Back in January, we described a new Defense Advanced Research Projects Agency (DARPA) program focused on innovative research proposals “in support of the development of new software-based biometric modalities” that go beyond passwords for identity validation. Now The New York Times is out with a story that sheds more light on the initiative:
IMAGINE sitting down at your work keyboard, typing in your user name and starting work right away — no password needed.
That’s a vision that the Defense Advanced Research Projects Agency, part of the Defense Department, wants to turn into a reality. It will distribute research funds to develop software that determines, just by the way you type, that you are indeed the person you say you are.
Darpa’s purpose is to sponsor “revolutionary, high-payoff research” for military use. But technology developed under Darpa’s auspices — the Internet itself being only one among many achievements traceable to its initiatives — eventually tends to find its way into the civilian world.
Passwords like “6tFcVbNh^TfCvBn” meet the Defense Department’s definition of “strong,” says Richard Guidorizzi, a program manager at Darpa. “The problem is, they don’t meet human requirements,” he says. “Humans aren’t built to understand random connections of characters.”
Mr. Guidorizzi made those comments in a talk titled “Beyond Passwords,” presented last November at a Darpa symposium in Arlington, Va. Humans use patterns to make passwords manageable, he said. He displayed five handwritten passwords, each a slight variation of “Jane123” — and all of them easily cracked.
“What I’d like to do,” Mr. Guidorizzi said, “is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions.”
No biometric sensors, like thumbprint or iris scanners, would be used. Instead, he is seeking technology that relies solely on an individual’s distinct behavioral characteristics, which he calls the cognitive fingerprint.
Academic experts are trying several approaches to determine users’ identities solely through their computer behavior.
Roy Maxion, a research professor of computer science at Carnegie Mellon University, oversees research on “keystroke dynamics,” including the length of time a user holds down a given key and moves from one particular key to another.
Motions that we’ve performed countless times, Professor Maxion says, are governed by motor control, not deliberate thought. “That is why successfully mimicking keystroke dynamics is physiologically improbable,” he says.
He gives this example: A computer user holds down a key for an average of 100 milliseconds. Suppose that a fraudster is trying to mimic a person who is slightly faster than average — typically holding the key down for 90 milliseconds. “Then the spoofer is in the dubious position of having to consciously shorten a key-press action by 10 milliseconds,” Professor Maxion says. Having such control doesn’t seem realistic, he says, when one considers that “a voluntary eye-blink takes 275 milliseconds.”
He says that there is some evidence that a user’s emotional state affects typing rhythms. But just as people can recognize a familiar song even if it is mangled by inept musicians, so, too, he hypothesizes, could software recognize one’s distinct “core rhythm,” which would be “perceptible even through the noise of emotion, fatigue or intoxication.” He adds that the notion of core rhythm has not been experimentally confirmed.
…
CONTINUOUS monitoring of a user’s behavior is an essential element of Darpa’s requirements. Because of the conventional password-based systems used today, the agency says, there is now no way “to verify that the user originally authenticated is the user still in control of the keyboard.”
Research done by Professor Maxion of Carnegie Mellon suggests that just a few key taps may be needed for continuous authentication. Test subjects were invited to mimic the keystroke timing of another person they were observing, and were permitted to practice that person’s 10-character password 100 times. He said no one succeeded in mimicking the target.
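The keystroke-timing mechanics described above (how long a key is held, the interval between keys, the 90 ms versus 100 ms spoofing margin, and re-checking identity from just a few key taps) as an added Python example. This is illustration written for this post, not code from the article, from DARPA, or from Professor Maxion’s research group. The feature definitions (dwell = key-up minus key-down; flight = next key-down minus previous key-up, ignoring which keys were pressed), the pooled mean/mean-absolute-deviation template, the scaled-Manhattan score, the 2.5 threshold, and the constructed typing samples are all this example’s own assumptions; a real system would normally keep per-key or per-digraph statistics and tune the threshold on enrollment data.

```python
"""Keystroke-dynamics verifier (constructed example): dwell/flight timing
features, a pooled enrollment template, a scaled-Manhattan anomaly score,
and a sliding window that re-verifies the typist every few keystrokes."""
from dataclasses import dataclass
from random import Random
from statistics import mean
from typing import List, Sequence, Tuple

Keystroke = Tuple[str, float, float]   # (key, key-down time ms, key-up time ms)


def dwell_flight(strokes: Sequence[Keystroke]) -> Tuple[List[float], List[float]]:
    """Dwell = how long each key is held; flight = gap between one key's
    release and the next key's press (negative when presses overlap).
    Key identity is ignored here (an assumption of this example)."""
    dwell = [up - down for _, down, up in strokes]
    flight = [strokes[i + 1][1] - strokes[i][2] for i in range(len(strokes) - 1)]
    return dwell, flight


def mad(values: Sequence[float], floor: float = 1.0) -> float:
    """Mean absolute deviation, floored at 1 ms so an unnaturally regular
    enrollment sample cannot cause a division by zero in score()."""
    m = mean(values)
    return max(mean([abs(v - m) for v in values]), floor)


@dataclass(frozen=True)
class Template:
    dwell_mu: float
    dwell_mad: float
    flight_mu: float
    flight_mad: float


def enroll(samples: Sequence[Sequence[Keystroke]]) -> Template:
    """Pool dwell and flight times from several enrollment typings."""
    dwells: List[float] = []
    flights: List[float] = []
    for s in samples:
        d, f = dwell_flight(s)
        dwells += d
        flights += f
    return Template(mean(dwells), mad(dwells), mean(flights), mad(flights))


def score(t: Template, strokes: Sequence[Keystroke]) -> float:
    """Scaled-Manhattan distance: mean of |x - mu| / mad over all features.
    0 is 'exactly the enrolled rhythm'; larger is more anomalous."""
    d, f = dwell_flight(strokes)
    devs = [abs(x - t.dwell_mu) / t.dwell_mad for x in d]
    devs += [abs(x - t.flight_mu) / t.flight_mad for x in f]
    return sum(devs) / len(devs)


def monitor(t: Template, stream: Sequence[Keystroke], window: int = 5,
            threshold: float = 2.5) -> List[Tuple[int, bool]]:
    """Continuous authentication: after each keystroke, score the most recent
    `window` keystrokes. Returns (keystrokes seen, accepted) per full window."""
    return [(i, score(t, stream[i - window:i]) <= threshold)
            for i in range(window, len(stream) + 1)]


def synthetic_typist(text: str, dwell_ms: float, flight_ms: float,
                     jitter_ms: float, seed: int, start_ms: float = 0.0) -> List[Keystroke]:
    """Constructed typing sample: fixed average dwell and flight plus uniform
    jitter, standing in for real key-event timestamps."""
    rng = Random(seed)
    strokes: List[Keystroke] = []
    clock = start_ms
    for ch in text:
        down = clock
        up = down + dwell_ms + rng.uniform(-jitter_ms, jitter_ms)
        strokes.append((ch, down, up))
        clock = up + flight_ms + rng.uniform(-jitter_ms, jitter_ms)
    return strokes


def demo() -> dict:
    """Enroll a constructed user on a 10-character password (90 ms dwell,
    120 ms flight); score a genuine retry, an impostor with the 'average'
    100 ms dwell from the article's example, and a keystroke stream in
    which the impostor takes over the keyboard after the first 10 keys."""
    password = "Jane123abc"   # constructed, in the spirit of the talk's "Jane123"
    template = enroll([synthetic_typist(password, 90, 120, 8, s) for s in range(1, 6)])
    genuine = synthetic_typist(password, 90, 120, 8, 42)
    impostor = synthetic_typist(password, 100, 160, 8, 42)
    stream = genuine + synthetic_typist(password, 100, 160, 8, 7, genuine[-1][2] + 160)
    return {
        "genuine_score": score(template, genuine),
        "impostor_score": score(template, impostor),
        "windows": monitor(template, stream),
    }


if __name__ == "__main__":
    result = demo()
    print(f"genuine {result['genuine_score']:.2f}  impostor {result['impostor_score']:.2f}")
    for seen, ok in result["windows"]:
        print(f"after {seen:2d} keystrokes: {'accepted' if ok else 'REJECTED'}")
```

Running the script shows the genuine retry scoring near 1 (its jitter is the same size as the enrollment spread), the impostor scoring several times higher, and the sliding window flipping to rejected a few keystrokes after the hand-over, which is the continuous-monitoring property DARPA asks for. The 10 ms dwell gap alone is only a modest signal per key; it is the accumulation over a window of keystrokes, plus the flight-time difference, that separates the two typists.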
Professor Maxion has worked on another behavioral biometric for user verification: mouse dynamics. He explains that “everyone has an idiosyncratic way of using a mouse, such as the speed with which you move the cursor across the screen; the path — straight line, convex or concave arc; and the presence or absence of jitter.”
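The three mouse-dynamics traits quoted above (cursor speed, path shape as a straight line or arc, and jitter) as an added feature-extraction example. This is illustration written for this post, not code from the article or from Professor Maxion’s work; the feature definitions (path efficiency, signed offset from the chord as the arc measure, RMS heading change as the jitter measure) and the constructed cursor trajectories are this example’s own assumptions.

```python
"""Mouse-dynamics feature extraction (constructed example): the cursor speed,
path shape and jitter traits of one pointer movement."""
import math
from typing import Dict, List, Sequence, Tuple

Sample = Tuple[float, float, float]   # (time ms, x px, y px)


def mouse_features(path: Sequence[Sample]) -> Dict[str, float]:
    """Summarise one cursor movement from its start to its end point.
    speed_px_ms : path length divided by elapsed time
    efficiency  : chord length / path length (1.0 = perfectly straight)
    curvature   : mean signed offset of the samples from the chord, divided
                  by chord length; sign says which way the arc bows, ~0 straight
    jitter      : RMS change of heading between successive steps, in radians
    These definitions are this example's own choices."""
    if len(path) < 3:
        raise ValueError("need at least three samples")
    (t0, x0, y0), (t1, x1, y1) = path[0], path[-1]
    chord = math.hypot(x1 - x0, y1 - y0)
    if chord == 0 or t1 <= t0:
        raise ValueError("movement must cover distance and time")
    steps = [(path[i + 1][1] - path[i][1], path[i + 1][2] - path[i][2])
             for i in range(len(path) - 1)]
    length = sum(math.hypot(dx, dy) for dx, dy in steps)
    # Signed perpendicular distance from the chord: 2-D cross product of the
    # chord's unit vector with the vector from the start point to each sample.
    ux, uy = (x1 - x0) / chord, (y1 - y0) / chord
    offsets = [ux * (y - y0) - uy * (x - x0) for _, x, y in path]
    headings = [math.atan2(dy, dx) for dx, dy in steps if dx or dy]
    # Wrap each heading change into (-pi, pi] so a turn across the +/-pi seam
    # is not counted as a full rotation.
    turns = [math.atan2(math.sin(b - a), math.cos(b - a))
             for a, b in zip(headings, headings[1:])]
    return {
        "speed_px_ms": length / (t1 - t0),
        "efficiency": chord / length,
        "curvature": sum(offsets) / len(offsets) / chord,
        "jitter": math.sqrt(sum(v * v for v in turns) / len(turns)) if turns else 0.0,
    }


def straight_path() -> List[Sample]:
    """Constructed: 200 px to the right in 100 ms, no deviation."""
    return [(10.0 * i, 20.0 * i, 0.0) for i in range(11)]


def arc_path(bow: float = 40.0) -> List[Sample]:
    """Constructed: same endpoints, bowed by up to `bow` px (negative bows the other way)."""
    return [(10.0 * i, 20.0 * i, bow * math.sin(math.pi * i / 10)) for i in range(11)]


def jittery_path(wobble: float = 3.0) -> List[Sample]:
    """Constructed: same endpoints with a +/-`wobble` px tremor on every step."""
    return [(10.0 * i, 20.0 * i, wobble if i % 2 else 0.0) for i in range(11)]


if __name__ == "__main__":
    for name, p in (("straight", straight_path()), ("arc one way", arc_path()),
                    ("arc other way", arc_path(-40.0)), ("jittery", jittery_path())):
        f = mouse_features(p)
        print(f"{name:14s} " + "  ".join(f"{k}={v:.3f}" for k, v in f.items()))
```

The straight path scores efficiency 1.0, curvature 0 and jitter 0; the two arcs share the same endpoints but get opposite curvature signs; the jittery path stays close to the chord (small curvature) yet has a much larger heading-change RMS than the smooth arc, which is what lets a verifier tell tremor apart from a deliberate curve. Per-user templates would then be built from these features the same way as for keystroke timing.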
A password-free security system would fit users’ needs nicely — and would ask absolutely nothing from the ever-fallible human mind.
Read more in The New York Times’ article, and check out our previous post about DARPA’s Active Authentication program. And below, video of the talk last November by DARPA program manager Richard Guidorizzi, introducing the initiative:
(Contributed by Erwin Gianchandani, CCC Director)