At the same time, I'm sure this still helps against drive-by attackers. For more motivated attackers, it's one more hoop for them to jump through, though you'd want to do some hardening on the client-side script since it's easy to manipulate the JavaScript environment.
Edit: I ended up testing it, not bad! The basic script got to about 0.45 in the end, but never was confidently marked as human. With the hint of the 5 metrics in the prompt, a more advanced script did get to 0.63 (human and confident), but that needed the insider information.
I built isHumanCadence as a proof-of-concept to see if we can move the "proof of humanity" signal from visual puzzles to behavioral biometrics, specifically keystroke dynamics.
How it works: It measures dwell time (key down duration), flight time (gaps between keys), and rollover (overlapping key presses). Humans are messy biological engines; we have a rhythmic entropy that is currently very expensive for bots to simulate at scale.
Technical Specs:
Zero dependencies.
< 1kb minified/gzipped.
Purely client-side (privacy-focused).
Uses a Schmitt trigger (hysteresis) to prevent "flickering" during natural pauses.
Caveat: This is a PoC. Client-side security is trustless, and "generative keystrokes" are the next frontier for AI. I'm curious to hear how HN would approach hardening these heuristics or if anyone has seen success with similar behavioral signals in production.
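The three signals and the hysteresis step described in the post, as an added sketch that is not isHumanCadence's code and not part of the original post. The event format, the down-to-down definition of flight time, the scoring weights and the 0.4/0.6 thresholds are all assumptions made for the example.

```javascript
// Added illustration, not isHumanCadence's code; format, weights and thresholds are assumed.
// Events: { type: 'down' | 'up', key, t } with t in milliseconds.
function extractFeatures(events) {
  const held = new Map(); // key -> keydown timestamp
  const dwell = [], flight = [];
  let lastDown = null, rollovers = 0, downs = 0;
  for (const e of events) {
    if (e.type === 'down') {
      if (held.has(e.key)) continue;            // skip OS auto-repeat
      if (held.size > 0) rollovers++;           // pressed while another key is still down
      if (lastDown !== null) flight.push(e.t - lastDown); // down-to-down gap (assumed definition)
      held.set(e.key, e.t);
      lastDown = e.t;
      downs++;
    } else if (held.has(e.key)) {
      dwell.push(e.t - held.get(e.key));        // key-down duration
      held.delete(e.key);
    }
  }
  return { dwell, flight, rolloverRate: downs ? rollovers / downs : 0 };
}

// Coefficient of variation: spread relative to the mean, 0 for perfectly regular timing.
function cv(xs) {
  if (xs.length < 2) return 0;
  const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
  const sd = Math.sqrt(xs.reduce((a, x) => a + (x - mean) ** 2, 0) / xs.length);
  return mean > 0 ? sd / mean : 0;
}

// Hypothetical score in [0, 1]: more timing variance and rollover reads as more human.
function score(f) {
  const cap = x => Math.min(1, x);
  return 0.4 * cap(cv(f.dwell) / 0.3) + 0.4 * cap(cv(f.flight) / 0.3) + 0.2 * cap(f.rolloverRate / 0.1);
}

// Schmitt trigger: flip to human at >= high, back only at <= low, so scores
// wandering between the two thresholds do not flicker the verdict.
function makeSchmitt(low = 0.4, high = 0.6) {
  let human = false;
  return s => (human = human ? s > low : s >= high);
}

// Constructed samples as [key, downT, upT]: metronomic script vs. overlapping, uneven typing.
const toEvents = rows => rows
  .flatMap(([key, d, u]) => [{ type: 'down', key, t: d }, { type: 'up', key, t: u }])
  .sort((a, b) => a.t - b.t);
const scripted = toEvents([['a', 0, 50], ['b', 100, 150], ['c', 200, 250], ['d', 300, 350]]);
const typed = toEvents([['a', 0, 95], ['b', 80, 140], ['c', 310, 420], ['d', 395, 450]]);
```

Because everything here runs in the page, a server that relies on the verdict has only the client's word for it, which is the hardening concern raised in the comment above.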