We've never given up trying to solve the conundrum of what could replace passwords -- given that passwords are basically broken and, short of quantum-generated encryption, are unlikely to be fixed anytime soon.
We've looked at the pros and cons of biometrics. We've considered face recognition. Here comes the latest contender: identifying users by keystrokes. At first glance, this is a great idea and gives the Defense Advanced Research Projects Agency something to think about other than building a national cyberrange. (I wasn't aware that DARPA was one of the agencies involved in the NSTIC, or the National Strategy for Trusted Identities in Cyberspace, but if it can bring something to the party, why not?)
According to DARPA, reliance on passwords "requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard."
The solution to trusted identities lies neither in passwords, nor in biometrics like thumbprints or iris recognition, but in behavioral traits -- what DARPA calls the "cognitive footprint." It's betting on the hypothesis that there are forms of physical behavior so distinctive that they can be used to identify individuals as efficiently as fingerprints.
Fairly obviously, the main behaviors in which we engage whenever we're online involve interaction with the keyboard and the mouse or trackpad. This holds out the hope that distinctive cognitive patterns might be found in the technology as it is already deployed and used. DARPA also plans to look at using multiple identifiers in developing a platform suitable for use on Department of Defense PCs and laptops.
Program manager Richard Guidorizzi paints a beguiling picture:
"What I'd like to do is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions."
Imagine it: Your computer recognizes you. No password needed, and no more shuffling through the Post-Its on your desk trying to find where you wrote it down. But "imagine" is the operative word. DARPA plans to distribute research funding to find out if this can work.
Setting aside the possibility that the relevant behaviors simply can't be distinguished effectively enough in large populations, I can foresee other obstacles to this approach. For one thing, behavioral patterns surely change over time -- unlike, barring disfiguration, fingerprints. Aging, as well as a range of quite common infirmities, can alter the way we interact with our devices.
Furthermore, being recognized by a device only gets us halfway toward trusted identities. My PC is going to need to communicate the validity of the authentication over the network to the secure destinations I need to visit online. Many a slip, as they say.
Nevertheless, it's an imaginative strategy, and it's going to be interesting to follow.
— Kim Davis, Community Editor, Internet Evolution