This week, Pentagon CIO Terry Halvorsen announced a two-year plan for the US Department of Defense to replace some functions of the Common Access Card with biometric authentication systems such as iris scans and behavioral analytics. They will focus on using these technologies for network access, along with creating ways to standardize this access among the US’s allies, particularly the “Five Eyes” nations – Australia, Britain, Canada and New Zealand.
The Common Access Card, or CAC, is a smart card that has been in use since 2006. It’s issued to US military staff and contractors, enabling secure access to everything from network systems to mess halls.
But when it comes to network access, the DoD’s announcement that it will improve and implement tiered, risk-based authentication is part of a move away from binary security procedures, toward something more agile. Older security systems needed to be one-size-fits-all, but a mess hall and a sensitive database have very different security and user experience needs, and the technology is available to meet them.
As Halvorsen points out, “It is really hard to issue a CAC card when people are dropping mortar shells on you and you need to get into your system. It just doesn’t work.”
“It’s validating for us to see that behavioral biometrics technology is valued for its strength as part of a broader approach to authentication that is built around balancing security risks and user needs,” says Dr Neil Costigan, CEO of BehavioSec. “Physical tokens and cards have value across some areas. But when you’re in the field, where there can be immediate physical risks, a bad user experience is tantamount to a security problem.”
Halvorsen also said that one of the biggest challenges is making sure that allied officers serving with the US military can access networks, especially among these Five Eyes nations.
Lt. Col. James Brindle, speaking on behalf of the Defense Department, added that a consistent approach to credentialing among allies needs to include “device-agnostic agility; the ability to identify a user even if a device is lost.”
In 2012, DARPA began investigating Active Authentication. Dr Costigan has been principal investigator for two DARPA research projects as part of this program, in 2012 and 2014, looking at the application of behavioral biometric technologies for these types of security and user needs.
Because behavioral analytics are not necessarily device-dependent, they have advantages for high-security access controls over a card or physical token, which can be lost or stolen, and over authentication methods that involve storage only on individual devices.
“It’s not about replacing everything with behavioral analytics,” says Costigan. “It’s about providing the right access controls, especially when the speed of getting from information to action is a matter of national security.”