Keystroke Entropy, Mouse Micro-Tremors, and the BioToken: A Rigorous Treatment of Behavioral Biometrics for Continuous Authentication

Passwords are a solved problem — solved in favor of the attacker. Credential databases are breached at industrial scale, credential-stuffing tools are freely available, and even multi-factor authentication is defeated by real-time phishing proxies (EvilGinx, Modlishka) and SIM-swap attacks. The next authentication frontier is not what you know or what you have, but how you behave.

Titan's BioToken pipeline implements continuous behavioral authentication through three orthogonal biometric modalities, each grounded in established signal-processing theory.

Modality 1: Keystroke Dynamics — Shannon Entropy of Flight-Time Distributions

Theoretical Foundation

Every individual exhibits a characteristic rhythm when typing. This rhythm manifests in two measurable quantities:

• Dwell time: Duration a key is held down (typically 80–150ms for proficient typists)
• Flight time: Duration between releasing one key and pressing the next (highly variable, 50–300ms)

The flight-time distribution is particularly discriminative because it encodes the biomechanical constraints of the typist's hands — finger reach, hand dominance, learned motor patterns, and neuromuscular response characteristics.

Entropy Measurement

Titan computes the Shannon entropy of the flight-time distribution:

H(X) = -Σ p(xᵢ) · log₂(p(xᵢ))

where p(xᵢ) is the probability of flight-time falling in bin i (bins of 10ms width, range 0–500ms).

Interpretation

• Human typing: H(X) ∈ [3.2, 4.8] bits — moderate entropy reflecting natural variability within a consistent personal rhythm
• Bot typing: H(X) < 2.0 bits — low entropy from programmatic timing (too regular) or H(X) > 5.5 bits — high entropy from naive randomization (too random)
• Replay attacks: H(X) ≈ 0 bits — zero entropy from exact repetition of recorded timings

The entropy metric is elegant because it detects both overly regular (bot) and overly random (randomized bot) typing patterns — the adversary is trapped in a statistical vice.

Modality 2: Mouse Micro-Tremor Analysis — Hurst Exponent R/S Method

The Physics of Human Motor Control

Human hand movements exhibit involuntary micro-tremors in the 8–12 Hz frequency band, arising from the stretch reflex loop between muscle spindles and the spinal cord. These tremors are a physiological constant — present in every human hand movement, absent in synthetic mouse trajectories.

Rescaled Range (R/S) Analysis

Titan applies the Hurst exponent estimation via the rescaled range method:

1. Partition mouse trajectory into windows of length n
2. For each window, compute cumulative deviation from mean
3. Calculate range R = max(cumulative) - min(cumulative)
4. Calculate standard deviation S of the window
5. Compute R/S ratio for each window
6. Estimate H from log-log regression: E[R/S] ~ n^H

Interpretation

• H ∈ [0.55, 0.80]: Persistent, long-memory process — consistent with human motor control (micro-corrections, momentum-based movements)
• H < 0.30: Anti-persistent process — consistent with synthetic trajectories (programmatic zig-zag patterns)
• H ≈ 0.50: Random walk — consistent with naive randomization (Brownian motion simulation)

Spectral Validation

As a cross-check, Titan performs power spectral density analysis on the mouse velocity signal. Human trajectories exhibit a characteristic peak in the 8–12 Hz band (physiological tremor). Synthetic trajectories either lack this peak entirely or exhibit it at the wrong frequency.

Modality 3: Jerk-Curvature Bézier Deviation

Motor Planning Theory

Human movements follow the minimum-jerk principle (Flash & Hogan, 1985): the nervous system plans movements that minimize the integral of squared jerk (third derivative of position). This produces smooth, bell-shaped velocity profiles that are characteristic of biological motor control.

Measurement

Titan fits a minimum-jerk Bézier curve to each mouse movement segment and computes the deviation between the observed trajectory and the theoretical optimum:

D_jerk = ∫|trajectory(t) - bézier_optimal(t)|² dt / ∫|bézier_optimal(t)|² dt

Interpretation

• D_jerk ∈ [0.02, 0.15]: Human — small deviations from optimal trajectory due to motor noise
• D_jerk < 0.005: Synthetic — too perfect (programmatic Bézier interpolation)
• D_jerk > 0.30: Synthetic — too erratic (random perturbation injection)

BioToken Fusion

The three modalities are fused into a single BioToken confidence score via the same Beta distribution framework used by the Fusion Core:

BioToken = {
  keystroke_entropy: H(X),
  mouse_hurst: H_hurst,
  jerk_deviation: D_jerk,
  click_hesitation: median_pre_click_pause,
  human_score: posterior_mean(α_bio, β_bio)
}

The human_score is a continuous value in [0, 1] where 1 indicates highest confidence of human operation. This score feeds into the Fusion Core as an independent evidence layer with calibrated weight.

Privacy Architecture

All behavioral signals are processed client-side. Only the statistical summaries (entropy values, Hurst exponents, deviation metrics) are transmitted — never raw coordinates, timings, or keystroke content. The BioToken cannot be reversed to reconstruct what the user typed or where they clicked.

Adversarial Resistance

Modern behavioral-mimicry tools (e.g., AI-generated mouse paths via GPT-driven trajectory synthesis) can approximate individual modalities in isolation. However, simultaneously satisfying the entropy, Hurst exponent, jerk-curvature, and spectral constraints across all three modalities has proven infeasible in our adversarial testing. The biological signals are too deeply intertwined — they arise from the same neuromuscular system and exhibit cross-modal correlations that synthetic generation cannot reproduce.

Continuous Authentication: Beyond Login

The BioToken is not a one-time check. It operates continuously throughout the session, updating the behavioral posterior with every keystroke, mouse movement, and interaction event. This enables detection of mid-session account takeover — the moment a different human (or bot) begins operating the device, the behavioral profile diverges and the risk score adjusts in real time.