
Active Authentication With ‘Cognitive Fingerprints’ October 10, 2013

Posted by kristinamensch in Security.

User authentication is the most visible form of application and system security today. Most people, businesses, and governments use technology to carry out daily tasks and responsibilities, and more sensitive data is stored and transmitted by these countless applications and systems than ever before. The desire to manage and monitor who has access to specific information is the cornerstone of user authentication systems. Current user authentication systems generally rely on something the user knows, something the user has, or something the user is. [4] User authentication typically occurs at application or system login and provides unrestricted access to the authenticated user profile and its associated data for the duration of the session. What typical user authentication schemes do not account for, however, is verification of the user beyond this initial login.

Active Authentication is a research program run by DARPA, the Defense Advanced Research Projects Agency, that seeks to increase application and system security by creating a set of software-based authentication mechanisms to continuously authenticate the actual user against the user profile authorized at login. [3] The goal of this program is to mitigate the risk of unauthorized information access when user passwords have been compromised or computers have been left logged on and unattended. Active authentication is based on the idea that human users have a ‘cognitive fingerprint’ that uniquely identifies the way in which they interact with technology. [3] According to DARPA, an active authentication scheme will comprise a number of different software-based systems that continuously gather and measure input about many facets of a user’s technological behavior, including: [2]

  • keystroke dynamics – detailed timing data of keystrokes when using a keyboard; can also include overall typing speed and speed specific to letter patterns [1]
  • mouse dynamics – data about mouse movement habits including speed, location, and distance [4]
  • eye tracking and scanning – data measuring how eyes move across the device screen in different situations [4]
  • reading speed – data about how quickly screen content is read
  • written language – data about language usage patterns including search terms, language used in communications, and language preferences in information
  • preferred methods of communication – data about how the user communicates including email preferences, social networking, and instant messaging

Because humans have unique cognitive abilities, data from these inputs can be combined to create an individual ‘cognitive fingerprint’ for each authorized user, allowing the application or system to identify an imposter by comparison to the established profile. Research into cognitive identifiers and active authentication tools is in its infancy, and the effort to create a reliable software-based system for continuous user authentication is ongoing. Such a system would be an enormous advancement in application and system security; however, there are aspects of the scheme that raise questions.

In my experience, the first four behaviors mentioned above (keystroke and mouse dynamics, eye tracking and scanning, and reading speed) are not constant enough to be predictable. Keystroke and mouse dynamics can vary based on mood, stress level, fatigue, external distractions, and even injury. Eye tracking, scanning, and reading speed are likely to be dependent upon the specific task that is being carried out by the user. These simple emotional, physical, and task-based variations present an interesting question: How reliable is a sample used to create a user’s ‘cognitive fingerprint’? Creating a user profile that can account for these normal variations in human-computer interactions will likely require a large data sample obtained under many different circumstances. Considering that the ‘underlying goal [of authentication systems] has been to provide password security at a minimal inconvenience to the users of the system’ [5], collecting an accurate cognitive sample to create a solid user profile may be prohibitive for most applications and systems. In my opinion, much more research needs to be conducted as to the feasibility of creating a reliable user profile using human-technology interactions.
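The sample-reliability question can be made concrete with a small keystroke-dynamics verifier. This is an added example, not code from the post or from the DARPA program; the latency values are constructed, and the scoring method (mean absolute z-score over digraph latencies) and the threshold of 2.0 are assumptions chosen for illustration.

```python
import statistics

def enroll(sessions):
    """Profile = per-digraph (mean, stdev) of key-to-key latency in ms."""
    samples = {}
    for session in sessions:
        for digraph, latency in session:
            samples.setdefault(digraph, []).append(latency)
    # Floor the stdev at 1 ms so a very consistent digraph cannot divide by ~0.
    return {d: (statistics.mean(v), max(statistics.stdev(v), 1.0))
            for d, v in samples.items() if len(v) >= 2}

def score(profile, session):
    """Mean absolute z-score against the profile; lower means closer."""
    zs = [abs(lat - profile[d][0]) / profile[d][1]
          for d, lat in session if d in profile]
    if not zs:
        raise ValueError("session shares no digraphs with the profile")
    return sum(zs) / len(zs)

def accept(profile, session, threshold=2.0):  # threshold is an assumed value
    return score(profile, session) <= threshold

# Constructed latencies (ms) for one user, typing rested and then fatigued.
RESTED = [[("th", 110), ("he", 95), ("in", 130), ("er", 105)],
          [("th", 114), ("he", 92), ("in", 126), ("er", 109)],
          [("th", 106), ("he", 98), ("in", 134), ("er", 101)]]
TIRED = [[("th", 140), ("he", 121), ("in", 165), ("er", 133)],
         [("th", 146), ("he", 118), ("in", 158), ("er", 139)],
         [("th", 137), ("he", 125), ("in", 170), ("er", 130)]]
SAME_USER_TIRED = [("th", 142), ("he", 120), ("in", 163), ("er", 135)]
# Constructed sessions from two other typists.
OTHER_TYPIST = [("th", 180), ("he", 60), ("in", 200), ("er", 70)]
IN_BETWEEN_TYPIST = [("th", 125), ("he", 108), ("in", 147), ("er", 120)]

def evaluate():
    narrow = enroll(RESTED)          # enrolled under one condition only
    broad = enroll(RESTED + TIRED)   # enrolled under both conditions
    return {
        "narrow/same user, tired": accept(narrow, SAME_USER_TIRED),
        "broad/same user, tired": accept(broad, SAME_USER_TIRED),
        "broad/other typist": accept(broad, OTHER_TYPIST),
        "narrow/in-between typist": accept(narrow, IN_BETWEEN_TYPIST),
        "broad/in-between typist": accept(broad, IN_BETWEEN_TYPIST),
    }

if __name__ == "__main__":
    for case, accepted in evaluate().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The profile enrolled only on rested typing rejects the genuine user when fatigued, while the profile enrolled under both conditions accepts that user but also accepts a different typist whose latencies fall between the two conditions.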

Turning to the remaining human-computer interactions, written language and communication preferences, I wonder how unique a person’s ‘cognitive fingerprint’ is, especially when it comes to language and communication preferences. Is it possible for a person intent on stealing my user identity to monitor my language patterns and communication preferences and successfully model these behaviors? I believe that because language patterns and communication preferences are a public part of how we interact with other humans, it would be easy for a motivated individual to gain the necessary knowledge to pass as a different user with respect to these behaviors. Also, would unauthorized users have to interact with the system in a manner that would provide these language-based data points to the security system, or would they simply access the information that they are looking for and quickly move on?

Overall, I think that the idea of continuously authenticating a user is a step forward in system security, and I am interested to see if the systems and research that come out of the Active Authentication project will be able to successfully provide this security and if any of my concerns are addressed. How reliable do you think that a continuous authentication system built around these parameters would be? Can you think of any other criteria that could be used in the active authentication scheme?

Works Cited
[1] Chang, J. Morris, et al. “Capturing Cognitive Fingerprints from Keystroke Dynamics.” IT Pro, July/August 2013: 24-28.
[2] Cooney, Michael. “DARPA set to develop super-secure ‘cognitive fingerprint’.” Network World. 01 17, 2012. http://www.networkworld.com/community/blog/darpa-set-develop-super-secure-cognitive-fingerprint (accessed 10 07, 2013).
[3] DARPA. Active Authentication. 01 2012. http://www.darpa.mil/Our_Work/I2O/Programs/Active_Authentication.aspx (accessed 10 07, 2013).
[4] Hamdy, Omar, and Issa Traore. “Cognitive-Based Biometrics Systems for Static User Authentication.” Fourth International Conference on Internet Monitoring and Protection (IEEE), 2009: 90-97.
[5] Morris, Robert, and Ken Thompson. “Password Security: A Case History.” Communications of the ACM 22, no. 11 (Nov 1979): 594-597.
