Modern field guide to security and privacy

How the Pentagon plans to replace the password

The password is one of the weakest forms of security. DARPA, the Pentagon’s research arm, wants to solve this problem by turning people and their behavior into passwords through its Active Authentication program.

Pawel Kopczynski/Reuters
The Pentagon's advanced research wing is working on a project to replace the use of passwords with personal behavioral patterns.

No matter how strong it is, the password is one of the weakest forms of security.

Punching the correct code into a computer can't verify your identity. It simply shows that someone remembered – or stole – the right combination of letters and numbers.

The Pentagon’s research arm wants to solve the password problem, which plagues even the US military, by turning people and their behavior and thought processes into passwords. After all, it's hard to hack the brain.

“The human mind is the most complicated computer in existence,” said Richard Guidorizzi, who until recently was the director of the Active Authentication program at the Pentagon's Defense Advanced Research Projects Agency (DARPA).

How it could work

A soldier would insert his Common Access Card, used by the military as a form of ID, to log in to his computer on the military network.

As he uses the computer, sensors and cameras on the device would monitor his physical traits and behavior – from eye movements to mouse movements, typing rhythms to web browsing habits. The system would incorporate all that data into a composite profile.

Every time he logs on, the system would use the stored profile to determine whether the person at the keyboard is actually the soldier who is supposed to be using that computer. If the user’s patterns of behavior deviate too much, it would raise red flags to the system operator or automatically shut down the soldier’s computer.

The new biometrics

Altogether, 10 teams of researchers at universities and companies are working on different ways to verify people’s identities as part of the Active Authentication program, which is so far limited to desktop computers but will eventually expand to mobile phones. Those research partners are coming up with entirely new ways for verifying identity, including how a person constructs sentences and chooses words.

The New York Institute of Technology is working on a way to use people’s linguistic patterns as they type as a way to identify them – for instance, how person revises sentences and how long they take before correcting typing mistakes, and the amount of time they pause before beginning a new sentence.

Data from this program alone, according to DARPA, would take one minute to verify a person’s identity with 92 percent accuracy. That’s because these types of behavioral biometrics, Guidorizzi says, are virtually impossible for another person to emulate.

For example, Dan Kaufman, director of DARPA’s Information Innovation Office, has an iPhone. So does his son. “His son can instant message 10 times faster than him on the same iPhone,” Guidorizzi says. “Because his son knows the iPhone well enough he deliberately causes typos to get it to fill out the full word, whereas Dan after makes a typo [he deletes it] and actually types the word out.”

In this case, if Mr. Kaufman’s son started using his father’s iPhone, the Active Authentication system would pick up the typo-riddled deviations. “It starts raising a flag to the centralized platform, saying, ‘Hey, wait a second, my confidence this is who it claims to be is lower,’ ” Guidorizzi says. “If we actually get this running, it could tell the difference between you and malware running computer, and shut down [its] access.”

Researchers at Iowa State University are exploring ways to use people’s keystrokes and mouse movements to verify their identities. Essentially, this biometric measures cognitive processing time. The length of time it takes for a user to point to an object on the computer screen and actually click it, the program says, is an indication of how much time an individual needs to process his thoughts before making a decision. This Iowa State program, according to DARPA, takes less than half a minute to verify a person’s identity – with 93 percent accuracy.

Other researchers on the project at the Naval Research Laboratory are working on way verify identity by gather information from people’s Internet browsing habits. Metrics include the types of pages visited, how long a user spends on a page, and how often a user returns to them. Because the webpages users visit can vary so much each day, it takes the lab four hours to verify identity with only 82 percent certainty. For a full list of DARPA’s performers, see the Active Authentication powerpoint it provided to Passcode. (Since the time of the Passcode interview, Angelos Keromytis replaced Guidorizzi as the program director.)

Keeping this deeply personal data accurate, and secure

Of course, people’s behavior changes over time. That’s one reason why the program collects all the various data streams and decide whether, in the aggregate, users are close enough to their usual behavior.

That score – not the biometric data – is passed along to the main server, where an administrator can decide whether the score good enough to allow the computer to keep running or not. This would also prevent constant lockouts as a person changes behavior.

It also leaves virtually nothing of value for a hacker to intercept as the numerical scores travel to the central database, Guidorizzi says. “I’m not trying to create the next database to be hacked that has everybody’s biometric in the world,” he says. “We’re not even storing your personal information, all we’re doing is reading it and developing a profile score and saying, ‘OK, this is in the range.’ ”

Active Authentication is already gaining traction in the military, but it’s in the very early stages.

The Army’s center for research and development of advanced cyber operations – its Intelligence and Information Warfare Directorate – is building a platform to use a version of the Active Authentication system he describes.

And Guidorizzi has larger ambitions for the technology, even beyond computers and mobile devices. Take the Pentagon, for instance, which requires swiping a badge to enter.  “My dream case is when you walk down the big corridors at the Pentagon, hundreds of people a minute who all have badges, [the system] can tell how they’re walking, pick up their face.”

What do you think it should be used for? Write us at or tweet us @CSMPasscode.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to How the Pentagon plans to replace the password
Read this article in
QR Code to Subscription page
Start your subscription today