US Defense Information Systems Agency Urges Adoption of Behavioral Biometrics

by Tim Sloane

The US Defense Information Systems Agency intends to pilot a persistent behavioral biometric solution in the next year, providing at least one solid piece of evidence that Mercator’s forecast (Biometrics: A Market Forecast for Consumer Adoption) is coming to fruition:

“A U.S. Defense Department pilot project intends to develop a prototype system within the next year to authenticate the identity of mobile users through their so-called patterns of life, such as how fast they walk to work or locations they routinely visit. The project is designed to benefit warfighters who may not have time for fingerprints, facial recognition scans or other forms of traditional biometrics.

Defense Information Systems Agency (DISA) officials remain mum on many of the details because they expect to award a contract soon, but they allow that a prototype could be developed in as little as six months. “We’re looking to prototype a specific type of technology as we go forward here, and … we’re trying to do it in a fairly rapid fashion. So in the next 12 months, I think you’re going to see that technology really evolve,” reports Jeremy Corey, DISA’s assured identity program manager and leader of the agency’s Cyber Development Innovation Cell.

The system is expected to authenticate mobile user identities while developing a trust score, which helps determine the user’s level of access.

“From an authentication and authorization standpoint, it provides a means of developing a trust score with a very high probability that you are who you say you are. From an authentication standpoint, it greatly aids us in our ability to identify users on the network,” explains Capt. Jeffrey Buss, USN, chief technology officer for DISA’s Cyber Development Directorate.

Analyzing patterns of life also will aid DISA’s cyber hunters in tracking threats, says Roger Greenwell, DISA’s chief of cybersecurity and authorizing official, Office of the Risk Management Executive. “It moves even beyond the concept of biometrics in many ways, when you think about how a person writes out something—how they hold a device, how they type, the speed at which an individual enters information. All of these things are essentially patterns of life that can then be used as indicators of who is actually using that device,” Greenwell offers.

Patterns-of-life authentication simply will make life a little easier because users will no longer have to enter a six- to eight-digit personal identification number up to 50 times per day, Corey says. Because the Defense Department will use apps already on a device, authentication will happen largely “in the background,” he notes. “Our industry partners have managed to pack in loads of sensors into mobile devices, from gyroscopes to accelerometers to proximity sensors and ambient light sensors,” Corey points out. “By coupling each of those sensors—or a group of those sensors—together, that could potentially establish a pattern of that particular user.”

Capt. Buss cites the Waze app as an example. “Waze now knows your average speed, and a lot of different things about you are being collected on that phone. Gait is another one we’ve talked a lot about—your stride, if you will—and how you walk,” he adds.


Officials have not yet determined the trust score process. “We’re still working through the details of what that trust is going to allow you to do, but we know with a high degree of certainty we can identify somebody using patterns of life and biometrics as well as location and some other means,” Corey says, indicating that biometrics still can complement patterns-of-life analysis.

DISA officials also emphasize the need for strong encryption to complement patterns-of-life authentication. “We’re talking about other elements or other authentication factors that may potentially supplement that [public key infrastructure] credential as that first initial step to where we may evolve in the future for authenticating users,” Capt. Buss states.”


The article goes on to identify some of the difficulties that the solution must address, some of which are unique to the military while others are much more general requirements, such as the need for a secure handset:

“The officials note that warfighters are intended to be the primary beneficiaries. “What we’re really trying to achieve here is to help the warfighter. He or she may wear gloves in the field. You can’t expect that they’re going to be able to authenticate and use a fingerprint on a device,” Corey elaborates. “Maybe they wear goggles. Are you going to expect the warfighter to remove their goggles to do facial recognition?”

Tracking a person’s gait will be especially helpful in alleviating the need for fingerprints and facial recognition, Corey indicates. “This is where gait could be very exciting, to help determine whether or not it truly is the right person behind a device,” he says.

While they are not yet able to disclose details, the DISA officials confirm that they are interested in tracking a variety of patterns of life with just one system. “There is work out there that has researched whether or not keyboard cadence can generate a particular and unique pattern that we could tie to a single user,” Corey states. “That is an ongoing pilot that we are in now, and it’s measuring keyboard cadence as well as mouse track movements.”

Although many of the capabilities of interest already are easily available, integrating them all into one prototype still is challenging. “It’s not that the capability is not there, it’s integrating it and implementing it so that the Defense Department can use it. A lot is there—it’s just trying to transform it into something we can use,” he offers.

Officials must begin to integrate capabilities by examining the entire mobile device operating system—a system more complex than many desktops today, Corey says. “We have to … understand how the hardware bits of a mobile device are assembled so that we can establish some trustworthiness in the guts of that mobile device,” he states.”

The Mercator forecast may be a tad aggressive, as I can’t wait for passwords to die a rapid death. That said, this announcement of an impending pilot is a solid contribution that suggests the forecast may be too conservative. We will update the forecast annually so time will tell!

Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
