In its quest to drop common access cards, the Defense Department is piloting an authentication system based on the nuances of users' typing.
The Pentagon could soon do away with authentication cards if a new approach takes off: using a person's typing behavior to verify their identity.
Within three to five seconds—12 to 25 keystrokes—a new product called Biotracker can collect enough data about a computer user to distinguish them from others in their organization. It can determine if a person logged into a network is who they claim to be, or whether a person's account may have been compromised, according to its developers.
The Silicon Valley outpost of the Defense Department's Defense Innovation Unit Experimental, or DIUx, recently awarded a short-term contract to Canadian tech company Plurilock Security Solutions to pilot Biotracker in a combat support agency. Details about the contract are sparse, but Chief Executive Officer Ian Paterson told Nextgov the award was part of the Pentagon's call for new multifactor authentication processes.
The pilot could hint at how Defense Department leadership plans to phase out common access cards, which millions of employees have used for more than a decade to verify their identities and gain entry to certain facilities or computers. In 2015, then-DOD Chief Information Officer Terry Halvorsen announced his intent to replace those cards with a newer technology over two years, but described only potential behavior-based authentication protocols as candidates.
“Frankly, CAC cards are not agile enough to do what we want,” Halvorsen said at an event in Washington last year. They're not easy to issue, he explained, and employees may eventually "still use them to get into a building or something" but not to access information systems.
Biotracker compiles detailed user profiles after about 20 minutes of typing on their corporate devices—mostly laptop or desktop computers connected to a particular network—and reports that information to the network's operators who want to know who is using it. It analyzes details like cadence, rhythm and how long a user dwells on certain keys. Plurilock charges customers a per-seat licensing fee based on the number of employees in an organization.
The system uses a continuous authentication protocol, comparing a user's keystrokes to an established profile in real time instead of relying on a one-time card swipe for identification. Someone could steal a card to sign into a system, or a legitimate card owner may forget to sign out and unintentionally expose the system to unauthorized people nearby. The constant analysis lets the system find anomalies in a logged-in user's behavior, potentially pointing to one of these scenarios, Paterson said.
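The enrollment-then-continuous-comparison loop described above, as an added illustration that is not Plurilock's code: a profile of per-key dwell times and per-digraph flight times is built from enrollment sessions, and each short window of fresh keystrokes (roughly the 12 to 25 the article mentions) is scored by how far its timings drift from that profile. The session generator, the z-score threshold and all timing values are constructed assumptions for the demo.

```python
import random
import statistics
from typing import Dict, List, Tuple

# One keystroke event: (key, press_time_ms, release_time_ms). Every timing value
# here is constructed; a real agent would hook OS or browser key events.
Event = Tuple[str, float, float]

def features(events: List[Event]) -> Dict[str, List[float]]:
    """Per-key dwell (hold) times and per-digraph flight (release-to-next-press) times."""
    feats: Dict[str, List[float]] = {}
    for i, (key, press, release) in enumerate(events):
        feats.setdefault("dwell:" + key, []).append(release - press)
        if i > 0:
            prev_key, _, prev_release = events[i - 1]
            feats.setdefault("flight:" + prev_key + key, []).append(press - prev_release)
    return feats

def build_profile(sessions: List[List[Event]], min_samples: int = 3) -> Dict[str, Tuple[float, float]]:
    """Enrollment: pool features over all sessions, keep mean and a floored std-dev per feature."""
    pooled: Dict[str, List[float]] = {}
    for session in sessions:
        for name, vals in features(session).items():
            pooled.setdefault(name, []).extend(vals)
    return {name: (statistics.mean(v), max(statistics.pstdev(v), 5.0))
            for name, v in pooled.items() if len(v) >= min_samples}

def anomaly_score(profile: Dict[str, Tuple[float, float]], window: List[Event]) -> float:
    """Mean absolute z-score of a short window against the profile; unseen features are skipped."""
    zs: List[float] = []
    for name, vals in features(window).items():
        if name in profile:
            mean, sd = profile[name]
            zs.extend(abs(x - mean) / sd for x in vals)
    return sum(zs) / len(zs) if zs else 0.0

def is_anomalous(profile: Dict[str, Tuple[float, float]], window: List[Event], threshold: float = 2.0) -> bool:
    # Flag the window when timing drifts far from the enrolled user's habits (threshold is assumed).
    return anomaly_score(profile, window) > threshold

def synth_session(text: str, dwell_ms: float, flight_ms: float, jitter_ms: float, seed: int) -> List[Event]:
    """Constructed typing session with Gaussian timing around one user's habitual values."""
    rng, t, events = random.Random(seed), 0.0, []
    for ch in text:
        press = t + max(10.0, rng.gauss(flight_ms, jitter_ms))
        release = press + max(10.0, rng.gauss(dwell_ms, jitter_ms))
        events.append((ch, press, release))
        t = release
    return events
```

A production system would also handle features absent from the profile, adapt the profile as habits drift, and tune the threshold against measured false-accept and false-reject rates.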
Plurilock launched the product earlier this year and has seen some success in financial markets with customers like banks and hedge funds, Paterson told Nextgov. The company specializes in "preventing compromised accounts" to avoid blackmail and user impersonation.
The DIUx contract could help the company break into the federal space. Paterson said CIOs and chief information security officers from other civilian agencies have expressed interest in testing out Biotracker, but there are not yet concrete plans.