DARPA Authentication May Render Passwords Obsolete

The Defense Advanced Research Projects Agency (DARPA) is developing software that can identify a user based on typing speed and style, a form of user authentication that may improve both accessibility and security.

Richard Guidorizzi, a program manager at DARPA, imagines a world where you sit down and start working as “authentication happens in the background,” invisible to the user. In other words, there will be no security prompt; your computer will not ask for your password.

While other biometric security applications scan a fingerprint or an iris to authenticate an authorized user, these methods may hinder accessibility if the hardware is broken. By analyzing behavioral characteristics, your computer will authenticate you based on your interactions, which would require constant monitoring. Typing style, Guidorizzi says, would not be the only way to authenticate the user, but would be used in collaboration with other active authentication procedures.

Similar research and software are being developed at Carnegie Mellon, where Roy Maxion is studying user keystroke dynamics to identify test subjects. According to the New York Times, Maxion says that mimicking keystroke dynamics is physiologically improbable, since the difference between one user and another user trying to mimic them could be a matter of milliseconds. At Pace University, meanwhile, software has been able to identify users based on keyboard pressure 99.5% of the time.
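To make the millisecond point concrete, here is an added sketch of a keystroke-timing check; it is not code from DARPA, Carnegie Mellon or Pace. The feature choice (key hold time and press-to-press latency), the deviation score, the 2.0 threshold and all timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def make_events(keys, holds, gaps):
    """Constructed-sample helper: (key, press_ms, release_ms) tuples."""
    t, out = 0, []
    for i, key in enumerate(keys):
        out.append((key, t, t + holds[i]))
        t += gaps[i] if i < len(gaps) else 0
    return out

def features(events):
    """Hold time per key, then press-to-press latency per key pair (ms)."""
    holds = [release - press for _, press, release in events]
    latencies = [b[1] - a[1] for a, b in zip(events, events[1:])]
    return holds + latencies

def enroll(samples):
    """Per-feature (mean, spread) over repeated typings of one phrase."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(pstdev(c), 1.0)) for c in columns]  # 1 ms floor

def score(profile, events):
    """Average deviation from the profile, in units of the owner's spread."""
    vec = features(events)
    if len(vec) != len(profile):
        raise ValueError("sample does not match the enrolled phrase")
    return sum(abs(v - m) / s for v, (m, s) in zip(vec, profile)) / len(vec)

def accept(profile, events, threshold=2.0):  # threshold is an assumed value
    return score(profile, events) <= threshold

# Constructed timings (ms) for the four-key sequence "p a s s".
KEYS = "pass"
OWNER = [make_events(KEYS, h, g) for h, g in [
    ([92, 85, 101, 99], [140, 155, 120]),
    ([95, 88, 97, 103], [146, 150, 126]),
    ([90, 83, 104, 96], [137, 160, 118]),
    ([94, 86, 99, 101], [143, 152, 124]),
]]
PROFILE = enroll(OWNER)
GENUINE = make_events(KEYS, [93, 87, 100, 98], [142, 153, 121])
# Same keys, every interval roughly 12-14 ms away from the owner's habit.
IMITATOR = make_events(KEYS, [105, 98, 88, 112], [155, 140, 135])

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("imitator", IMITATOR)):
        print(name, round(score(PROFILE, sample), 2), accept(PROFILE, sample))
```

Four enrollment samples keep the example short; a profile built from so few typings has an unrealistically tight spread and would reject the legitimate user often in practice.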

DARPA is working to develop a system that could authenticate a user in less time than it takes to type hundreds of keystrokes. The active authentication program, Guidorizzi explains, is an attempt to find which biometric aspects of the user are unique. Guidorizzi says in an overview of the program that research is also under way to track the pattern of mouse movement.

“The swirls of the way you move your mouse connect back to the way your eye tracks on the screen,” Guidorizzi said, “which is an existing biometric, which can track you.” According to Guidorizzi, this type of software is being looked into by marketing companies like Google to market to you more directly.

Passwords are easy to hack because they are usually too simple or not well protected: they are often based on personal information or simplified so they can be remembered. People also choose common passwords, or base their passwords on words commonly found in a dictionary. While passphrases are more secure, the difference may be nominal if the passphrase is common or at least not random. Passwords containing 15 random characters pass the test for a “strong” password as defined by the Department of Defense, but Guidorizzi explains that humans aren’t built to remember random connections of characters. “As long as we’re using words inside of our passwords, we’re always going to be crackable,” he said.