The DARPA program, instigated in January this year, is called ‘active authentication.’ The current approach, it says, “requires humans to do something that is inherently difficult: create, remember, and manage long, complex passwords.” It is because of this difficulty that user passwords tend to be too weak and poorly managed – with, for example, users employing the same password on multiple accounts.
But even where passwords are strong and well-managed, they can be by-passed. Since they are used only once to provide the initial access, if the user’s session can then be hijacked, no further authentication is required. Later this month, for example, researchers Juliano Rizzo and Thai Duong will unveil a new attack (dubbed CRIME) that can hijack browser sessions after the users’ authentication.
DARPA’s active authentication seeks to solve these problems by making user authentication simple (to the user, that is) and continuous. The basic premise is the use of the behavioral biometric known as the user’s cognitive fingerprint. “Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a ‘cognitive fingerprint’.”
The user’s cognitive fingerprint, once captured, can then be used on a continuous basis to ensure that the current user is the authorized user; and Southwest Research Institute (SwRI) has taken up the challenge. It has started a nine-month project, supported by DARPA, to research the use of covert gaming to capture that cognitive fingerprint. “It will deploy covert games, mimicking ordinary human computer interactions,” explained SwRI’s Jenifer Wheeler. “Authenticated users are likely to unknowingly develop strategies for playing the games, even if the games are imperceptible. While legitimate users will unconsciously learn how to overcome the anomalies, impostors who have never seen the anomalies will respond differently, triggering an alert within the authentication system,” she said.
SwRI, with its strengths in behavioral modeling, educational software development and learning science, has teamed with Sentier Strategic Resources LLC, with its strengths in cognitive psychology and human-subjects testing. The project will have four major phases: developing a behavioral persona; developing the game-like interactions that can authenticate users with minimal disruption; developing prototype user and assessment models; and finally testing the system on volunteers.