Keyboard fingerprint

With JavaScript enabled, user behavior can be tracked and profiled. Tor Browser implements defenses against user behavior tracking as of the beginning of the 5.x.x series.[1]

It reveals, how fast you type, how long your breaks are[2], which mistakes you make and how you correct them while writing the draft, also which type of local keyboard you are using.
Mouse tracking[3] analyzes the position and speed of cursor movement unique to each person as they interact with webpages.

Combined with stylometry which works with less data (final text only), keystroke fingerprinting will completely de-anonymize you. An adversary can compare statistics about user’s typing over clearnet, then compares it to texts composed over Tor in real-time.

I use the method kwrite–>browser in tor, if I have to use a VPS, would a virtual keyboard be useless to avoid keyword fingerprint between clearnet, where I use that of my pc, and VPS?
I am talking just about keyword fingerprint


Good day,

If you use a virtual, i.e. on-screen keyboard, keystroke fingerprinting isn’t possible, since the speed you type isn’t reflected in the speed you click on the on-screen keyboard.

Have a nice day,


I’d also worry about computer mouse fingerprinting.

1 Like

This is more hard to avoid
Can quantify in amount of minutes, hours, days that can be create a fingerprint enough defined which can be compared?


Good day,

That’s rather hard to say confidently. No conclusive information on how much is necessary to properly identify someone via their mouse movement.

Have a nice day,


Do you have any existing research in mind on computer mouse fingerprinting? @HulaHoop

There are various places where we should at least mention this.

User re-authentication via mouse movements

Relatively successful tracking active readers however mouse movements are not enough to fingerprint users. That was back in 2004.


Needs more work to achieve high accuracy. 2004.

An Efficient User Verification System via Mouse Movements

high accuracy achieved in limited situations - active authentication during log-on. Does not clear EU false positive requirements however so they recommend it for combining with keystroke dynamics as extra confirmation:

In the scenario of static verification, a user is required to perform a series of mouse movements and its mouse data is verified within a certain amount of time (e.g., login time). A good example of this scenario is a click-based graphical password for user login, where five clicks are estimated to be made in no more than 25 seconds.

By contrast, in the scenario of continuous verification, a user’s mouse data is continuously collected and verified throughout the entire session. This is non-intrusive to users and meets the goal of passive monitoring. However, the frequency of user mouse actions varies significantly in different sessions. In general, the average frequency of user mouse actions will be much lower than that of the static scenario.

Even for the same user at different times, the number of mouse events per unit time varies a lot. However, to the best of our knowledge, our work is the first to achieve high accuracy with a reasonably small number of mouse events.

search terms:

Mouse movement authentication


If the application window is not focused or active, the track still work?

Resume this topic without creating another, since it is related to my question
I don’t remember well but seem to have read something about the issue of wireless mouse that can send “something” because their connection isn’t encrypted, is right? Always about mouse is good idea to take it out of screen when not in use?

I’m not sure what you’re asking but its listed on our wiki that its not recommended to use wireless mice or keyboards.

1 Like