Imagine a quick-fingered thief at a Capitol Hill happy hour, dipping into a government employee’s work bag, and walking away with a new phone.
That phone could contain more than just old vacation photos, contact information and the like. If it’s a government-issued device, it could also contain access to government emails and other sensitive information.
But later, as the pickpocket scrolls through the device for personal or financial information, apps stop working. Before long the phone unexpectedly powers off.
It knows something is not right.
No one has remotely accessed the phone to preemptively disable it. Instead, the device’s instruments and sensors have been watching the user’s unique physical and behavioral characteristics, like the way the impostor walks or types, and determined something is amiss.
The phone’s information is secure and the thief is out of luck.
That future may not be far off. The government is currently working on a prototype phone that would use biometrics — those unique physical and behavioral characteristics that can identify an individual — to constantly verify a user’s identity and quickly pick up on whether an unauthorized user is attempting to gain access.
Biometric identification is not entirely new to consumers. In 2013, Apple introduced Touch ID, which allowed owners to use fingerprint scanning to unlock their phone. Since then, fingerprint scanning has spread across the industry, and multiple phone manufacturers have made efforts, to varying success, to introduce facial recognition. And it is gaining traction in government, as well.
But the Defense Information Systems Agency wants to take this a step further. A few steps further, actually.
What the Department of Defense wants, and what DISA is developing, is a persistent authentication method that can continuously monitor an individual and validate their identity through a set of biometrics.
“What we were looking for is that kind of continuous authentication to the device just sitting in the background and, you know, constantly identifying that user’s behavior, authenticating that behavior and comparing it against them,” explained Stephen Wallace, the systems innovation scientist for DISA’s Emerging Technologies Directorate.
“If I had a profile of that user, and another user were to stand in order to take control, we want to be able to detect the fact that that happened in an unobtrusive manner and shut that session down or create additional challenges to the user.”
The most widely used authentication method is the Common Access Card, but it falls short of that lofty goal.
“We’ve had the Common Access Card within the department for more than 15 years, and it’s served us well. It’s still a really strong method for authentication. But the reality is, it’s really just a point in time type of thing, right? I stick my Common Access Card in, I type in my PIN, I authenticate to the system or service, and away I go,” said Wallace.
DISA has had some success in translating the Common Access Card to the mobile world through its Purebred solution. Purebred uses the Common Access Card to essentially credential individual mobile devices, like a phone, so users can access more secure information and applications.
As of April, Purebred was providing over-the-air credentials to more than 100,000 DoD-issued commercial mobile devices.
The Common Access Card system is useful, but it is imperfect. Unauthorized users can gain access with someone else’s card if they know the PIN, and if someone walks away from a station that is still logged in, anyone else can hop onto that device. The Purebred solution extends that system to mobile devices, but it suffers from some of the same issues. Once a device is credentialed, it can still be physically stolen and accessed if the user was logged in. It still doesn’t provide the constant user verification DISA wants.
Biometrics hold the promise to solve the problem. DISA’s Emerging Technologies Directorate is currently working on just such a solution, and they’ve already developed and tested a prototype phone.
“It all started about two years ago with a prototype that we did on the desktop, where we watched the users’ behavior, with the way that they interacted with the machine. So, we watched ... their dwell time with keys on the keyboard,” said Wallace. “It was really building a model of the behavior of how they interacted with the machine. So, we had a reasonable amount of success there. And then we decided to move from there, on to the mobile side of things.”
DISA has even learned how to use phones to identify unique gaits — the way an individual walks — by leveraging the device’s accelerometer and gyroscope. Wallace said the prototype can develop a unique profile of an individual’s gait after just 100 yards of walking while carrying the device.
The prototype can then adapt to slight changes in behavior — from something as simple as the subject switching which pocket the phone is carried in to the subject starting to limp after stubbing a toe.
“Basically, in that particular prototype, it was constantly refreshing the model, but it would also maintain several models to ensure that as things changed, it was able to adapt,” said Wallace.
The prototype uses all that biometric information to create a profile of the user. It then compares ongoing behavior of the user against that profile to assess a risk score — essentially registering how confident it is that the user is who they’re supposed to be. The device will then allow different levels of access based on the risk score. If the device is confident that the user is who they say they are, it will allow full access to programs such as encrypted email. But the less confident the device is in the user’s identity, the more likely it will cut off access to more secure or sensitive programs and information.
The device is also programmed to apply contextual clues, such as GPS location, connection to trusted networks and other peripherals, to further verify the user’s identity.
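The loop described in the preceding paragraphs (build a profile, compare ongoing behavior against it, turn the comparison into a confidence score, gate access by tier, keep several models and refresh them, and let contextual clues nudge the score) can be sketched as a small simulation. The code below is an added illustration written for this page, not DISA’s prototype code. It stands in two constructed sensor signals for the real device’s instruments, keystroke dwell times in milliseconds and accelerometer magnitudes sampled while walking, and every feature definition, threshold, context bonus and sample value is an assumption made for the example.

```python
"""Continuous behavioral authentication with a risk score and tiered access.

Added example, not DISA's code. Two constructed signals stand in for the
prototype's sensors: keystroke dwell times (ms) and accelerometer magnitudes
(m/s^2) recorded while walking. Feature choices, thresholds and the context
bonuses are assumptions made for this illustration.
"""
from dataclasses import dataclass
from math import exp
from statistics import mean, pstdev

# Constructed enrollment data: the legitimate user's first 100 yards of
# walking and typing, used to build the initial profile.
ENROLL_DWELL_MS = [95, 102, 98, 110, 105, 99, 101, 97]
ENROLL_ACCEL = [11.2, 9.4, 12.1, 8.9, 11.8, 9.1, 12.4, 9.0]

EPS = 1e-6  # floor for standard deviations so z-scores stay finite


@dataclass(frozen=True)
class BehaviourModel:
    """Per-user profile: mean and spread of each behavioral feature."""
    dwell_mean: float
    dwell_std: float
    accel_mean: float
    accel_std: float  # spread of accelerometer magnitude, a proxy for gait amplitude


def fit_model(dwell_ms, accel):
    """Build a profile from one window of observations."""
    return BehaviourModel(
        mean(dwell_ms), max(pstdev(dwell_ms), EPS),
        mean(accel), max(pstdev(accel), EPS),
    )


def deviation(model, dwell_ms, accel):
    """Average normalized distance between a fresh window and a model.

    The two mean features are z-scored against the model's spread; the gait
    amplitude is compared as a relative difference of the spreads themselves.
    """
    z_dwell = abs(mean(dwell_ms) - model.dwell_mean) / model.dwell_std
    z_accel = abs(mean(accel) - model.accel_mean) / model.accel_std
    z_gait = abs(pstdev(accel) - model.accel_std) / model.accel_std
    return (z_dwell + z_accel + z_gait) / 3


def access_tier(score):
    """Map a confidence score in [0, 1] to an access level (assumed thresholds)."""
    if score >= 0.8:
        return "full"        # sensitive programs such as encrypted email allowed
    if score >= 0.5:
        return "restricted"  # basic use allowed, sensitive programs withheld
    return "locked"          # shut the session down or issue a step-up challenge


class ContinuousAuthenticator:
    """Keeps several models, scores each window, refreshes only when confident."""

    def __init__(self, enroll_dwell, enroll_accel, max_models=3):
        self.models = [fit_model(enroll_dwell, enroll_accel)]
        self.max_models = max_models

    def confidence(self, dwell_ms, accel, trusted_network=False, trusted_peripheral=False):
        # Best match across the maintained models: an adapted model may fit a
        # changed gait (phone in a new pocket, a limp) better than the original.
        dev = min(deviation(m, dwell_ms, accel) for m in self.models)
        score = exp(-dev)
        # Contextual clues nudge the score upward but cannot rescue a poor match.
        if trusted_network:
            score += 0.05
        if trusted_peripheral:
            score += 0.05
        return min(score, 1.0)

    def observe(self, dwell_ms, accel, **context):
        """Score one window of behavior and return (score, access tier)."""
        score = self.confidence(dwell_ms, accel, **context)
        tier = access_tier(score)
        if tier == "full":
            # Refresh only under high confidence so an impostor's behavior is
            # never learned into the profile. The enrollment model is always
            # kept; only the most recent adapted models are retained.
            adapted = self.models[1:] + [fit_model(dwell_ms, accel)]
            self.models = [self.models[0]] + adapted[-(self.max_models - 1):]
        return score, tier


if __name__ == "__main__":
    auth = ContinuousAuthenticator(ENROLL_DWELL_MS, ENROLL_ACCEL)
    # Constructed windows: the real user, the real user typing a bit slower,
    # and a thief with a very different typing rhythm and a smoother gait.
    windows = {
        "owner": ([100, 104, 96, 103, 99, 101], [11.0, 9.6, 12.0, 9.2, 11.5, 9.3]),
        "owner, slower typing": ([103, 107, 104, 108, 105, 103], [11.0, 9.6, 12.0, 9.2, 11.5, 9.3]),
        "thief": ([160, 175, 168, 182, 171, 166], [10.2, 10.6, 10.4, 10.8, 10.3, 10.5]),
    }
    for label, (dwell, accel) in windows.items():
        score, tier = auth.observe(dwell, accel, trusted_network=True)
        print(f"{label:22s} confidence={score:.3f} access={tier}")
```

The refresh rule is the design point worth noticing: a model that adapts to whoever is holding the device would, over time, adapt to a thief, so this sketch only folds a window into the profile when the score is already in the top tier, and it keeps the enrollment model alongside the adapted ones so a drifting profile can always be checked against the original.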
According to Wallace, all the data that makes up that profile is stored locally. That means every time a user gets a new device, they have to re-enroll in the program and develop that profile all over again. Wallace added that as this technology matures it could eventually fit into a smaller or less obtrusive form factor, like a watch or other wearable.
Importantly, the goal for DISA was to design something that would be adopted commercially, he said.
“The partnership with the commercial world was really important to us, because we didn’t want to end up with a one-off, DoD type of outcome where we’re paying thousands of dollars per handset in some cases,” he said.
“We went this way because there is a side benefit commercially. It benefits us from a cost perspective, but we think that this type of thing is beneficial in the commercial market, as well.”
Wallace said he hopes to see the technology available commercially within 18 months to two years.