Inspiration
Passwords are a 60-year-old idea, and they still don't work. People reuse them, forget them, and lose them to phishing attacks they didn't even notice. We kept asking the same question: what if the key to your data was something that couldn't be stolen because it doesn't exist as a string of characters anywhere? Your mouse movements, your typing rhythm, the way you slow down before hitting backspace — that's yours and only yours. That's what we wanted to build around.
What it does
BehaviorKey Vault encrypts files using your behavioral biometrics as the key. During enrollment, the app records how you move your mouse and type — speed, acceleration, inter-key timing, and cursor jitter. It derives a 256-bit AES encryption key from those patterns and uses it to encrypt any file into a .aadi container. To decrypt, you just behave like yourself. No password to type, no key to store, no secret to hand over to a breach.
How we built it
Entirely in the browser — React, the Web Crypto API for AES-256-GCM and PBKDF2, and the Canvas API for the behavioral fingerprint visualizer. The .aadi format is a custom binary structure we wrote from scratch using ArrayBuffer and DataView: a magic header, salt, IV, HMAC checksum, and encrypted payload. We built a tolerance-matching layer that allows for natural variance in behavior (you don't type identically twice) while still rejecting a different person entirely.
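An added example, not the project's own code: a strict packer and parser for a container with the fields listed above, built on `Uint8Array` and `DataView`. The field sizes, the `AADI` magic value, and the names `packAadi` and `parseAadi` are assumptions, since the post does not give the actual layout.

```javascript
// Assumed layout (sizes are illustrative, not taken from the project):
//   magic "AADI" (4) | salt (16) | IV (12) | HMAC-SHA-256 (32) | payload (rest)
const MAGIC = 0x41414449; // "AADI" read as a big-endian u32
const SALT_LEN = 16, IV_LEN = 12, MAC_LEN = 32;
const GCM_TAG_LEN = 16; // Web Crypto appends a 128-bit tag to AES-GCM output by default
const HEADER_LEN = 4 + SALT_LEN + IV_LEN + MAC_LEN;

function packAadi({ salt, iv, mac, payload }) {
  if (salt.length !== SALT_LEN || iv.length !== IV_LEN || mac.length !== MAC_LEN) {
    throw new RangeError("salt, IV or HMAC has the wrong length");
  }
  const out = new Uint8Array(HEADER_LEN + payload.length);
  new DataView(out.buffer).setUint32(0, MAGIC, false); // big-endian magic
  let off = 4;
  for (const field of [salt, iv, mac, payload]) {
    out.set(field, off);
    off += field.length;
  }
  return out;
}

function parseAadi(bytes) {
  // Reject short input before reading any field: a valid payload holds
  // at least the GCM tag, so anything smaller is truncated or not ours.
  if (bytes.length < HEADER_LEN + GCM_TAG_LEN) {
    throw new RangeError("truncated container");
  }
  // Honour byteOffset so a view into a larger buffer parses correctly.
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (view.getUint32(0, false) !== MAGIC) {
    throw new TypeError("bad magic: not an .aadi container");
  }
  const saltEnd = 4 + SALT_LEN;
  const ivEnd = saltEnd + IV_LEN;
  const macEnd = ivEnd + MAC_LEN;
  // slice() copies, so callers cannot mutate the original file bytes.
  return {
    salt: bytes.slice(4, saltEnd),
    iv: bytes.slice(saltEnd, ivEnd),
    mac: bytes.slice(ivEnd, macEnd),
    payload: bytes.slice(macEnd),
  };
}
```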
Challenges we ran into
Behavioral data is noisy. A lot more than we expected. Your typing rhythm at 2 am after three coffees is not the same as at 10 am after a good night's sleep. Getting the tolerance window right — loose enough to recognize you across sessions, tight enough to keep someone else out — took way more iteration than we planned. We also had to design the binary .aadi format by hand, which meant debugging raw hex dumps more than any of us would like to admit.
Accomplishments that we're proud of
The live fingerprint visualizer. Watching your behavioral signature rendered as a real-time waveform on canvas, morphing as you move and type, is something we didn't expect to come together as well as it did. It makes an abstract security concept immediately visible. The other thing we're proud of: it runs entirely in the browser with no backend, so no server ever touches your key or your data. That's not just a convenience — it's the actual security model.
What we learned
Biometric systems live and die by their error rates — false acceptance and false rejection are at war with each other, and there's no clean answer, only tradeoffs. We also learned that building a custom binary file format is genuinely fun once you stop fighting the DataView API. And honestly, we learned that great UI isn't decoration — the fingerprint visualizer is what makes the concept land for someone who's never thought about behavioral biometrics before.
What's next for BehaviorKey Vault
The tolerance model we built is a heuristic. The real next step is training a lightweight ML classifier on behavioral samples to make acceptance/rejection more accurate and consistent across different hardware. We also want to add multi-factor behavioral profiles — enroll on your laptop, your phone, your tablet — and let the system reconcile across devices. Longer term, .aadi could support time-locked decryption: a file that only opens during hours when your behavior typically matches, adding a time-of-day layer on top of the biometric one.
Built With
- lovable
- react