What the composition fingerprint can't do
The per-signal pages name the limitations of each individual measurement. This page names the limitations of the whole system. A reviewer who reads only one page in /science/ should read this one — the credibility of the rest depends on it.
Typed-out model output
The single most important limitation. A person who reads a model's response and types it into the editor character-by-character produces a composition fingerprint indistinguishable from genuine composition on most signals. Keystroke cadence looks human because a human is hitting the keys. Pause distribution looks human because the reader's eyes flick back to the source. Correction rate looks human because the typist makes the small errors a human makes. Mouse geometry looks human because a human hand is moving the mouse.
Red Stet catches mechanical automation — paste of full paragraphs, scripted keystroke injection, programmatic insertion through synthesized events. It does not catch a human cooperating with a model by acting as the model's transcription layer. That adversary defeats every per-signal measurement except the ones that look at the lexical content of what was typed, which the composition fingerprint deliberately does not.
The honest framing: the composition fingerprint proves a person sat at a keyboard and composed. It does not prove the words on the page originated in that person's head. Those are different claims. Closing the gap is the job of the integrity process — the writer's interview, the rubric, the in-class draft, the conversation about the piece — not of a single client-side signal stream. The verifier surfaces the evidence that is available. The interpretation belongs to a human reviewer who understands what the evidence does and doesn't reach.
"Behavioral biometrics resist algorithmic forgery much better than they resist a human adversary who has rehearsed the target's behavior. The mitigation is process, not better classifiers."
— Paraphrased from the threat-model framing across the Bergadano/Gunetti/Picardi line of work. The composition fingerprint inherits this property; naming it explicitly is the price of credibility.
Short documents
The composition fingerprint is a statistical claim. Keystroke σ, paste ratio, pause count, and the rest all rely on sample distributions over the course of a session. A 3,000-character paragraph yields thousands of inter-key intervals, dozens of pause-detection windows, a stable correction rate. A 200-character note yields a handful of samples for each. The signals don't separate cleanly at that scale; the confidence intervals on every estimate widen until the verdict is statistically meaningless.
Below 500 characters of typed content the verifier reports "Insufficient evidence — document too short to score" instead of a verdict tier. The composite is still computed and shown for transparency, with explicit copy saying it must not be read as a verdict — the per-signal estimates do not stabilize at that length. Between 500 and 2,000 typed characters the tier is reported with a reduced-confidence note; at 2,000 and above it is reported normally. Separately, the cadence signal scores a neutral 60 (with a note) whenever it has 10 or fewer inter-key samples, whatever the document length. Shipped 2026-06-11; previously the verifier computed a confident-looking composite at any length, which this page used to have to warn about.
Sample-count thresholds (live as of 2026-06-11)
- < 500 typed characters — "Insufficient evidence"; no verdict tier (composite shown for transparency only)
- 500–1,999 typed characters — tier reported with a reduced-confidence note
- ≥ 2,000 typed characters — tier reported at full confidence
Anchored on the keystroke-cadence σ stabilization point (~200 inter-key samples) and the correction-rate stabilization point (~20 backspace events). Short notes, single-sentence answers, and quick comments are explicitly out of scope.
Non-Latin scripts and non-English writing
The behavioral-biometrics literature is overwhelmingly calibrated on English Latin-alphabet typing at QWERTY keyboards. Bergadano, Gunetti, and Picardi demonstrated the keystroke-cadence signal survives in Italian — same alphabet, different digraph frequencies — but the rest of the field's threshold work assumes English bigram statistics. Red Stet's thresholds are no different. They were calibrated on an English sample corpus and ship with English-centered anchors.
Chinese typing through pinyin or stroke-based IMEs produces a fundamentally different keystroke distribution: the typist enters phonetic or radical sequences, then selects a character from a candidate list, which inserts multiple display characters per keystroke. Arabic and Hebrew typing run right-to-left with different cursor and selection patterns. Japanese mixes hiragana, katakana, and kanji selection within a single sentence. Korean Hangul typing composes syllable blocks from jamo. Each of these produces composition fingerprints that look uncommon against an English baseline but are entirely typical for the script. Red Stet's verifier does not currently distinguish "uncommon for hand-typed work" from "uncommon for English hand-typed work" — and the difference matters. Cross-language calibration is open work that has not started.
"Within-language inference is robust; cross-language comparisons require recalibration."
— The conclusion the keystroke-dynamics field reaches after every cross-script study. Red Stet inherits the result: the signal generalizes across writers within a script, not across scripts.
Adversarial corpora
Most published behavioral-biometric thresholds — the ones the per-signal pages cite — were calibrated on natural-distribution data: people writing as they naturally do. The classifiers separate writers from each other on that distribution and report accuracy on held-out natural samples. That is the regime the literature covers well.
The regime the literature covers less well is adversarial calibration: people deliberately trying to spoof the fingerprint. Killourhy and Maxion's benchmark dataset includes some attacker rounds, and the cadence-spoofing literature of the 2010s addresses fixed-string login authentication, but the combined-signal composition fingerprint Red Stet computes does not yet have an adversarial corpus calibrated to it. The individual signals each have some adversarial research; the way they combine in this product has been validated against natural samples and modeled against synthetic attackers, not against a corpus of real humans actively trying to defeat the composite. Building that corpus is open work. Until it lands, the published accuracy numbers describe natural-distribution performance, not adversarial performance.
"Detection accuracy reported on a natural-distribution corpus is an upper bound on performance against an adversary who has read the methodology."
— A recurring caveat in the keystroke-dynamics survey literature (Banerjee & Woodard 2012; Teh, Teoh & Yue 2013). Red Stet inherits the caveat; the per-signal weights in verify/index.html are tuned on natural samples.
Assistive input modalities
Voice-to-text dictation produces a keystroke stream that looks nothing like hand typing — long silent stretches followed by bursts of inserted text, no per-character timing, no biomechanical variance. Switch input devices, head-tracking input, and eye-tracking input produce their own characteristic patterns. Sticky-keys and on-screen keyboards change inter-key timing distributions in ways that look like neither natural typing nor mechanical insertion. Every assistive input modality has its own signature.
The right behavior is to flag these as different input modality and weight the composite accordingly — not to score them against a hand-typing baseline and call them "uncommon." Today's verifier does not make that distinction cleanly. A student using voice-to-text for an IEP-accommodated assignment, or a writer using a switch input device, will produce a composition fingerprint that scores poorly against the current thresholds. The fix is modality detection — recognizing the signature of a known assistive modality and routing the verdict around the standard scoring — and it's open work. Until it lands, reviewers handling a student with documented assistive input should weight the composite accordingly and lean on other evidence in the integrity process.
Modalities the current verifier does not distinguish from hand-typed
- Voice-to-text dictation (system-level or browser-level)
- Switch input devices
- Head-tracking and eye-tracking input
- On-screen keyboards (touch or pointer)
- Sticky-keys and modifier-key accessibility settings
- Braille input devices
Each produces a composition fingerprint that scores below the hand-typed thresholds. A reviewer evaluating a student with documented assistive input should treat the composite as not-applicable, not as evidence of anything.
Mobile vs desktop
A mobile soft-keyboard with autocomplete, predictive text, and swipe input produces a composition fingerprint that looks fundamentally different from desktop typing. Predictive completion inserts multi-character chunks on a single tap. Swipe-typing emits one event per word, not per character. Autocorrect rewrites already-typed text after the fact, producing what looks like a phantom paste. Inter-key timing reflects thumb-typing biomechanics, not finger-typing biomechanics. The σ thresholds, paste-ratio thresholds, and correction-rate thresholds that work on desktop don't transfer.
Since 2026-07-08 the analyzer detects virtual-keyboard sessions and routes the signals that don't transfer. The recorder stamps an input-capability block (touch points, coarse pointer, hover) into the session header, and soft-keyboard taps are recorded as their own event even when the keyboard withholds the key identity — Android keyboards report every tap as Unidentified, and before this change an essay typed on one recorded as zero keystrokes and read "insufficient evidence." Tap timing is real, so it carries the cadence and the evidence count. Autocorrect (insertReplacementText) counts as the human correction it is. A predictive-text or swipe commit — a keyless word-size insertion with the writer's taps around it — reads as ordinary mobile typing, not as programmatic injection. Key-hold times are withheld on touch sessions entirely: soft keyboards synthesize them, and a flat hold distribution there is the keyboard's artifact, not a replay script's.
Two things stay honest about what the record cannot tell. A long keyless insertion on a touch device is dictation or scripted insertion — the event stream is identical for both, so the verifier surfaces it as a question for the reviewer rather than silently excusing it or flagging it with desktop wording. And the composite's anchors — σ bands, correction rates, paste ratios — remain desktop-calibrated: thumb-typing runs raggier than finger-typing, so genuine mobile writers clear the existing cadence anchor comfortably, but a mobile calibration corpus is the real fix and that work has not started. The session manifest's kindUseMs field (milliseconds of pointer activity by kind — mouse, touch, pen) remains available as the coarse cross-check.
"Mobile keystroke dynamics is a separate research literature from desktop keystroke dynamics. The signal exists in both regimes, but the thresholds, the feature engineering, and the spoofing surface are distinct."
— The state of the field circa 2020. The mobile-vs-desktop split is well-documented in behavioral-biometrics surveys; the calibration work for Red Stet's combined fingerprint on mobile is incomplete.
Measurement-environment confounds
Four confounds the behavioral-biometrics literature documents that don't fit the categories above. Each can move a genuine writer's numbers for reasons that have nothing to do with how the document was composed.
Browser timer precision can fake mechanical cadence
Since the Spectre-era mitigations, browsers deliberately coarsen event timestamps. Firefox reduces timer precision to 1 ms by default and to 100 ms when privacy.resistFingerprinting is enabled; Tor Browser is coarser still. At 100 ms granularity, inter-key intervals quantize onto a grid and the computed σ is an artifact of the rounding, not the writer — a privacy-conscious human's session can read as mechanically uniform. Since 2026-06-11 the analyzer detects fully-quantized timing (≥ 90% of inter-key deltas on a 25 / 50 / 100 ms grid, against chance rates of ≤ 4%) and scores the cadence signal a neutral 60 with an explanatory note instead of machine-like. Partial coarsening below that detection bar remains undetected — a reviewer seeing implausibly regular timing that didn't trip the detector should still ask about the writer's browser configuration.
The same writer varies between sessions
Free-text keystroke-dynamics research consistently measures within-writer variance across sessions — fatigue, time of day, cognitive load, and task type all shift cadence and pause distributions for the same person (Gunetti & Picardi 2005; Conijn et al. 2019 document task effects directly). A writer's Tuesday-night session legitimately looks different from their Monday-morning one. Single-session thresholds absorb some of this; cross-session comparisons — "this doesn't look like their other work" — need to absorb much more of it, and should be made cautiously.
Keyboard hardware shifts timing distributions
Mechanical keyboards, laptop scissor switches, external Bluetooth boards, and on-screen keyboards have different key travel, debounce, and event-batching behavior. Bluetooth input in particular batches events in ways that add latency jitter indistinguishable from motor variance. The mouse-dynamics replication literature (Jorgensen & Yu 2011) showed environmental confounds of exactly this kind for pointing devices; the equivalent applies to keyboards, and the calibration corpus does not control for hardware.
Writers adapt under repeated recording
Behavioral baselines drift when subjects know they're measured — the template-aging problem in the continuous-authentication literature (surveyed in Banerjee & Woodard 2012). A student who writes under recording every week will, benignly, settle into different patterns than their first recorded session. This is distinct from adversarial spoofing: no deception is involved, but longitudinal comparisons against early-session baselines degrade.
"A measurement that doesn't know its instrument is part of the experiment will attribute the instrument's behavior to the subject."
— The framing these four share. Timer precision, hardware, session-to-session drift, and observation effects are all instrument problems, not writer problems. The composite cannot currently distinguish them from behavior; the reviewer has to.
Aware adversary spoofing
A student who knows their writing is being recorded — knows the verifier exists, knows roughly what it measures — can deliberately type with extra pauses, fake typos and corrections, exaggerated cadence variance, and inserted mouse drift to spoof a high human-typical score on a paste of a model's output. The published cadence-spoofing literature confirms this works at the level of fixed-string authentication; it works at least as well against a free-text composite.
The defensive response is not a better classifier. It is the per-moment evidence surface. The verifier surfaces every flagged, questionable, and key-human moment in the right-panel review — not just the composite. A reviewer who clicks through thirty key-human moments in a 5,000-word document can spot the artificial signal: humans don't sustain artificially high pause rates uniformly for an entire session, and the fake corrections cluster differently from real ones. The signature of over-performed human typing is its own kind of unusual, and a reviewer who knows what natural composition looks like can see it.
The structural defense is the integrity process around the verifier, not the verifier alone. An assignment that requires a brief in-class draft, a writer's interview, a rubric tied to process artifacts, or a peer-review pass anchors the verdict in evidence the composition fingerprint can't fake. The aware adversary is real. The mitigation is the same mitigation that handles every other authentication adversary: defense in depth.
"Behavioral signatures degrade when the subject is aware of measurement. The countermeasure is to design the process such that no single signature is decisive."
— The continuous-authentication literature's standard guidance. Red Stet's verifier is one piece of the integrity process, not a replacement for it.
The AI-detector comparison
AI detectors operate on the output text — the prose itself. They look at perplexity, burstiness, n-gram patterns, and other lexical features, then return a probability that a model generated the words. Red Stet operates on the process — the recording of how the words were typed. Different signals, different failure modes. The two systems are not interchangeable and they don't fail on the same documents.
AI detectors are known to fail on non-native English writers (whose prose statistics look closer to model output than to native-speaker output), on highly-edited prose (where revision smooths out the burstiness signal), and on writing in domains where the training corpus is thin (technical, philosophical, dialogic). Red Stet fails on typed-out model output (the section above), on cooperative adversaries (the same section), and on assistive-input modalities and mobile typing (the two sections before that). The two systems' failure modes are mostly disjoint. A document that fools one will not necessarily fool the other.
Stacked, the two classes of system catch more than either alone — and an integrity board with both signals available can triangulate. Used alone, each has known gaps that are too well-documented to ignore. The right framing for procurement: Red Stet is process evidence, not output classification, and the two are complementary rather than competing. The fuller treatment of how the two regimes differ lives at /science/comparisons/.
Where each system tends to fail
- AI detector — non-native English writers; highly-edited prose; thin-corpus domains (technical, philosophical, dialogic).
- Red Stet — typed-out model output; cooperative human adversaries; assistive-input modalities; mobile typing.
The failure sets are mostly disjoint. Procurement that wants robust signal across a population deploys both and weights them as independent evidence streams. See /science/comparisons/ for the side-by-side.
What we are and what we aren't
Procurement reviewers, integrity boards, and parents reading the FAQ ask the same question: what does this thing actually claim to be? The honest answer fits on a card.
Red Stet is NOT
- A court-admissible biometric verdict
- A replacement for academic-integrity processes that involve the writer
- An AI detector
- A truth machine
Red Stet IS
- Evidence of authorship process
- Material for a human reviewer to interpret
- One signal among many that an integrity board should weigh
A vendor that claims more than the second list is overclaiming. A reviewer who reads less than the second list out of the verdict is under-using the evidence. The product sits in between: enough to matter, not enough to decide alone.
Red Stet is not
- A court-admissible biometric verdict
- A replacement for academic-integrity processes that involve the writer
- An AI detector
- A truth machine
Red Stet is
- Evidence of authorship process
- Material for a human reviewer to interpret
- One signal among many that an integrity board should weigh
Bottom line
The verifier produces evidence, not verdicts. A composite score and a flagged-moment count are inputs to a human reviewer's judgment, not substitutes for it. The right way to read a Red Stet verification is to read the composite as one number among several, click through the flagged and key-human moments to see what they actually contain, weigh the result against the rest of the integrity process — the writer's interview, the assignment's rubric, the in-class draft, the conversation about the piece — and decide what to do based on the whole picture. The verifier is a microscope, not a courtroom. Treat it as one.
"The verifier produces evidence, not verdicts."
— The single sentence that should sit at the top of every integrity board's training material on how to use Red Stet. Everything else in this documentation is annotation on that line.