How AI augments mobile authentication
- By Stephanie Kanowitz
- May 08, 2019
In its continuing effort to shore up authentication, the Defense Department earlier this year awarded a 20-month contract to a company that makes artificial intelligence-based technology that continuously authenticates mobile users based on their behavior.
Under a $2.42 million contract from the Army Contracting Command, TWOSENSE.AI will be working with the Defense Information Systems Agency to deploy deep neural networks for multifactor authentication on mobile devices. The technology fends off compromises by continuously -- and nondisruptively -- monitoring and learning user behaviors such as gait, keystrokes and fingertip pressure on mobile devices. When something seems amiss, the device will ask users to enter their standard login information, such as username and password, one-time personal identification number, biometric or other identifier.
The technology, therefore, does not replace traditional authenticators, said Dawud Gordon, chief executive officer of TWOSENSE.AI. It simply augments them.
"What it does do is make it so that those [authenticators] can be used effectively and be used in a way where they secure the access of the user," Gordon said. "Instead of having a clock that ticks down after somebody’s authenticated in or have to re-challenge again and again for authentication, that we can rely on looking at how the user behaves [provides] continuous authentication across their entire interaction.” he said.
DISA has been exploring alternatives to Common Access Card, an authentication tool developed nearly 20 years ago that relies on an ID card with an embedded chip holding employees’ cryptographic credentials. To use it, employees insert the card into a reader attached to their PC or phone, enter a PIN and gain access to the system. Users must reauthenticate only when a timeout is reached or the CAC is removed.
“This contract allows us to add the Continuous Multi-Factor Authentication (CMFA) capabilities to mobile devices that already leverage the derived credentials from a CAC,” Steve Wallace, systems innovation scientist at DISA, said in an email to GCN. “The purpose of CMFA is to use the same cryptographically-backed authentication as the CAC, but then maintain the login using a variety of factors both contextual (ex: location) and biometric (ex: gate or facial, etc.).”
To work, TWOSENSE.AI integrates with existing authentication systems and the sensors that exist on mobile devices, such as an accelerometer, gyroscope, compass, light level, temperature and air pressure. All of these are fairly ubiquitous, and the operating systems on the devices provide easy access to them, Gordon said.
There are elements not usually considered sensors that the technology can also tap, such as the Wi-Fi chip or Bluetooth, which can show the connectivity environment.
The project leverages DISA's partnerships with Qualcomm for hardware-backed device-level attestation and with Samsung for its mobile Trusted Execution Environment that ensures the secure storage and processing of sensitive data and trusted applications.
TWOSENSE.AI looks at two things when determining which behaviors to use. The first is what sensors are available and which will provide the most value for authentication. “Something like gait is fantastic because it is very unique to an individual and differentiating -- or at least unique enough to be differentiating -- and at the same time there is a sensor in the device that can be used to measure it,” Gordon said. The name of the game is not making users change who they are or what they are doing, he added.
To ensure there is enough bandwidth to handle the vast amount of data being transmitted, AI at the edge is necessary. That means cloud is required on the back end so that the technology can decide whether a behavior is normal right where it is being used for authentication. “Deploying a behavioral profile to the component that is making a behavioral decision actually has to happen on a closed loop on a device,” Gordon said.
Another challenge is networking. To minimize battery consumption, the technology syncs data on Wi-Fi when the device is connected. At the same time, it uses whatever network capabilities are available -- Wi-Fi or cellular, for example -- for behavior signatures.
Additionally, TWOSENSE.AI does not use personally identifiable information or keylogging, only behaviors.
Gordon expects this technology to become a standard layer in the cybersecurity of mobile devices.
He said he believes the technology will be a component in "every future authentication stack," replacing that clock that ticks down and regularly re-challenges users for authentication. “I don’t see behavior as replacing any other form of authentication,” he said.
Stephanie Kanowitz is a freelance writer based in northern Virginia.