We all know that passwords are hideous things. They take up to much time and are not that effective. In fact, Gartner (IT) says that password resets represent 30% of help desk calls. Readers of Bach Seat know that the most common hacked passwords change very little from year to year.
Generating and remembering effective passwords is difficult and unnatural. A lot of us are awful at it and there’s almost no improvement in the list of most common passwords from year to year (as I most recently covered here). Meanwhile, computers improve their ability to crack passwords by brute force and cunning every year.
So where there is chaos this is profit. A new area of research is to replace passwords with a users’ behavior. Mark Stockley at Sophos’ Naked Security blog, reports that researchers at West Point are working to get rid of passwords. The Cadets are working to produce a new identity verification system based on users’ behavior, described as a next-generation biometric capability. The research is being developed as part the active authentication program run by DARPA.
Th
e article explains that authentication has traditionally relied on users producing one or more of the following: something you know (such as a password or PIN), something you have (such as a number from an RSA key) or something you are (such as your fingerprints or face.) The technology that West Point is working on called, behavior-based biometrics, adds another factor to the mix: something you do.
According to DARPA the first phase of the active authentication program will focus on biometrics that can be captured through existing technology, such as analyzing how the user handles a mouse or how they craft the language in an email. The contract document, reported by Yahoo Finance, describes the technology as a “cognitive fingerprint.”
…when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a ‘cognitive fingerprint’
Cognitive fingerprints will offer significant advantages over existing forms of authentication. According to Sophos, the new technology has several advantages over passwords because they do not:
- Require specialized hardware required by biometrics and
- Rely on users remembering strong passwords, something humans are naturally bad at.
Cognitive fingerprints should also give systems the ability to authenticate users continuously, keeping people logged in so long as they’re present and then logging them out as soon as they leave.
Nancy Gohring at FierceITSecurity recently wrote about a similar approach to user behavior authentication. Alohar Mobile, now owned by Alibaba, has figured out a way to use the sensors in mobile phones to create a profile of the unique way that you walk, using that “fingerprint” for authentication. Sam Liang, Alohar’s founder, and CEO has claimed, “We have a system that allows the payment system to use the location tracking and the motion sensor to authenticate and detect fraud.”
According to Ms. Gohring, Alohar’s patent describes a host of unique biometric pattern patterns the firm can collect from the phone’s accelerometer and gyroscope to identify the person using the phone. They include:
- The speed/cadence/pace at which the mobile user normally walks
- The ‘bounce’ of the mobile device in a person’s pocket, bag or purse as they walk or run
- The motion pattern when a person reaches for their mobile device in a pocket
- How the user moves the device to their ear
- Even the angle they hold the mobile device.
After collecting data about a user’s movements, the system would create a profile of the user. When the person tries to use the phone to buy something in a store, the system would compare the user’s profile against the recent movements of the person using the phone, making sure they match. If they don’t, the retailer can ask the user for other forms of identification. The system could work similarly for e-commerce transactions.
The patent describes other uses for the profiling system beyond authentication. The article claims the inventor describes a scenario where if a user often goes to an elementary school or a daycare center, the service could send targeted advertising or information about kid-related events to the user.
In the future, Mr. Liang hopes to be able to collect even more data from more kinds of devices, like fitness trackers and health monitors. He told FierceITSecurity, “In the future, the phone will be able to tell, are you happy or depressed based on the way you walk, the speed you move around, the way you swing the phone,” he predicted.
rb-
Biometrics has been waiting in the wings as the Next Big Thing in authentication for years. Transparent, behavior-based biometrics like those being developed by Alohar and West Point could give the nudge that’s needed to push biometrics into the mainstream, but Sophos’ Stokely argues there are two major obstacles to the widespread adoption of biometrics.
- You can’t change your biometrics – How do you change yourself if your biometric password is compromised?
- For all the frustration that comes with remembering (and forgetting) our passwords, we know and feel, tangibly, that they’re under our control.
Behavior-based biometrics will happen invisibly, while convenient but it will require us to be comfortable ceding that feeling of control too, says Mr. Stockley.
Behavior-based biometrics will draw the ire of privacy advocates for its invisible, seamless identification and roots in the military, as it may allow for wider monitoring of society.
Related articles
- Qualcomm Technologies releases ultrasonic-based 3D fingerprint authentication solution (biometricupdate.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.