How the Pentagon plans to replace the password
No matter how strong it is, the password is one of the weakest forms of security.
Punching the correct code into a computer can't verify your identity. It simply shows that someone remembered – or stole – the right combination of letters and numbers.
The Pentagon’s research arm wants to solve the password problem, which plagues even the US military, by turning people and their behavior and thought processes into passwords. After all, it's hard to hack the brain.
“The human mind is the most complicated computer in existence,” said Richard Guidorizzi, who until recently was the director of the Active Authentication program at the Pentagon's Defense Advanced Research Projects Agency (DARPA).
How it could work
A soldier would insert his Common Access Card, used by the military as a form of ID, to log in to his computer on the military network.
As he uses the computer, sensors and cameras on the device would monitor his physical traits and behavior – from eye movements to mouse movements, typing rhythms to web browsing habits. The system would incorporate all that data into a composite profile.
Every time he logs on, the system would use the stored profile to determine whether the person at the keyboard is actually the soldier who is supposed to be using that computer. If the user’s patterns of behavior deviate too much, it would raise red flags to the system operator or automatically shut down the soldier’s computer.
The new biometrics
Altogether, 10 teams of researchers at universities and companies are working on different ways to verify people’s identities as part of the Active Authentication program, which is so far limited to desktop computers but will eventually expand to mobile phones. Those research partners are coming up with entirely new ways for verifying identity, including how a person constructs sentences and chooses words.
The New York Institute of Technology is working on a way to use people’s linguistic patterns as they type as a way to identify them – for instance, how person revises sentences and how long they take before correcting typing mistakes, and the amount of time they pause before beginning a new sentence.
Data from this program alone, according to DARPA, would take one minute to verify a person’s identity with 92 percent accuracy. That’s because these types of behavioral biometrics, Guidorizzi says, are virtually impossible for another person to emulate.
For example, Dan Kaufman, director of DARPA’s Information Innovation Office, has an iPhone. So does his son. “His son can instant message 10 times faster than him on the same iPhone,” Guidorizzi says. “Because his son knows the iPhone well enough he deliberately causes typos to get it to fill out the full word, whereas Dan after makes a typo [he deletes it] and actually types the word out.”
In this case, if Mr. Kaufman’s son started using his father’s iPhone, the Active Authentication system would pick up the typo-riddled deviations. “It starts raising a flag to the centralized platform, saying, ‘Hey, wait a second, my confidence this is who it claims to be is lower,’ ” Guidorizzi says. “If we actually get this running, it could tell the difference between you and malware running computer, and shut down [its] access.”
Researchers at Iowa State University are exploring ways to use people’s keystrokes and mouse movements to verify their identities. Essentially, this biometric measures cognitive processing time. The length of time it takes for a user to point to an object on the computer screen and actually click it, the program says, is an indication of how much time an individual needs to process his thoughts before making a decision. This Iowa State program, according to DARPA, takes less than half a minute to verify a person’s identity – with 93 percent accuracy.
Other researchers on the project at the Naval Research Laboratory are working on way verify identity by gather information from people’s Internet browsing habits. Metrics include the types of pages visited, how long a user spends on a page, and how often a user returns to them. Because the webpages users visit can vary so much each day, it takes the lab four hours to verify identity with only 82 percent certainty. For a full list of DARPA’s performers, see the Active Authentication powerpoint it provided to Passcode. (Since the time of the Passcode interview, Angelos Keromytis replaced Guidorizzi as the program director.)
Keeping this deeply personal data accurate, and secure
Of course, people’s behavior changes over time. That’s one reason why the program collects all the various data streams and decide whether, in the aggregate, users are close enough to their usual behavior.
That score – not the biometric data – is passed along to the main server, where an administrator can decide whether the score good enough to allow the computer to keep running or not. This would also prevent constant lockouts as a person changes behavior.
It also leaves virtually nothing of value for a hacker to intercept as the numerical scores travel to the central database, Guidorizzi says. “I’m not trying to create the next database to be hacked that has everybody’s biometric in the world,” he says. “We’re not even storing your personal information, all we’re doing is reading it and developing a profile score and saying, ‘OK, this is in the range.’ ”
Active Authentication is already gaining traction in the military, but it’s in the very early stages.
The Army’s center for research and development of advanced cyber operations – its Intelligence and Information Warfare Directorate – is building a platform to use a version of the Active Authentication system he describes.
And Guidorizzi has larger ambitions for the technology, even beyond computers and mobile devices. Take the Pentagon, for instance, which requires swiping a badge to enter. “My dream case is when you walk down the big corridors at the Pentagon, hundreds of people a minute who all have badges, [the system] can tell how they’re walking, pick up their face.”
What do you think it should be used for? Write us at Passcode@csmonitor.com or tweet us @CSMPasscode.
