Finally, an alternative to the tyranny of passwords?

The Defense Advanced Research Projects Agency — the folks who brought you the Internet and with it the scores of passwords that you now have to manage — is proposing an alternative form of authentication that would be based on the user’s behavior at the keyboard.

Called Active Authentication, it is akin to biometrics but would be based on behavioral patterns rather than physical traits. It would take place continuously in the background while the user is accessing resources rather than only when signing on. At the moment it is a concept rather than a technology, but it promises to be a welcome alternative to the tyranny of passwords and other cumbersome credentials.

Passwords, the current standard for authentication, just don’t work. We have too many of them to manage, and if they are unique and complex enough to be secure, they can’t be remembered. And even secure passwords are subject to brute-force attacks and snooping. The government is moving to digital certificates on standardized smart cards for identity management, but this requires card readers and interface software and is taking longer to implement than anticipated.

Related coverage:

DARPA: Dump passwords for always-on biometrics

One more reason why passwords are no darn good

What if we just used a piece of software that knows you by the way you act? Just as your friends recognize your face and your banker recognizes the signature on your check, your computer or an application would recognize your keystrokes or the patterns of your mouse movements. DARPA calls these patterns, which are based on how your mind processes information, a cognitive fingerprint.

I have been a fan of this kind of thing since I saw a product demonstrated years ago that could recognize a written signature based not on the writing itself, but on the dynamics of the writer. This included pressures and patterns unique to the signer and more difficult to counterfeit than the signature itself. There also are tools that recognize similar dynamics on a keyboard. Like the “fist” of telegraph operators that allowed experienced telegraphers to identify the invisible senders of messages a continent away, the rhythm of your typing is unique to you.

These tools have not caught on for a number of reasons. It is argued that they are not exact enough. But all biometrics, including fingerprints and iris scans, work on a “close enough” principle. Selected attributes from a template are compared, and the software is tuned to accept a certain level of matching. Match requirements can be tightened or loosened to minimize false positives or negatives, depending on your needs. Cognitive fingerprinting would work the same way but also would have the advantage of working over time, as long as the user was online. This could provide not only a high degree of reliability but also continuous authentication.

DARPA’s Active Authentication is not likely to appear on your desktop or laptop in the near future. The program is focusing first on identifying biometrics that could be used without additional hardware to produce cognitive fingerprints, and then there will be feasibility testing. But I, for one, would be glad to see any progress made on something that would enable strong authentication without complex passwords, smart cards or tokens and just let me be myself.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • Google Map of free sandbags in Los Angeles

    When simple is best: Google Maps for disaster prep

Reader Comments

Thu, Apr 19, 2012 Oregon

I agree with the person that sees this as an invasion of privacy! If this type of authentication becomes easily possible (and I think it will) it is likely to become the de facto method of authenticating ID on everything, so it will be running all the time tracking our every casual move, interest, and action whether we need/want to be authenticated or not. We will not be able to avoid it if we use the Internet, or possibly other things that currently don't involve the Internet or our showing our ID somewhere. Currently if I pay cash at a store and don't use any type of rewards card, there is no record that I (identified as me) was there or that I purchased certain items. I don't have any reason for keeping that secret, but I like to have the option to keep this my own business when I choose and not that of government agencies and corporations I don't even know about.

Wed, Apr 18, 2012

Working in a office that supports end users, I see NOTHING good in this concept. Every new Rube Goldberg security system adds system overhead, as well as failure and exploit points. For the forseeable future 2-factor suthentication is the most cost-effective and least instrusive solution. If I am typing and handling a phone call and an over-the-shoulder visitor at the same time, is the magic software going to assume I am someone else?

Wed, Apr 18, 2012

I prefer the "tyranny" of passwords to an active process in the background recording everything I do. I have nothing to hide, but that doesn't mean I'm not entitled to my privacy. The tyranny of having other agents or agencies, via software, having access to every aspect of my life, when I do not have compensatory information about theirs is socially unhealthy and unsafe.

Tue, Apr 17, 2012 Michael

Typing patterns, along with your fingerprints, irises, how you walk, how you talk, etc, are all considered valid biometric modalities, so if we can use them to identify people of interest, it can certainly be used for authentication. A major concern not discussed is when someone suffers a cognitive or physical injury that renders at least some or all of their biometric profile invalid.

Tue, Apr 17, 2012

While interesting, this has still quite aways to go. Smart card based strong authentication is doable and available now. Yes, it requires readers and software, but I am sure active authentication will require software as well.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group