DARPA authentication project focuses on humans as secrets

Summary: DARPA is working on a plan to create innovative biometric measurements, such as keystrokes and mouse tracking, as a means of authenticating users to Department of Defense (DOD) IT systems. The full system would eventually replace passwords and government Common Access Cards.

TOPICS: Hardware, Security

The U.S. agency that brought you the Internet is now angling to develop new biometric techniques for authentication that will tap computer users as human secrets.

The U.S. Defense Advanced Research Projects Agency (DARPA) is soliciting proposals for biometric research with the intent of developing software-based systems that identify users based on movements or habits while they use their computers or laptops.

The project, called Active Authentication (AA), would eventually move authentication from passwords and Common Access Cards to biometrics for validating the identity of users on Department of Defense IT systems.

AA isn't focused on extending current technology; it seeks innovative ways to identify a user by collecting behavior metrics, or what DARPA calls "cognitive fingerprints" or "human secrets." The fingerprint could include eye movement, keystrokes, mouse tracking or even language usage patterns.

The first phase of the project, slated to run until April 2013, focuses on developing methods of continuous authentication, which tracks the user at the keyboard after they log in to ensure they are the same person who originally signed on to the computer.

"My house key will get you into my house, but the dog in my living room knows you're not me. No amount of holding up my key and saying you're me is going to convince my dog you're who you say you are," says Richard Guidorizzi, the program manager for AA. "My dog knows you don't look like me, smell like me or act like me. What we want out of this program is to find those things that are unique to you, and not some single aspect of computer security that an adversary can use to compromise your system."

Smell, and activity like eye movement, might be out of the realm of possibility the first go round. DARPA says proposals cannot include adding any hardware sensors to computers. Data collection is limited to interaction with the keyboard, mouse, Windows 7, virus scanning programs, office applications, network interface cards and printer connections.

The overall goal of AA is to release users from having to remember long and complicated passwords or from writing them down on sticky notes.

The second and third phases of the plan, which run from early 2013 to the end of 2015, focus on developing biometric pilots and a platform for integrating software and hardware-based biometrics into a single authentication platform.

The platform would handle authentication for individual IT devices, and the plan is to include open Application Programming Interfaces (APIs) to allow integration of other technologies.

DARPA will fund Phase 1 projects with amounts up to $500,000 per year. The U.S. Military Academy in West Point, N.Y. is conducting a feasibility study as part of AA.

DARPA also is addressing privacy concerns over the collection of user data. The agency says Phase 2 of AA will include development of a system relying on user attributes, key exchanges and a central authentication engine so the user's attributes are never stored in a central database.

Do you think such a system can prove to be secure? What do you think are the pros and cons of biometric-based systems?


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • RE: DARPA authentication project focuses on humans as secrets

    I graduated from an on-line driver's ed program here in NY last year. Each time I logged in and every 20 to 40 minutes, the program required me to type my password. It seemed to follow a very strict protocol, because I had to do it over again sometimes, and as far as I could tell I wasn't changing my keystroke behavior.

    So I think this is a practical DARPA project and it can be accomplished, using this or other types of pattern recognition.
  • RE: DARPA authentication project focuses on humans as secrets

    It's too static. Imagine a hotel with computers. Keep you there long enough and they'll eventually know as much about you as the system you're going to authenticate to. Then they can probably mimic you too, just by disconnecting the mouse and keyboard and plugging in their own little device that imitates your behavior. The targeted system won't be able to tell the difference.

    Authentication secrets must be things that NEVER are revealed or hinted at during day-to-day life, and they MUST NOT be static.
  • RE: DARPA authentication project focuses on humans as secrets

    Maybe this would work, but I can't see it focusing on keystrokes and mouse movements alone. What if you're injured, or sick, and your movements have changed slightly? Wouldn't it be easier to have a fingerprint reader and voice analysis?
  • RE: DARPA authentication project focuses on humans as secrets

    I recently injured my shoulder, which greatly affected my ability to type. Luckily it wasn't my mouse arm, but had it been, my mouse behavior would have changed in addition to my typing. A system designed around keyboard and mouse behavior would fail in that circumstance, and I might have been locked out of the application. Also, changes in keyboard hardware and mouse hardware (mouse sensitivity, keyboard key sensitivity and placement) could potentially change behavior as well. Instead of the normal password reset, I am imagining a help desk call on that: "I recently injured my shoulder, so can't use my mouse the same way I normally do. Can you reset my mouse behavior patterns so I can log in?"

    My example is not to suggest this concept is a bad idea, but that in its infancy, a lot of time and effort will need to be spent on how to get past the false negatives. How can valid and approved users continue to be productive when the software 'thinks' they are not who they really are?
  • RE: DARPA authentication project focuses on humans as secrets

    Maybe a continuous brain wave scan while operating the computer would work. It would tell the system that you are the actual and authorized operator. Or, just get a dog.
  • The industry has been trying one thing after another for years

    And keeps falling back on tried and true passwords. Go figure.
  • RE: DARPA authentication project focuses on humans as secrets

    Fine if there are strict guidelines as to its use, but knowing the military and government per se, they will try and use it for more sinister purposes including tracking computer use not connected to government. Now why did I get a chill down my spine when someone mentioned Microsoft?
  • So how long to authenticate...

    While it sounds interesting as an academic exercise, the dog will recognise you before you enter the front door. This proposal would seem to have to monitor actions and reactions for a period of time to come to a conclusion. So, do you let the unknown person in and then watch to see if you can tell if they are who they say they are? What are they allowed to do in the interim? How long do you prevent the user from working or seeing any data before authentication is established?

    Although the old userid / password has a lot of disadvantages, I can't see that this proposal is going to replace it any time soon.

    Of course the analogy with the dog breaks down when the dog knows your friends, but does not understand that friends shouldn't be going through your filing cabinet!
  • RE: DARPA authentication project focuses on humans as secrets

    Injury and illness have been mentioned, but how about good old-fashioned stress? High stress levels do all sorts of things to my 'bio-metrics', sharper keystrokes, more aggressive mouse movements, glaring, more rigid body movements, etc. I understand how this Active Authentication could work on a day-to-day basis, but if these folks working for the DoD go into crisis mode and suddenly half the staff can't use their computers because the computers don't think they are who they are, there are going to be even more serious problems than a locked account.