Technology that verifies MOOC test takers on the spot

8DEver hear of MOOCs? The acronym stands for massive open online courses: the free online courses taught by professors at leading universities.

MOOC business model problems

  • Cheating: Professors can’t tell just how much students rely on Google for help during an exam. A proposed solution has been that students take exams at regional testing centers, but barriers to this include: access to these centers especially in multiple countries, cost and convenience – after all these are free courses.
  • Student identity: Who’s to say the person taking the test isn’t an imposter and not the person who will actually get the grade?
  • Completion rate: Even something as simple as having skin in the game can make students feel more engaged. Most MOOCs are free, so students don’t feel a financial bite if they drop a course or perform poorly.

Many prominent schools, such as MIT, are investing significant resources in MOOCs; however, the viability and success of MOOCs will be ultimately be determined by the legitimacy of the degrees received—and that goes back to the legitimacy of the identities of the people who study the courses and take the final exams.

Remote proctoring

Just like sitting in a classroom under the supervision of a teacher, students need to be monitored as they are sitting in front of their PC, phone or tablet to ensure that they in fact are the ones that took the test.

How does remote proctoring work?

One proctor can monitor via webcams a maximum of six students simultaneously, keeping on the alert for suspicious behaviors such as suddenly wandering eyes.

Human monitors can track students via screen sharing and webcams, even monitoring students’ typing styles to possibly identify test-taking imposters. Newer technologies can remotely track test takers’ mouse clicks and even keystrokes. What these proctors don’t do is verify the identity of the test taker, read on.

Why webcams and keystrokes fail

It’s possible for a test taker to be a different person than the one who enrolled. One technology to nab this problem matches photo IDs to webcam photos.

The obvious flaw here is that if the test-taking imposter resembles (either naturally or artificially) the enrollee, the scam may work. However, a software program analyzes typing rhythm or keystroke dynamics of the enrollee, which is then compared to typing done during a test—but one of the major problems that keystroke dynamics runs into is that a person’s typing varies substantially during a day and between different days. People may get tired, or angry, or have a beer, or switch computers, or move their keyboard tray to a new location, or use a virtual keyboard, or be pasting in information from another source (cut-and-paste), or working with a voice-to-text converter.

Additionally, many tests/exams use multiple choice questions so keystroke analysis is not useful. The student also needs to enroll their typing pattern initially, so this pattern can be compared to subsequent log ins, adding an extra layer of cost. Additionally, any biometric capture of typing rhythm must be independently tested by a third party lab to prove acceptable (NIST) levels of false positives/negatives. At least one study I know suggests that keystroke analysis did not achieve minimum levels of security making this technology un-acceptable as a true means of verifying identity.

Maybe combining photo matching with typing analysis seems like foolproof technology—but webcams are often grainy, not everyone has one, IDs can be forged and things like makeup, hair dye, hairstyles, glasses and facial hair can all obscure the truth.

Technology will continue to be refined, and as it does it will soon get ahead of the imposters; likewise, more educational institutions will implement this technology, which isn’t airtight yet. However with MOOC’s the need to verify student identity exists and may make a large difference in how well they evolve in the marketplace. We need technology that can snuff out cheaters and identity fraudsters, and will work toward verifying the legitimacy of test takers.

Biometric signature IDs (BioSig-ID) argument:

One of the MOOC’s business models is to have students pay for a “verification” certificate that will establish that the student did attend/take exams/complete gradable events or generally was present for other course content. Personal investment in the process seems to work: Research has found that students who pay to be identified and verified to have taken a course and passed are substantially more likely to finish the course.

However, the MOOC’s typical methods of student verification fall short and don’t sit well with security experts. Different methods of verification are needed in order for the business model to succeed. Employers, to consider whether a “verified ID” certificate has any meaning in the workplace need more confidence that the student was “there” and learned the material- not just they signed up for the course.  To be successful, students need to be “identity proofed” at inception and at various times before accessing gradable events like tests, quizzes, interactive chats etc…Throwing up a photo ID and using keystroke analysis with their obvious limitations described above are just not acceptable in todays’ security world.

Some Biometrics like BioSig-ID use gestures such as length, speed, direction angle, and height of each stroke to define one’s unique pattern and can positively identify users as they log in from any PC, mobile or tablet.

These patterns are unique, and BioSig-ID software can distinguish the user from all others. Only a user who has successfully authenticated himself or herself against a previously created enrollment profile can access the device, exam, bank account, health information or other digital asset. What’s more they have created a robust audit trail that captures and compares the IP addresses and other history of behaviors over time. This forensic tool has even been helpful in catching student cheaters.

BioSig-ID’s “Missing Link” creation is patented software-only biometric that complies with the new gold standard for identity verification required by the Reauthorization of the Higher Education Act. It’s the strongest form of identity verification on the market today.

And there’s a twist: No additional hardware is required. This software biometric measures the unique way a user moves his or her mouse, finger or stylus when logging in with a password (consisting of a few simple strokes) created with BioSig-ID.

The BioSig-ID technology already used in over 55 countries for student verification, must have something going for it as it was chosen for the White House based initiative -National Strategy for Trusted Identities in Cyberspace (NSTIC) to create a new solution to verify user identity over the Internet before they can access a digital asset. Check them out at

Robert Siciliano, personal security and identity theft expert and BioSid-ID advisory board member. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.