DARPA Is After Your Password

The tech arm of the U.S. Department of Defense believes that even the most secure password is insecure—and that the future of account security will be biometric analysis of your typing style.

The Defense Advanced Research Projects Agency (DARPA) has played a crucial part in creating the modern tech world. DARPA helped lay the groundwork for the Internet, played a crucial part in developing personal computers, and created GPS. One of the agency's newest projects is equally revolutionary and has massive commercial implications—scientists at DARPA want to create a new technology for account passwords that will be easy to use and mind-bogglingly secure.

Most of the password-replacement action at DARPA is taking place within the Active Authentication program, where researchers are studying “innovative approaches that enable revolutionary advances in science, software, or systems” that authenticate a user's identity while stationed at a computer terminal without relying on passwords. According to DARPA press materials, the agency is focusing on creating cutting-edge biometric identification products that can identify an individual user through their individual typing style. In the future, DARPA hopes smart computers will be able to verify account-holders' identities through their typing speed, finger motions and quirks of movement.

DARPA is holding a showcase, Active Authentication Industry Day, on Friday, November 18, in Arlington, VA. At the showcase, DARPA officials will brief government contractors, computer security firms and the general public on technologies being developed at the agency. Potential contractors and bidders for product development will also be assessed at the showcase. While no external bids or contracts have been tendered by the Defense Department at this time, the industry showcase indicates that DARPA plans to solicit contractor bids for post-password technologies in the near future.

Materials published by DARPA seem to indicate that researchers at the agency believe most contemporary account passwords—at least those adhering to best practices—are clunky, hard to remember, and ultimately insecure. According to program manager Richard Guidorizzi, “My house key will get you into my house, but the dog in my living room knows you’re not me. No amount of holding up my key and saying you’re me is going to convince my dog you’re who you say you are. My dog knows you don’t look like me, smell like me or act like me. What we want out of this program is to find those things that are unique to you, and not some single aspect of computer security that an adversary can use to compromise your system.”

Most password alternatives previously proposed by government or the private sector have revolved around biometric identifiers such as facial scans, fingerprints or retinal scans. These technologies, however, have been expensive to implement on a mass basis. In addition, concerns about privacy and security have also been raised. Creating a biometric identification system based around the individual user's typing style is cost-effective and also helps prevent potential civil liberties concerns.

Guidorizzi believes passwords will always be insecure. Instead, he proposes “forensic authorship”—the analysis of a user's average word length, use of punctuation and type-token ratio (for us mortals, basically the number of unique words used in a document) to determine the identity of computer users. DARPA has not yet unveiled how they intend to turn forensic authorship into a replacement for the password—but their decision to hold an industry day shows that they believe the technology holds potential. Once the agency creates a workable prototype of their new password-replacement system, it will be tested on desktops in a “Department of Defense office environment.”
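The three features named above, computed over constructed text samples and compared against an enrolled profile, as an added example that is not DARPA's or this article's code. The function names, the relative-difference score and the 0.15 threshold are assumptions, and the type-token ratio uses its usual definition of unique words divided by total words.

```python
import re

PUNCT = set(".,;:!?()\"-")  # apostrophes are treated as part of a word

def stylometric_features(text):
    """Average word length, punctuation rate and type-token ratio of a sample."""
    words = re.findall(r"[a-z]+(?:'[a-z]+)?", text.lower())
    if not words:
        raise ValueError("sample contains no words")
    return {
        "avg_word_len": sum(len(w) for w in words) / len(words),
        "punct_per_word": sum(ch in PUNCT for ch in text) / len(words),
        # Usual definition: unique words divided by total words.
        "type_token_ratio": len(set(words)) / len(words),
    }

def profile_distance(enrolled, sample):
    """Mean relative difference per feature: 0.0 is identical, 1.0 is maximal."""
    total = 0.0
    for name, ref in enrolled.items():
        scale = max(abs(ref), abs(sample[name]))
        if scale:  # both values zero means the feature matches exactly
            total += abs(ref - sample[name]) / scale
    return total / len(enrolled)

def same_author(enrolled_text, sample_text, threshold=0.15):
    """Assumed decision rule: accept when the two profiles are close enough."""
    distance = profile_distance(stylometric_features(enrolled_text),
                                stylometric_features(sample_text))
    return distance <= threshold

# Constructed samples, written for this example only.
ENROLLED = "Ok, so I ran the job; it failed, again. I will fix it, then run it, ok?"
SAME_STYLE = "Ok, I ran it; the job failed. So I fix it, then I run it, again, ok?"
OTHER_STYLE = ("Subsequent investigation demonstrated considerable infrastructure "
               "degradation throughout production environments")

if __name__ == "__main__":
    for label, sample in (("same style", SAME_STYLE), ("other style", OTHER_STYLE)):
        verdict = "accept" if same_author(ENROLLED, sample) else "reject"
        print(f"{label}: {verdict}")
```

Samples this short give noisy feature values; an enrolled profile would need far more text per user before a threshold means anything.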

Researchers assigned to the Active Authentication program will be working on innovative software approaches that will use forensic authorship technology to create effective password-replacement tools. According to DARPA, researchers will take special care to ensure that the program does not violate privacy laws or create the potential for misuse of personal data. While this technology is obviously not going to market for quite some time, it is something we will hear quite a lot of in the future.

Nobody likes entering passwords. Nobody likes remembering passwords. Nobody likes forgetting passwords. Creating a painless, easy, and secure password-replacement system will be a major cash cow for any firm that can effectively bring it to market.


Neal Ungerleider is the author of this article.
