DARPA seeks to blend biometrics with passwords in DOD cyber security without new hardware

ARLINGTON, Va., 15 Jan. 2012. Information security experts at the U.S. Defense Advanced Research Projects Agency in Arlington, Va., are asking for industry's help in developing ways to blend biometrics into U.S. Department of Defense (DOD) cyber security systems without installing new hardware. The intent is no only to save time and money, but also to help bolster existing DOD computer security that relies primarily on requiring uses to type in long and complex passwords.

Cyber Security 15 Jan 2011

ARLINGTON, Va., 15 Jan. 2012.Military information security experts at the U.S. Defense Advanced Research Projects Agency in Arlington, Va., are asking for industry's help in developing ways to blend biometrics into U.S. Department of Defense (DOD) military cyber security systems without installing new hardware. The intent is no only to save time and money, but also to help bolster existing DOD computer security that relies primarily on requiring uses to type in long and complex passwords.

DARPA on Friday issued a broad agency announcement (DARPA-BAA-12-06) for the initial phase of the Active Authentication program to develop software-based biometric approaches to verify the identities of authorized DOD computer users not only at login, but also throughout the courses of the users' computer sessions.

The Active Authentication program seeks to change the DOD's current cyber security focus from user passwords and common access cards when validating identity on DOD computer systems. Instead, the program seeks to focus on software-based user biometrics that does not require installation of new cyber-security software.



DARPA is particularly interested in user biometrics such as eye tracking on the page; the speed with which the individual reads content; methods and structure of e-mail and other communications; keystrokes; how the user searches for and selects information; and how the user reads the material he selects. These observable traits, taken together, can create a cognitive footprint of the user.

Using this kind of cognitive footprint to verify the identity of DOD computer users would replace or augment using long, complex passwords and common access cards. Today's approaches, DARPA officials say, only verify's the user's identity at login, and have no way to verify the user originally authenticated is the user still in control of the keyboard. As a result, unauthorized users may improperly obtain extended access to information system resources if a password is compromised or if a user does not take adequate measures after initially authenticating at the console.

The Active Authentication program will be in three phases, and this solicitation pertains only to the first phase, which focuses on new ways of capturing the cognitive fingerprint by using biometrics that do not require the installation of additional hardware for information security.

Later, the program will focus developing a solution that integrates any available biometrics using new authentication suitable for deployment on a standard DOD desktop or laptop computer. Future solutions must be developed with open Application Programming Interfaces (APIs) so other software or hardware biometrics available in the future could be added.

Companies interested in participating should submit proposals no later than 6 March 2012. For questions or concerns contact Active Authentication program manager, DARPA's Richard Guidorizzi, by e-mail at ActiveAuthentication@darpa.mil.

More information is online at https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-BAA-12-06/listing.html.

More in Trusted Computing