Out with passwords, in with cognitive fingerprints


This was published 12 years ago


By Randall Stross

Imagine sitting down at your work keyboard, typing in your user name and starting work right away - no password needed.

That's a vision the Defence Advanced Research Projects Agency, part of the Defence Department, wants to turn into a reality. It will distribute research funds to develop software that determines, just by the way you type, that you are indeed the person you say you are.

We are moving to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background.

DARPA's purpose is to sponsor "revolutionary, high-payoff research" for military use. But technology developed under DARPA's auspices - the internet itself being only one among many achievements traceable to its initiatives - eventually tends to find its way into the civilian world.

Passwords like "6tFcVbNhTfCvBn" meet the Defence Department's definition of "strong," says Richard Guidorizzi, a program manager at DARPA. "The problem is, they don't meet human requirements," he says. "Humans aren't built to understand random connections of characters."

Guidorizzi made those comments in a talk titled Beyond Passwords, presented in November at a DARPA symposium in Virginia. Humans use patterns to make passwords manageable, he said. He displayed five handwritten passwords, each a slight variation of "Jane123" - and all of them easily cracked.

"What I'd like to do," Guidorizzi said, "is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions."

No biometric sensors, like thumb print or iris scanners, would be used. Instead, he is seeking technology that relies solely on an individual's distinct behavioural characteristics, which he calls the cognitive fingerprint.

Academic experts are trying several approaches to determine users' identities solely through their computer behaviour.

Roy Maxion, a research professor of computer science at Carnegie Mellon University in Pittsburgh, oversees research on "keystroke dynamics," including the length of time a user holds down a given key and moves from one particular key to another.


Motions that we've performed countless times, Maxion says, are governed by motor control, not deliberate thought. "That is why successfully mimicking keystroke dynamics is physiologically improbable," he says.

He gives this example: A computer user holds down a key for an average of 100 milliseconds. Suppose that a fraudster is trying to mimic a person who is slightly faster than average - typically holding the key down for 90 milliseconds. "Then the spoofer is in the dubious position of having to consciously shorten a key-press action by 10 milliseconds," Maxion says. Having such control doesn't seem realistic, he says, when one considers that "a voluntary eye-blink takes 275 milliseconds."
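The hold-time and key-to-key-latency features Maxion describes, turned into a small verifier. This is an added example, not DARPA's or Carnegie Mellon's code: the typing samples are constructed with Gaussian jitter, the enrolled typist holds keys for about 90 ms, and the impostor types at the 100 ms average with slower gaps between keys; the distance measure is a scaled Manhattan score and the threshold of 2.0 is an assumed value.

```python
"""Keystroke-dynamics verifier: hold times and key-to-key latencies.
Added example, not DARPA's or Maxion's code; all timing data is constructed."""
import random
from statistics import mean, pstdev

def synth_events(keys, hold_mean, flight_mean, rng, jitter=5):
    """Constructed sample: one (key, down_ms, up_ms) tuple per press, Gaussian jitter."""
    events, t = [], 0
    for k in keys:
        up = t + max(1, round(rng.gauss(hold_mean, jitter)))
        events.append((k, t, up))
        t = up + max(1, round(rng.gauss(flight_mean, jitter)))
    return events

def features(events):
    """Hold time of each press, followed by flight time (key-up to next key-down)."""
    holds = [up - down for _, down, up in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds + flights

def build_profile(samples):
    """Per-feature mean and standard deviation from enrolment samples of one string."""
    cols = list(zip(*[features(s) for s in samples]))
    means = [mean(c) for c in cols]
    stds = [max(pstdev(c), 1.0) for c in cols]   # floor avoids divide-by-zero
    return means, stds

def scaled_manhattan(profile, sample):
    """Mean |x - mu| / sigma over features; lower means closer to the enrolled rhythm."""
    means, stds = profile
    return mean(abs(x - m) / s for x, m, s in zip(features(sample), means, stds))

def verify(profile, sample, threshold=2.0):
    """True when the sample's rhythm is within the (assumed) threshold of the profile."""
    return scaled_manhattan(profile, sample) <= threshold

def demo():
    """Enrol a 90 ms-hold typist on 'Jane123', then score a genuine sample and an
    impostor who holds keys for the 100 ms average and pauses longer between keys."""
    keys = list("Jane123")
    rng = random.Random(7)
    profile = build_profile([synth_events(keys, 90, 120, rng) for _ in range(10)])
    genuine = synth_events(keys, 90, 120, random.Random(11))
    impostor = synth_events(keys, 100, 160, random.Random(13))
    return scaled_manhattan(profile, genuine), scaled_manhattan(profile, impostor)

if __name__ == "__main__":
    g, i = demo()
    print(f"genuine distance {g:.2f}, impostor distance {i:.2f}")
```

Seven key presses yield thirteen features, enough to separate the two typists here; a production system would also need to handle backspaces and out-of-order key-ups.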

He says there is some evidence that a user's emotional state affects typing rhythms. But just as people can recognise a familiar song even if it is mangled by inept musicians, so, too, he hypothesises, could software recognise one's distinct "core rhythm," which would be "perceptible even through the noise of emotion, fatigue or intoxication." He adds that the notion of core rhythm has not been experimentally confirmed.

Charles C. Tappert, a professor of computer science at Pace University in New York, has also conducted research on the keystroke biometric, verifying identities by looking at the way students type their answers to questions on online tests. His research group has developed software that analyses the distinctive pattern of keyboard pressure; it accurately confirms the claimed identity of a test taker in 99.5 per cent of cases, he says.

The situations that DARPA has in mind would require a system that quickly authenticates the user, without waiting to collect data on hundreds of keystrokes. But Tappert says an intruder's movement within an internal network would show telltale irregularities and that his software would be able to detect them.

Research overseen by Salvatore J. Stolfo, professor of computer science at Columbia University, has led to the development of software that uses a simple means of detecting an intruder: placing decoy documents on the computer. "For example, we have the user place a document with a juicy name like 'CreditCards.doc' on the PC," Stolfo says. "He or she knows it's there only as a lure. But an intruder would be enticed to open it. Bingo!"

When a decoy file is opened, the system software checks to see whether the person has conducted file searches on the computer that fit the expected search pattern. If there is no close match, the system sets off an alarm and asks the user to confirm his or her identity, Stolfo says. He compares the process to what consumers periodically experience when they receive a call from a credit card company's fraud-prevention department.
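The decoy check Stolfo describes, as an added example that is not Columbia's software: a baseline of the user's usual search terms is built from history, and when a lure file such as CreditCards.doc is opened, the searches issued just before the open are compared with that baseline. The event log, the window of five searches and the 0.5 match threshold are all constructed assumptions.

```python
"""Decoy-document alarm: on opening a lure file, test whether the recent
file-search pattern fits the enrolled user's. Added example; log is constructed."""
from collections import Counter

DECOYS = {"CreditCards.doc"}   # lure names placed by, and known to, the legitimate user

def search_profile(history):
    """Baseline: how often the enrolled user issues each search term."""
    return Counter(term for kind, term in history if kind == "search")

def pattern_match(profile, recent_terms):
    """Fraction of the recent search terms that occur in the baseline (0.0 if none)."""
    if not recent_terms:
        return 0.0
    return sum(1 for t in recent_terms if profile[t] > 0) / len(recent_terms)

def check_session(profile, events, window=5, threshold=0.5):
    """Walk (kind, value) events; each decoy open is scored against the last
    `window` searches. Returns (decoy_name, score) for every open that fails."""
    alarms, recent = [], []
    for kind, value in events:
        if kind == "search":
            recent = (recent + [value])[-window:]
        elif kind == "open" and value in DECOYS:
            score = pattern_match(profile, recent)
            if score < threshold:
                alarms.append((value, score))   # challenge the user, fraud-desk style
    return alarms

# Constructed history and two constructed sessions on the same workstation.
HISTORY = [("search", "budget"), ("search", "quarterly report"),
           ("search", "meeting notes"), ("search", "budget"), ("open", "budget.xls")]

OWNER_SESSION = [("search", "budget"), ("search", "meeting notes"),
                 ("open", "CreditCards.doc")]          # owner opens the lure by accident

INTRUDER_SESSION = [("search", "password"), ("search", "credit card"),
                    ("search", "ssn"), ("open", "CreditCards.doc")]

def demo():
    profile = search_profile(HISTORY)
    return check_session(profile, OWNER_SESSION), check_session(profile, INTRUDER_SESSION)

if __name__ == "__main__":
    print(demo())
```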

Continuous monitoring of a user's behaviour is an essential element of DARPA's requirements. Because of the conventional password-based systems used today, the agency says, there is now no way "to verify that the user originally authenticated is the user still in control of the keyboard."

Research done by Maxion of Carnegie Mellon suggests that just a few key taps may be needed for continuous authentication. Test subjects were invited to mimic the keystroke timing of another person they were observing, and were permitted to practice that person's 10-character password 100 times. He said no one succeeded in mimicking the target.

Maxion has worked on another behavioural biometric for user verification: mouse dynamics. He explains that "everyone has an idiosyncratic way of using a mouse, such as the speed with which you move the cursor across the screen; the path - straight line, convex or concave arc; and the presence or absence of jitter."

A password-free security system would fit users' needs nicely - and would ask absolutely nothing from the ever-fallible human mind.

The New York Times
