KeyGuard: Behavioral Identity Firewall

The Problem

Every security system you've ever used authenticates you once. You enter a password, pass a 2FA check, and the system trusts you indefinitely for the rest of the session.

But what happens after you log in?

Session hijacking, shoulder surfing, a stolen unlocked machine, a colleague sitting down while you're away — none of these trip a traditional authentication system. It already thinks it's you. This is what security teams call post-authentication compromise, and it's one of the most underaddressed attack surfaces in enterprise security today. In high-stakes environments — financial trading desks, hospital systems, enterprise workstations, government terminals — that blind trust creates real risk. A session left open for thirty seconds is an attack surface. Identity today is treated as a checkpoint. Modern zero-trust architectures require it to be continuously verified.


Our Solution

KeyGuard is a behavioral identity firewall that continuously verifies the person typing, in real time, invisibly, with no extra steps for the user.

One-sentence value proposition: we make identity continuous, not just a checkpoint.

Instead of authenticating once at login, KeyGuard monitors how you type throughout your entire session and continuously confirms you are still you. The moment someone else takes over the keyboard, the system detects it and triggers step-up verification automatically. Legitimate users experience zero friction. Security teams gain continuous identity assurance without adding any burden to the people they're protecting.


Platform & Accessibility

KeyGuard currently runs as a local desktop security layer with real-time inference — no cloud dependency, no data leaving the device, no external API calls required during operation. The production roadmap is a lightweight background agent deployable through enterprise endpoint management systems like JAMF and Intune, meaning IT teams can push it to hundreds of machines silently without any action from end users.

Deployment models include:

  • Silent background agent
  • SDK integrating into existing identity providers
  • Enterprise endpoint add-on for zero-trust stacks

The user flow is intentionally minimal. A two-minute enrollment session of natural typing builds a behavioral profile. After that, the system runs passively. The only time a user is prompted is when a sustained anomaly is detected — at which point a Touch ID or PIN challenge appears. No behavioral change required. No content stored. No invasive monitoring.


How It Works

Every person has a unique typing rhythm. Dwell time, flight time, and timing relationships between key pairs form a behavioral signature that is stable, personal, and hard to fake under pressure.

KeyGuard uses a shared embedding model trained to map raw keystroke timing sequences into a compact behavioral representation space, separating users based on behavioral rhythm — not what they typed.
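An added example, not code from the KeyGuard repository, of how the three timing features named above can be derived from raw key events while discarding key identity. The function names, the event tuple layout, and the exact feature definitions (dwell as press-to-release, flight as release-to-next-press, digraph latency as press-to-press) are assumptions.

```python
# Constructed sample: (timestamp_ms, key_id, kind). Key ids are opaque tokens
# used only to match a press with its release; they never reach the output.
SAMPLE_EVENTS = [
    (0, "k1", "down"),
    (10, "k9", "up"),      # orphan release (press happened before capture began)
    (50, "k1", "down"),    # OS auto-repeat while k1 is still held
    (95, "k1", "up"),
    (140, "k2", "down"),
    (180, "k3", "down"),   # rollover: k3 pressed before k2 is released
    (230, "k2", "up"),
    (260, "k3", "up"),
]


def pair_keystrokes(events):
    """Match each press with its release; return [(down_ms, up_ms)] by press time."""
    pending, strokes = {}, []
    for ts, key, kind in sorted(events, key=lambda e: e[0]):
        if kind == "down":
            if key not in pending:          # ignore auto-repeat presses
                pending[key] = ts
        elif kind == "up" and key in pending:
            strokes.append((pending.pop(key), ts))
    strokes.sort()
    return strokes


def timing_features(events):
    """Return timing-only features; no key identity is retained."""
    strokes = pair_keystrokes(events)
    pairs = list(zip(strokes, strokes[1:]))
    return {
        # how long each key was held
        "dwell": [up - down for down, up in strokes],
        # release of one key to press of the next (negative on rollover)
        "flight": [nxt[0] - prev[1] for prev, nxt in pairs],
        # press of one key to press of the next
        "digraph": [nxt[0] - prev[0] for prev, nxt in pairs],
    }


if __name__ == "__main__":
    print(timing_features(SAMPLE_EVENTS))
```

The negative flight value produced by the rollover pair is expected and is itself part of a typist's rhythm, so it is kept rather than clamped to zero.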

During enrollment, keystroke timing data is passed through the model, producing a stable identity embedding vector stored locally in encrypted storage. No raw content is retained — only the derived behavioral representation.

During live sessions, a sliding window of events is passed through the model every five seconds. The resulting embedding is compared to the enrolled identity embedding. If similarity drops below threshold for three consecutive windows — roughly fifteen seconds — KeyGuard triggers step-up authentication. The three-window requirement is deliberate: a single anomalous window could mean a distraction or typo. Requiring sustained deviation reduces false positives while still catching real intrusions fast. The system surfaces a continuous confidence signal — green (verified), yellow (uncertain), red (anomalous).
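The three-window rule described above, as an added example that is not KeyGuard's own code. The five-second window and the three-consecutive-window requirement come from the page; the cosine metric, the threshold value, the colour mapping, the handling of idle windows, and all names are assumptions.

```python
import math

WINDOW_SECONDS = 5       # from the page
REQUIRED_ANOMALIES = 3   # from the page
THRESHOLD = 0.7          # assumed; the page does not publish a value


def cosine_similarity(a, b):
    """Cosine similarity of two equal-length vectors; 0.0 if either is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class PolicyEngine:
    """Counts consecutive below-threshold windows for one enrolled identity."""

    def __init__(self, enrolled_embedding):
        self.enrolled = enrolled_embedding
        self.streak = 0

    def observe(self, window_embedding):
        """Return (status, step_up) for one window.

        None means the window held no keystrokes; the streak is left unchanged
        so an idle pause neither counts as an anomaly nor clears one (assumed).
        """
        if window_embedding is not None:
            sim = cosine_similarity(self.enrolled, window_embedding)
            self.streak = self.streak + 1 if sim < THRESHOLD else 0
        if self.streak >= REQUIRED_ANOMALIES:
            return "red", True
        return ("yellow" if self.streak else "green"), False


def evaluate_session(enrolled, windows):
    """Return (statuses, index of the window that triggered step-up or None)."""
    engine, statuses = PolicyEngine(enrolled), []
    for index, embedding in enumerate(windows):
        status, step_up = engine.observe(embedding)
        statuses.append(status)
        if step_up:
            return statuses, index
    return statuses, None


# Constructed 3-dimensional embeddings; a real model's vectors would be larger.
ENROLLED = [0.8, 0.6, 0.0]
NEAR, OTHER = [0.7, 0.7, 0.1], [0.0, 0.3, 0.95]
SESSION = [NEAR, OTHER, NEAR, OTHER, None, OTHER, OTHER]
```

In the constructed session, the isolated anomaly at the second window is cleared by the next matching window, while the later run of three anomalous windows triggers step-up even though an idle window falls inside it.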


Why This AI Approach

KeyGuard uses a lightweight deep embedding model trained for behavioral classification in keystroke timing space — not generative AI or LLMs.

Embedding models scale better than per-user statistical distributions, learn richer nonlinear behavioral structure, and improve for all users as the training dataset grows. They also enable a capability simpler models can't support: in shared environments, the system doesn't just detect that the wrong person is typing — it identifies which enrolled user has taken over, enabling clean and accountable session handoffs. Without machine learning, continuous behavioral verification at this fidelity would not be possible. The embedding model transforms the keyboard into a real-time biometric sensor.


Architecture Overview

The pipeline runs entirely on-device:

Keystroke Event Capture → Feature Extraction (dwell, flight, digraph latencies) → Sliding Window Aggregation (5s) → Global Embedding Model → Similarity Scoring (local encrypted identity store) → Policy Engine (three-anomaly threshold) → Step-Up Authentication Trigger

No typed content is stored. No video or audio monitoring. No invasive sensors beyond the keyboard itself. Future architecture includes optional secure cloud aggregation for enterprise analytics while preserving on-device inference for privacy.

For an in-depth review, visit our GitHub: https://github.com/jayadevgh/KeyStroke-ID/tree/master

The Demo

We enrolled two user profiles to demonstrate the full threat lifecycle.

Profile 1 — Legitimate Session: Profile 1 logs in and types normally. Similarity stays high, the banner stays green, the session continues uninterrupted — the system running invisibly in the background.

Impostor Scenario — Account Takeover: Profile 1 steps away. An impostor sits down. To any traditional system, nothing has changed. But embedding similarity begins drifting immediately. After three consecutive anomalous windows, KeyGuard flags the intrusion and prompts Touch ID. The impostor fails. Session locked. Total detection time: fifteen seconds.

Profile 2 — Clean Handoff: Profile 2 authenticates via Touch ID and begins typing. Within a few windows, similarity stabilizes against Profile 2's stored profile and the banner returns to green.

Key insight: KeyGuard doesn't just know who logged in. It knows who is typing right now — and it knows the difference.


Target Audience

KeyGuard is built for environments where session integrity is mission-critical:

  • Financial terminals and trading desks — unauthorized transactions from open sessions have immediate consequences
  • Enterprise workstations handling sensitive intellectual property or regulated data
  • Hospital kiosks and shared clinical systems — patient data access is heavily audited
  • Government and defense environments requiring strict identity accountability
  • Organizations implementing zero-trust architecture — where continuous verification is the standard

End users never need to think about it. The security team is the primary stakeholder.


Differentiation

Existing behavioral biometric solutions are cloud-dependent, require heavy enterprise integration, and focus primarily on mouse or touchscreen dynamics. KeyGuard is:

  • Local-first — all inference on-device
  • Lightweight — no compute or privacy overhead
  • Keystroke-native — built around the most common enterprise input modality
  • Platform-independent — deploys on top of any existing authentication system without replacing or disrupting anything

Market Validation

Account takeover and session hijacking remain among the most common enterprise security incident vectors. Zero-trust frameworks like NIST 800-207 explicitly call for continuous verification beyond initial login. Financial and healthcare sectors face growing regulatory pressure to strengthen post-authentication safeguards. The behavioral biometrics market is expanding as organizations recognize that checkpoint-based security models are no longer sufficient.


Limitations and Honest Tradeoffs

  • Enrollment dependency — requires a short typing session before the system can protect a user
  • Behavioral drift — injury, fatigue, or new hardware can affect embeddings over time
  • Deployment tooling — enterprise-scale rollout requires endpoint distribution infrastructure

These are engineering iteration opportunities, not structural limitations. Adaptive re-enrollment, embedding refinement, and seamless MDM deployment are all on the near-term roadmap.


What's Next

Immediate roadmap:

  • Silent enterprise background agent
  • MDM deployment integration
  • Security dashboard and SIEM integration
  • Adaptive embedding refinement

Longer term:

  • Multi-modal behavioral fusion combining keystroke and mouse dynamics
  • Federated model improvement across organizations
  • Seamless background learning that eliminates explicit re-enrollment entirely

KeyGuard transforms authentication from a gate into a guardian — something that doesn't just let you in, but stays with you the entire time you're there.


Built With

Python · Neural embedding model for keystroke dynamics · Real-time feature extraction pipeline · Similarity scoring engine · Touch ID integration · Local encrypted identity embedding store


Team

Built at Hack to the Future – Presented by AISC @ UW by Jayadev, Jiahe, Sambhu, and Owen.
