Imagine sitting down at your work keyboard, typing in your user name and starting work right away – no password needed. That's a vision that the Defence Advanced Research Projects Agency, part of the defence department, wants to turn into a reality. It will distribute research funds to develop software that determines, just by the way you type, that you are indeed the person you say you are.
Darpa's purpose is to sponsor "revolutionary, high-payoff research" for military use. But technology developed under Darpa's auspices – the internet itself being only one among many achievements traceable to its initiatives – eventually tends to find its way into the civilian world. Passwords like "6tFcVbNh^TfCvBn" meet the defence department's definition of "strong," says Richard Guidorizzi, a program manager at Darpa. "The problem is, they don't meet human requirements," he says. "Humans aren't built to understand random connections of characters."
Guidorizzi made those comments in a talk titled "Beyond Passwords," presented last November at a Darpa symposium in Arlington, Virginia. Humans use patterns to make passwords manageable, he said. He displayed five handwritten passwords, each a slight variation of "Jane123" – and all of them easily cracked.
"What I'd like to do," Guidorizzi said, "is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions."
No biometric sensors, like thumbprint or iris scanners, would be used. Instead, he is seeking technology that relies solely on an individual's distinct behavioural characteristics, which he calls the cognitive fingerprint. Experts are trying several approaches to determine users' identities solely through their computer behaviour.
Roy Maxion, a research professor of computer science at Carnegie Mellon University, oversees research on "keystroke dynamics," including the length of time a user holds down a given key and moves from one particular key to another. Motions that we've performed countless times, professor Maxion says, are governed by motor control, not deliberate thought. "That is why successfully mimicking keystroke dynamics is physiologically improbable," he says.
He gives this example: A computer user holds down a key for an average of 100 milliseconds. Suppose that a fraudster is trying to mimic a person who is slightly faster than average – typically holding the key down for 90 milliseconds.
"Then the spoofer is in the dubious position of having to consciously shorten a key-press action by 10 milliseconds," professor Maxion says. Having such control doesn't seem realistic, he says, when one considers that "a voluntary eye-blink takes 275 milliseconds."
He says that there is some evidence that a user's emotional state affects typing rhythms. But just as people can recognize a familiar song even if it is mangled, so, too, he hypothesizes, could software recognize one's distinct "core rhythm," which would be "perceptible even through noise of emotion, fatigue or intoxication."
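The two measurements described above, how long a key is held down and how long the move from one key to the next takes, can be turned into a typing profile and a distance score. The sketch below is an added illustration, not code from Darpa or from professor Maxion's research; the timings are constructed, and the scaled Manhattan distance and the threshold are assumptions chosen for the example.

```python
from statistics import mean

def features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order.
    Returns hold time per key followed by key-to-key latency per pair."""
    hold = [release - press for _, press, release in events]
    latency = [nxt[1] - cur[2] for cur, nxt in zip(events, events[1:])]
    return hold + latency

def enroll(samples):
    """Build a profile (per-feature mean and mean absolute deviation)."""
    columns = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in columns]
    # Floor the spread at 1 ms so a perfectly steady feature cannot divide by zero.
    spreads = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(columns, means)]
    return means, spreads

def score(profile, events):
    """Scaled Manhattan distance from the profile; higher means less like the owner."""
    means, spreads = profile
    vec = features(events)
    if len(vec) != len(means):
        raise ValueError("attempt does not match the enrolled key sequence")
    return mean(abs(x - m) / s for x, m, s in zip(vec, means, spreads))

def typed(keys, holds, latencies):
    """Turn constructed hold/latency times into (key, press_ms, release_ms) events."""
    events, t = [], 0
    for i, key in enumerate(keys):
        events.append((key, t, t + holds[i]))
        t += holds[i] + (latencies[i] if i < len(latencies) else 0)
    return events

# Constructed data: the owner holds keys for about 90 ms, as in Maxion's example.
ENROLLMENT = [typed("jane", h, l) for h, l in [
    ([90, 88, 92, 90], [60, 55, 65]),
    ([92, 90, 90, 88], [58, 57, 63]),
    ([88, 92, 88, 92], [62, 53, 67]),
]]
PROFILE = enroll(ENROLLMENT)
OWNER = typed("jane", [91, 89, 90, 91], [61, 56, 64])
# Same latencies as the owner's average, but the 100 ms average hold time.
MIMIC = typed("jane", [100, 100, 100, 100], [60, 55, 65])
THRESHOLD = 2.0  # arbitrary cut-off chosen for this constructed data

if __name__ == "__main__":
    for name, attempt in (("owner", OWNER), ("mimic", MIMIC)):
        s = score(PROFILE, attempt)
        print(f"{name}: score={s:.2f} accepted={s <= THRESHOLD}")
```

With these constructed timings, an attempt that matches the owner's key-to-key latencies exactly but holds each key 10 milliseconds longer still lands well outside the profile, because the owner's own hold times vary by only a millisecond or two.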