Seven Ways DARPA Is Trying To Kill The Password
Martyn Williams, writing on TechWorld.com on August 8, 2014, notes that “from analyzing the way you walk to your heartbeat, these futuristic systems could soon be here.” “With the news last week that Russian hackers stole as many as 1.2B Internet credentials,” Mr. Williams asks, “isn’t it time we dumped the user name and password?”
“A lot of the best technology today,” Mr. Williams writes, “exploits biometric factors, such as retina patterns, fingerprints, and voice analysis; but beyond that, a number of researchers are looking to tap into the way we think, walk, and breathe, to differentiate between us and an intruder.” “Helping to lead this effort,” notes Mr. Williams, “is DARPA, the U.S. military’s Defense Advanced Research Projects Agency. Its Active Authentication Project is funding research at a number of institutions working on desktop and mobile technologies that work not just for the initial login but continuously, while the user is accessing the device. The array of sensors already found in mobile phones makes some of the ideas particularly interesting,” Mr. Williams observes.
“The technologies exploit data that’s already available inside [the] devices, but utilize it in new ways,” said Richard Guidorizzi, Program Manager of the project at DARPA. “Except during lab testing, we did not need to create new devices to attach to your phone to drain your battery. They were able to use what was already there with a great deal of success,” he said.
“So, when might that be available?” asks Mr. Williams. “The project is still ongoing, but is starting to attract some interest,” he adds. “Some of my [teams] are already being approached by some of the largest companies in the world to incorporate their technology into their products, including smartphones and Web-based technologies,” Guidorizzi said.
Micro Hand Movements
“A project underway at the New York Institute of Technology aims to analyze micro movements and oscillations in your hand as you hold a smartphone, to determine the identity of the user. It is looking at touch-burst activity, which happens when a user performs a series of touch strokes and gestures, and the pause between those touches and gestures while the user is consuming content.”
“SRI International in Silicon Valley is trying to exploit the accelerometers and gyro sensors already in smartphones to extract unique and distinguishing characteristics of the way a user walks and stands,” writes Mr. Williams. “Your stride length, the way you balance your body, the speed you walk: all are individual to you. Additional sensors can help determine physical characteristics, such as arm length, and the user’s physical situation, i.e., proximity to others and whether the user is sitting, standing, or picking something up, as well as texting or talking on the phone.”
“The differences in how we use language could be enough to tell us apart,” notes Mr. Williams. “Drexel University is trying to extract author fingerprints from the large volumes of text we typically enter into our PCs and smartphones, and then use that to spot when someone else might be at [our] keyboard. This could be the words used, individual grammar quirks, sentence construction, and even the errors individuals are prone to making again and again. The technology can be tied together with another keyboard-based authentication method (the analysis of the way a user types, such as their keyboard speed and pauses between letters) to make an even more secure authentication system.”
“NASA’s Jet Propulsion Laboratory,” writes Mr. Williams, “is trying to detect the individual features of your heartbeat from a phone. Microwave signals emitted by the phone are reflected back by your body, collected by sensors in the phone, and amplified to detect your heart rhythm. This might have the added bonus of being able to alert you to see a doctor, should a subtle change in your heartbeat happen.”
“The last thing anyone wants to see on a PC is an error message,” writes Mr. Williams [I can think of much worse], “but this type of annoyance might have a role to play in [web-based] security. By throwing up random error messages and analyzing how users respond to them, the Southwest Research Institute is hoping to identify individuals and spot intruders. So, next time your PC tells you it’s out of memory and asks if you want to report the issue, think carefully: it could be testing you.”
“Perhaps most familiar to people through fingerprint sensors,” Mr. Williams observes, “biometric analysis seeks to exploit a wide range of personal characteristics. Li Creative Technologies is developing a voice-based system that can be used to unlock a mobile device. You’ll be prompted to say a passphrase, and the software doesn’t just monitor if the phrase was correct, but whether you were the one saying it. A second function continuously monitors what’s being said around the device to detect if another user has picked up the phone and is attempting to access it.”
“The University of Maryland is using visual streams to make sure you’re the one using your PC or phone,” Mr. Williams notes. “On the desktop it looks at things like the way you organize windows and resize them, your work patterns, and limitations in mouse movements. On the phone, the system pulls in three video streams: an image of you from the front-facing camera, an image of your surroundings (or shoes, or pants) captured with the rear-facing camera, and your screen activity from the display. Researchers hope that taken together, these three streams will be distinct enough while using the device.”
We’re Losing The Password War
Leslie Horn, writing in the August 12, 2012 edition of Gizmodo.com, summed it up pretty well: “The problem, you see, is that our passwords are spreading across more and more accounts, while technology makes cracking passwords ever easier.” Charlie Warzel, writing in the April 11, 2014 edition of BuzzFeed.com, writes that “the critical flaw with Internet passwords is systemic, and the fundamental structure of usernames and passwords grows more obsolete each day. It’s a technology built for the Internet that no longer exists,” he argues.
And experts don’t seem to agree on the best course of action or way ahead. Jeffrey Goldberg, an engineer for the password management software firm 1Password, whose official title is the “Defender Against The Dark Arts,” argues that “biometrics are emphatically not a solution. Imagine,” he says, “a password that you could never change, and that anyone within listening, photographing, or fingerprint lifting distance could copy. Your voice may be your passport, but it is a lousy secret.”
Let’s hope that DARPA is successful in devising a new way to verify we are who we say we are for Internet purposes in the not too distant future. Until then, two-step authentication should be used as much as possible. One password is not enough. V/R, RCP