DARPA Has a Simple Solution to Authentication: Reading Users' Minds

Don't worry about passwords, fingerprints, retina scans -- your brain is unique

Having contributed in large part to the Internet's very existence, DARPA is now setting out to make its secure networks more secure. But rather than relying upon the conventional notion of a password--a complex string of letters and numerals that an individual must remember--the agency is looking to create a "cognitive fingerprint" for individuals that constantly authenticates that person for the duration of the time he or she has access to a network.

DARPA's approach relies on biometrics, but not the usual brand of biometrics we're used to seeing, like iris or fingerprint scans. DARPA wants to employ what it calls software-based biometrics--biometrics that don't require any extra equipment and can be deployed on any computer via a software package--to recognize individual humans.

That means identifying humans not by a physical characteristic, but via a blend of mental or behavioral traits that are inherent in the way the person interacts with the terminal and the network. These things could include analysis of patterns in a person's keystrokes, use of a computer's built-in camera to track eye-movement patterns, semantic analysis that evaluates how a user searches and selects information (how you structure search queries, for instance, or what verbs and predicates you tend to use), the structure and syntax of a user's sentences, the speed with which an individual tends to read content--the list goes on.

The idea is that the Active Authentication program, as the initiative is known, will replace passwords with a far stronger proof of identity--the user him- or herself. This overcomes some major shortcomings of the common password, not least of which is that passwords can be stolen and used by anyone. As long as the password fits, computers generally make no distinction between individuals using it. Passwords also generally authenticate entire sessions. If users are careless and don't log out, anyone can pick up the session where the intended user left off, gaining access to secure information.

Active Authentication makes the user his or her own unique authentication key, meaning that his or her identity is verified constantly throughout the time he or she spends accessing a given network. DARPA wants to teach every computer in the DoD environment how to use this "cognitive fingerprint," ensuring that regardless of where a user is logged in, the system knows--constantly--exactly who is who.
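
To make the contrast with session-long password authentication concrete, here is an added sketch (not DARPA's code or method) of continuous verification using one of the traits mentioned above, keystroke patterns. The digraph-latency model, the window size, the threshold and all timing values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

def enroll(samples):
    """Profile {digraph: (mean_ms, std_ms)} from (digraph, latency_ms) pairs."""
    by_pair = defaultdict(list)
    for pair, ms in samples:
        by_pair[pair].append(ms)
    # Floor the std so a very consistent typist does not produce huge z-scores.
    return {p: (mean(v), max(pstdev(v), 5.0)) for p, v in by_pair.items() if len(v) >= 3}

def monitor(profile, stream, window=6, threshold=3.0):
    """Yield (event_index, score, trusted) once the sliding window is full.
    score is the mean absolute z-score of the last `window` latencies."""
    recent = deque(maxlen=window)
    for i, (pair, ms) in enumerate(stream):
        if pair not in profile:
            continue  # no baseline for this digraph, so it carries no evidence
        mu, sd = profile[pair]
        recent.append(abs(ms - mu) / sd)
        if len(recent) == window:
            score = sum(recent) / window
            yield i, round(score, 2), score <= threshold

def first_lockout(profile, stream, **kw):
    """Index of the first keystroke at which trust is lost, or None."""
    return next((i for i, _, ok in monitor(profile, stream, **kw) if not ok), None)

# Constructed sample data (milliseconds between two consecutive key presses).
PROFILE = enroll([("th", 110), ("th", 120), ("th", 115), ("th", 105),
                  ("he", 90), ("he", 95), ("he", 100), ("he", 95),
                  ("er", 130), ("er", 140), ("er", 135), ("er", 135),
                  ("in", 150), ("in", 160), ("in", 155), ("in", 155)])
OWNER = [("th", 112), ("he", 96), ("er", 133), ("in", 158),
         ("th", 118), ("he", 92), ("er", 138), ("in", 152)]
# A second typist picks up the same logged-in session at event index 8.
INTRUDER = [("th", 180), ("he", 160), ("er", 210), ("in", 240)]

if __name__ == "__main__":
    for idx, score, trusted in monitor(PROFILE, OWNER + INTRUDER):
        print(idx, score, "trusted" if trusted else "re-authenticate")
```

A password check at login would accept this whole session; the sliding window withdraws trust on the second keystroke after the typist changes, and the window size trades detection delay against false alarms on the legitimate user.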