PromptPrint: Behavioral Biometrics Through Natural Language Prompting in LLMs

Source: cs.CL updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, extended

Summary

PromptPrint introduces a systematic study of "prompt-based identity," a novel behavioral biometric that identifies users through their habitual vocabulary, syntax, and discourse patterns in large language model (LLM) prompts. Analyzing 20,680 real prompts from 1,034 users, the research found that lexical representations, specifically TF-IDF, significantly outperform semantic encoders like SBERT for user identification, achieving a d' of 0.671 compared to SBERT-NN's 0.159. This supports the "lexical stability hypothesis," indicating identity is encoded in surface-level word choice. While stylometric features show high inter-user distinctiveness (d'=0.950), they lack intra-user consistency (Top-1=24.9%). Adversarial testing revealed prompt-based identity is robust to minor lexical changes (synonym substitution ΔTop-1=-0.001) but severely degrades under full semantic paraphrasing (Top-1=0.429, EER=0.703). The ensemble model achieved 64.2% Top-1 accuracy for 1,034 users, establishing prompt-based identity as a viable, passive biometric with implications for security and privacy.

Key takeaway

For AI Security Engineers evaluating user authentication in LLM applications, consider prompt-based identity as a passive biometric. Your systems should prioritize lexical analysis (TF-IDF) over semantic embeddings for robust identification, as identity resides in surface-level phrasing. Be aware that semantic paraphrasing can effectively sanitize this signal. For AI Ethicists, recognize this as a new surveillance surface, necessitating privacy-preserving countermeasures and transparent user awareness.

Key insights

Prompt-based identity, a new behavioral biometric, is primarily encoded in a user's surface-level lexical choices, not semantic intent.

Method

PromptPrint extracts lexical (TF-IDF), semantic (SBERT), and stylometric features from initial user prompts in the WildChat-1M dataset. It uses 5-fold cross-validation with Logistic Regression and MLP classifiers, evaluating identification and verification metrics.
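To gauge how much identity signal prompts leak and how far full paraphrasing removes it, the added example below (not the paper's code) builds per-user TF-IDF profiles and reports Top-1 and d' on original versus reworded prompts. It assumes cosine matching against a summed profile in place of the Logistic Regression and MLP classifiers, takes d' as the standard sensitivity index, and uses constructed prompts with hypothetical user ids.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pvariance

# Constructed prompts, hypothetical user ids (not WildChat-1M data).
TRAIN = [("u1", "pls write a quick python script to parse logs thx"),
         ("u1", "pls give me a quick summary of this article thx"),
         ("u2", "kindly provide a detailed explanation of tcp handshakes regards"),
         ("u2", "kindly provide a detailed recipe for lentil soup regards"),
         ("u3", "yo gimme a regex for email addresses asap"),
         ("u3", "yo gimme ideas for a birthday party asap")]
ORIGINAL = [("u1", "pls draft a quick email to my landlord thx"),
            ("u2", "kindly provide a detailed plan for learning spanish regards"),
            ("u3", "yo gimme a workout routine asap")]
# Same intents, fully reworded so the habitual words are gone.
PARAPHRASED = [("u1", "compose an email for my landlord"),
               ("u2", "write a plan for learning spanish"),
               ("u3", "create a workout routine")]

def unit(vec):
    norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
    return {t: v / norm for t, v in vec.items()}

def tfidf(text, idf):
    tf = Counter(t for t in text.lower().split() if t in idf)  # drop unseen words
    return unit({t: c * idf[t] for t, c in tf.items()})

def enroll(train):
    df = Counter(t for _, text in train for t in set(text.lower().split()))
    idf = {t: math.log((1 + len(train)) / (1 + c)) + 1 for t, c in df.items()}
    sums = defaultdict(Counter)
    for user, text in train:
        sums[user].update(tfidf(text, idf))  # accumulate per-term weights
    return idf, {user: unit(vec) for user, vec in sums.items()}

def evaluate(probes, idf, profiles):
    genuine, impostor, hits = [], [], 0
    for user, text in probes:
        vec = tfidf(text, idf)
        scores = {u: sum(w * p.get(t, 0.0) for t, w in vec.items())
                  for u, p in profiles.items()}  # cosine of unit vectors
        hits += max(scores, key=scores.get) == user
        for u, s in scores.items():
            (genuine if u == user else impostor).append(s)
    spread = math.sqrt((pvariance(genuine) + pvariance(impostor)) / 2) or 1e-9
    return hits / len(probes), (mean(genuine) - mean(impostor)) / spread  # Top-1, d'

IDF, PROFILES = enroll(TRAIN)
for name, probes in (("original", ORIGINAL), ("paraphrased", PARAPHRASED)):
    print(name, "Top-1=%.2f d'=%.2f" % evaluate(probes, IDF, PROFILES))
```

On this toy data the original prompts are all attributed correctly, while the reworded ones lose the genuine/impostor separation; the figures say nothing about the paper's reported numbers.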

Best for: Research Scientist, CTO, NLP Engineer, AI Scientist, AI Security Engineer, AI Ethicist

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.CL updates on arXiv.org.