username and a type parameter, which is set to 1. This is to tell the /check endpoint that our typing pattern came from a set of repeated text, rather than being a random sentence. If we set the type to 0, it would mean that we allow the user to enter any text they want.

Putting it all together

After we finished writing our two API calls, we can now put it all together.

In the SignupViewController, after we enter a username and record a typing pattern, we can now request the /auto endpoint to send the typing pattern. Once we send the typing pattern, we need to imminently call the /check API to verify that the enrollment process has begun.

When using a free account, the API calls are limited to one call per second. Therefore, we need to add a one-second delay when making a request to the /check endpoint.

We will use the response from the /check endpoint to know what the status of the authentication process is and when we can have the user login.

First, let’s make a request to /auto endpoint and send the username as well as the typing pattern.

let typingPattern = TypingDNARecorderMobile.getTypingPattern(1, 0, "", 0, typing_pattern);
networkManager.save_pattern(user_id: userId, typing_pattern: typingPattern) { (json) in
user.pattern_response = json
}

This will return the following JSON response:

{"status":200,"message_code":10,"action":"enroll","message":"Pattern(s) enrolled. Not enough patterns for verification.”,"enrollment":1}

The full documentation for the response is here.

For our application, we are considered the action parameter. From the documentation:

“Returns one of the following values, corresponding to the action performed on the request: enroll, verify, verify;enroll. Enroll is returned if the typing profile has less than 3 previous enrollments. Verify is returned if initial enrollments are met, only a verification was performed, and the pattern was not additionally enrolled. If both a verification and enrollment are performed, the value is verify;enroll.”

Next, we need to call the /check endpoint. This is used to get the number of times the user has tried to authenticate. The JSON payload from the /check app looks like this:

{"mobilecount":1,"type":1,"count":0,"message":"Done","status":200,"success":1,"message_code":1}

For our example, we need to know the mobilecount, which is the number of times the user tried to authenticate. Please note that the mobilecount parameter will only increment when on a mobile device. If you are using the APIs on the web, the “count” parameter will be incremented.

After the user makes the first attempt of authenticating, the “action” parameter will return “enroll”, which means that the user is in the process of authentication. After the user makes two more attempts of authenticating, the “action” parameter will return “verify;enroll”, which means that the user has been authenticated and can now log in.

Once they log in using the same username and password, they are directed to the AuthenticatedView Controller, and can now use the application as a logged-in user. The following is a video of the demo application:

Conclusion

The TypingDNA Authentication API allows you as a developer to easily add authentication to your iOS application—without having to worry about storing encrypted passwords, which makes it easier for you to focus on building your application.

At the same time, users won’t need to worry about security breaches or hacks that can access your data. Also they no longer need another service to save their password.

To access their accounts, all they need to do is type like they do all day long. It’s the easiest way to ensure only authorized individuals can access their own accounts.

The way you type tells a lot about you, including your IQ

silvie demie — Fri, 22 Jan 2021 14:47:31 +0000

Ever since the use of papyrus in ancient times, the way people write has been a fascinating curiosity known as graphology or the study of physical characteristics and patterns of handwriting. The first book on handwriting analysis appeared in 1575 and was written by the renowned scholar Juan Huarte de San Juan.

In modern times, how much does one reveal when typing on a keyboard or device? Quite a lot, it turns out.

The fist of the Sender – ally or enemy?

During World War II, military intelligence successfully identified the rhythm of morse code to distinguish allies from enemies. Even in the mid-1800s, based on the typestyle, telegraph operators' identities could be revealed.
How we interact with devices divulges a series of unique patterns, which, when analyzed, can reveal our age, gender, personality, state of mind, IQ, and, in a nutshell, who we are—our identity.

The technology that captures and analyzes typing patterns is known as typing biometrics. Over the last few years, typing biometrics has seen rapid growth and is quickly gaining momentum. The use cases and industries they apply to are endless. The popularity of this technology could be guaranteed by a faulty technology that might soon be obsolete, illegal, and replaced for good: facial recognition.

Facial recognition technology will be obsolete soon

Most smartphones today incorporate facial recognition, which is a great alternative to other biometrics such as fingerprints. Still, more and more people today see facial recognition as a faulty method to authenticate individuals and a very easy to use tool for mass surveillance.

Facial recognition was first introduced to devices in 2005 by OMRON Corporation. The breakthrough method of authentication easily spread from personal devices to private and public organizations using it for various applications.

One successful use case was proctoring online courses and exams. It didn't take long to notice the racial bias in facial recognition technology, with several studies conducted by governmental research or universities debunking the myth of secure facial recognition. A reliable, unbiased alternative was needed.

In the worst case, the failure rate on darker female faces is over one in three for a task with a 50 percent chance of being correct. In the best case, one classifier achieves flawless performance on lighter males: 0 percent error rate. - The Gender Shades Project
Another alarming toll of this technology is individuals' privacy concerns. More and more people around the globe criticize the technology because it can be used to infringe human rights or civil liberties and for mass surveillance.

In June 2019, law enforcement agencies held the most substantial chunk of the facial recognition technology on the market. And according to a new bill—the Facial Recognition and Biometric Technology Moratorium Act, which was introduced to ban the use of facial recognition technology by federal law enforcement agencies—this will change.

Also, as of June 2020, tech giants like Microsoft, Amazon, and IBM have decided to stop the research, use, and selling of facial recognition technology at least until stronger laws have been enacted to ensure safe deployment.

The alternative: Typing biometrics

In addition to physiological biometrics (e.g., fingerprint, facial identification, and retina scans), there are other metrics that measure human behavior characteristics called behavioral biometrics.

Broadly, behavioral biometrics represent uniquely identifying and measurable patterns in individual interaction with devices. These behaviors are virtually impossible to imitate due to the innate nature of their characteristics. Powered by machine learning algorithms, typing biometrics technology is able to learn about a variety of pattern elements that are unique to the individual.

The prevalence of typing biometrics in the future is also highlighted by the shift in modes of human interaction. According to research by the American Psychological Association, people favor typing over talking. Since 2014, much of oral communication has transitioned to text-based communication, and now 75% of individuals under 30 prefer written communication over phone calls. Also, keyboards are widely available in any household and are present in most technologies today.

Shifting from authentication to other uses cases

Since facial recognition opens a playing ground for other biometrics in authentication, typing biometrics can do more and thus are intriguing due to their versatility and broad use cases.

Mental health and well-being

As previously noted, the technology can be used to analyze the way people are. The complexity of the human mind and body is yet to be understood. Still, the traces we leave when typing is quite revealing with respect to physical and mental traits.

This leads to a more complex analysis of more than just who we are but also how we behave. Just just like our DNA can tell a lot about our ancestry, reveal health conditions, and identify personality indicators, our typing similarly says a lot about us, including gender or IQ.

To illustrate, a new product called TypingDNA Focus, which is currently in the research phase can analyze data based on how people type on their keyboards and reveal information about their state of mind. A fitness tracker for the mind, Focus provides statistics about when users are tired, focused, or stressed, and that data can then be analyzed to enhance productivity.

Focus aims to help users better understand how and when they focus and gain visibility and control over the stressful periods during a day. Additionally, users get insights based on their typing behavior and see weekly trends, a breakdown of daily activity, a window into when they’re most engaged, focus levels, immediate mood analysis, and more.

This use case of typing biometrics is a natural response to the current state of individuals experiencing burnout, high anxiety, stress levels, and the inability to focus on tasks and get productive. According to the Anxiety and Depression Association of America, stress over a long period leads to anxiety and depression, disorders associated with severe chronic diseases.

The fin-de-siècle neurasthenic, in whom exhaustion and innervation converge, uncannily anticipates the burnout of today. They have in common an overloaded and overstimulated nervous system.
Josh Cohen, psychoanalyst, and Professor of Modern Literary Theory at the Goldsmiths University of London.

Reports from the World Health Organization (WHO) indicate depression will become a primary reason for disability worldwide by 2030, while more than 16% of the global population is already affected by it today.

Medical disorders prevention and diagnostics

Due to its innate nature, typing biometrics are virtually impossible to imitate, revealing each individual's unique typing pattern. Therefore, behavioral biometrics technology is suitable for medical research to address disease prevention. Recent medical advancements focus on analyzing any changes that occur in someone's typing pattern over time, which can sometimes indicate neurological system disorders, damage, or other transformations. Abnormal locomotions, movement patterns, or synergies have been described after CNS disorders, such as stroke or traumatic brain injury.

The aim here is to help patients suffering from different diseases or disabilities to rehabilitate and, in the future, even detect various anomalies that can indicate a specific disorder, assisting medical professionals in diagnosing their patients more effectively.

An alternative to privacy-intrusive surveillance technologies
Over the past decade, data protection and privacy-enhancing online and offline tools have gained momentum, and various public institutions are addressing the ban of intrusive surveillance technologies.

This approach may seem like a win for privacy and civil rights advocates who speak out against the use of facial recognition for mass surveillance. This sends an alarming global signal on the effects of the lack of regulation in facial biometrics and addresses the need for less privacy-invasive substitute technologies.

Given this context, typing biometrics represents a viable authentication solution for mobile and desktop without putting civil liberties at risk.

E-learning and student verification

Suffice it to say that 2020 has ushered in challenges around innovation, digitalization, and adaptability.

Governments have been required to take an integrated cross-sectoral approach to prevent and minimize the impact of COVID-19. According to UNESCO, the changing education imperative comes after 1.38 billion learners have been impacted by national school closures worldwide due to the coronavirus.

The ability to verify a student's identity is a crucial part of an equitable and effective learning experience and process. Since most of the curriculum is currently online at all education stages, typing biometrics is a seamless, non-intrusive way to verify the course and exam participants' identities, allowing students to focus on learning—not the proctoring technology.

Looking ahead, typing biometrics will be present in our daily lives And it will also be found in complex use cases developed today that will shape the future for good, influencing our lives and while helping people explore the unknown areas of who we are.

Adding multi-factor authentication to your app, the easy way

Alex Lakatos 🥑 — Wed, 20 Jan 2021 13:31:19 +0000

First, let’s look at what Multi-Factor Authentication or MFA is. Most applications use a username/password combination to authenticate or log in their users. Some of them use a second method on top of the first, like a token or code sent via SMS. That is commonly called 2FA or two-factor authentication.

In light of countless security breaches across the industry, 2FA is becoming increasingly popular In the event that one of the methods used for authentication is compromised, an additional check will make it more difficult to impersonate a user.

The methods of authenticating users are also called factors, or pieces of evidence required for authentication, which is where the term multi-factor authentication originates.

Multi-factor implies more than one factor is used, so technically 2FA is the minimum number of factors to be used for MFA. Depending on your application’s security level, you can choose to increase the number of factors used to authenticate your users. Before we get ahead of ourselves and ask for ten pieces of data, let’s look at the available options.

The options for authentication factors

Here are the different types of evidence you can ask users to provide: :

Knowledge - Something the user knows — a password, for example. Most authentication mechanisms use this factor. And, usually, it's the only one. Or at least the first one.
Location - Somewhere the user is — the office building, for example. Most corporate networks used to be geofenced back in my day. Still, with the rise of remote work, especially during the pandemic, this factor has severely fallen out of favour. Not to mention, most use cases for MFA work from anywhere in the world, so being locked inside a geographical area might be irrelevant. Location might not necessarily mean geolocation though. In some cases, you can use the IP address as a factor instead. Think about all your “intranet” websites that are only accessible from inside the corporate VPN.
Possession - Something the user has — a token or a phone number, for example. This is the second most commonly used factor. When people talk about 2FA, this factor is usually the second factor (e.g., a second password that is sent via SMS to your phone). Sadly, having worked with SMS for a while, it's only as secure as your phone service provider. While this factor is preferred by someone like your banking provider, that also makes it a great incentive to bypass it, for many bad actors. It's also not free to use, as there is usually a fee associated with sending an SMS.
Proximity - Something the user has — unlocking a Macbook when an Apple Watch is nearby, without using a password, for example. While it's usually used in physical devices, this factor stops being useful for web apps, requiring sensors to work. It also has the inherent flaw that both devices that are supposed to be close to each other can be stolen at the same time.
Biometric - Something the user is or some physical characteristic the user has — the fingerprint or the face, for example. You'll see this as the most commonly used authentication mechanism for phones. When coupled with physical sensors, it's tough to beat. Since biometrics are free, they should be the default mechanism in 2FA. Unfortunately, you need advanced sensors to provide a high degree of security. Earlier versions of Face Detection on phones could be fooled with a person’s picture instead of the actual person, for example.

Again, depending on your application’s security level, you can choose how many factors you need — hence the multi-factor authentication mechanism involved.

What about risk-based authentication?

There is another trend emerging in application security called risk-based authentication (RBA). It relies on multiple factors and spreads out the authentication points based on the current user transaction and the security level needed for that.

RBA is used by companies like Google, Facebook, LinkedIn, and Amazon. For example, posting on Facebook only requires a user to be logged in but accessing profile settings requires an additional factor. The additional factor is usually an IP address or some other data if the IP address you’re using at the moment is not the one you commonly use for your account.

One of the factors that's well suited in both cases, and trending recently, is the biometric authentication factor. It turns out that some other things are just as unique as a fingerprint or your face.

For example, the way you type is pretty unique. So why not use that as an authentication mechanism? It doesn’t seem as easy to compare as a face or a fingerprint. No worries, someone else has done all the heavy lifting for you.

TypingDNA’s typing biometrics technology

Cue TypingDNA. That's right, there is an API that fingerprints people by the way they type. That makes biometric authentication accessible without a physical sensor — and just as secure as a fingerprint. It also happens to be free for your users (e.g., compared to possession factors).

Let's look at how you can add this extra layer of biometric authentication to your multi-factor authentication process.

The TypingDNA API allows you to recognize people by the way they type, both on a keyboard or a mobile device. It also doesn't require any particular hardware or sensor. The SDKs act as recorders for the way users type on web apps and mobile apps. You can check those recordings against a previously saved typing "DNA" — hence the name.

Personally, I've been watching TypingDNA for a while, and I'm impressed with how natural and simple it is to add on top of a traditional username/password authentication model.

An average username/email combination has around 30 characters. That’s plenty of characters to use typing biometrics with a high degree of confidence. You can record and store the typing pattern when a user signs up and then verify the pattern every time they log in. It has the benefit of being a seamless experience. You’re checking two factors in the same step instead of traditional MFA, where each factor requires an extra step.

Implementing with the TypingDNA API

In terms of implementing it, it's a three-part system. The first part is a recorder (TypingDNA provides this) that lives in your application and records the way users type when they perform a certain action, like logging in. The second part is your own back-end server application, and that's where the recorder sends the biometrics data. For the final step, you check that data against the saved biometrics TypingDNA has, using their REST API.

It sounds pretty easy, doesn't it?

It is.

One of the advantages of using this in an MFA flow is that — as opposed to most 2FA solutions — the second step here is invisible to the user. You're using two factors that you're gathering at the same time, so there is no extra step for your users — meaning there are fewer reasons to not complete the verification process. I'd say that is a big user experience win.

This approach can also replace some other existing forms of text or typing verification currently used — like Captcha. Instead of asking someone to type a single garbled word that’s hard to read or click several pictures of bikes, you can ask them to type a provided passphrase.

This way, you’re not only improving the accessibility of your application, but you’re also going the extra mile in verifying the user is “not a robot.” In other words, you’re not only verifying a user is a person but with matching typing patterns, you’re verifying the user is the right person to access your application.

What’s next?

If I’ve convinced you biometric authentication is the future, here are some resources that will help you integrate your application with the TypingDNA API.

First, sign up here. And then use the:

Tutorials to help you get started.
API Documentation to help you when you’re implementing this into your application.
GitHub Repositories full of demos and example implementations.
Case Studies, Webinars, Blog, Whitepapers (and others) in case you need to sell this to your Product Manager first.

Here’s to adding MFA to your applications — the easy way — with TypingDNA!

AI Facts Every Dev Should Know: Artificial intelligence is older than you, probably

silvie demie — Mon, 14 Dec 2020 15:43:20 +0000

The hype around AI is growing rapidly, as most research companies predict AI will take on an increasingly important role in the future.

While business leaders are very interested in leveraging machine learning technology, there’s a talent shortage standing in the way.

It turns out that there are very few developers that have the skills needed to spearhead serious new AI projects. This means that developers who can acquire these skills will be highly in demand.

With all this in mind, let’s take a look at several facts about AI every developer should know before changing their focus to machine learning, artificial intelligence, and—while we’re at it—deep learning and neural networks.

Artificial intelligence is older than you, probably.

The first recorded use of the term artificial intelligence was made by John McCarthy, an American computer scientist and one of the discipline's founders. Spending most of his academic career at Stanford, he invented Lisp in the late 1950s. Based on the lambda calculus, Lisp soon became the programming language of choice for AI applications after its publication in 1960.

Still, creating AI departments at Stanford and MIT didn't advance the field as much as the founders had imagined. In large part, this is because scientists encountered a myriad of issues, including limited computer power (i.e., the memory or processing speed needed to accomplish anything truly useful), intractability, the combinatorial explosion, lack of databases, and lack of the common sense knowledge and reasoning needed to train algorithms effectively.

The so-called AI winter began in the 1970s, and AI eventually reached its limits as substantial funding was put on hold. It was only in the 2000s that computational power and data became widely available. The ice was finally broken by ImageNET, a database project that stored 15 million images led by Stanford's Fei Fei Li in 2009. At the same time, data storage rates became affordable, setting the stage for more AI investments.

The talent pool is shallow.

Talent is in short supply in the A.I. industry, with various reports indicating that the worldwide market is seeking to fill millions of roles. Due to a widespread lack of education on AI skills and topics, there’s a bottleneck in delivering highly trained individuals. In fact, Element AI, a Montreal-based startup, estimated fewer than 22,000 people in the world with the expertise needed to create machine learning systems.

What’s more, another study made by the Chinese Tencent Research Institute estimates that there are currently 300,000 AI researchers and practitioners in the world today, out of which about 100,000 are still studying. Tencent claims the United States is far ahead when it comes to developing this talent, being home to more than 1,000 universities of the 2,600 schools teaching machine learning and related subjects in the world.

The same report claims the U.S. is also a leading nation when it comes to the number of startups developing AI technologies. Interestingly enough, more and more academic conferences turn into playgrounds for corporate recruiters, while entire AI research departments from well-known universities are transferred to privately held companies deploying AI.

AI Engineers get paid very well

Scarcity in any job market equates to higher salaries, and AI is no different. For example, DeepMind, acquired by Google for a reported $650 million in 2014, spends $138 million on 400 employees. The staff costs were researched by The New York Times, which had a look at the company's recently released annual financial accounts in the U.K. This translates to base salaries of between $300,000 and $500,000 a year.

Based on Monster.com's analysis, the median salary for data scientists, senior data scientists, artificial intelligence consultants, and machine learning managers was $127,000 in 2019.

Over the last four years, the demand for AI talent has increased by 74%, while technology and financial service companies are currently absorbing 60% of AI talent.

AI/ML Professionals need to possess a lot of skills

There are two job roles for every AI professional today, and similar growth is expected to be seen in the future. Currently, the three most in-demand AI positions on the market are data scientists and algorithm developers, machine learning engineers, and deep learning engineers.
According to the job site Indeed, the main skills and tools software developers need to be proficient on AI projects include math, algebra, statistics, big data, data mining, data science, machine learning, cognitive computing, natural language processing (NLP), Hadoop, Spark, and many others.

The most frequent programming languages AI developers use are Phyton, C++, Java, LISP, and Prolog. Still, qualifying job seekers must also be experienced working with open source development environments. For example, proficiency with Spark, MATLAB, and Hadoop is one of the most in-demand skills.

The hype around AI is worth it.

In 2018, Gartner predicted that 80% of emerging technologies would have AI foundations within three years. What’s more, the research firm Markets and Markets expects that the AI market will grow to a $190 billion industry by 2025. Beyond that, Accenture predicts that the impact of AI technologies on business will boost labor productivity by up to 40%. Also, according to IDC, the AI use cases that saw the most investment in 2019 were automated customer service agents ($4.5 billion worldwide), sales process recommendation and automation ($2.7 billion), and automated threat intelligence and prevention systems ($2.7 billion).

Add it all up, and the hype surrounding AI is worth it.

AI has all kinds of implications

Before wondering whether AI will replace software developers, let's take a look at what AI can actually do.

The industries and use cases where AI can be deployed have surged in the past few years.
In December 2018, the New York auction house Christie's sold Portrait of Edmond de Belamy, an algorithm-generated print in the style of 19th-century European portraiture, for $432,500. Various AI-generated works of art are now frequently exhibited; one example is the "Faceless Portraits Transcending Time" collection in New York. Dr. Ahmed Elgammal and his creation, the AICAM AI, benefit from the first solo gallery exhibit devoted to an AI artist. As Andy Warhol once said, art is what you can get away with.

The frenzy around AI-generated art is also touching the music industry. While continuing to read these words, play this piece generated in ASCII using roughly 500 megabytes worth of famous guitar tabs of mostly classical and rock music. It's called Recurrence, and—if it's not contemporary enough for your taste—please note this "record" is already five years old.

With a more substantial societal impact, AI tools are also being used to solve medical issues. AI is also being used in medical research to identify, prevent, and cure disorders and diseases is more appealing. These applications are projected to create $150 billion in annual savings for the healthcare economy by 2026.

AI-based typing patterns matching algorithms can also verify users' identity based solely on their typing behavior. In 2016, TypingDNA’s technology was launched to analyze how humans interact with keyboards to provide accurate authentication. The breakthrough discovery here relies on the fact that humans are all different and behave in a distinctive way. The demo how it works can turn into an addictive challenge game among your friends trying to "fool" the system and replicate each other's typing behavior.

Further, Google's Deep Learning machine learning program is accurate 89 percent of the time in detecting breast cancer compared to a human pathologist, who is just 73 percent accurate. This is why machine learning and AI are regarded as healthcare’s new nervous system.
Finally, AI is also very smart, shedding light on its future capabilities. For example, AlphaGo Zero, a Google Deep mind project, was able to achieve superhuman-level performance, flawlessly beating champion predecessor, AlphaGo, the first AI to defeat Ke Jie, the world's top-ranked player in the ancient Chinese strategy game Go. Interestingly, AlphaGo Zero taught itself how to play the game, given only the basic rules.

AI won’t replace human beings but their jobs.

Twenty-five years ago, Jeff Dean started working on a "brain" that mimicked the neural networks to analyze information and learn. But its capabilities were limited. It was only in 2012 that neural networks were successfully used for machine learning, memory, perception, and symbol processing.

Geoff Hinton marked a new era when introducing neural networks that could learn tasks mostly on their own by analyzing vast amounts of data. Both Dean and Hinton are now part of Google's AI research teams. In 2017, Google announced its project AutoML successfully taught itself to program machine learning software on its own. Completing basic programming tasks, AutoML also marked the popularization of a new fear: Because of their ability to learn on their own, will machines replace humans?

Welcome to this century's agnostophobia.

Unlike the Narrow/Weak AI, specified to handle singular or limited tasks humans can perform as well, General or Strong AI poses fears towards its capabilities once out of control. Currently, AI is used mostly to assist developers, and it will probably continue to grow its role in augmenting human teams' capabilities. We see it everywhere around us—in tools to help write documentation, test code, and even identify bugs and address them.

Open AI and it’s recent Generative Pre-trained Transformer 3 (GPT-3), an autoregressive language model with 175 billion parameters, achieves strong performance on many NLP datasets, including translation, question-answering, and cloze tasks, as well as several tasks that require on-the-fly reasoning or domain adaptation. This means it has capabilities to generate news articles in which human evaluators have difficulty distinguishing from articles written by humans while researchers claim GPT-3 has the "potential to advance both the beneficial and harmful applications of language models."

Researchers at MIT created a program that automatically fixed software bugs by replacing faulty code lines with working lines from other programs. Here are some more tools that help in the process of building software products: DeepCode, Synopsys Logojoy, and UIzard.

How do developers look at AI and its potential threats?

If you fear that AI will eventually replace your role, you're not alone. That’s how the majority of developers around the world feel.

According to Evans Data, when asked to identify the most worrisome thing in their careers, the largest plurality of software developers cited this: "I and my development efforts are replaced by artificial intelligence."

On a positive note, Stack Overflow research showed that 70% of respondents feel more excited about AI's possibilities instead of worrying about its potential dangers. And most developers are eagerly looking forward to the new possibilities automation brings to the table.

Just like the industrial revolution shifted humankind into developing new skills while leaving agricultural labor behind, so will intelligent robots. In fact, McKinsey predicts AI could replace 30% of the human workforce globally by 2030. According to AI technology statistics, robotics could replace about 800 million jobs, making about 30% of occupations extinct.

With this significant shift, nearly 400 million people will have to adapt and change careers. Forrester predicts cognitive technologies—such as robots, A.I., machine learning, and automation—will create 9% of new U.S. jobs by 2025. These new jobs include robot monitoring professionals, data scientists, automation specialists, and content curators.

It’s easy to start learning or teaching

Since the skilled workers needed to build advanced AI software are still scarce, companies like Facebook and Google have prepared educational programs designed to get anyone on board—no matter their level of expertise. If you are interested in online courses to grasp the basics of A.I., check these machine learning courses from Stanford, MIT, and Columbia University, or dive into the depths of deep learning at Nvidia's Deep Learning Institute.

For more information, you can also read this book, check out these popular open-source AI tools, and browse this list of popular AI projects. This will help you build the technology of the future and solve real-world problems.

And if you’re a teacher looking to introduce your students to AI, check out Tom Vander Ark’s compelling guide on how to teach artificial intelligence.

The graphics in this article can be downloaded here.

The TypingDNA Hackathon Saga – Volume 1

Madalina Burci — Tue, 24 Nov 2020 13:46:54 +0000

Once upon a time… two months ago,
We had the TypingDNA Hackathon challenge to throw,
And used every communications medium to raise the hype:
“What would you do if you could recognize people by the way they type?”

The news traveled fast, and many adventurous spirits appeared,
More than 600 hackers to the cause adhered,
Six weeks later, after much code,
Twenty-eight submissions in the Project Gallery showed.

They were all great, a pleasure to watch and test,
The Judges and Organizing team felt very blessed,
To have received so much, both ideas and implementations,
Projects powerful enough to improve nations upon nations.

After debating, seven projects were selected,
The ones with which most people clicked and inspected.
A big thank-you to those who judged and voted,
All your thoughts were duly noted!

For starters, the popularity choices,
The project that secured the real voices,
Among Us, Devpost Community Award,
The “Social Media <> No fake tweets/users” ward.

Talking about Social, Impact was there as well,
Does ChatAppNoDrive ring a bell?
If not, it’s an app that detects if you text while driving,
And notifies recipients and asks them to stop typing.

What about Business Potential, you may ask?
This one right here was no easy task,
There was ProctoPro, another project that did wonders,
Improving the online learning covers.

We couldn’t skip the WOW factor,
There were enough projects to write a whole chapter,
But the one that took our breath away,
Was eHealth App, tracking Dermatomyositis every day.

Now, for the big prizes, we start with third,
Biowallet definitely got heard,
Securing crypto wallets against viruses and malware,
Transferring Bitcoin from person to person without a care.

Dissociative Journal came in second place,
Giving all your identities their own space,
Using sentiment analysis to determine the state of mind,
So as to ensure no identity gets left behind.

Typdf captured our minds and hearts,
Taking home two of the awards at the top of the charts,
Signing docs with your typing pattern,
Brought it first place and the TypingDNA Popularity on a platter.

If you want to get in the hackathon zone,
Make custom wallpapers all on your own,
Follow the Mix&Match Spotify Playlist notes,
And read below some judges’ and participants’ quotes:

“This hackathon reminded me once again how nice it is to build upon a passion and how important it is to have great people to learn from along the way.”
Crina Coranga, Dissociative Journal

“TypingDNA is impressive and user-friendly. In fact, I could build an application using their API in a couple of hours!”
Bell Eapen, eHealth App

“Loved being part of the Judging Team for the TypingDNA Hackathon. The idea of Frictionless authentication based on how you type is super original and there were so many incredible use cases posited by the Hackathon entrants testing the limits of the API. My favorite one was around the idea that there would be a different typing pattern if someone was Texting whilst Driving – using the API for behavioral analytics rather than authentication. But each of the Judges had their own preferences and we spent a good while arguing over which deserved the prizes. In the end, TypingDNA decided to give out a few more prizes, just to pacify the judges – but even so, there were so many entrants that worked really hard to produce their solutions and we wished we could have told them all how impressed we were with the work they had done.”
Michelle Sandford, Judge and Developer Community Advocate

“TypingDNA is one of the APIs I’ve been keeping an eye out forever since I first saw it in action, a few years ago. The potential for fingerprinting people based on the way they type is amazing, and I think someday it’ll be ubiquitous.”
Alex Lakatos, Judge, and DevRel @ Fidel

“This hackathon was so engaging that it was the first time I underestimated the duration of project development and yet this turned out to be a very pleasant reality. The best part followed the day after the hackathon ended when once we started promoting the application, we received dozens of thanks messages from real users – those for whom we created it. It’s not about how well the app is written, it’s about how much it can change people’s lives – for the better.”
Bogdan Burdalescu, Dissociative Journal

“This was my very first Hackathon and I loved it! After seeing what TypingDNA can do, implementing and using it was both challenging and fun. Overall I had a great experience and I am very proud of my result. 10/10 would do it again! :)”
Calin Stroescu, ChatAppNoDrive

“Thanks to the TypingDNA hackathon, my team and I were able to develop competencies and skills that school can’t teach you. It was such an eye-opener when it comes to what the world of computer science and engineering can offer to young students with endless ambition.”
Saoud Messaoudi, ProctoPro

5 thoughts from the DevTalks conference

Madalina Burci — Thu, 30 Jul 2020 13:49:24 +0000

As a huge fan of live events, having to experience a conference digitally was an interesting change of pace, to say the least. However, my expectations for the virtual event were quickly surpassed. I was very impressed by the number of speakers and how diverse they were. I was also impressed by the wide range of topics the conference covered (3 days, 5000+ participants, 13 stages—check out the full DevTalks agenda).

TypingDNA @ DevTalks

If you’re curious, here are the TypingDNA talks from the conference. Laura Tamas and I approached theoretical and practical aspects of typing biometrics and passwords, as well as the reality of securing remote workforce. Check out our presentations using these links:

The brave new ‘Work From Anywhere’ world and how to secure it
To People Who Want To Integrate Biometrics – But Can’t Get Started
As a bonus, we had the opportunity to give participants a short company presentation.

Now that you are familiar with our role in DevTalks, I’d like to share five of the more engaging talks I saw during the virtual event.

1. Are bots good or bad?

Michelle Sandford addressed this question by putting forward arguments that brought together aspects of technology and sociology.

While, at its core, code is simply mathematics, algorithms and logic statements, keep in mind that what was designed for good could be used for evil, too.

Besides the programmer’s bias, there is also the way people use and train the software (just look at Tay vs. Xiaoice), which is why developers must be accountable for what we deploy and have a sound understanding of the real impact that bots have on people’s lives these days.

To ensure each user gets fair and unbiased treatment, include diversity on your development team and enable support in multiple languages.

2. Following your passion

We have endless opportunities today to follow our passions and beliefs, and this idea was best showcased by Denis Radin through karmawheel.org.

Starting by comparing Buddhism to a peer-to-peer connection, he digitized a prayer wheel so it could serve many people around the world.

Regardless of what technology stack you decide to use, having an objective and being determined will keep you on the right track—and even open the door for unexpected collaborations.

3. UX vs. DX in Web Development

As developers, we get more productive by using the latest frameworks. But is this the best for our users?

Stefan Judis started a debate around the developer experience (DX) and user experience (UX), ultimately ascertaining that we should focus more on building websites that work and less on the technology behind them.

He encouraged devs to go back to the foundations (e.g., HTML, CSS, JS) and build complex apps only when it makes sense.

Also, the session was a reminder for us all that we have the responsibility to pick the right tools. A decision made today will stick around our companies’ tech stack for a while.

4. Product Metrics <> Developers

There are three types of metrics: business, product, and tech. Developers should be connected to the last two in order to assess existing features, investigate new releases, and perform incremental improvements.

With metrics being the only source of true data, as shared by Dmitry Salahutdinov, they ensure changes are impact-driven and reduce communication blockers.

Some tips and tricks he shared are: keep a naming convention that prevents entropy, have separate environments for production and testing, and organize events and properties.

5. Killing mutants – a different approach to testing

Want to ensure your code is meaningful and the unit tests are strict? Give Mutant Testing a try!

As per Dave Aronson’s explanations, first, you need to find the tests (or create them in case there are none). Second, you have to slightly modify the functions (create the mutants), and third, don’t forget to apply those tests on the mutants!

If at least one test fails, then the mutant is killed and you move to the next one. If no tests fail, then the mutant survives, meaning the code is meaningless or the tests are not enough. Although resource-intensive (e.g., CPU and time for interpretation), this approach has a lot of potential for identifying gaps.

Forem: TypingDNA

How To Implement Biometric 2FA in a Cryptocurrency Wallet with Python, Flask and TypingDNA

Table of Contents

A Brief Introduction to TypingDNA

Getting Started with TypingDNA

Setting Up Our Flask Application

Enrolling New Users into TypingDNA

Downloading TypingDNA JavaScript Files

Building TypingDNA Enrollment Page

Recording Typing Patterns with TypingDNA

Saving Typing Patterns with TypingDNA

Authenticating Users with TypingDNA

Adding 2FA to Our Login

Building TypingDNA Verification Page

Verifying User Identities with TypingDNA

Implementing 2FA Fallback Option with Email OTP

Securing User Actions with TypingDNA

Conclusion

TypingDNA is launching a new typing biometrics 2FA solution to replace SMS OTP

Adding two-factor authentication to your iOS app using TypingDNA

TypingDNA overview

Create a TypingDNA account

iOS app

App overview

Integrating TypingDNARecorderMobile framework

Integration of TypingDNA Authentication API

Auto API

Check API

Putting it all together

Conclusion

The way you type tells a lot about you, including your IQ

The fist of the Sender – ally or enemy?

Facial recognition technology will be obsolete soon

The alternative: Typing biometrics

Shifting from authentication to other uses cases

Mental health and well-being

Medical disorders prevention and diagnostics

E-learning and student verification

Adding multi-factor authentication to your app, the easy way

The options for authentication factors

What about risk-based authentication?

TypingDNA’s typing biometrics technology

Implementing with the TypingDNA API

What’s next?

AI Facts Every Dev Should Know: Artificial intelligence is older than you, probably

The hype around AI is growing rapidly, as most research companies predict AI will take on an increasingly important role in the future.

Artificial intelligence is older than you, probably.

The talent pool is shallow.

AI Engineers get paid very well

The hype around AI is worth it.

AI has all kinds of implications

AI won’t replace human beings but their jobs.

It’s easy to start learning or teaching

The TypingDNA Hackathon Saga – Volume 1

5 thoughts from the DevTalks conference

TypingDNA @ DevTalks

1. Are bots good or bad?

2. Following your passion

3. UX vs. DX in Web Development

4. Product Metrics <> Developers

5. Killing mutants – a different approach to testing