Finally, an alternative to the tyranny of passwords?
- By William Jackson
- Apr 16, 2012
The Defense Advanced Research Projects Agency — the folks who brought you the Internet and with it the scores of passwords that you now have to manage — is proposing an alternative form of authentication that would be based on the user’s behavior at the keyboard.
Called Active Authentication
, it is akin to biometrics but would be based on behavioral patterns rather than physical traits. It would take place continuously in the background while the user is accessing resources rather than only when signing on. At the moment it is a concept rather than a technology, but it promises to be a welcome alternative to the tyranny of passwords and other cumbersome credentials.
Passwords, the current standard for authentication, just don’t work. We have too many of them to manage, and if they are unique and complex enough to be secure, they can’t be remembered. And even secure passwords are subject to brute-force attacks and snooping. The government is moving to digital certificates on standardized smart cards for identity management, but this requires card readers and interface software and is taking longer to implement than anticipated.
Related coverage:DARPA: Dump passwords for always-on biometrics
One more reason why passwords are no darn good
What if we just used a piece of software that knows you by the way you act? Just as your friends recognize your face and your banker recognizes the signature on your check, your computer or an application would recognize your keystrokes or the patterns of your mouse movements. DARPA calls these patterns, which are based on how your mind processes information, a cognitive fingerprint.
I have been a fan of this kind of thing since I saw a product demonstrated years ago that could recognize a written signature based not on the writing itself, but on the dynamics of the writer. This included pressures and patterns unique to the signer and more difficult to counterfeit than the signature itself. There also are tools that recognize similar dynamics on a keyboard. Like the “fist” of telegraph operators that allowed experienced telegraphers to identify the invisible senders of messages a continent away, the rhythm of your typing is unique to you.
These tools have not caught on for a number of reasons. It is argued that they are not exact enough. But all biometrics, including fingerprints and iris scans, work on a “close enough” principle. Selected attributes from a template are compared, and the software is tuned to accept a certain level of matching. Match requirements can be tightened or loosened to minimize false positives or negatives, depending on your needs. Cognitive fingerprinting would work the same way but also would have the advantage of working over time, as long as the user was online. This could provide not only a high degree of reliability but also continuous authentication.
DARPA’s Active Authentication is not likely to appear on your desktop or laptop in the near future. The program is focusing first on identifying biometrics that could be used without additional hardware to produce cognitive fingerprints, and then there will be feasibility testing. But I, for one, would be glad to see any progress made on something that would enable strong authentication without complex passwords, smart cards or tokens and just let me be myself.
William Jackson is freelance writer and the author of the CyberEye blog.