Motions that we’ve performed countless times, Professor Maxion says, are governed by motor control, not deliberate thought. “That is why successfully mimicking keystroke dynamics is physiologically improbable,” he says.

He gives this example: A computer user holds down a key for an average of 100 milliseconds. Suppose that a fraudster is trying to mimic a person who is slightly faster than average — typically holding the key down for 90 milliseconds. “Then the spoofer is in the dubious position of having to consciously shorten a key-press action by 10 milliseconds,” Professor Maxion says. Having such control doesn’t seem realistic, he says, when one considers that “a voluntary eye-blink takes 275 milliseconds.”

He says that there is some evidence that a user’s emotional state affects typing rhythms. But just as people can recognize a familiar song even if it is mangled by inept musicians, so, too, he hypothesizes, could software recognize one’s distinct “core rhythm,” which would be “perceptible even through the noise of emotion, fatigue or intoxication.” He adds that the notion of core rhythm has not been experimentally confirmed.

Charles C. Tappert, a professor of computer science at Pace University, has also conducted research on the keystroke biometric, verifying identities by looking at the way students type their answers to questions on online tests. His research group has developed software that analyzes the distinctive pattern of keyboard pressure; it accurately confirms the claimed identity of a test taker in 99.5 percent of cases, he says.

The situations that Darpa has in mind would require a system that quickly authenticates the user, without waiting to collect data on hundreds of keystrokes. But Professor Tappert says that an intruder’s movement within an internal network would show telltale irregularities and that his software would be able to detect them.

Research overseen by Salvatore J. Stolfo, professor of computer science at Columbia University, has led to the development of software that uses a simple means of detecting an intruder: placing decoy documents on the computer. “For example, we have the user place a document with a juicy name like ‘CreditCards.doc’ on the P.C.,” Professor Stolfo says. “He or she knows it’s there only as a lure. But an intruder would be enticed to open it. Bingo!”