DARPA authentication project focuses on humans as secrets

DARPA is working on a plan to create innovative biometric measurements, such as keystrokes and mouse tracking, as a means of authenticating users to Department of Defense (DOD) IT systems. The full system would eventually replace passwords and government Common Access Cards.
Written by John Fontana, Contributor

The U.S. agency that brought you the Internet is now angling to develop new biometric techniques for authentication that will tap computer users as human secrets.

The U.S. Defense Advanced Research Projects Agency (DARPA) is soliciting proposals for biometric research with the intent of developing software-based systems that identify users based on movements or habits while they use their computers or laptops.

The project, called Active Authentication (AA), would eventually move authentication from passwords and Common Access Cards to biometrics for validating the identity of users on Department of Defense IT systems.

AA isn't focused on extending current technology; it seeks innovative ways to identify a user by collecting behavior metrics, or what DARPA calls "cognitive fingerprints" or "human secrets." The fingerprint could include eye movement, keystrokes, mouse tracking or even language usage patterns.

The first phase of the project, slated to run until April 2013, focuses on developing methods of continuous authentication, which tracks the user at the keyboard after they log in to ensure they are the same person who originally signed on to the computer.

"My house key will get you into my house, but the dog in my living room knows you're not me. No amount of holding up my key and saying you're me is going to convince my dog you're who you say you are," says Richard Guidorizzi, the program manager for AA. "My dog knows you don't look like me, smell like me or act like me. What we want out of this program is to find those things that are unique to you, and not some single aspect of computer security that an adversary can use to compromise your system."

Smell, and activity like eye movement, might be out of the realm of possibility the first go-round. DARPA says proposals cannot include adding any hardware sensors to computers. Data collection is limited to interaction with the keyboard, mouse, Windows 7, virus scanning programs, office applications, network interface cards and printer connections.

The overall goal of AA is to release users from having to remember long and complicated passwords or from writing them down on sticky notes.

The second and third phases of the plan, which run from early 2013 to the end of 2015, focus on developing biometric pilots and a platform for integrating software and hardware-based biometrics into a single authentication platform.

The platform would handle authentication for individual IT devices, and the plan is to include open Application Programming Interfaces (APIs) to allow integration of other technologies.

DARPA will fund Phase 1 projects with amounts up to $500,000 per year. The U.S. Military Academy in West Point, N.Y., is conducting a feasibility study as part of AA.

DARPA also is addressing privacy concerns over the collection of user data. The agency says Phase 2 of AA will include development of a system relying on user attributes, key exchanges and a central authentication engine so the user's attributes are never stored in a central database.

Do you think such a system can prove to be secure? What do you think are the pros and cons of biometric-based systems?
