Researchers at the US military’s elite West Point military academy have been awarded a multi-million dollar contract to produce a new identity verification system based on users’ behaviour.
The technology, described as ‘a next generation biometric capability’, is being developed as part the active authentication programme run by DARPA (the Defence Advanced Research Projects Agency).
Authentication has traditionally relied on users producing one or more of the following: something you know (such as a passwords or PIN), something you have (such as a number from an RSA key) or something you are (such as your fingerprints or face.)
The technology that West Point is working on, behaviour-based biometrics, adds another factor to the mix: something you do.
According to DARPA the first phase of the active authentication program will focus on biometrics that can be captured through existing technology, such as analysing how the user handles a mouse or how they craft the language in an email or document.
The contract document, seen by Sky News and reported by Yahoo Finance, describes the technology as a “cognitive fingerprint”:
...when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a 'cognitive fingerprint'
The biometrics program is creating a next generation biometric capability built from multiple stylometric/behavioural modalities using standard Department of Defence computer hardware.
If they’re effective, cognitive fingerprints could offer significant advantages over existing forms of authentication.
Unlike biometrics they don’t require specialist hardware and unlike password authentication they doen’t rely on users being good at something they’re naturally bad at.
The technology should also give systems the ability to authenticate users continuously, keeping people logged in so long as they’re present and then logging them out as soon as they leave.
The need to replace passwords in particular is pressing.
Generating and remembering effective passwords is difficult and unnatural. A lot of us are awful at it and there’s almost no improvement in the list of most common passwords from year to year. Meanwhile, computers improve their ability to crack passwords by brute force and cunning every year.
Biometrics has been waiting in the wings as the Next Big Thing in authentication for years.
While biometrics are used in household and business products, as a family of technologies it hasn’t come close to supplanting passwords.
Transparent, behaviour-based biometrics could provide the nudge that’s needed to push biometrics into the mainstream, but there are two major obstacles to overcome before that happens.
The first is that you can’t change your biometrics – so what’s the equivalent of changing your password if you’re compromised?
The second is that for all the frustration that comes with remembering (and forgetting) our passwords, we know and feel, tangibly, that they’re under our control.
Behaviour-based biometrics will happen invisibly, which will be convenient but it will require us to be comfortable ceding that feeling of control too.
Precursors to behaviour-based biometrics – technologies that determine things about us based on the way we behave – are already with us.
In December 2014, Google completely reinvented it’s reCAPTCHA product, replacing the annoyingly wibbly wobbly letters and the out of focus photos with a simple tick box.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) are tests used to tell whether an action performed is carried out by a human or a computer (normally so that the activity of computers can be ignored.)
Over time computers have got better at solving CAPTCHA puzzles, forcing us real humans to contend with increasingly frustrating and difficult to disentangle puzzles.
What Google realised was that advances in Artificial Intelligence that make it easier for unfriendly computers to guess “what number is in this photo?” also make it easier for friendly computers to solve difficult puzzles like “is this computer user behaving like a computer or a human?”
I think the Google reCAPTCHA change gives a hint at just how dramatic a shift to behaviour-based biometrics could be for both security and user experience.
We’d better get used to our new robot overlords.