recommended reading

NSA Tests Out Smartphones that Recognize Handwriting Motion

Gajus/Shutterstock.com

The National Security Agency has tested the use of smartphone-swipe recognition technology, according to the tool’s manufacturer.

The mobile device feature, created by Lockheed Martin, verifies a user's identity based on the swiftness and shape of the individual’s finger strokes on a touch screen. The technology is but one incarnation of handwriting-motion recognition, sometimes called "dynamic signature" biometrics, that has roots in the Air Force. 

"Nobody else has the same strokes," said John Mears, senior fellow for Lockheed IT and Security Solutions. "People can forge your handwriting in two dimensions, but they couldn't forge it in three or four dimensions. Three is the pressure you put in, in addition to the two dimensions on the paper. The fourth dimension is time. The most advanced handwriting-type authentication tracks you in four dimensions."

The biometric factors measured by Lockheed's technology, dubbed "Mandrake," are speed, acceleration and the curve of an individual’s strokes. 

"We've done work with the NSA with that for secure gesture authentication as a technique for using smartphones," Mears said. "They are actually able to use it."

Nextgov has contacted NSA for comment.

Lockheed officials said they do not know how or if the agency has operationally deployed the Mandrake smartphone doodling-recognition tool. The company also is the architect of the FBI's recently completed $1 billion facial, fingerprint, palm print, retina scan and tattoo image biometric ID system. That project, called the Next Generation Identification system, could tie in voice and "gait matching" (how a person walks) in the future, the bureau has said.

Mandrake potentially might be useful for emergency responders who often do not have the time or capability to access an incident command website, Mears said.

"If you are going 100 miles down the road, you are not going to enter a complex 12-character password to authenticate yourself,” he said. “We have some customers who deal with radioactive material and they can't touch things" that small with gloves on -- "How do they authenticate?"

In 1978, the Air Force and contractor MITRE published some early test results on handwriting-motion ID verification. The use case back then involved gaining entry to restricted facilities, not locked-down smartphone apps. 

As part of a project to develop external physical security systems for the Pentagon, the Air Force acquired an "automatic handwriting verification system," according to a research abstract. The technique required two forms of identification.

"An individual desiring access into a controlled area arrives at the entry control point" and types in a 4-digit ID number "through a keyboard," the paper states. Then, the system prompts the user to further prove identity through handwriting. It matches the individual's scribbling in real time against a pre-enrolled “pressure versus time history of a signature,” the study states.  

Experiments were performed in a laboratory and in a weapons storage area at Pease Air Force Base in New Hampshire. Interestingly, the error rate was higher for females than for males. But, in general, it was determined the results should not be affected by "the sex or the handedness" of the person. At that time, the technology was too embryonic to operate under real world conditions, the research said.

Today, in retail, handwriting-gesture recognition is sometimes used to enhance customer service, by allowing sales staff to authorize sensitive transactions wherever convenient. 

For example, in 2012, Asian life insurance company AIA started using a Kofax-brand app on tablet computers that captures the image, speed and acceleration of a person’s strokes with a stylus. 

Broadly speaking, however, gesture recognition has not found its sweet spot in the ID management sector.

A 10-year biometrics market forecast released earlier this month by research firm Tractica found that the technology was not lucrative in any of the 194 countries analyzed.

"Research on signature dynamics . . . has been ongoing for nearly 50 years, but still there is no viable use case, and it was never mentioned during any of the interviews conducted for this report," the study concluded.​

(Image via Gajus/ Shutterstock.com)

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

    Download
  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

    Download
  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

    Download
  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download

When you download a report, your information may be shared with the underwriters of that document.