Researchers at the US military’s elite West Point military academy have been awarded a multi-million dollar contract to produce a new identity verification system based on users’ behaviour.
The technology, described as ‘a next generation biometric capability’, is being developed as part of the active authentication programme run by DARPA (the Defense Advanced Research Projects Agency).
Authentication has traditionally relied on users producing one or more of the following: something you know (such as a password or PIN), something you have (such as a one-time code from an RSA token) or something you are (such as your fingerprints or face).
The technology that West Point is working on, behaviour-based biometrics, adds another factor to the mix: something you do.
According to DARPA, the first phase of the active authentication programme will focus on biometrics that can be captured through existing technology, such as analysing how the user handles a mouse or how they craft the language in an email or document.
The contract document, seen by Sky News and reported by Yahoo Finance, describes the technology as a “cognitive fingerprint”:
...when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a 'cognitive fingerprint'
The biometrics program is creating a next generation biometric capability built from multiple stylometric/behavioural modalities using standard Department of Defense computer hardware.
If they’re effective, cognitive fingerprints could offer significant advantages over existing forms of authentication.
Unlike physical biometrics such as fingerprints or faces, they don’t require specialist hardware, and unlike password authentication they don’t rely on users being good at something they’re naturally bad at.
The technology should also give systems the ability to authenticate users continuously, keeping people logged in so long as they’re present and then logging them out as soon as they leave.
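To make the continuous-authentication idea concrete, here is an added toy example (not DARPA’s or West Point’s code) that enrols a user from constructed inter-key typing latencies and then scores each window of a session, locking it after consecutive out-of-profile windows; the statistics, thresholds and sample data are all assumptions chosen for illustration.

```python
"""Toy continuous authentication from keystroke timing (added example)."""
from statistics import mean, pstdev

# Constructed enrolment data: one user's inter-key latencies in milliseconds.
ENROL_LATENCIES = [95, 110, 102, 98, 120, 105, 99, 108, 101, 113]

# Constructed session: two windows from the enrolled user, two from a much
# slower typist who sat down at the unlocked machine, then one empty window
# (nobody typing at all).
SESSION_WINDOWS = [
    [100, 104, 112, 97, 109],
    [103, 95, 118, 101, 99],
    [180, 210, 165, 190, 200],
    [175, 195, 60, 205, 185],
    [],
]


def build_profile(latencies):
    """Mean and population std-dev of the enrolled user's latencies."""
    return {"mu": mean(latencies), "sigma": pstdev(latencies) or 1.0}


def sample_score(profile, latencies):
    """Fraction of a window's latencies that fall within 2 sigma of the
    enrolled mean; 1.0 means every keystroke looked like the owner."""
    lo = profile["mu"] - 2 * profile["sigma"]
    hi = profile["mu"] + 2 * profile["sigma"]
    return sum(lo <= x <= hi for x in latencies) / len(latencies)


def run_session(profile, windows, threshold=0.6, strikes=2):
    """Score every window; stay 'active' while scores clear the threshold,
    go 'locked' once `strikes` consecutive windows fail (or are empty,
    which we treat as the user being absent).  Returns per-window states."""
    states, low = [], 0
    for window in windows:
        if window and sample_score(profile, window) >= threshold:
            low = 0          # behaviour matches the owner: reset strikes
        else:
            low += 1         # mismatch or no input: one more strike
        states.append("locked" if low >= strikes else "active")
    return states


def demo():
    """Run the constructed session against the constructed enrolment."""
    return run_session(build_profile(ENROL_LATENCIES), SESSION_WINDOWS)
```

A real deployment would fuse many modalities (mouse, stylometry, gait) and use far better models than a 2-sigma band, but the control loop, score every window and revoke the session when confidence drops, is the part that distinguishes continuous from one-off authentication.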
The need to replace passwords in particular is pressing.
Generating and remembering effective passwords is difficult and unnatural. A lot of us are awful at it and there’s almost no improvement in the list of most common passwords from year to year. Meanwhile, computers improve their ability to crack passwords by brute force and cunning every year.
Biometrics has been waiting in the wings as the Next Big Thing in authentication for years.
While biometric technologies are used in household and business products, as a family they haven’t come close to supplanting passwords.
Transparent, behaviour-based biometrics could provide the nudge that’s needed to push biometrics into the mainstream, but there are two major obstacles to overcome before that happens.
The first is that you can’t change your biometrics – so what’s the equivalent of changing your password if you’re compromised?
The second is that for all the frustration that comes with remembering (and forgetting) our passwords, we know and feel, tangibly, that they’re under our control.
Behaviour-based biometrics will happen invisibly, which will be convenient but it will require us to be comfortable ceding that feeling of control too.
Precursors to behaviour-based biometrics – technologies that determine things about us based on the way we behave – are already with us.
In December 2014, Google completely reinvented its reCAPTCHA product, replacing the annoyingly wibbly wobbly letters and the out-of-focus photos with a simple tick box.
The tick box, backed by Google’s trove of user data and a hat full of artificial intelligence, determines if you’re a human based on what it knows about you and how you tick the box.
CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are tests used to tell whether an action is being carried out by a human or a computer (normally so that the activity of computers can be ignored).
Over time computers have got better at solving CAPTCHA puzzles, forcing us real humans to contend with increasingly frustrating and difficult-to-disentangle puzzles.
What Google realised was that advances in Artificial Intelligence that make it easier for unfriendly computers to guess “what number is in this photo?” also make it easier for friendly computers to solve difficult puzzles like “is this computer user behaving like a computer or a human?”
I think the Google reCAPTCHA change gives a hint at just how dramatic a shift to behaviour-based biometrics could be for both security and user experience.
We’d better get used to our new robot overlords.
Image of Cogs in the shape of a human brain, courtesy of Shutterstock.
Yeah, the new Google system works real well. 75% of the time I click the box, I still get a CAPTCHA I have to solve. It’s also slower than the previous CAPTCHA system.
And what happens when I want to change the way I do things? We humans don’t do things the same way every day for our entire lives.
Not much difference from current methods. The behavioral analysis is much more in depth than a few aspects of how you do things. Likewise there is nothing which prevents accidents from altering your ability to complete current verification standards. This has always been a topic of note with biometrics.
What will really get your gears turning… is what can/will be done with this information? Who will have access to it? How will it be secured? How long until technology can replicate a “signature”? How will it be obtained? Who will obtain it? Etc….
Yay! No more passwords…but at what cost?
Sounds like a trap to me!
Umm, measurements of the way I do things will vary drastically depending on whether I am using my desktop (trackball or mouse), laptop (trackpoint or touchpad) or Android phone (touchscreen). Will I be able to authenticate to more than one of these devices? If so, will others be able to authenticate as me?
Some captchas are really hard to decipher nowadays. Gives you a headache just figuring out what they are.
Given that password reuse is a huge security vulnerability these days because of laziness, wouldn’t this be a guaranteed vulnerability of using characteristics that are to some extent “universally” the same for a person from application to application?
e.g. Websites can already track mouse movements and typing through JavaScript; mimicking these “recordings” through a USB mouse/keyboard would not be too problematic, and if no other authentication was required it would be less secure than a unique robust password (I know these aren’t that common).
Nice article Mark, thanks for keeping us informed.
I probably will do a ‘take-off’ from this and cover the areas you didn’t, with you and Sophos properly linked to and accredited of course, lol…
One question though: I love my Brit buddies at Sophos, and was wondering if you are a Yank like me, or where across the pond do you hail from?
While this has been partially implemented before, none of you are seeing the whole thing that comes. If they succeed, they’ll be able to tell anybody apart from anybody else at any time, anywhere. This is (might be) based on several aspects of how you do everything: speed of writing, words you use, where you leave the mouse pointer while you look at the screen, how you sit on the chair, how you walk, your head wobble… Instant, universal identification of everybody. Unfake-able, undeletable.