Websites that ID you by how you type: Great when someone's swiped your password, but...

Debate is raging over the discovery that simple web browser extensions can defeat behavior-based biometric technologies.

(In this case, behavior-based biometric technologies is a fancy way of saying JavaScript that profiles how people type so that they can be identified the next time they get behind the keyboard.)

Passive behavioral biometrics are being adopted by online shopping companies and banks as a way to protect users from ID theft and fraud, even when their passwords have been compromised. But the technology – which works by building a profile about how a person types, rather than just what they type – poses privacy risks.

Providing they have JavaScript enabled, netizens are profiled on sites using technology from the likes of BehavioSec and KeyTrac. Using Tor or a VPN has no effect. And surfers don't necessarily know if the technology is in play. If a biometric behavioral profile is either shared or stolen, it can't be changed like a password.

In response to these concerns, Per Thorsheim, founder of PasswordsCon and independent IT security consultant Paul Moore developed Keyboard Privacy, a proof-of-concept Google Chrome extension, as previously reported.

The technology is designed to outfox behavior-based biometric technology and protect a user's privacy. The main motive was to highlight a little-reported privacy issue and spark debate.

Neil Costigan, chief exec of BehavioSec, disagreed that the app is able to "defeat" a behavioral biometrics system. Rather it offers a means to decline to use the technology to gain access to sites that deploy the technology.

"The Keyboard Privacy app, developed by security researchers Paul Moore and Per Thorsheim, has sparked a great deal of conversation in the security industry," Costigan explained.

"As academics ourselves, we welcome people testing and exploring our software – in fact, that's one of the reasons we felt so strongly about making a live proof of concept demo available on our website. However, it is misleading to say that the app is able to 'defeat' a behavioral biometrics system, because it doesn't 'break in.' It's like someone refusing to put their finger on a fingerprint reader – it just won't let them gain access to any system protected by behavioral biometrics."

Costigan argued that behavioral biometrics is easier for users than other technologies designed to either supplement or replace traditional password login techniques.

Our opinion is that users should have a range of authentication methods available to them. If they choose to opt out of behavioral biometrics as a verification technique (for whatever reason), then they will simply be required to use an alternative – likely more complex and inconvenient – method, such as a keypad calculator or out of band SMS. That's what this is about however – opting out. We are confident that our system worked as intended."

We shared these points with Moore, who agreed that using the Keyboard Privacy app would make it harder to log onto a site protected with behavior-based biometric technology.