Question:
Consider a system that you are proposing for authentication based on keystroke patterns. The scheme works as follows. The server and the user go through a training session where a particular long password is typed a few times, and the server learns the delays between the keystrokes. The delays between keys are stored on the server, along with the password, for each training session. During run-time authentication, the user will ideally type the same long password, and the server verifies the password and the delays. This way, even if a malicious user steals the password of a benign user, the malicious user will not be able to replicate the exact delays. This is the premise of the proposed scheme.
In this framework, there are two options for authentication at run-time. Option A is to store the delays each time in the client terminal, and once the user types the full password and pushes a button, the password and delays are sent to the server for authentication. Option B is to send a message to the server each time a key is pressed, and let the server record the key pressed and compute the corresponding delays in receiving each key while the user is typing the full password, and then validate the correctness of the keys and the delays.
Option A seems a valid technique for obvious reasons, but the problem is storing these delays, which can be exposed to an adversary that can hack the user terminal. Option B seems a little more secure because nothing is stored in the host terminal, and the server computes the delays and compares the keystrokes typed. In this context, what would be a practical limitation of using Option B?
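
The following Python example is added here and is not part of the original question. It enrolls a delay profile from training sessions and verifies one login with delays measured as in Option A and as in Option B, where the server can only take gaps between message arrival times. The 40 ms tolerance, the salted PBKDF2 password hash, the function names and all timing values are assumptions constructed for illustration.

```python
import hashlib, hmac, os
from statistics import mean

TOLERANCE_MS = 40  # assumed acceptance window per delay; the question gives no value

def _hash(password, salt):
    # Assumption of this example: the server keeps a salted hash of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password, sessions):
    """Training: keep the password hash and the mean delay for each key gap."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt),
            "profile": [mean(gap) for gap in zip(*sessions)]}

def verify(template, password, delays):
    """Accept only if the password matches and every delay is near the profile."""
    if not hmac.compare_digest(_hash(password, template["salt"]), template["hash"]):
        return False
    profile = template["profile"]
    return len(delays) == len(profile) and all(
        abs(d - p) <= TOLERANCE_MS for d, p in zip(delays, profile))

def option_a_delays(press_times):
    """Option A: the terminal measures the gaps between key presses itself."""
    return [b - a for a, b in zip(press_times, press_times[1:])]

def option_b_delays(press_times, latencies):
    """Option B: the server sees only arrival times, i.e. press time plus the
    network latency of each per-key message, and takes gaps between arrivals."""
    arrivals = [t + l for t, l in zip(press_times, latencies)]
    return [b - a for a, b in zip(arrivals, arrivals[1:])]

# Constructed sample data (milliseconds); a short password is used for brevity.
PASSWORD = "kd-auth"
TRAINING = [[120, 200, 150, 310, 180, 140],
            [130, 190, 160, 300, 170, 150],
            [125, 210, 155, 305, 175, 145]]
PRESS_TIMES = [0, 128, 323, 481, 781, 959, 1101]   # one genuine login attempt
STEADY = [50] * 7                                  # same latency for every message
VARYING = [50, 55, 140, 48, 60, 52, 51]            # latency differs per message

TEMPLATE = enroll(PASSWORD, TRAINING)

if __name__ == "__main__":
    print("A:", verify(TEMPLATE, PASSWORD, option_a_delays(PRESS_TIMES)))
    print("B steady:", verify(TEMPLATE, PASSWORD, option_b_delays(PRESS_TIMES, STEADY)))
    print("B varying:", verify(TEMPLATE, PASSWORD, option_b_delays(PRESS_TIMES, VARYING)))
```

The same genuine key presses are used in all three checks; only the place where the delays are measured changes.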
