DARPA Active Authentication

So this week was quite interesting for us, and reminded me of the very early start on the path to commercializing behavioral biometrics and furthermore the Continuous Authentication (should’ve trademarked it). You may have seen the story on CBS News on Saturday where they talked about killing the password using active authentication. A big part of the story was about how the Defense Advanced Research Project Agency (or DARPA for short) funds a lot of the research in the active authentication space. DARPA is a part of the U.S. Department of Defense and is responsible for development of emerging technologies for the military or, as they put it, “to make pivotal investments in breakthrough technologies for national security”. Many of their projects lead to breakthroughs for commercial use, for instance, they’ve been a part of projects ranging from Transit (predecessor to GPS) and ARPANET (predecessor to the internet) to Douglas Engelbart’s first computer mouse “The Mother of All Demos”.

DARPA has a special place in my heart, or rather BAA 12-06 Active Authentication which started out as an industry day request from DARPA on Nov 9 2011. From a cold and dark Sweden, we discovered that the US Department of Defense wanted to put our technology under the magnifying glass. This was exhilarating news indeed! We contacted them directly and discussed some of the barriers, such as the fact that BehavioSec was a Swedish company, and how this project was mainly designed to discover if active authentication through behavioral biometrics was possible.

After evaluating, and quite frankly, getting impressed by our commercialized software, these obstacles were quickly removed by DARPA and we were granted permission to participate in their Active Authentication program. The core technology was solid but DARPA saw opportunity to strengthen it further and for us to advice other research peers. Looking back at it, it is quite an accomplishment that our team was able to be the first Swedish company to ever have worked directly with DARPA. Now, many paid projects later, it’s easy to see how the DARPA-projects provided us with some very early critical funding as well as guidance that allowed our team to go on and develop the commercial products that we deliver today to banks and e-commerce.

As highlighted in the CBS video, there were many universities included in the first project active authentication which started on the desktop or traditional government workstation. DARPA was very keen on the ability to verify the end user continuously during a work day, rather than having to authenticate the user constantly throughout the day. It was both for convenience and security, since the defense department had set out to eliminate passwords and reducing costs associated with lost or stolen password. Our technology was very well suited for this, since it didn’t introduce errors or manipulations of the user interface yet was able to successfully verify the end users on their workstations. At BehavioSec, we do not look at what you’re doing, just how you’re doing it. During the DARPA-project where we conducted advanced research on workstations we tracked the user throughout the workday, no matter the application used. In fact, switching between applications, that falls into the space of Behavioral Analytics instead of our normal focus on Behavioral Biometrics, was one of the factors we looked at in order to improve the verification accuracy.

Using these various input signals of how a person used their workstation we were able to determine, in real time, if the person was who they claimed to be. By looking at the behavioral score from a continuous trust-perspective we’d determine between acceptable behavior and inconsistent behavior. If the trust-factor went to low we’d flag the user as an impostor. By breaking down all of the user’s interaction with the desktop to micro-interactions we were able to expand everyday use into large quantities of data.

Our result from that project was highly successful. Whilst the correct user could work through a regular workday without being falsely rejected the incorrect user would be detected within 10 seconds using keyboard (6 interactions, roughly 3 keys) or just less than 3.5 minutes using mouse (86 interactions).

Whilst I’m always passionate about our work with banks and financial institutions there are few things I’ve done that I find as cool as the stuff we’ve done with DARPA. Consider how much computers and mobile phones have evolved in the last couple of years and, how futuristic DARPA-projects are, and you might be able to grasp how cool our work with DARPA has been and what might lie ahead. I’ll probably write about that futuristic stuff soon enough, but for now, let us rejoice in just how far we’d come over six years ago.

This is a part of a series about continuous (active) authentication a field that we pioneered.