Typing Biometrics: Catch "Two Operators" in One Interview

An operator playbook for spotting when the person coding isn’t the person messaging—without slowing the funnel or nuking candidate trust.


The “two operators” interview that blows up your week

It usually surfaces mid-loop: the candidate’s chat replies are fluent and instant, but the code arrives in bursts that don’t match the conversation. Someone on the panel says “something felt off,” and now you face two bad options:

  • If you overreact, you risk falsely accusing a legitimate candidate and creating a reputational incident.

  • If you add friction, you risk funnel leakage and missed headcount timelines.

This is exactly where typing biometrics can help: not as a courtroom verdict, but as an early-warning sensor that routes the candidate to the right lane.

Why it matters to Operations: speed, cost, and reputational blast radius

COOs live in the constraint triangle: hire fast, hire well, stay compliant. Fraud turns that triangle into a tradeoff you didn’t agree to. Two realities are driving urgency in remote roles:

  • Fraud is already in the funnel. Pindrop reports 1 in 6 applicants to remote roles showed signs of fraud in one real-world pipeline. That’s not a corner case; it’s throughput risk. (Source in “Sources.”)

  • Identity issues are showing up after the interview. Checkr found 31% of hiring managers say they’ve interviewed a candidate who later turned out to be using a false identity. That’s a governance and brand problem, not just a recruiting problem. (Source in “Sources.”)

And when it slips through, the operational cost isn’t just the salary line. SHRM cites replacement costs estimated at 50–200% of annual salary (role-dependent). Even if you don’t use that number in forecasting, you feel the downstream effects: rework, missed delivery, and leadership distraction. (Source in “Sources.”)

Typing biometrics is valuable here because it’s one of the few signals that can help detect a hand-off: the candidate in chat (or on voice) isn’t the same “operator” doing the work product. Common patterns:
  • Proxy assistance during coding while the candidate maintains “ownership” in chat/voice.

  • Live coaching via a second person in the room, with the candidate acting as a relay.

  • Tool-assisted cheating where the interaction pattern (not the output alone) changes sharply.

Typing biometrics in plain operator terms (and what it’s not)

What it measures: derived features of typing rhythm, such as:

  • Flight time (time between key releases/presses)

  • Error-and-correction rhythm (backspace bursts, edit patterns)

  • Burstiness (clusters of rapid input vs long pauses)

  • Paste/insert behavior (large insertions, frequency, timing)

What it’s not:

  • A single “gotcha” score that auto-rejects candidates

  • A replacement for identity verification or proctoring

  • A reason to store raw keystrokes or sensitive content

Operational stance: treat typing signals as risk inputs that must be corroborated by other evidence (identity verification results, interview telemetry, assessment integrity signals). Privacy-by-design guardrails (a feature-extraction sketch follows the list):

  • Prefer derived timing features over raw keystroke logs.

  • Minimize retention: keep short-lived features tied to an Evidence Pack for auditability.

  • Separate content from behavior: you don’t need to record what they typed to understand rhythm anomalies.

  • Provide a candidate-facing explanation and an appeal path (false positives happen).
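
To make “behavior without content” concrete, here is a minimal sketch of deriving timing features from key-event timestamps alone. The event format (kind/timestamp pairs, no characters) is an assumption for illustration, not a real IntegrityLens schema.

from statistics import mean, pstdev

def derive_timing_features(events):
    """events: time-ordered (kind, t) pairs, kind in {"keydown", "keyup"},
    t in seconds. No characters are recorded, only timing."""
    downs = [t for kind, t in events if kind == "keydown"]
    ups = [t for kind, t in events if kind == "keyup"]
    flights = [b - a for a, b in zip(downs, downs[1:])]    # press-to-press gaps
    holds = [u - d for d, u in zip(downs, ups) if u >= d]  # press-to-release (paired)
    def stats(xs):
        return {"mean": mean(xs), "sd": pstdev(xs)} if xs else None
    features = {"flight": stats(flights), "hold": stats(holds)}
    # Burstiness as coefficient of variation of flight times (higher = choppier).
    if len(flights) > 1 and mean(flights) > 0:
        features["burstiness"] = pstdev(flights) / mean(flights)
    return features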

Build a split-operator detection loop (step-by-step)

1. Define the “two operators” hypothesis

Write down the exact pattern you’re trying to detect: the person typing chat responses is not the same person producing the code (or the same person is being actively piloted).

2. Choose signals you can defend

Start with signals that are hard to fake consistently and easy to explain:

  • Chat vs editor cadence mismatch (steady chat rhythm, erratic code rhythm)

  • Paste spikes during coding (especially after long idle)
  • Sudden style discontinuity (typing speed variance, correction patterns)
  • Session discontinuities (device/browser changes mid-interview, focus switches)
3. Normalize per candidate (avoid “fast typist” bias)

Measure change relative to the candidate’s own baseline during the session. You’re looking for discontinuities, not absolute speed, as in the sketch below.
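
A minimal sketch of that comparison, assuming the z-score-vs-baseline method named in the policy later in this post; the 200-sample floor mirrors its minimum_samples guard, and the function name and window handling are illustrative:

from statistics import mean, pstdev

def discontinuity_zscore(baseline_intervals, window_intervals, min_samples=200):
    """Distance of a recent window of inter-key intervals from the candidate's
    own session baseline, in baseline standard deviations. A routing heuristic,
    not a formal test; ~3.0+ matches the policy's escalation threshold."""
    if len(baseline_intervals) < min_samples or not window_intervals:
        return 0.0  # not enough of this candidate's own data to judge
    mu, sigma = mean(baseline_intervals), pstdev(baseline_intervals)
    return abs(mean(window_intervals) - mu) / sigma if sigma > 0 else 0.0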

4. Use Risk-Tiered Verification (fast path + escalation)

Create tiers so low-risk candidates move quickly while suspicious sessions get additional checks (a tier-routing sketch follows the list):

  • Tier 0 (Green): No anomalies → proceed.

  • Tier 1 (Yellow): One anomaly class → ask for a lightweight integrity step (e.g., a short live coding confirmation).
  • Tier 2 (Orange): Multiple anomaly classes or high-severity signal → require enhanced verification before continuing.
  • Tier 3 (Red): Corroborated identity mismatch + strong integrity anomalies → pause process, route to security/ops review.
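
As a sketch, the ladder reduces to routing logic. Signal names and severities mirror the policy later in this post; the function itself is illustrative, and note that it only routes, never rejects:

SEVERITY = {
    "typing_discontinuity": "medium",
    "paste_spike": "high",
    "environment_switch": "high",
    "id_verification_anomaly": "high",
}

def assign_tier(fired):
    """Map the set of fired signal classes to a verification tier (0-3)."""
    if not fired:
        return 0  # Green: proceed
    if "id_verification_anomaly" in fired and len(fired) >= 2:
        return 3  # Red: corroborated identity mismatch + integrity anomaly
    if len(fired) >= 2:
        return 2  # Orange: multiple anomaly classes
    (only,) = fired
    return 2 if SEVERITY.get(only) == "high" else 1  # Orange vs Yellow
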
5. Design reviewer ergonomics (avoid fatigue)

If every case looks “kinda weird,” reviewers burn out and start rubber-stamping. Build:

  • A single queue with labels (“cadence discontinuity”, “paste spike”, “device switch”)

  • Time-boxed review (e.g., 5–7 minutes) with a default action
  • Consistent evidence snapshots (timeline + highlights)
6. False-positive management (protect brand)

Your goal is not to “catch” candidates; it’s to avoid wrong calls while still stopping obvious fraud:

  • Require two independent signal classes before escalation beyond Tier 1

  • Provide a retry path (“We need to re-run a short integrity check”) rather than an accusation
  • Track outcomes: which signals correlated with confirmed issues vs cleared candidates (see the tally sketch below)
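
A minimal outcome tally for that last point, assuming only that reviewers record a final disposition per case; over time it shows which signal classes actually predict confirmed issues:

from collections import Counter

confirmed, cleared = Counter(), Counter()

def record_outcome(fired_signals, was_confirmed):
    """Call once per resolved case with its fired signal classes and the
    reviewer's final disposition (confirmed issue vs cleared candidate)."""
    bucket = confirmed if was_confirmed else cleared
    for signal in fired_signals:
        bucket[signal] += 1

def signal_precision(signal):
    """Share of cases carrying this signal that were confirmed; None if unseen."""
    total = confirmed[signal] + cleared[signal]
    return confirmed[signal] / total if total else None
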
7. Close the loop with governance

Document:

  • What you collect
  • How long you retain it
  • Who can view it
  • How candidates can appeal
  • How you audit decisions

Escalation guardrails:

  • Never reject on typing biometrics alone.

  • Escalate when (a) typing discontinuity is strong AND (b) at least one other integrity signal appears (identity anomaly, suspicious paste behavior, or environment change).

  • Prefer “confirmatory steps” (short live task) over “gotcha” messaging.

Risk-tiered policy for typing vs coding inconsistency

Use a policy like this to standardize actions, reduce reviewer variance, and make escalation consistent. It’s designed to be auditable and to explicitly manage false positives.

Example runbook: what happens when the signal fires

1) Assemble the Evidence Pack

  • Timeline: chat bursts, editor idle, paste events, device/browser changes

  • Derived typing features summary (no raw keystrokes)

  • Links to identity verification outcome and interview step metadata

2) Route to the right queue

  • Recruiting ops reviews Tier 1–2

  • Security/compliance reviews Tier 3

3) Candidate-safe escalation message

  • “We run integrity checks to keep the process fair for everyone. We need to re-confirm a short portion live.”

4) Confirmatory step (fast)

  • 5–8 minute live coding micro-task or “explain-this-code” checkpoint

5) Resolution

  • Clear and proceed, or pause and request enhanced verification, or close with documented rationale

The key is to avoid improvisation. Improvisation is where inconsistent treatment (and reputational damage) happens.

What typically fires the signal (a paste-spike detector sketch follows the list):

  • Mismatch between chat typing rhythm and editor rhythm (within-session discontinuity).

  • Large paste inserts immediately after long idle or app focus change.

  • Repeated context switches (tab blur/focus) clustered around key moments.

  • Coding style shifts that align with timing shifts (not just “different solution”).
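
A sketch of the paste-spike check under an assumed telemetry shape (time-ordered events with a timestamp, a kind, and a character count for pastes); the 400-character and 45-second defaults come from the policy later in this post:

def find_paste_spikes(events, min_chars=400, min_idle_s=45):
    """events: time-ordered editor telemetry dicts, e.g.
    {"t": 312.0, "kind": "paste", "chars": 950} or {"t": 313.1, "kind": "key"}."""
    spikes, last_activity = [], None
    for ev in events:
        idle = ev["t"] - last_activity if last_activity is not None else 0.0
        if ev["kind"] == "paste" and ev.get("chars", 0) >= min_chars and idle >= min_idle_s:
            spikes.append({"t": ev["t"], "chars": ev["chars"], "idle_before": idle})
        last_activity = ev["t"]
    return spikes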

Risk: false positives, accessibility, and how to avoid a PR incident

The controls that keep this defensible:

  • Accessibility-aware options: allow candidates to disclose assistive tech without penalty; ensure escalation steps are compatible.

  • Explainability: show reviewers why it was flagged (e.g., “paste spike + device switch”), not a mysterious score.

  • Appeal/retry path: a clean re-check is cheaper than a reputational fight.

  • Separation of duties: recruiters shouldn’t be making final fraud determinations alone; define who signs off at each tier.

Fraud defense is a continuous loop. Attackers adapt; your thresholds and playbooks need quarterly review. Three don’ts:

  • Don’t record raw keystrokes “just in case.”

  • Don’t tell a candidate you think they used a proxy; frame it as process integrity.

  • Don’t let a single reviewer make ad-hoc calls without an Evidence Pack.

Where IntegrityLens fits

  • Identity verification (pre-interview): verify identity before interviews start, typically in 2–3 minutes (document + voice + face), reducing the chance you’re evaluating the wrong person.

  • Fraud detection: correlate typing-behavior anomalies with other integrity signals (device changes, session anomalies) into Risk-Tiered Verification.

  • AI screening interviews (24/7): run initial screens instantly in any timezone, then escalate higher-risk candidates to live confirmation.

  • Technical assessments (40+ languages): capture assessment telemetry (like paste behavior and timing patterns) in a consistent environment to reduce ambiguity.

Who uses it:

  • TA leaders to protect funnel speed and candidate experience

  • Recruiting ops to operationalize queues, policies, and Evidence Packs

  • CISOs / security teams to ensure controls, access, encryption (256-bit AES baseline), and governance stand up to audits

Security posture note: IntegrityLens runs on Google Cloud infrastructure that is SOC 2 Type II audited and ISO 27001 certified, with GDPR/CCPA-ready controls. Why the integrated platform matters:

  • Fewer handoffs = fewer gaps where fraud hides.

  • One evidence model (Evidence Packs) reduces back-and-forth during escalations.

  • Idempotent webhooks let you integrate signals into your HRIS/security stack without double-processing or missing events (see the consumer sketch below).
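
A minimal consumer sketch of the idempotency pattern: key every delivery on its idempotency key so retries and duplicates become no-ops. The payload shape matches the policy’s webhook section; route_event and the in-memory set are stand-ins for your real handler and a durable store:

processed_keys = set()  # in production: a durable store with a unique constraint

def route_event(payload):
    """Hypothetical downstream handler (update HRIS, open a security ticket)."""
    print("routing", payload.get("event"))

def handle_webhook(payload):
    key = payload["idempotency_key"]  # e.g. "candidate_id+step_id+risk_tier"
    if key in processed_keys:
        return  # duplicate delivery; acknowledge without side effects
    processed_keys.add(key)
    route_event(payload)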

The COO-grade operating model

Don’t ask typing biometrics for a verdict. Instead:

  • Treat it as a risk input that triggers confirmatory steps.

  • Require corroboration (two independent signal classes) for higher-tier escalations.

  • Standardize actions with a Risk-Tiered Verification policy.

  • Preserve dignity with candidate-safe messaging and a retry path.

  • Store outcomes as Evidence Packs for auditability and continuous tuning.

Fraud evolves. Your advantage isn’t a single clever signal; it’s a repeatable loop that improves every quarter.

Questions to pressure-test your current process

  • Do we have a documented false-positive playbook, or do reviewers improvise?

  • Are we correlating signals across steps (ID verification + interview + assessment), or treating them as separate tools?

  • If Legal asked tomorrow, could we show retention limits and access controls for integrity data?

  • Do we have a candidate-safe “redo” path that doesn’t feel punitive?


Key takeaways

  • Typing biometrics (keystroke dynamics) can help flag “split-operator” fraud: one person typing messages, another person writing code.
  • Use typing signals as a risk input—not a conviction—paired with identity verification, interview evidence, and assessment telemetry.
  • Implement a Risk-Tiered Verification ladder with a fast-path for low-risk candidates and an escalation path that’s respectful and auditable.
  • False-positive management is the whole game: define thresholds, require corroborating signals, and give candidates an appeal/retry path.
  • Operationalize with Evidence Packs: store what happened (timestamps, diffs, anomaly reasons), not “vibes.”
Risk-Tiered Verification policy: typing vs coding inconsistency (YAML)

A deployable policy that escalates only when typing biometrics corroborate with other integrity signals.

Designed to minimize false positives, standardize reviewer actions, and produce audit-ready Evidence Packs.

version: 1
policy: split-operator-typing-vs-coding
owner: recruiting-ops
purpose: >-
  Detect within-session inconsistency between candidate messaging (chat) and coding activity
  to flag potential proxy assistance or operator hand-off. Typing biometrics are a risk input
  only and must not be used as a sole rejection criterion.

data_minimization:
  collect:
    - derived_keystroke_timing_features  # e.g., hold/flight distributions, burstiness
    - editor_event_telemetry            # paste events, idle time, focus/blur
    - chat_event_telemetry              # message timestamps, burst patterns
  do_not_collect:
    - raw_keystrokes
    - message_content
    - clipboard_content
  retention:
    evidence_pack_days: 30
    derived_features_days: 30
    access_logs_days: 365

signals:
  typing_discontinuity:
    description: "Within-session shift in typing rhythm beyond candidate baseline"
    severity: medium
    threshold:
      method: zscore_vs_candidate_baseline
      zscore_min: 3.0
      minimum_samples: 200
  paste_spike:
    description: "Large code insertion following prolonged idle or focus change"
    severity: high
    threshold:
      paste_chars_min: 400
      preceding_idle_seconds_min: 45
  environment_switch:
    description: "Browser/device/session fingerprint change mid-step"
    severity: high
    threshold:
      allowed_switches_per_step: 0
  id_verification_anomaly:
    description: "Identity verification mismatch or low-confidence match"
    severity: high
    threshold:
      allow_manual_review: true

decision_tree:
  tier_0_green:
    when: "no_signals"
    action:
      - proceed
  tier_1_yellow:
    when: "typing_discontinuity"
    guardrails:
      - "must_not_auto_reject"
    action:
      - create_evidence_pack
      - request_confirmatory_step:
          type: "live-micro-task"
          duration_minutes: 8
          candidate_copy: "We run integrity checks to keep the process fair. Please complete a short live confirmation."
  tier_2_orange:
    when: "typing_discontinuity AND (paste_spike OR environment_switch)"
    guardrails:
      - "require_second_reviewer"
    action:
      - create_evidence_pack
      - pause_pipeline_max_hours: 24
      - request_enhanced_verification:
          type: "re-verify-identity"
          notes: "Re-run doc+voice+face verification before continuing"
      - request_confirmatory_step:
          type: "explain-code"
          duration_minutes: 10
  tier_3_red:
    when: "(id_verification_anomaly) AND (paste_spike OR environment_switch OR typing_discontinuity)"
    guardrails:
      - "security_signoff_required"
      - "must_provide_candidate_appeal_path"
    action:
      - create_evidence_pack
      - lock_offer_flow
      - route_to_queue: "security-review"
      - candidate_outreach_template: "integrity-review-pending"

reviewer_ergonomics:
  evidence_pack_contents:
    - timeline_summary
    - top_signals_with_thresholds
    - replay_links_to_step_artifacts
    - reviewer_notes
  sla:
    tier_1_review_minutes: 7
    tier_2_review_minutes: 10
    tier_3_review_minutes: 15

appeal_flow:
  allow_retest: true
  retest_limit: 1
  escalation_owner: "recruiting-ops-manager"
  security_owner: "ciso-delegate"

integration:
  webhooks:
    - event: "integritylens.risk_tier_assigned"
      idempotency_key: "candidate_id+step_id+risk_tier"
    - event: "integritylens.evidence_pack_created"
      idempotency_key: "evidence_pack_id"
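
A small sketch of consuming the policy as configuration, assuming PyYAML and a hypothetical filename; keeping thresholds in the YAML rather than in code is what makes quarterly tuning auditable:

import yaml  # PyYAML

with open("split-operator-policy.yaml") as f:  # hypothetical path
    policy = yaml.safe_load(f)

paste_t = policy["signals"]["paste_spike"]["threshold"]

def paste_spike_fired(paste_chars, preceding_idle_s):
    """Evaluate one signal against the policy's thresholds."""
    return (paste_chars >= paste_t["paste_chars_min"]
            and preceding_idle_s >= paste_t["preceding_idle_seconds_min"])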

Outcome proof: what changes

Before

Escalations were ad-hoc (“something felt off”), causing inconsistent candidate treatment, slow reviews, and occasional late-stage reversals when concerns surfaced after team interviews.

After

Introduced a Risk-Tiered Verification ladder that treats typing/coding inconsistency as a routing signal. Reviews became consistent (Evidence Packs + defined thresholds), and escalations shifted earlier in the funnel without broadly increasing friction.

Governance Notes: Legal and Security signed off because the control is privacy-minimized (derived timing features, no raw keystrokes, explicit retention limits), access-controlled with logged reviewer activity, and structured around an appeal/retest flow. Typing biometrics are not used as a sole rejection criterion; escalations require corroborating signals and produce an Evidence Pack that supports consistent, non-discriminatory decisioning.

Implementation checklist

  • Define the split-operator threat model (chat vs code vs voice/video) and what you will/won’t act on.
  • Choose 5–8 low-privacy typing features (timing + rhythm); avoid raw keystroke capture where possible.
  • Set risk tiers and escalation rules (no single signal triggers rejection).
  • Add reviewer ergonomics: one queue, consistent labels, and time-boxed review.
  • Publish candidate-facing language: what you measure, why, and how to appeal.
  • Run a two-week calibration: measure false positives and tune thresholds before hard enforcement.

Questions we hear from teams

Is typing biometrics reliable enough to make a decision?
It’s reliable as a consistency signal, not as a standalone identity claim. Use it to trigger a confirmatory step, and require corroborating signals before any high-impact action.
Won’t this slow down hiring?
It only slows down the subset of candidates routed to an escalation tier. The operator move is to keep Tier 0 fast, make Tier 1 lightweight, and time-box reviews so escalations don’t become a backlog.
How do we avoid false positives and discrimination risk?
Normalize to the candidate’s own baseline, avoid absolute speed thresholds, require multiple signal classes for higher tiers, provide an accessible confirmatory step, and maintain a documented appeal path.
Do we need to store keystrokes?
No. Prefer derived timing features and editor telemetry (paste/idle/focus) with strict retention limits. This is typically easier to justify to Legal and Security.
How does this connect to proxy interviews and deepfakes?
It’s one sensor in a defense-in-depth model. Pair it with identity verification (doc+voice+face), interview integrity checks, and assessment telemetry so you’re not betting on any single signal.

Ready to secure your hiring pipeline?

Let IntegrityLens help you verify identity, stop proxy interviews, and standardize screening from first touch to final offer.

