Continuous multi-factor authentication put to the test

A device now being piloted in DOD can continually use voice, facial recognition, location and walking gait to identify a user.

FaceID is so 2018.

The Defense Department is testing new devices that could eliminate the need for passcodes while continuously authenticating users via multiple biometrics.

"Most mobile phones today you unlock them with your fingerprint or face," Stephen Wallace, systems innovation scientist for the Defense Information Systems Agency, told FCW. "That's a point in time; I can unlock it, hand it to you or leave it on a park bench and someone can pick it up and become me."

The devices DISA is testing prevent that by automatically locking "if somebody picks it up and starts to move around with it," said Wallace, speaking after a Jan. 30 presentation at the International Association of Innovation Professionals Disruption conference. "The trust score falls because they don't walk the same way [as the registered user]. They're potentially not in the same locations, their voice pattern might be different."

The device stays locked until the multi-factor criteria are met, and it can be remotely wiped by a mobile device manager if lost or stolen.

DISA now has 50 such devices in circulation among mission partners, Wallace said, including the Joint Interoperability Test Command, which is evaluating and testing against the test plan.

The devices -- or more specifically, the chipsets embedded within them -- analyze a user's walking gait, location, facial structure and voice patterns to validate identity. Such continuous multi-factor authentication has been a priority for DOD since at least 2016, when then-CIO Terry Halvorsen announced plans to move away from Common Access Cards. DISA later identified walking gait as a particularly important biometric because of the obstacles a tactical environment can present for facial or fingerprint recognition.

The chips are being tested in Android phones, but are fashioned to be compatible with laptops, wearables and other mobile devices. "We specifically went after hardware rather than software because it could get smaller" and provide a higher level of assurance, Wallace said. "If you do it at a software level, you're dependent on the hardware below it for your security."

The initiative is part of a 2018 innovation contract with Qualcomm. The pilot also folds into DISA's assured identity initiative that combines artificial intelligence and machine learning techniques with behavioral analysis.

Wallace said the 50 devices are in an "alpha testing" phase, which will run through the spring. (The original contract with Qualcomm was for 75 devices, but the number was cut to better focus the pilot, a DISA spokesperson told FCW via email.)

The vendor will produce a reference design and, once accepted, it can be integrated into commercially available products, he said, "which then the rest of DOD can consume."

"Our goal with this is that it gets turned out to commercial industry and so your personal phone could end up with this technology," Wallace said. "It's not really just for our classified environment. We wanted something that was commercially viable so that we don't get driven down the route of high-cost, low-deployment devices."

"If you get a broad enough deployment, the cost comes down low enough that it's affordable for everybody," he added.
