FAIL anticheat if speed is above 750 char/sec (150wpm)
This introduces a hard max speed limit that is impossible to go over.
There's a good reason why it's there. However, 150 is far too slow.
Would it be possible to move more of the anticheat checks over to server side? Frontend code can easily be manipulated anyway. Right now I could simply delete that line and the request would be sent to the server. Not sure what would happen then but I'm not going to try and find out :)
More advanced serverside checks would enable you to see for example if the user has over 5,000 or 10,000 samples, maybe allow them to (apply to) have a higher speed cap.
Or run detailed analysis on timeToType. But not raw milliseconds. A couple I have freakishly low, like 9ms. On the same run, another key took 188ms. My keyboard has seen some shit, so there's some key chatter on my E key and that may contribute to some anomalies. But if the variance is 0, like if there's always 50ms to type K, then it's fairly obvious what is going on.
10ff has a captcha based anticheat. Seems to work fine. However, that's a lot of dev hours to implement.
Not sure how many users we have that believably can get past 150, so maybe a serverside whitelist curated by the dev team would even be the simplest solution to pull off.
The UI flow example:
1. Type, hit 151wpm
2. Popup: yo man nice speed bro, BUT this looks fishy af. Would you like to apply to a higher speed cap, say 175?
3. Dialog options: [YES] -- [Nope, I was cheating]
4. If it gets past basic checks (not a fresh user etc), notify the dev team
5. Dev team looks at users history
6. And makes a decision to raise the limit or make good use of the banhammer.
7. If user looks legit, raise max speed cap for him to 175
8. Practice more, hit 176, repeat the whole process
TLDR:
150wpm limit is too low, please raise.
Maybe use instead: manual whitelist, server-side anticheat or a mix of both.
I also think that 150 WPM is a low upper bound & more complex methods should be implemented to help distinguish and prevent bot usage.
http://twiddler.tekgear.com/tutor/twiddler.html
Here's an alternative site that some how incorporated the basic engine of keybr.com without the erroneous wpm limitation -- the catch being that there is no login profiling.