Integration of TypingDNA with WSO2 Identity Server

Yasara Yasawardhana
6 min read · Sep 11, 2022


TypingDNA is a technology that authenticates people based on their typing patterns, analyzing the way we type to create a personal ‘typing identity’.

TypingDNA, a Romanian startup, developed its own AI-based algorithms to make this work. The technology observes factors such as the time it takes to press, release, and move between keys, so that TypingDNA can recognize user login attempts and other important security elements.

TypingDNA technology, known as typing biometrics, creates a safer internet. It allows for known applications, such as authentication, fraud detection or password recovery, and it can be used in a lot of fields, from banking to online assessments.

To highlight the importance of this feature, consider the fact that almost any device today has a keyboard. Implicitly, typing behavior can become the most common biometric system for regular users. Hence, building typing biometrics into an identity management solution is important as an additional layer of robust protection against potential cyber threats.

WSO2 Identity Server supports the typingDNA feature from version 5.11.0 onwards. I will take you through a simple demonstration of authenticating to a sample application when typingDNA is enabled.

  1. Download and install the WSO2 Identity Server.
  2. Download the typingDNA authenticator and artifacts from the IS connector store.
  3. Copy the downloaded org.wso2.carbon.identity.conditional.auth.typingdna.functions-x.x.x.jar file into the <IS-Home>/repository/components/dropins directory.
  4. Copy the api#identity#typingdna#v_.war file into the <IS-Home>/repository/deployment/server/webapps directory.
  5. Add the below configuration in the <IS-Home>/repository/conf/deployment.toml file.
[myaccount.security]
enabled_features=["security.loginVerifyData.typingDNA"]

  6. If you are on IS 5.11.0, a few additional configurations are required, which are listed here.

TypingDNA account setup

1. Sign up here to create a new typingDNA account. See the instructions for more details.

2. Log in to the account and navigate to the Authentication API tab. Go to the API settings and enable Auto-enroll and Force initial enrollments. Fill in the other required fields according to your requirements.

Minimum initial enrollments is the number of times the pattern will initially be enrolled automatically, without verification, for each unique user. I have set this figure to 3, so that typing pattern verification happens from the 4th enrollment onwards.

TypingDNA configuration in the Identity Server

1. As Adaptive Authentication is disabled by default from IS 6.0.0 onwards, enable it by running the adaptive.sh script in the <IS_home>/bin folder.

2. Run the below command from the same location to start the WSO2 Identity Server.

sh wso2server.sh

3. Log in to the management console with the default admin:admin credentials.

4. Navigate to Identity Providers -> Resident -> Other settings -> TypingDNA Configuration.

  • Enable typingDNA.
  • Configure the API key and secret which can be copied from the typingDNA account dashboard.
  • Enable the advanced TypingDNA-API mode if your TypingDNA account is Pro or Enterprise. A Pro/Enterprise account provides access to advanced APIs and allows advanced authentication options.
  • Configure the region (eu or us).

Configure a service provider to use TypingDNA

1. Go to Service Providers → Add. Provide a name and click Register.

2. Go to Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration and provide the Callback Url as https://oidcdebugger.com/debug.

3. Navigate to Local & Outbound Authentication Configuration -> Advanced configuration and add basic and totp as authentication steps 1 and 2, respectively.

4. Add the TypingDNA adaptive script as shown below.

// This script will step up 2FA authentication if the user's typing behaviour does not match with the enrolled behaviour.

// You can use the parameters 'score' (num 0-100), 'result' (boolean), 'confidence' (num 0-100), 'comparedPatterns' in your
// authentication logic to trigger the 2nd step.
// Only the 'result' parameter has been used in the sample script.

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function (context) {
            verifyUserWithTypingDNA(context, {
                onSuccess: function(context, data) {
                    // Change the definition here as required.
                    var userVerified = data.result;

                    // data.isTypingPatternReceived indicates whether a typing pattern is received from the login portal.
                    if (data.isTypingPatternReceived && !userVerified) {
                        executeStep(2);
                    }
                },
                onFail: function(context, data) {
                    executeStep(2);
                }
            });
        }
    });
};

5. Click update.

6. Add a new user tom from Users and Roles -> Add -> Add new user.
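
The sample script in step 4 runs step 2 only when a typing pattern was received and did not match, so a login that carries no typing pattern completes with the password alone. The variant below is an added example, not part of the original post or WSO2's template: it asks for TOTP whenever the pattern is missing and also applies the 'score' and 'confidence' parameters. The threshold values and the helper name needsSecondFactor are assumptions, as is reading score and confidence from data in the same way as data.result.

```javascript
// Added example: stricter step-up policy for the TypingDNA adaptive script.
// Written in ES5 style (var, function expressions) like the sample script.
var MIN_SCORE = 80;       // assumed threshold on 'score' (0-100), tune to your logs
var MIN_CONFIDENCE = 70;  // assumed threshold on 'confidence' (0-100)

// Hypothetical helper: returns true when the TOTP step must run.
// Missing or malformed values count as "not verified" (fail closed).
function needsSecondFactor(data) {
    if (!data || !data.isTypingPatternReceived) {
        return true;  // no typing pattern reached the server
    }
    if (!data.result) {
        return true;  // TypingDNA reported a mismatch
    }
    var score = Number(data.score);
    var confidence = Number(data.confidence);
    if (isNaN(score) || isNaN(confidence)) {
        return true;  // fields absent or not numeric
    }
    return score < MIN_SCORE || confidence < MIN_CONFIDENCE;
}

// executeStep and verifyUserWithTypingDNA are provided by the Identity Server
// when the script runs as an adaptive authentication script.
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            verifyUserWithTypingDNA(context, {
                onSuccess: function (context, data) {
                    if (needsSecondFactor(data)) {
                        executeStep(2);
                    }
                },
                onFail: function (context, data) {
                    executeStep(2);
                }
            });
        }
    });
};
```

With this policy the first three enrollment logins still prompt for TOTP, and so does any later login that arrives without a typing pattern.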

Now all configurations are done. Let's try out the flow.

  • Navigate to https://oidcdebugger.com/ and provide https://<host_name>:<port>/oauth2/authorize as the Authorize URI. Provide the client ID of the service provider as well.
  • Click Send request and you’ll be redirected to the login page of the application. Type the username and password of the user tom you just created.
  • Observe that the user is prompted with TOTP-based login as a second factor. Scan the QR code using an authenticator app.
  • Provide the TOTP generated by the authenticator app in the next step.
  • You will be successfully logged in to the application.
  • From a new incognito window, log in to the application as the same user 2 more times. You will be prompted to provide the TOTP for all these 3 attempts.
  • Now try to log in to the application for the 4th time. You will be logged in without being prompted for the TOTP, because your typing pattern is verified against the typing biometrics saved by typingDNA.
  • Try to log in by providing the username and password with a different typing pattern. You will be asked for the TOTP authentication step.

Go to your typingDNA account -> Logs tab and you’ll see the first three login attempts as enrollments and the 4th attempt as a verify & enroll type.

From IS 6.0.0 onwards, you can also delete the saved typing patterns of tom by logging in to tom’s myaccount.

Navigate to https://localhost:9443/myaccount and open the Security tab. Scroll down to the Data used to verify your login section, where you’ll see the option to delete the saved typingDNA typing patterns.

Then refresh the Logs tab of your typingDNA account to see the Delete user record there.

Refer to the TypingDNA documentation to learn more about their API services.

That's it for today. Hope you got an idea of how to integrate the typingDNA feature with WSO2 Identity Server.

Let’s meet in another blog! Until then, Happy learning!

Written by Yasara Yasawardhana

Software Engineer @ WSO2 | ENTC @ University of Moratuwa
