Imagine sitting down at your work keyboard, typing in your user name and starting work right away - no password needed.
That's a vision that the
Defense Advanced Research Projects Agency, part of the Defense Department, wants to turn into a reality. It will distribute research funds to develop software that determines, just by the way you type, that you are indeed the person you say you are.
Darpa's purpose is to sponsor "revolutionary, high-payoff research" for military use. But technology developed under Darpa's auspices - the Internet itself being only one among many achievements traceable to its initiatives- eventually tends to find its way into the civilian world.
Passwords like "6tFcVbNh-TfCvBn" meet the Defense Department's definition of "strong," says
Richard Guidorizzi, a program manager at Darpa. "The problem is, they don't meet human requirements," he says. "Humans aren't built to understand random connections of characters."
Mr. Guidorizzi made those comments in a
talk titled "Beyond Passwords," presented last November at a Darpa symposium in Arlington, Va. Humans use patterns to make passwords manageable, he said. He displayed five handwritten passwords, each a slight variation of "Jane123" - and all of them easily cracked.
"What I'd like to do," Mr. Guidorizzi said, "is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions."
No biometric sensors, like thumbprint or iris scanners, would be used. Instead, he is seeking technology that relies solely on an individual's distinct behavioral characteristics, which he calls the cognitive fingerprint.
Academic experts are trying several approaches to determine users' identities solely through their computer behavior.
Roy Maxion, a research professor of computer science at Carnegie Mellon University, oversees research on "keystroke dynamics," including the length of time a user holds down a given key and moves from one particular key to another.
Motions that we've performed countless times, Professor Maxion says, are governed by motor control, not deliberate thought. "That is why successfully mimicking keystroke dynamics is physiologically improbable," he says.
He gives this example: A computer user holds down a key for an average of 100 milliseconds. Suppose that a fraudster is trying to mimic a person who is slightly faster than average - typically holding the key down for 90 milliseconds. "Then the spoofer is in the dubious position of having to consciously shorten a key-press action by 10 milliseconds," Professor Maxion says. Having such control doesn't seem realistic, he says, when one considers that "a voluntary eye-blink takes 275 milliseconds."
He says that there is some evidence that a user's emotional state affects typing rhythms. But just as people can recognize a familiar song even if it is mangled by inept musicians, so, too, he hypothesizes, could software recognize one's distinct "core rhythm," which would be "perceptible even through the noise of emotion, fatigue or intoxication." He adds that the notion of core rhythm has not been experimentally confirmed.
Charles C. Tappert, a professor of computer science at Pace University, has also conducted research on the keystroke biometric, verifying identities by looking at the way students type their answers to questions on online tests. His research group has developed software that analyzes the distinctive pattern of keyboard pressure; it accurately confirms the claimed identity of a test taker in 99.5 percent of cases, he says.
The situations that Darpa has in mind would require a system that quickly authenticates the user, without waiting to collect data on hundreds of keystrokes. But Professor Tappert says that an intruder's movement within an internal network would show telltale irregularities and that his software would be able to detect them.
Research overseen by
Salvatore J. Stolfo, professor of computer science at Columbia University, has led to the development of software that uses a simple means of detecting an intruder: placing decoy documents on the computer. "For example, we have the user place a document with a juicy name like 'CreditCards.doc' on the P.C.," Professor Stolfo says. "He or she knows it's there only as a lure. But an intruder would be enticed to open it. Bingo!"
When a decoy file is opened, the system software checks to see whether the person has conducted file searches on the computer that fit the expected search pattern. If there is no close match, the system sets off an alarm and asks the user to confirm his or her identity, Professor Stolfo says. He compares the process to what consumers periodically experience when they receive a call from a credit card company's fraud-prevention department.
Continuos monitoring of a user's behavior is an essential element of Darpa's requirements. Because of the conventional password-based systems used today, the agency says, there is now no way "to verify that the user originally authenticated is the user still in control of the keyboard."
Research done by Professor Maxion of Carnegie Mellon suggests that just a few key taps may be needed for continuous authentication. Test subjects were invited to mimic the keystroke timing of another person they were observing, and were permitted to practice that person's 10-character password 100 times. He said no one succeeded in mimicking the target.
Professor Maxion has worked on another behavioral biometric for user verification: mouse dynamics. He explains that "everyone has an idiosyncratic way of using a mouse, such as the speed with which you move the cursor across the screen; the path - straight line, convex or concave arc; and the presence or absence of jitter."
A password-free security system would fit users' needs nicely - and would ask absolutely nothing from the ever-fallible human mind.