Seven ways DARPA is trying to kill the password
- 11 August, 2014 09:01
A seemingly constant stream of data breaches and this week's news that Russian hackers have amassed a database of 1.2 billion Internet credentials has many people asking: Isn't it time we dumped the user name and password?
A lot of the best technology of today exploits biometric factors such as retina patterns, fingerprints and voice analysis, but beyond that a number of researchers are looking to tap into the way we think, walk and breathe to differentiate between us and an intruder.
Helping to lead the research is DARPA, the U.S. military's Defense Advanced Research Projects Agency. Its active authentication project is funding research at a number of institutions working on desktop and mobile technologies that work not just for the initial login but continuously while the user is accessing a device. The array of sensors already found in mobile phones makes some of the ideas particularly interesting.
The technologies exploit data that's already available inside devices, but utilize it in new ways, said Richard Guidorizzi, program manager of the project at DARPA.
"Except during lab testing, we did not need to create new devices to attach to your phone and drain your battery. They were able to use what was already there with a great deal of success," he said.
So, when might they be available? The project is still going on, but it seems to be attracting interest.
"Some of my [teams] are already being approached by some of the largest companies in the world to incorporate their technology into their products, including smartphones and Web-based technologies," said Guidorizzi.
Micro hand movements
A project underway at the New York Institute of Technology aims to analyze micro movements and oscillations in your hand as you hold a smartphone to determine the identity of the user. It is looking at touch-burst activity, which happens when a user performs a series of touch strokes and gestures, and the pause between those touches and gestures while the user is consuming content.
SRI International in Silicon Valley is trying to exploit the accelerometers and gyro sensors already inside smartphones to extract unique and distinguishing characteristics of the way a user walks and stands.
Your stride length, the way you balance your body, the speed you walk all are individual to you. Additional sensors can help to determine physical characteristics, such as arm length, and the user's physical situation, such as proximity to others and whether the user is sitting, standing, picking something up, texting or talking on the phone.
The differences in how we use language could be enough to tell us apart. Drexel University is trying to extract author fingerprints from the large volumes of text we typically enter into our PCs and smartphones and then use that to spot when someone else might be at the keyboard.
This could be the words used, individual grammar quirks, sentence construction and even the errors individuals are prone to making again and again. The technology can be tied together with another keyboard-based authentication method -- the analysis of the way a user types, such as their keyboard speed and pauses between letters -- to make an even more secure authentication system.
NASA's Jet Propulsion Laboratory is trying to detect the individual features of your heartbeat from a phone. Microwave signals emitted by the phone are reflected back by your body, collected by sensors in the phone and amplified to detect your heart rhythm. This might have the added bonus of being able to alert you to see a doctor should a subtle change in your heartbeat happen.
The last thing anyone wants to see on a PC is an error message, but this particular type of annoyance might turn out to have a role to play in security.
By throwing up random error messages and analysing how users respond to them, the Southwest Research Institute is hoping to identify individuals and spot intruders. So next time your PC tells you it's out of memory and asks if you want to report the issue, think carefully. It could be testing you.
Perhaps most familiar to people through fingerprint sensors, biometric analysis seeks to exploit a wide range of personal characteristics. Li Creative Technologies is developing a voice-based system that can be used to unlock a mobile device.
You'll be prompted to say a passphrase, and the software doesn't just monitor if the phrase was correct but whether you were the one saying it. A second function continuously monitors what's being said around the device to detect if another user has picked up the phone and is attempting to access it.
The University of Maryland is using visual streams to make sure you're the one using your PC or phone. On the desktop it looks at things like the way you organise windows and resize them, your work patterns and limitations in mouse movements.
On the phone the system pulls in three video streams: an image of you from the front-facing camera, an image of your surroundings (or shoes or pants) captured with the rear-facing camera, and your screen activity from the display. Researchers hope that taken together, these three streams will be distinct enough to authenticate an individual user and keep them authenticated while using the device.
Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is email@example.com