DARPA Seeks New Authentication Methods

January 23, 2012

I’ve talked many times here about the problems with passwords as a means of authenticating computer users (most recently here and here), and about the search for better alternatives.   Some improvements are available, such as two-factor identification methods, but these have their own issues, and are not always enormously secure, either.

Network World reports on a new effort being launched by DARPA, the Defense Advanced Research Projects Agency, to develop new techniques for authenticating users.  The project, which DARPA calls “Active Authentication”, takes a slightly different approach from most past efforts in this area.

… the agency’s Active Authentication program looks to develop what DARPA calls “novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software-based biometrics.”

The “biometrics” that are mentioned here are not the usual ones, like fingerprints or hand geometry, but are drawn from a broader set of user characteristics and behavior.

Active Authorization focuses on the computational behavioral traits that can be observed through how we interact with the world.

Examples of the kinds of user behavior that might be considered as authentication factors include:

  • – keystrokes
  • – eye scans
  • – how the user searches for information (verbs and predicates used)
  • – eye tracking on the page
  • – speed with which the individual reads the content

Some of this is similar in concept to some earlier work on user profiles for security.  In its current announcement, DARPA emphasizes that the first phase of the project will concentrate on developing techniques that can be implemented without installing additional hardware devices in a standard office environment.  Later phases might consider new types of sensor technology.

This is an intriguing approach.  The use of multiple authentication factors should increase reliability of the system; also, as DARPA point out, it might help detect intrusions from logged-in workstations left unattended, since the behavioral authentication factors can be measured on an ongoing basis.

%d bloggers like this: