Yes, it's unclear how the FCC is allowing IEEE 802.11bf to proceed if it can be used to collect passwords and other typed data, not to mention what people are physically doing in different rooms of their homes and businesses. Good for vendors of 2FA and faraday rooms, but bad for the millions of buildings about to become transparent.
As for keystroke timing, it could theoretically have been collected for years by local and web (search?) services which offered autocomplete. Research and investment is ongoing, e.g. https://arxiv.org/pdf/2101.05570
> Our approach called TypeNet achieves state-of-the-art keystroke biometric authentication performance with an Equal Error Rate of 2.2% and 9.2% for physical and touchscreen keyboards, respectively ... the databases used in this work are the largest existing free-text keystroke databases available for research with more than 136 million keystrokes from 168,000 subjects in physical keyboards, and 60,000 subjects with more than 63 million keystrokes acquired on mobile touchscreens ... The global keystroke biometrics market is projected to grow from $129.8 million dollars (2017 estimate) to $754.9 million by 2025, a rate of up to 25% per year.
