We've never given up trying to solve the conundrum of what could replace passwords, given that passwords are basically broken and, short of some unforeseen breakthrough, are unlikely to be fixed anytime soon.
We've looked at the pros and cons of biometrics. We've considered face recognition. Here comes the latest contender: identifying users by their keystrokes. At first glance, this is a great idea and gives the Defense Advanced Research Projects Agency something to think about other than building a National Cyber Range. (I wasn't aware that DARPA was one of the agencies involved in the NSTIC, or the National Strategy for Trusted Identities in Cyberspace, but if it can bring something to the party, why not?)
requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard.
The solution to trusted identities lies neither in passwords, nor in biometrics like thumbprints or iris recognition, but in behavioral traits -- what DARPA calls the "cognitive footprint." It's betting on the hypothesis that there are forms of physical behavior so distinctive that they can be used to identify individuals as efficiently as fingerprints.
Fairly obviously, the main behaviors in which we engage whenever we're online involve interaction with the keyboard and the mouse or trackpad. This holds out the hope that distinctive cognitive patterns might be found in the technology as it is already deployed and used. DARPA also plans to look at using multiple identifiers in developing a platform suitable for use on Department of Defense PCs and laptops.
Program manager Richard Guidorizzi paints a beguiling picture:
What I'd like to do is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions.
Imagine it: Your computer recognizes you. No password needed, and no more shuffling through the Post-Its on your desk trying to find where you wrote it down. But "imagine" is the operative word. DARPA plans to distribute research funding to find out if this can work.
Setting aside the possibility that the relevant behaviors simply can't be distinguished reliably enough across large populations, I can foresee other obstacles to this approach. For one thing, behavioral patterns surely change over time, unlike fingerprints (barring disfiguration). Aging, as well as a range of quite common infirmities, can alter the way we interact with our devices, so any behavioral template would have to be re-enrolled periodically or allowed to adapt, and an adapting template is itself something an impostor can try to drag, a little at a time, toward their own habits.
Furthermore, being recognized by a device only gets us halfway toward trusted identities. My PC is going to need to communicate the validity of the authentication over the network to the secure destinations I need to visit online, and those destinations will have to decide how far to trust an assertion made by my machine, which an attacker who controls that machine could forge. Many a slip, as they say.
Nevertheless, it's an imaginative strategy, and it's going to be interesting to follow.
Kim, the idea is great (I guess every comment starts with it) but then goes "but".
The idea is great but...
My "but" would be connected with the extension of that kind of cognitive surveillance. It sounds like a new digital panopticon that could bring a further inability to stay anonymous in society. If a computer can determine whether it is you or not by your online activity, then in the future you could be defined by any activity. For example, you shop online and then decide to do something that is not very typical for you; will the system let you use your credit card, etc.?
Ultimately, at the end of the day, the data from keystrokes has to be converted back into bits and bytes (1s and 0s), and if you can break into a host computer (which hosts this information), it is relatively easy to get at that data. Also, there are many links in the chain when you send data to and fro (you will continue to get all those opportunities to break in and access the data you want).
As far as fingerprints go, the technology and infrastructure already exist and just need to be refined. I don't think companies should spend time and money on something which could be little more than wishful thinking at this stage.
As for DARPA and the funding they are going to distribute.
How much was US Govt debt the last time I checked???
I think that's why the idea of the device simply recognizing the user is so attractive. Passwords, tokens, even the intriguing magnetic card idea, all introduce elements which can be lost or stolen or hacked.
As I said, if DARPA comes up with something no better than fingerprinting, the "cognitive footprint" idea will seem like hot air - although it does have the advantage that it wouldn't require a roll-out of sensors.
There's never going to be a point of perfect security. Too many security measures kill productivity and, worse, if they're a major nuisance users will just work around them anyway.
It may be frustrating, but "good enough" is probably a better solution than "great".
Maybe less secure as a way of locking out unauthorized behaviour, but what if it worked in reverse? What if the cognitive footprint was used to identify the rather standard behaviour of a crook?
Our behaviours change over time, but crooks basically are after the same things, aren't they? For example, in Canada Rogers (one of our major ISPs) automatically detects when computers are displaying the behaviour of a compromised machine and shuts off their Internet connection after sending a notification email.
If the cognitive footprint is used in conjunction with other security measures, it should provide a strong level of security that should help even when passwords are weak.
But once again, the data the program would collect to ID the user would still be subject to cracking by an attacker, much the same way others have mentioned the same situation with fingerprint data, etc. Although having the physical ability to tie ID to a basic individual is nice, the following solution is no worse than requiring a keyboard.
Granted, it would be a big file, but that is no real challenge to the criminals. The best third-factor solution I've seen along similar lines is Magneprint. The card is swiped like a credit card, and the unique pattern of magnetic nanoparticles is stored in a central, very secure database. Every time you swipe the card, each swipe is unique because of the angle, depth, length, and speed of the stroke. These stoichiometric calculations can be analysed and never reproduced by the criminals; even if they replay it, that would be an obvious recording and immediately rejected by the server, and a re-swipe command sent. In fact, as the particles wear they change in a predictable manner that is only possible to be known by the ID servers. Criminals would have to crack the database at the central server to get the pattern data, but they still wouldn't be able to reproduce it, because nano patterns are very difficult to reproduce unless you are a high-tech manufacturer. It would be a next to impossible effort, that even the Chinese could not crack.
After all, the mathematical stoichiometry science would have to be reproduced, which would involve chaos theory, and is probably impossible by today's methods to reproduce. The same thing could probably be done with a sensor pen for a signature, quite frankly, but it would be harder to tie it back to the individual, as the subtle changes in writing and pressure don't lend themselves to mathematics as a known set pattern does. Fingerprinting doesn't lend itself to enough subtle changes on a flat surface either. If a 3D pattern of the print were stored and the user's habits for touching the authentication device were similarly analysed, it may be close to my favorite solution, but it would require a very high resolution, and probably high expense; not an economical one. I don't like fingerprinting, because I feel that is too deep an intrusion on one's privacy, and it has been proven that the basic patterns can be reproduced and used against the original user.
Of course, to adopt Magneprint would make necessary the carrying of a card with you, but that isn't any worse than some USB second-factor solutions that are being used, and way better in my best estimation. I have no affiliation with MagnePrint or any other person or company. I really like the KISS principle (relatively speaking) for the user/client, and if married to PassWindow, it would make an excellent banking solution that would be even harder to crack.
Then again, a solution that only required the individual to show up, by using physical characteristics, is enchanting. If having just another separate object for a solution is not ideal for this discussion, then I digress. I still feel some day facial recognition and iris recognition technology could become cheap enough to be combined and apply similar geometry, and be just as impossible to replay. Some day.
I think DARPA is very open to a multiple platform including passwords and tokens as well as biometrics, but we're still stuck with the real password problem: make them tough enough to be worth using and you have to record them somewhere.
There has been a fair bit of research on keystroke patterns and it is actually a very good biometric method. However, my understanding is that it works best for the same thing (like a password). So it would be good as a second factor for password authentication. The way you enter your password is very consistent and very unique. How this could be stretched to more continuous identity verification, however, is interesting but may be just that: a stretch.
The big vulnerability that comes to my mind immediately with this is that basically every keystroke will be logged and therefore a poor implementation could quickly become a malicious keylogger. I'm always curious to see what DARPA is working on though and who knows where this might end up. Cool stuff, thanks Kim.
I think it would be very hard to mimic one individual's keystrokes.
It seems to me that there are at least two problems with fingerprints. One is that the system would need to be based on an existing database, or would need to build a very big new one. The second is precisely the database: if data which tells you that fingerprint X belongs to Y is held in a database (and where else?), it could be hacked. And you can tell people to change their passwords after a hacking incident more easily than you can tell them to change their fingerprints.
DARPA isn't even close to outlining the technology it would use, but I am assuming recognition will be based on something you do to the device (in real time), not on the kind of token-individual matching which would need to be stored on a database. My behavior is not a "thing" like my fingerprint or face or password. (If not, then I take your point.)
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.