The United States’ military mad-tech unit, better known as DARPA (the Defense Advanced Research Projects Agency), is building a behavior-based biometric identification system that it believes could one day replace traditional passwords.
DARPA apparently thinks that a behavior-based biometric system, which looks at how a computer user handles their mouse or crafts an email, would prove much harder to crack than traditional authentication techniques, which include such things as passwords and PIN codes, physical keys and conventional biometrics (like eye scans and fingerprints). As such, the agency has just awarded a multimillion-dollar grant to researchers at the West Point academy, one of the US’s most prestigious military institutions.
The award comes under DARPA’s “active authentication” program, which seeks to replace traditional authentication techniques with something safer and more convenient to use. The money will be used by researchers to develop cognitive fingerprint algorithms that can learn and recognize behavioral patterns based on the way someone uses a mobile device or computer mouse. The idea is that each individual moves the cursor or swipes a mobile screen in a way that’s unique, and can therefore be positively identified when they do so.
The award document, which was seen by Sky News, gives an explanation of how the system would work:
“Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a ‘cognitive fingerprint.’”
“The biometrics program is creating a next generation biometric capability built from multiple stylometric/behavioural modalities using standard Department of Defence computer hardware.”
DARPA is hoping that behavior-based biometrics can be developed and applied to encrypted data communications as a first step. But if the technology proves itself, the implications could go well beyond the US military, perhaps one day even replacing passwords and giving private organizations better protection from ‘phishing’ attacks that aim to steal users’ login credentials.
“If they’re effective, cognitive fingerprints could offer significant advantages over existing forms of authentication,” noted web consultant Mark Stockley on Sophos Naked Security’s blog. “Unlike biometrics they don’t require specialist hardware and unlike password authentication they don’t rely on users being good at something they’re naturally bad at.”
This isn’t the first time someone has thought of using behavioral patterns to identify users, though. Last year, Google announced its reCAPTCHA project that aims to replace the old, annoying CAPTCHA authentication technique with a simple tick box. The system is smart enough to tell whether you’re a human or a bot based on which boxes you tick, together with the web browsing data Google already has on you.