How the Pentagon plans to replace the password
No matter how strong it is, the password is one of the weakest forms of security.
Punching the correct code into a computer can't verify your identity. It simply shows that someone remembered — or stole — the right combination of letters and numbers.
The Pentagon's research arm wants to solve the password problem, which plagues even the US military, by turning people and their behavior and thought processes into passwords. After all, it's hard to hack the brain.
"The human mind is the most complicated computer in existence," said Richard Guidorizzi, who until recently was the director of the Active Authentication program at the Pentagon's Defense Advanced Research Projects Agency (DARPA).
How it could work
A soldier would insert his Common Access Card, used by the military as a form of ID, to log in to his computer on the military network.
As he uses the computer, sensors and cameras on the device would monitor his physical traits and behavior — from eye movements to mouse movements, typing rhythms to web browsing habits. The system would incorporate all that data into a composite profile.
Every time he logs on, the system would use the stored profile to determine whether the person at the keyboard is actually the soldier who is supposed to be using that computer. If the user's patterns of behavior deviate too much, it would raise red flags to the system operator or automatically shut down the soldier's computer.
The new biometrics
Altogether, 10 teams of researchers at universities and companies are working on different ways to verify people's identities as part of the Active Authentication program, which is so far limited to desktop computers but will eventually expand to mobile phones. Those research partners are coming up with entirely new ways for verifying identity, including how a person constructs sentences and chooses words.
The New York Institute of Technology is working on a way to use people's linguistic patterns as they type as a way to identify them — for instance, how a person revises sentences, how long they take before correcting typing mistakes, and the amount of time they pause before beginning a new sentence.
Data from this program alone, according to DARPA, would take one minute to verify a person's identity with 92 percent accuracy. That's because these types of behavioral biometrics, Guidorizzi says, are virtually impossible for another person to emulate.
For example, Dan Kaufman, director of DARPA's Information Innovation Office, has an iPhone. So does his son. "His son can instant message 10 times faster than him on the same iPhone," Guidorizzi says. "Because his son knows the iPhone well enough he deliberately causes typos to get it to fill out the full word, whereas Dan after makes a typo [he deletes it] and actually types the word out."
In this case, if Mr. Kaufman's son started using his father's iPhone, the Active Authentication system would pick up the typo-riddled deviations. "It starts raising a flag to the centralized platform, saying, 'Hey, wait a second, my confidence this is who it claims to be is lower,'" Guidorizzi says. "If we actually get this running, it could tell the difference between you and malware running computer, and shut down [its] access."
Researchers at Iowa State University are exploring ways to use people's keystrokes and mouse movements to verify their identities. Essentially, this biometric measures cognitive processing time. The length of time it takes for a user to point to an object on the computer screen and actually click it, the program says, is an indication of how much time an individual needs to process his thoughts before making a decision. This Iowa State program, according to DARPA, takes less than half a minute to verify a person's identity — with 93 percent accuracy.
Other researchers on the project at the Naval Research Laboratory are working on a way to verify identity by gathering information from people's Internet browsing habits. Metrics include the types of pages visited, how long a user spends on a page, and how often a user returns to them. Because the webpages users visit can vary so much each day, it takes the lab four hours to verify identity with only 82 percent certainty. For a full list of DARPA's performers, (Since the time of the Passcode interview, Angelos Keromytis replaced Guidorizzi as the program director.)
Keeping this deeply personal data accurate, and secure
Of course, people's behavior changes over time. That's one reason why the program collects all the various data streams and decides whether, in the aggregate, users are close enough to their usual behavior.
That score — not the biometric data — is passed along to the main server, where an administrator can decide whether the score is good enough to allow the computer to keep running or not. This would also prevent constant lockouts as a person changes behavior.
It also leaves virtually nothing of value for a hacker to intercept as the numerical scores travel to the central database, Guidorizzi says. "I'm not trying to create the next database to be hacked that has everybody's biometric in the world," he says. "We're not even storing your personal information, all we're doing is reading it and developing a profile score and saying, 'OK, this is in the range.'"
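As an added illustration of the flow described in "How it could work" and in the two paragraphs above (this is not DARPA's or any performer's code), here is a toy continuous-authentication scorer: each behavioral stream is summarised from constructed baseline timings as a mean and spread, a live observation is collapsed into one aggregate confidence score, and only that score and the resulting decision are reported onward. The stream names, sample timings and thresholds are assumptions.

```python
import statistics

# Constructed baseline timings (milliseconds) for one user, one list per behavioral stream.
BASELINE = {
    "key_interval_ms": [180, 175, 190, 185, 170, 195, 182, 178],
    "sentence_pause_ms": [1200, 1350, 1100, 1280, 1400, 1150, 1320, 1250],
    "click_latency_ms": [420, 450, 400, 470, 430, 440, 460, 410],
}


def build_profile(samples):
    """Reduce each stream to (mean, stdev); the raw samples are not kept in the profile."""
    return {name: (statistics.mean(v), statistics.stdev(v)) for name, v in samples.items()}


def stream_score(profile, name, observed):
    """Per-stream confidence in [0, 1]: 1.0 when on-profile, falling to 0 at four standard deviations."""
    mean, sd = profile[name]
    z = abs(observed - mean) / sd if sd else 0.0
    return max(0.0, 1.0 - z / 4.0)


def session_confidence(profile, observation):
    """Aggregate the per-stream scores; a single drifting stream is tolerated, all drifting is not."""
    scores = [stream_score(profile, n, v) for n, v in observation.items() if n in profile]
    return sum(scores) / len(scores) if scores else 0.0


def decide(confidence, warn=0.7, lock=0.4):
    """Map the score onto the article's outcomes: keep running, flag the operator, or shut down."""
    if confidence < lock:
        return "lock"
    if confidence < warn:
        return "flag"
    return "allow"


def report(profile, observation, user="user-0001"):
    """The only record that leaves the endpoint: who, a score and a decision, no biometric values."""
    conf = session_confidence(profile, observation)
    return {"user": user, "confidence": round(conf, 3), "decision": decide(conf)}


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    drift = {"key_interval_ms": 200, "sentence_pause_ms": 1450, "click_latency_ms": 480}
    print(report(prof, drift))
```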
Active Authentication is already gaining traction in the military, but it鈥檚 in the very early stages.
The Army's center for research and development of advanced cyber operations — its Intelligence and Information Warfare Directorate — is building a platform to use a version of the Active Authentication system he describes.
And Guidorizzi has larger ambitions for the technology, even beyond computers and mobile devices. Take the Pentagon, for instance, which requires swiping a badge to enter. "My dream case is when you walk down the big corridors at the Pentagon, hundreds of people a minute who all have badges, [the system] can tell how they're walking, pick up their face."
What do you think it should be used for? Write us at Passcode@csmonitor.com or tweet us @.