Back to home
ExperienceJanuary 2025ยท7 min read

The behavioral signals that reveal you're not who you say you are

How keystroke dynamics, mouse patterns, and location anomalies can be used as a form of identification.

Passwords don't work anymore, and everyone knows it. Two-factor authentication helps, but people find ways around it - stealing SIM cards, tricking call center employees, sending fake emails.

But there's one thing that's very hard to steal: behavior. The way someone types, moves their mouse, uses an app. These patterns are unique, almost like a fingerprint.

I worked on systems that use these signals to catch fraud, and I want to share what I learned along the way.

Typing rhythm

Everyone types differently. Some people are fast, some slow. Some hold keys down longer than others. Some make lots of typos, some almost none. There's quite a lot of research on this - in lab settings, researchers can identify people by their typing patterns with high accuracy. In the real world it's messier, but still works surprisingly well.

Measuring how long each key is held down, the gaps between key presses, timing patterns for common letter combinations like "th" or "er", is a good start. A fraudster might have the right password, but they won't have the same typing rhythm.

Mouse movement story

Think about an app that someone uses every day. They know where everything is, so the mouse goes straight to the right buttons without any searching around. The motions are efficient, going straight to the target. But when a fraudster uses that same account for the first time they are in the exploratory phase. They move the mouse around looking for things, hesitate.

Finding whether movements are direct or wandering, how fast the cursor moves, whether clicks land exactly on target or need adjustment, and where people tend to pause. Real users move with confidence. Fraudsters move like they're learning, because that's exactly what they're doing.

Other signals

Device information - not just the device ID (which is easy to fake), but lots of small things together like screen size, browser settings, timezone. Each signal alone is weak, but combined they create something stronger.

Location patterns matter too. Most people log in from the same few places, like home and work. A login from a new country isn't automatically fraud, but it's worth paying attention to. And if someone logs in from Zurich and then from Singapore thirty minutes later? That's physically impossible - something is clearly wrong.

Usage patterns also help. When does someone usually use the app, for how long, and which features do they use? A login at 3 AM going straight to rarely-used features raises questions.

False alarms

Real users don't always behave consistently - they're typing slower when tired, maybe they hurt their hand, got a new computer, or are traveling. If the system flags every small change as fraud, it ends up annoying real users who get blocked and have to verify themselves. That's bad for everyone.

It becomes important to figure out how much change is normal versus how much is suspicious.

There's also a cold start problem - when someone is new, there's no baseline yet for their normal behavior. The system needs time to build a profile. And until then, there's less confidence in any signals.

Machine learning

Good, now how do we actually make sense of it all? A human can't sit there and manually check every login. This is where machine learning (ML) comes in.

The basic idea is to train a model on what "normal" looks like for each user, then flag anything that doesn't fit. Some algorithms that work well for this are K-Nearest Neighbors (KNN) and Random Forest. KNN is simple - it looks at the closest examples in the training data and decides based on what those look like. If your current behavior is closest to fraudulent sessions, that's a red flag. Random Forest builds many decision trees and combines their answers, which tends to be more accurate and handles noisy data well.

No single algorithm is perfect for every situation. KNN works great when you have clean, well-separated data, but struggles with high-dimensional inputs. Random Forest handles complexity better but needs more data to train properly. In practice you should combine multiple approaches - using one model for mouse movements and another for deeper analysis of keystrokes.

The models also need to be maintained. Fraudsters learn and adapt, so what worked six months ago might not catch new attacks. And user behavior changes too - how will the widespread use of AI agents change user behavior? The system has to keep learning.

Privacy matters

I want to be honest - collecting behavioral data raises real privacy questions, it's important to take that seriously:

  • Users should be informed this is happening
  • The focus should be on saving patterns, not the actual content of what was typed
  • The data should only be used for fraud detection
  • Old data should be deleted after a reasonable period

I think getting this balance right is important. Protecting users from fraud matters, but so does respecting their privacy.

Conclusion

Behavioral signals aren't perfect - they're just one tool among many. But they catch something that passwords and codes can't: someone who has all the right credentials but isn't the right person.