Dump passwords, use biometrics instead, says DARPA

The agency's Active Authentication program would analyze typing patterns and other behavioral traits so that a user's ID is continuously being confirmed.

The Defense Advanced Research Projects Agency wants to eliminate passwords and use an individual’s typing style and other behavioral traits for user authentication.

Creating, remembering and managing long, complex passwords is “inherently unnatural,” the agency said on its Active Authentication site. And most active sessions don’t have mechanisms to identify that the current user is still the one originally authenticated.

Biometric features such as fingerprints have long been used in some two-factor authentication systems, but even then they only confirm a user’s ID when the user logs in. DARPA is proposing behavior-based methods for continual verification.




The agency issued a Broad Agency Announcement solicitation in January for its Active Authentication program. Responses were due March 6.

The program is seeking new ways to identify users, based on intrinsic or behavioral traits. “Just as when you touch something [with] your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a ‘cognitive fingerprint,’” DARPA’s statement said.

The first phase of Active Authentication will focus on researching biometrics that do not require additional hardware sensors, such as mouse and keystroke dynamics. An individual potentially could be identified by how fast he or she types or reads; what words he or she uses when creating a document or e-mail message; or how he or she moves the mouse across a page, DARPA said.

Later phases of the program will combine the biometrics with a new authentication program for standard Defense Department desktop or laptop PCs.

The program intends to combine its identification techniques into a continuous authentication process, so that the identity of a user at a machine is constantly being confirmed. The platform will be developed with open Application Programming Interfaces to allow for the easy addition of future biometric software and hardware, DARPA said.

“What I’d like to do,” Richard Guidorizzi, DARPA product manager, said at last year’s Cyber Colloquium in Arlington, Va., “is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions.”

Interestingly, a 2010 DARPA-funded study by the National Research Council found biometrics to not be as reliable or accurate as people think, GCN reported when the study’s results were released. The study, which was disputed by biometrics proponents, concluded that biometric systems were overly complex and inherently probabilistic, always leaving at least some room for error.


