Everyday, over and over, you have to identify yourself. Power up, enter a password. Log in, password. Swipe, password. To gain access to your very own personal information stored in the haze of computer servers that is the cloud, you need permission. Who goes there? the machine asks. %j478!$Y, comes the reply. Never mind the buffoonery of trying to keep all those secrets straight, isn’t there something strange or, dare it be said, alienating about codifying yourself? Besides, if our machines are so smart, how come they don’t know who we are?
DARPA, the Department of Defense’s famed no-idea-is-too-wacky research division, is working on this problem. As part of its Active Authentication cybersecurity program, researchers are mining the distinctive patterns hidden in the way you use technology—the characteristic rhythms in your typing, the speed with which you swipe and tap on your phone—for digital fingerprints that define your online identity without you even realizing it.
DARPA’s research is part of the burgeoning field of biometrics, or the science of identifying people based on physical or behavioral traits. The work zeros in on the muscle memories we subconsciously create while performing repetitive tasks such as using a computer keyboard. Our typing patterns are consistent, predictable and nearly impossible to imitate, according to studies by Charles Tappert, a computer scientist at Pace University, who is not involved in the DARPA work. “We can track how long each particular key on the keyboard is pressed by a user on average, which is called the ‘dwell time,’ and the average transition time between any two particular keys,” Tappert says. Keystroke analy- sis goes all the way back to World War II, when U.S. intelligence tracked enemy troop movements through the distinctive styles their telegraph operators used to key in Morse code , but today’s technology can measure typing patterns down to the millisecond and achieve greater than 99 percent identification accuracy.
BehavioSec, a Swedish firm working with DARPA, has already begun licensing such digital identification technology to European banks for password “hardening” systems in mobile apps, which compare the speed and pressure used to type in a PIN with previous data to ensure it’s being entered by the correct user.
DARPA envisions such data collection and analysis perpetually running in the background of government computers and mobile devices. “You’re going to find yourself entering your password less and less often in the future,” says Neil Costigan, director of BehavioSec. “Most of the time, the system won’t need it to be able to tell it’s you.”
Beyond taps and keystrokes, researchers also plan to use the accelerometers and gyroscopes in our smartphones to determine our gait, and they anticipate analyzing which apps we tend to open at certain times of day and in certain locations—all to paint ever more nuanced pictures of our behavior, whether we like it or not.
“It raises questions,” says Jeramie Scott of the Electronic Privacy Information Center. “Where will all this data get stored? Who’ll have access? Especially once it goes beyond government use and into the private sector, there are privacy issues that come up.”
Biometrics should be able to enhance security and convenience without jeopardizing privacy. We created these machines. The least they could do is recognize us.