DISA Moves Beyond Conventional Biometrics
Officials are creating a prototype that will verify mobile user identity based on life patterns.
A U.S. Defense Department pilot project intends to develop a prototype system within the next year to authenticate the identity of mobile users through their so-called patterns of life, such as how fast they walk to work or locations they routinely visit. The project is designed to benefit warfighters who may not have time for fingerprints, facial recognition scans or other forms of traditional biometrics.
Defense Information Systems Agency (DISA) officials remain mum on many of the details because they expect to award a contract soon, but they allow that a prototype could be developed in as little as six months. “We’re looking to prototype a specific type of technology as we go forward here, and ... we’re trying to do it in a fairly rapid fashion. So in the next 12 months, I think you’re going to see that technology really evolve,” says Jeremy Corey, DISA’s assured identity program manager and leader of the agency’s Cyber Development Innovation Cell.
The system is expected to authenticate mobile user identities while developing a trust score, which helps determine the user’s level of access.
“From an authentication and authorization standpoint, it provides a means of developing a trust score with a very high probability that you are who you say you are. From an authentication standpoint, it greatly aids us in our ability to identify users on the network,” explains Capt. Jeffrey Buss, USN, chief technology officer for DISA’s Cyber Development Directorate.
Analyzing patterns of life also will aid DISA’s cyber hunters in tracking threats, says Roger Greenwell, DISA’s chief of cybersecurity and authorizing official, Office of the Risk Management Executive. “It moves even beyond the concept of biometrics in many ways, when you think about how a person writes out something—how they hold a device, how they type, the speed at which an individual enters information. All of these things are essentially patterns of life that can then be used as indicators of who is actually using that device,” Greenwell offers.
Patterns-of-life authentication also will make life a little easier for users, who will no longer have to enter a six- to eight-digit personal identification number up to 50 times per day, Corey says. Because the Defense Department will use apps already on a device, authentication will happen largely “in the background,” he notes. “Our industry partners have managed to pack in loads of sensors into mobile devices, from gyroscopes to accelerometers to proximity sensors and ambient light sensors,” Corey points out. “By coupling each of those sensors—or a group of those sensors—together, that could potentially establish a pattern of that particular user.”
Capt. Buss cites the Waze app as an example. “Waze now knows your average speed, and a lot of different things about you are being collected on that phone. Gait is another one we’ve talked a lot about—your stride, if you will—and how you walk,” he adds.
Officials have not yet determined the trust score process. “We’re still working through the details of what that trust is going to allow you to do, but we know with a high degree of certainty we can identify somebody using patterns of life and biometrics as well as location and some other means,” Corey says, indicating that biometrics still can complement patterns-of-life analysis.
DISA officials also emphasize the need for strong encryption to complement patterns-of-life authentication. “We’re talking about other elements or other authentication factors that may potentially supplement that [public key infrastructure] credential as that first initial step to where we may evolve in the future for authenticating users,” Capt. Buss states.
The Defense Department has invested heavily in public key infrastructure and will not be moving away from it in the near future, Corey adds. “It’s really how we can better utilize these biometrics and these patterns of life and ... maybe supplementing that public key infrastructure credential or using that credential to access resources on the Department of Defense Information Network [DODIN],” he says.
Capt. Buss offers the phrase “asymmetric cryptography” to describe the agency’s attempt to replace the common access card and “get a handheld in the warfighter’s hands.” (See “Cracking the Code on Identity Management.”)
He also stresses the importance of software-defined networking to help shape the cryptography and prevent warfighters from needing to “have five different devices” in the field.
The agency could use industry’s help in “trying to figure out how to establish that trust, identity, authentication and authorization,” which the captain says would be “very helpful for us.”
The officials note that warfighters are intended to be the primary beneficiaries. “What we’re really trying to achieve here is to help the warfighter. He or she may wear gloves in the field. You can’t expect that they’re going to be able to authenticate and use a fingerprint on a device,” Corey elaborates. “Maybe they wear goggles. Are you going to expect the warfighter to remove their goggles to do facial recognition?”
Tracking a person’s gait will be especially helpful in alleviating the need for fingerprints and facial recognition, Corey indicates. “This is where gait could be very exciting, to help determine whether or not it truly is the right person behind a device,” he says.
While they are not yet able to disclose details, the DISA officials confirm that they are interested in tracking a variety of patterns of life with just one system. “There is work out there that has researched whether or not keyboard cadence can generate a particular and unique pattern that we could tie to a single user,” Corey states. “That is an ongoing pilot that we are in now, and it’s measuring keyboard cadence as well as mouse track movements.”
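The keyboard-cadence pilot above, and the trust score described earlier that gates a user's level of access, are easiest to understand with a concrete model. The following Python is an added illustration, not DISA's prototype or any vendor's code: it enrolls a user's keystroke template from a fixed phrase, scores later typing against it, fuses that score with a second modality, and maps the result to an assumed access tier. The per-position dwell/flight feature model, the z-score distance, the Z_MAX and SD_FLOOR constants, the access thresholds and all timing data are assumptions constructed for the example.

```python
"""Keystroke-cadence trust score for continuous authentication.

Added illustration, not DISA's prototype or any vendor's code. The feature
model (per-position dwell and flight times on a fixed phrase), the z-score
distance, Z_MAX, SD_FLOOR and the access tiers are assumptions for this example.
"""
from statistics import mean, pstdev

Z_MAX = 3.0      # assumed: mean |z| at which trust reaches zero
SD_FLOOR = 1.0   # assumed: minimum per-feature stdev (ms), avoids brittle templates


def features(events):
    """Dwell (press->release) and flight (release->next press) times in ms.

    events: list of (press_ms, release_ms) for one typing of the fixed phrase.
    """
    dwell = [rel - prs for prs, rel in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(sessions):
    """Per-feature (mean, stdev) template built from several enrollment sessions."""
    vectors = [features(s) for s in sessions]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment sessions must type the same phrase")
    return [(mean(col), max(pstdev(col), SD_FLOOR)) for col in zip(*vectors)]


def trust_score(template, events):
    """Map mean absolute z-distance from the template onto [0, 1]."""
    probe = features(events)
    if len(probe) != len(template):
        return 0.0  # wrong phrase length: treat as unverified
    z = mean(abs(x - mu) / sd for x, (mu, sd) in zip(probe, template))
    return max(0.0, 1.0 - z / Z_MAX)


def fuse(scores, weights):
    """Weighted mean of per-modality trust scores (e.g. keystroke plus gait)."""
    total = sum(weights.values())
    return sum(scores[m] * w for m, w in weights.items()) / total


def access_level(trust):
    """Assumed policy: tiers decide what the session may do without step-up."""
    if trust >= 0.8:
        return "full"
    if trust >= 0.5:
        return "limited"   # routine apps only; step-up (PKI/PIN) for sensitive ones
    return "locked"        # fall back entirely to the PKI credential or PIN


# Constructed sample data (assumed, not measured): one 8-key phrase.
BASE_DWELL = [95, 110, 100, 120, 90, 105, 115, 100]   # ms held per key
BASE_FLIGHT = [140, 160, 150, 170, 145, 155, 165]     # ms between keys


def make_session(dwell_jit, flight_jit):
    """Build (press, release) events from the base profile plus per-key jitter."""
    events, t = [], 0
    for i, d in enumerate(BASE_DWELL):
        release = t + d + dwell_jit[i]
        events.append((t, release))
        if i < len(BASE_FLIGHT):
            t = release + BASE_FLIGHT[i] + flight_jit[i]
    return events


def alternating(amplitude, n):
    return [amplitude if i % 2 == 0 else -amplitude for i in range(n)]


ENROLLMENT = [make_session(alternating(a, 8), alternating(a, 7)) for a in (-6, -2, 2, 6)]
TEMPLATE = enroll(ENROLLMENT)

GENUINE = make_session([2, -3, 1, -2, 3, -1, 2, -2], [1, -2, 3, -1, 2, -3, 1])
GLOVED = make_session([6] * 8, [4] * 7)       # same user, slowed by gloves
IMPOSTOR = make_session([-25] * 8, [40] * 7)  # different hands, different rhythm

if __name__ == "__main__":
    for name, session in (("genuine", GENUINE), ("gloved", GLOVED), ("impostor", IMPOSTOR)):
        t = trust_score(TEMPLATE, session)
        print(f"{name:9s} trust={t:.2f} access={access_level(t)}")
```

Two design points matter more than the arithmetic. The stdev floor keeps a template built from a few very consistent sessions from rejecting the legitimate user on normal variation, and the "limited" tier is where a behavioural signal should hand off to the PKI credential or PIN rather than deny outright, which is the supplementing role the DISA officials describe. The gloved session shows why: the same user's slowed cadence lands in the step-up band instead of being locked out, while the impostor's rhythm scores zero.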
Although many of the capabilities of interest already are easily available, integrating them all into one prototype still is challenging. “It’s not that the capability is not there, it’s integrating it and implementing it so that the Defense Department can use it. A lot is there—it’s just trying to transform it into something we can use,” he offers.
Officials must begin to integrate capabilities by examining the entire mobile device operating system—a system more complex than many desktops today, Corey says. “We have to ... understand how the hardware bits of a mobile device are assembled so that we can establish some trustworthiness in the guts of that mobile device,” he states.