• A senior airman removes his gas mask during a readiness drill. Because traditional biometric authentication techniques such as fingerprints and facial scans are not always practical for warfighters, Defense Information Systems Agency (DISA) officials are developing a prototypical system to track gait patterns and frequently visited locations.
  • Within months, DISA officials intend to provide a prototype system capable of identifying users through patterns of life, which may be described as a more advanced form of biometrics.

DISA Moves Beyond Conventional Biometrics

August 1, 2017
By George I. Seffers

Officials are creating a prototype that will verify mobile user identity based on life patterns.


A U.S. Defense Department pilot project intends to develop a prototype system within the next year to authenticate the identity of mobile users through their so-called patterns of life, such as how fast they walk to work or locations they routinely visit. The project is designed to benefit warfighters who may not have time for fingerprints, facial recognition scans or other forms of traditional biometrics.

Defense Information Systems Agency (DISA) officials remain mum on many of the details because they expect to award a contract soon, but they allow that a prototype could be developed in as little as six months. “We’re looking to prototype a specific type of technology as we go forward here, and ... we’re trying to do it in a fairly rapid fashion. So in the next 12 months, I think you’re going to see that technology really evolve,” reports Jeremy Corey, DISA’s assured identity program manager and leader of the agency’s Cyber Development Innovation Cell.

The system is expected to authenticate mobile user identities while developing a trust score, which helps determine the user’s level of access.

“From an authentication and authorization standpoint, it provides a means of developing a trust score with a very high probability that you are who you say you are. From an authentication standpoint, it greatly aids us in our ability to identify users on the network,” explains Capt. Jeffrey Buss, USN, chief technology officer for DISA’s Cyber Development Directorate.

Analyzing patterns of life also will aid DISA’s cyber hunters in tracking threats, says Roger Greenwell, DISA’s chief of cybersecurity and authorizing official, Office of the Risk Management Executive. “It moves even beyond the concept of biometrics in many ways, when you think about how a person writes out something—how they hold a device, how they type, the speed at which an individual enters information. All of these things are essentially patterns of life that can then be used as indicators of who is actually using that device,” Greenwell offers.

Patterns-of-life authentication simply will make life a little easier because users will no longer have to enter a six- to eight-digit personal identification number up to 50 times per day, Corey says. Because the Defense Department will use apps already on a device, authentication will happen largely “in the background,” he notes. “Our industry partners have managed to pack in loads of sensors into mobile devices, from gyroscopes to accelerometers to proximity sensors and ambient light sensors,” Corey points out. “By coupling each of those sensors—or a group of those sensors—together, that could potentially establish a pattern of that particular user.”

Capt. Buss cites the Waze app as an example. “Waze now knows your average speed, and a lot of different things about you are being collected on that phone. Gait is another one we’ve talked a lot about—your stride, if you will—and how you walk,” he adds.

Officials have not yet determined the trust score process. “We’re still working through the details of what that trust is going to allow you to do, but we know with a high degree of certainty we can identify somebody using patterns of life and biometrics as well as location and some other means,” Corey says, indicating that biometrics still can complement patterns-of-life analysis.

DISA officials also emphasize the need for strong encryption to complement patterns-of-life authentication. “We’re talking about other elements or other authentication factors that may potentially supplement that [public key infrastructure] credential as that first initial step to where we may evolve in the future for authenticating users,” Capt. Buss states.

The Defense Department has invested heavily in public key infrastructure and will not be moving away from it in the near future, Corey adds. “It’s really how we can better utilize these biometrics and these patterns of life and ... maybe supplementing that public key infrastructure credential or using that credential to access resources on the Department of Defense Information Network [DODIN],” he says.

Capt. Buss offers the phrase “asymmetric cryptography” to describe the agency’s attempt to replace the common access card and “get a handheld in the warfighter’s hands.” (See “Cracking the Code on Identity Management.”)

He also stresses the importance of software-defined networking to help shape the cryptography and prevent warfighters from needing to “have five different devices” in the field.

The agency could use industry’s help in “trying to figure out how to establish that trust, identity, authentication and authorization,” which the captain says would be “very helpful for us.”

The officials note that warfighters are intended to be the primary beneficiaries. “What we’re really trying to achieve here is to help the warfighter. He or she may wear gloves in the field. You can’t expect that they’re going to be able to authenticate and use a fingerprint on a device,” Corey elaborates. “Maybe they wear goggles. Are you going to expect the warfighter to remove their goggles to do facial recognition?”

Tracking a person’s gait will be especially helpful in alleviating the need for fingerprints and facial recognition, Corey indicates. “This is where gait could be very exciting, to help determine whether or not it truly is the right person behind a device,” he says.

While they are not yet able to disclose details, the DISA officials confirm that they are interested in tracking a variety of patterns of life with just one system. “There is work out there that has researched whether or not keyboard cadence can generate a particular and unique pattern that we could tie to a single user,” Corey states. “That is an ongoing pilot that we are in now, and it’s measuring keyboard cadence as well as mouse track movements.”

Although many of the capabilities of interest already are easily available, integrating them all into one prototype still is challenging. “It’s not that the capability is not there, it’s integrating it and implementing it so that the Defense Department can use it. A lot is there—it’s just trying to transform it into something we can use,” he offers.

Officials must begin to integrate capabilities by examining the entire mobile device operating system—a system more complex than many desktops today, Corey says. “We have to ... understand how the hardware bits of a mobile device are assembled so that we can establish some trustworthiness in the guts of that mobile device,” he states.

Share Your Thoughts:

Gait and life patterns are much easier to replicate than a fingerprint or retina. Sprained ankles, cut/broken fingers (an injury or whatever of any kind and which is more prevalent among the warfighter) change life patterns, plus we are encouraged to NOT be predictable in the first place, like taking different routes and doing things differently. We should focus more on the 'life patterns' of our adversary than ourselves. They may not be trying to mix things up. We have always been good at protecting ourselves from ourselves and locking ourselves out from ourselves. We need to focus on protecting ourselves from them, not ourselves.

This is my introduction to this new technology. I do not use a mobile device (private nor work).

Reference article located at https://www.afcea.org/content/disa-moves-beyond-conventional-biometrics

The article speaks about "Tracking a person’s gait will be especially helpful in alleviating the need for fingerprints and facial recognition" and the main intent is for the warfighter to use this technology. Question: What happens when a warfighter is injured because his or her gait will then possibly change?
The article also speaks about "how they hold a device, how they type, the speed at which an individual enters information. All of these things are essentially patterns of life that can then be used as indicators of who is actually using that device,”
Question: Again, if the warfighter is injured or even highly stressed due to combat will those patterns be the same? I imagine they will vary.
Are those types of things I mentioned above being considered in the technology and is there a backup method of authentication if those things are unable to authenticate the warfighter? If the technology doesn't adapt to the warfighter's changing gait or patterns of life and they can't authenticate in combat this will add stress to an already stressful situation.
Thank you for your time. As a DISA employee and former combat soldier, I appreciate the great work and technological advances in support of our Warfighters!

There are numerous concerns that must be addressed for this concept to become reality.

First, privacy concerns. To be 100% effective, the mobile device will have to be with the individual 24/7, and the individual will have to consent to be monitored during that time. Given the ability for mobile devices to be hacked and/or act as passive listening devices, how can the individual be reassured that they are not constantly under surveillance? Many people refuse to buy vehicles with OnStar or the Amazon Alexa for the same reason: it intrudes upon personal privacy.

Second, the cost. This effort will require that each service-member and civilian be issued a ~$600 phone, not to mention the upkeep, antivirus protection, etc. While that cost can be somewhat ameliorated through eliminating the office tech refresh and rolling those funds into this program, the Common Access Cards are already on a shoestring budget. How can we justify this cost in the current fiscal environment our government is in?

Thirdly, there is security. Most warfighters and civilians have a need to access classified information in vaults and SCIFs. Will this also replace SIPR tokens? If so, how do we manage security requirements in allowing an unclassified electronic device into a controlled area?

Finally, there are identity issues. The recent OPM hack highlights the vulnerability to identity theft we all are subject to as government employees. What guarantees are there that these devices won't be hacked, that the individual's identity won't be stolen, and the entire network compromised? An accidental vulnerability exposed by a phishing attack now has the potential to completely wreck an individual's entire career, since they would now lack access to facilities, workspace, or even proving who they are.

In short, while this effort looks very "cool" and "cutting edge," I see too many second- and third-order effects that call into question the wisdom of moving forward. Privacy, cost, and security are all issues that paint this effort in an unfavorable light, in my opinion.
