DARPA: Dump passwords for always-on biometrics

The Defense Advanced Research Projects Agency wants to eliminate passwords and use an individual’s typing style and other behavioral traits for user authentication.

Creating, remembering and managing long, complex passwords is “inherently unnatural,” the agency said on its Active Authentication site. And most active sessions don’t have mechanisms to identify that the current user is still the one originally authenticated.

Biometric features such as fingerprints have long been used in some two-factor authentication systems, but even then they only confirm a user’s ID at login. DARPA is proposing behavior-based methods for continual verification.




The agency issued a Broad Agency Announcement solicitation in January for its Active Authentication program. Responses were due March 6.

The program is seeking new ways to identify users, based on intrinsic or behavioral traits. “Just as when you touch something [with] your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a ‘cognitive fingerprint,’” DARPA’s statement said.

The first phase of Active Authentication will focus on researching biometrics that do not require additional hardware sensors, such as mouse and keystroke dynamics. An individual potentially could be identified by how fast he or she types or reads; what words he uses when creating a document or e-mail message; or how he moves the mouse across a page, DARPA said.

Later phases of the program will combine the biometrics with a new authentication program for standard Defense Department desktop or laptop PCs.

The program intends to combine its identification techniques into a continuous authentication process, so that the identity of a user at a machine is constantly being confirmed. The platform will be developed with open Application Programming Interfaces to allow for the easy addition of future biometric software and hardware, DARPA said.

“What I’d like to do,” Richard Guidorizzi, DARPA product manager, said at last year’s Cyber Colloquium in Arlington, Va., “is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions.”

Interestingly, a 2010 DARPA-funded study by the National Research Council found biometrics to not be as reliable or accurate as people think, GCN reported when the study’s results were released. The study, which was disputed by biometrics proponents, concluded that biometric systems were overly complex and inherently probabilistic, always leaving at least some room for error.
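An added illustration, not code from DARPA or the Active Authentication program, of how keystroke timing can drive continuous verification and why the outcome is probabilistic: a legitimate user whose rhythm changes is challenged and then locked out. The dwell/flight features, z-score scoring, window size, threshold and all timings are assumptions constructed for this sketch.

```python
from statistics import mean, stdev

JITTER = [-10, 0, 10, 5, -5]  # constructed, repeating timing noise in ms

def typed(n, dwell, flight, start=0):
    """Constructed sample: n (press_ms, release_ms) events around the given timings."""
    t, out = start, []
    for i in range(n):
        d = dwell + JITTER[i % 5]
        out.append((t, t + d))
        t += d + flight + JITTER[(i + 1) % 5]
    return out

def features(events):
    """Dwell = time a key is held; flight = gap from one release to the next press."""
    dwell = [r - p for p, r in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell, flight

def enroll(events):
    """Profile = (mean, standard deviation) of each feature from enrollment typing."""
    return [(mean(f), stdev(f)) for f in features(events)]

def score(profile, events):
    """Mean absolute z-score of a window against the profile; lower is closer."""
    zs = [abs(x - m) / s for (m, s), f in zip(profile, features(events)) for x in f]
    return mean(zs)

def monitor(profile, stream, window=8, threshold=2.0, strikes=2):
    """Score consecutive windows; one bad window challenges, `strikes` in a row lock."""
    decisions, bad = [], 0
    for i in range(0, len(stream) - window + 1, window):
        bad = bad + 1 if score(profile, stream[i:i + window]) > threshold else 0
        decisions.append("lock" if bad >= strikes else "challenge" if bad else "ok")
    return decisions

def demo():
    profile = enroll(typed(40, 90, 120))      # enrolled two-handed rhythm
    normal = typed(16, 92, 118)               # same user, ordinary drift
    # Same user typing slowly with one hand (constructed timings).
    one_handed = typed(16, 140, 400, start=normal[-1][1] + 400)
    return monitor(profile, normal + one_handed)

if __name__ == "__main__":
    print(demo())
```

Raising the threshold or the strike count reduces false lockouts of the real user but gives an impostor more keystrokes before detection, which is the trade-off a continuous scheme has to tune.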



Reader Comments

Thu, May 9, 2013 CK Hollywood, Florida

How do keystroke dynamics work? I type very differently when I am transcribing something compared to when I am writing stuff from my head. I even occasionally type one-handed, albeit very slowly, while on the phone. Do I face the possibility of getting kicked off of my own workstation because I happen to be typing a shorthand note to myself while on the phone because I switch to typing with one hand and seriously changing the typing dynamic?

Fri, Jun 22, 2012 Robert Lucas England

This is off topic and I am deeply sorry. Can you tell me where I can just send an e-mail to DARPA at all. I talk to NASA a bit and that is just 'e-mail NASA,' cool, huh, but I haven't really found an easy way to get in touch with DARPA. I am an old man and don't do Twitter and blogs but I can be useful sometimes, although from what I've seen they don't need too much help. Hope you can help. Thanks.

Wed, Apr 18, 2012 Robert Lucas England

This is not the right website, but it seems difficult finding any at all. NASA has a simple portal and an e-mail can just be sent easily and without fuss. I can have ideas and you had a Phoenix programme which I wanted to contact, but I cannot. I can do space junk you see but I don't Twitter or blog or bloot, I'm just an old man who can do space junk, that's all. What do I do?

Thu, Apr 5, 2012

LOL, obviously the pending budget cuts have not made an impression on DARPA regarding wants vs. mission needs.

Sun, Mar 25, 2012 Yousef Sabbah Egypt

I am doing my PhD in this topic. I do not agree with the above comments. I have implemented a prototype for keystroke dynamics for continuous authentication. It is accurate and does not require considerable memory or processing power. This is a great project. But I have one suggestion, that a password is still required for the first-time log-in, and continuous authentication via mouse and keystroke dynamics.
