Adobe Patents a Password System That Uses Keystroke Timing as a Security Factor
Your password isn't just the characters you type — it could also include *when* you pause between them. Adobe has filed a patent that embeds deliberate timing gaps directly into the password itself.
What Adobe's pause-based password system actually does
Imagine your password is dog. Normally, any attacker who steals that string can use it. But what if part of the password was a one-second pause between the 'd' and the 'o'? That's the idea here.
Adobe's patent describes a password creation interface where you pick not just your characters but also a pause time between specific characters. You'd set something like: type 'p-a-s-s', wait 1.5 seconds, then type 'word'. The system stores that pause as part of the credential itself.
When you log in later, you'd have to reproduce both the right characters and the right timing gap. A password that leaks as plain text — or even in a hashed database dump — wouldn't be fully usable without knowing the rhythm you built into it.
How the pause time gets stored alongside your password
The patent describes a character entry pause system built into a password creation UI. During setup, a user sees a list of selectable pause-time options — think of them like discrete choices (half a second, one second, two seconds) — that they can assign to the gap between any two specific characters in their password.
The system records three things:
- The first character at the pause boundary
- The second character immediately after the pause
- The selected pause duration between them
All three are bundled together and stored as part of the credential. The pause time isn't just metadata — it's treated as an integral component of the password itself.
At authentication time (implied but not fully detailed in the published claim), the system would presumably measure how long the user waits between those two characters and compare it against the stored value. A bot or script that replays a stolen password string at full typing speed would fail the timing check even with the correct characters.
Why keystroke timing could tighten password security
Password databases get breached. When they do, stolen hashes or plaintext credentials are immediately usable elsewhere. By baking a timing dimension into the credential, Adobe's system means a leaked password string is incomplete — an attacker also needs to know the rhythm, which isn't typically captured or stored in the same attack vectors.
For you as a user, this adds a layer of authentication that's harder to phish or replay without significantly more sophisticated interception. It's closest in spirit to behavioral biometrics, but it's deterministic rather than probabilistic — you choose and reproduce a specific pause rather than having your natural typing style analyzed. That's a meaningful distinction for how it gets implemented and audited.
This is a genuinely interesting credential design idea that occupies a clever middle ground between standard passwords and full behavioral biometrics. The weak point is usability — reproducing a precise pause consistently, especially on mobile or when stressed, could generate a lot of lockouts. Whether Adobe ships this in something like Acrobat Sign or an enterprise identity product will determine if it's a useful innovation or a friction nightmare.
Get one Big Tech patent every Sunday
Plain English, intelligent commentary, no hype. Free.
Editorial commentary on a publicly published patent application. Not legal advice.