Secure computers, without passwords

Updated: 2012-03-25 07:45

By Randall Stross (The New York Times)


Imagine sitting down at your work keyboard, typing in your user name and starting work right away - no password needed.

That's a vision that the Defense Advanced Research Projects Agency, part of the United States Defense Department, wants to turn into a reality. It will distribute research funds to develop software that determines, just by the way you type, that you are indeed the person you say you are.

Darpa's purpose is to sponsor "revolutionary, high-payoff research" for military use. But technology developed under Darpa's auspices - the Internet itself being only one among many achievements traceable to its initiatives - eventually tends to find its way into the civilian world.

Passwords like "6tFcVbNhTfCvBn" meet the Defense Department's definition of "strong," says Richard Guidorizzi, a program manager at Darpa. "The problem is, they don't meet human requirements," he says. "Humans aren't built to understand random connections of characters."

Mr. Guidorizzi made those comments in a talk titled "Beyond Passwords," presented last November at a Darpa symposium in Arlington, Virginia. Humans use patterns to make passwords manageable, he said. He displayed five handwritten passwords, each a slight variation of "Jane123" - and all of them easily cracked.

"What I'd like to do," Mr. Guidorizzi said, "is move to a world where you sit down at a console, you identify yourself, and you just start working, and the authentication happens in the background, invisible to you, while you continue to do your work without interruptions."


No biometric sensors, like thumbprint or iris scanners, would be used. Instead, he is seeking technology that relies solely on an individual's distinct behavioral characteristics, which he calls the cognitive fingerprint.

Academic experts are trying several approaches to determine users' identities solely through their computer behavior.

Roy Maxion, a research professor of computer science at Carnegie Mellon University in Pittsburgh, oversees research on "keystroke dynamics," including the length of time a user holds down a given key and the time it takes to move from one particular key to another.

Motions that we've performed countless times, Professor Maxion says, are governed by motor control, not deliberate thought. "That is why successfully mimicking keystroke dynamics is physiologically improbable," he says.

He says that there is some evidence that a user's emotional state affects typing rhythms. But just as people can recognize a familiar song even if it is mangled by inept musicians, so, too, he hypothesizes, could software recognize one's distinct "core rhythm," which would be "perceptible even through the noise of emotion, fatigue or intoxication."
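The two timing features Professor Maxion describes, how long a key is held down (dwell) and how long it takes to move from one key to the next (flight), are enough to build a small verifier. The following is an added example, not code from the article or from the Carnegie Mellon research: it extracts per-key dwell and per-transition flight times from key-event logs, builds a profile of means and standard deviations from several enrollment sessions, and scores a new session by its average z-score distance from that profile. All key events, the phrase, and the timings are constructed here for illustration; the acceptance threshold of 2.0 is an assumption, not a value from any study. The same structure would carry over to the mouse-dynamics features mentioned later in the article (cursor speed, path curvature, jitter) by swapping the feature extractor.

```python
"""Keystroke-dynamics verifier on constructed sample data (added example).

Features per session:
  dwell:<key>        = key-up time - key-down time for that key (held duration)
  flight:<a>-><b>    = key-down of b - key-up of a (transition latency)
"""
from statistics import mean, pstdev

PHRASE = "jane123"  # constructed login phrase; no repeated keys, one value per feature


def make_session(dwell_ms, flight_ms, jitter_ms):
    """Construct one typing session of PHRASE as (key, down_ms, up_ms) events.

    jitter_ms is added to even-indexed keys and subtracted from odd-indexed ones
    so that sessions from the same 'user' differ slightly but predictably.
    """
    events, t = [], 0
    for i, key in enumerate(PHRASE):
        j = jitter_ms if i % 2 == 0 else -jitter_ms
        down = t
        up = down + dwell_ms + j
        events.append((key, down, up))
        t = up + flight_ms + j
    return events


def extract_features(events):
    """Return {feature_name: mean_ms} for one session of key events."""
    samples = {}
    for i, (key, down, up) in enumerate(events):
        samples.setdefault(f"dwell:{key}", []).append(up - down)
        if i + 1 < len(events):
            next_key, next_down, _ = events[i + 1]
            samples.setdefault(f"flight:{key}->{next_key}", []).append(next_down - up)
    return {name: mean(vals) for name, vals in samples.items()}


def build_profile(sessions, min_sigma=1.0):
    """Per-feature (mean, std) over enrollment sessions; std is floored so a
    feature with zero observed variance cannot produce a division by zero."""
    columns = {}
    for feats in map(extract_features, sessions):
        for name, value in feats.items():
            columns.setdefault(name, []).append(value)
    return {name: (mean(v), max(pstdev(v), min_sigma)) for name, v in columns.items()}


def score_session(profile, events):
    """Mean absolute z-score of the session's features against the profile.
    Lower is closer to the enrolled rhythm; inf if no feature overlaps."""
    feats = extract_features(events)
    zs = [abs(feats[n] - mu) / sigma for n, (mu, sigma) in profile.items() if n in feats]
    return mean(zs) if zs else float("inf")


def verify(profile, events, threshold=2.0):
    """True if the session is close enough to the profile (threshold assumed)."""
    return score_session(profile, events) < threshold


# Constructed data: five enrollment sessions from the legitimate user, a later
# session by the same user, and a session typed with a very different rhythm.
ENROLLMENT = [make_session(90, 50, j) for j in (0, 3, -4, 5, -2)]
LEGIT_PROBE = make_session(92, 48, 2)
IMPOSTOR_PROBE = make_session(160, 130, 6)

if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    for label, probe in (("legitimate", LEGIT_PROBE), ("impostor", IMPOSTOR_PROBE)):
        print(f"{label}: score={score_session(profile, probe):.2f} accept={verify(profile, probe)}")
```

The profile is deliberately simple (independent Gaussian-like features); a deployment would need far more enrollment data, a per-user threshold tuned against false-reject and false-accept rates, and continuous re-scoring in the background, which is the behaviour the Darpa program is asking for.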

Research overseen by Salvatore J. Stolfo, professor of computer science at Columbia University in New York, has led to the development of software that uses a simple means of detecting an intruder: placing decoy documents on the computer. "For example, we have the user place a document with a juicy name like 'CreditCards.doc' on the P.C.," Professor Stolfo says. "He or she knows it's there only as a lure. But an intruder would be enticed to open it. Bingo!"

When a decoy file is opened, the system software checks to see whether the person has conducted file searches on the computer that fit the expected search pattern. If there is no close match, the system sets off an alarm and asks the user to confirm his or her identity, Professor Stolfo says. He compares the process to what consumers periodically experience when they receive a call from a credit card company's fraud-prevention department.
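Professor Stolfo's decoy check can be expressed as a small monitor over a session's activity log. The following is an added example, not the Columbia group's software: it watches a stream of search and file-open events, and when a decoy document is opened it compares the most recent search terms with the set of terms the real owner habitually searches for. If too few of them match, it records an alarm that a system could use to trigger a re-authentication prompt, the step the article compares to a fraud-department call. The decoy path, the owner's expected terms, the window size, the overlap threshold and all event logs are constructed assumptions for illustration.

```python
"""Decoy-document ("honey file") alarm over constructed session logs (added example).

Event format: ("search", "<query text>") or ("open", "<path>").
"""

DECOY_FILES = {"C:/Users/jane/Documents/CreditCards.doc"}          # constructed decoy path
OWNER_SEARCH_TERMS = {"budget", "q3", "report", "invoice", "2012"}  # constructed owner pattern


def analyze_session(events, decoys=DECOY_FILES, expected=OWNER_SEARCH_TERMS,
                    window=5, min_overlap=0.5):
    """Return a list of alarms raised when a decoy is opened without a matching
    search pattern.

    window      - number of most recent search terms considered (assumed)
    min_overlap - minimum fraction of those terms that must be in the owner's
                  expected set for the open to pass silently (assumed)
    """
    alarms = []
    recent_terms = []
    for index, (kind, value) in enumerate(events):
        if kind == "search":
            # Tokenise the query and keep only the most recent `window` terms.
            recent_terms.extend(value.lower().split())
            recent_terms = recent_terms[-window:]
        elif kind == "open" and value in decoys:
            matched = sum(1 for term in recent_terms if term in expected)
            overlap = matched / len(recent_terms) if recent_terms else 0.0
            if overlap < min_overlap:
                alarms.append({
                    "event_index": index,
                    "decoy": value,
                    "overlap": overlap,
                    "recent_terms": list(recent_terms),
                    "action": "request re-authentication",
                })
    return alarms


# Constructed logs. The owner works through their usual documents and happens to
# open the lure; an intruder hunts for valuables and opens it; a third session
# opens it cold with no searching at all.
OWNER_SESSION = [
    ("search", "budget q3"),
    ("open", "C:/Users/jane/Documents/Budget2012.xlsx"),
    ("search", "invoice"),
    ("open", "C:/Users/jane/Documents/CreditCards.doc"),
]
INTRUDER_SESSION = [
    ("search", "password"),
    ("search", "credit card"),
    ("open", "C:/Users/jane/Documents/CreditCards.doc"),
]
COLD_OPEN_SESSION = [
    ("open", "C:/Users/jane/Documents/CreditCards.doc"),
]

if __name__ == "__main__":
    for label, session in (("owner", OWNER_SESSION), ("intruder", INTRUDER_SESSION),
                           ("cold open", COLD_OPEN_SESSION)):
        print(label, analyze_session(session))
```

Opening a decoy is a strong signal on its own; the search-pattern check is what keeps the owner's occasional accidental click from becoming a false alarm, which is why the monitor scores overlap rather than simply alerting on every open.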

Professor Maxion has worked on another behavioral biometric for user verification: mouse dynamics. He explains that "everyone has an idiosyncratic way of using a mouse, such as the speed with which you move the cursor across the screen; the path - straight line, convex or concave arc; and the presence or absence of jitter."

A password-free security system would fit users' needs nicely - and would ask absolutely nothing from the ever-fallible human mind.

The New York Times