Is behavioural analysis (e.g. keystroke dynamics) a reliable security mechanism for MFA?
This has already been done by numerous vendors (click here), and patents have been on technologies similar to keystroke dynamics dating back as far as 1986 (click here or here).
Here is a paper which addresses using keystroke dynamics as biometric authentication, but I'm not sure how "digestible" it is for the lay person.
It would be hard to implement this across the board because, although a person's keystroke dynamics are often similar day-to-day you need to be able to account for significant variation. If a person is sick or tired they won't type the same as if they are angry.
Although I don't think this technology is ready for prime-time, I think it's great to discuss and investigate different types of biometric authentication and individual profiling to strengthen your security posture.
The second link AviD posted in comments diagrams its concept thus:
|User's machine|--|Events Acquisition|--|Feature Extraction|--|Classifier|--|Auth. DB|
Several things need to be considered in order to make this work:
Tablets, phones, and other mobile devices will have VERY different user dynamics compared to keyboard/mouse. Any such system intended for use alongside credential authentication would need to account for this. (The linked paper even remarks in the closing section that the variety of configurations in mice alone would present difficulties.)
The dynamics authentication channel would need to be protected in some way. It wouldn't necessarily be trivial to MITM this, but it's certainly not impossible.
As others have posted, any such form of "cognitive footprint" authentication can be used only as a support for other forms of authentication. It cannot have equal weight to something one has or something one knows. Otherwise you run the risk of locking out a sick/emotional/tired user. (Usually fine for military applications, but for general public use it's a bad business decision.)
Bruce Schneier posted about this early this year, actually. There's some good discussion in the comments there, although nothing definitive.
TL;DR: Behavioural analysis cannot currently be given equal weight with other factors in MFA. Usage as a support factor is possible to about the same degree as biometrics.
Behavioral dynamics is about on par with signature analysis/forgery for security. Which is to say, a casual attacker isn't likely going to successfully impersonate you, but as you said, it's not something you are, it's something you do. It's habits rather than features.
Of course, behavioral tendencies are pretty instinctual, and difficult to change at-will, but nonetheless just about any behavior can be acquired given enough practice. So much the same way that written signature security is based on the assumption that no one will sufficiently practice forging your signature, the security of any other behavioral fingerprinting is based on the assumption that no one will train themselves to impersonate your behaviors.
So it's probably OK for casual security, but anything high-value where an actual concerted attack is likely; that's a bit more iffy. Some behaviors are probably much harder to impersonate than others, but in the end you're never going to have proof of the security of such a system, and your confidence in such a system should be correspondingly reserved.