On the Insecurity of Keystroke-Based AI Authorship Detection: Timing-Forgery Attacks Against Motor-Signal Verification
David Condrey
TL;DR
This work interrogates keystroke-based AI authorship detectors that rely solely on motor timing signals to infer content provenance. It defines copy-type and timing-forgery attacks and proves a formal non-identifiability bound for timing-only observations, showing that provenance information cannot be recovered from keystroke timing alone. Empirical validation on 13,000 human sessions and 2,000 attack sessions demonstrates near-perfect evasion (≥99.8%) across five classifiers, with AUC = 1.000 for motor-present vs motor-absent cases, while the attacks imitate human motor patterns so closely that they defeat timing-based thresholds. The authors argue that secure provenance requires content-binding or semantic-aware defenses (e.g., revision history, challenge-response) rather than additional timing features, since keystroke timing alone can only attest that a human operated the keyboard, not that the human originated the text.
Abstract
Recent proposals advocate using keystroke timing signals, specifically the coefficient of variation ($δ$) of inter-keystroke intervals, to distinguish human-composed text from AI-generated content. We demonstrate that this class of defenses is insecure against two practical attack classes: the copy-type attack, in which a human transcribes LLM-generated text producing authentic motor signals, and timing-forgery attacks, in which automated agents sample inter-keystroke intervals from empirical human distributions. Using 13,000 sessions from the SBU corpus and three timing-forgery variants (histogram sampling, statistical impersonation, and generative LSTM), we show all attacks achieve $\ge$99.8% evasion rates against five classifiers. While detectors achieve AUC=1.000 against fully-automated injection, they classify $\ge$99.8% of attack samples as human with mean confidence $\ge$0.993. We formalize a non-identifiability result: when the detector observes only timing, the mutual information between features and content provenance is zero for copy-type attacks. Although composition and transcription produce statistically distinguishable motor patterns (Cohen's d=1.28), both yield $δ$ values 2-4x above detection thresholds, rendering the distinction security-irrelevant. These systems confirm a human operated the keyboard, but not whether that human originated the text. Securing provenance requires architectures that bind the writing process to semantic content.
