Greater Degree of Password Protection in the Works


How overwhelmed are you by too many passwords, and by having to create passwords that meet ever-higher standards of authentication?



Relief could be on the way from the Defense Advanced Research Projects Agency (DARPA), which says the current method of authenticating access to a site requires people to do something inherently unnatural for most: create, remember and manage long passwords.

And are those passwords really doing what they’re supposed to do? DARPA points out that as long as a computer session remains active, typical systems have no mechanism to ensure that the user originally authenticated as the valid user is the one still in control of the keyboard. (Some sites log off a user automatically if the session goes idle.) Or someone might gain access to someone else’s password and use it to log onto a site.

DARPA’s Active Authentication program aims to address this by developing novel ways to validate identity that focus on the unique aspects of the individual through the use of software-based biometrics: the behavioral traits that can be observed through the way we interact with the world. Just as you leave behind a fingerprint when you touch something with your finger, you interact with technology in a way that is unique to you, DARPA says. You create patterns based on the way your mind processes information, leaving behind a so-called cognitive fingerprint.


This may sound impossible, but a computer science professor at Pace University, Charles C. Tappert, has collected keystroke data patterns from hundreds of test subjects, and claims his system can correctly identify users an average of 99.3% of the time. His system requires a large sample from each user to work, however, and DARPA wants a system that would immediately authenticate, as well as detect a change in user.

The first phase will focus on biometrics that do not require additional hardware sensors. The focus will be on biometrics that can be captured through technology we already use, looking for evidence of this cognitive fingerprint. These could include how a user handles the mouse and crafts written language in an e-mail or document.

Later phases will aim for a solution that works on a typical desktop or laptop computer. 

The goal is ongoing user identification and authentication that feels natural to the user during a computer session. The authentication platform will be developed with open Application Programming Interfaces (APIs) to allow future integration of other software or hardware biometrics from other sources when they become available.