Seven ways DARPA is trying to kill the password

From analysing the way you walk to your heartbeat, these futuristic authentication systems could be here soon

A seemingly constant stream of data breaches and this week's news that Russian hackers have amassed a database of 1.2 billion Internet credentials has many people asking: Isn't it time we dumped the user name and password?

A lot of the best technology of today exploits biometric factors such as retina patterns, fingerprints and voice analysis, but beyond that a number of researchers are looking to tap into the way we think, walk and breathe to differentiate between us and an intruder.

Helping to lead the research is DARPA, the U.S. military's Defense Advanced Research Projects Agency. Its active authentication project is funding research at a number of institutions working on desktop and mobile technologies that work not just for the initial login but continuously while the user is accessing a device. The array of sensors already found in mobile phones makes some of the ideas particularly interesting.

The technologies exploit data that's already available inside devices, but utilize it in new ways, said Richard Guidorizzi, program manager of the project at DARPA.

"Except during lab testing, we did not need to create new devices to attach to your phone and drain your battery. They were able to use what was already there with a great deal of success," he said.

So, when might they be available? The project is still going on, but it seems to be attracting interest.

"Some of my [teams] are already being approached by some of the largest companies in the world to incorporate their technology into their products, including smartphones and Web-based technologies," said Guidorizzi.

Micro hand movements

A project underway at the New York Institute of Technology aims to analyze micro movements and oscillations in your hand as you hold a smartphone to determine the identity of the user. It is looking at touch-burst activity, which happens when a user performs a series of touch strokes and gestures, and the pause between those touches and gestures while the user is consuming content.

Activity-based analysis

SRI International in Silicon Valley is trying to exploit the accelerometers and gyro sensors already inside smartphones to extract unique and distinguishing characteristics of the way a user walks and stands.

Your stride length, the way you balance your body and the speed at which you walk are all individual to you. Additional sensors can help to determine physical characteristics, such as arm length, and the user's physical situation, such as proximity to others and whether the user is sitting, standing, picking something up, texting or talking on the phone.


The differences in how we use language could be enough to tell us apart. Drexel University is trying to extract author fingerprints from the large volumes of text we typically enter into our PCs and smartphones and then use that to spot when someone else might be at the keyboard.

This could be the words used, individual grammar quirks, sentence construction and even the errors individuals are prone to making again and again. The technology can be tied together with another keyboard-based authentication method -- the analysis of the way a user types, such as their keyboard speed and pauses between letters -- to make an even more secure authentication system.

Microwave heartbeats

NASA's Jet Propulsion Laboratory is trying to detect the individual features of your heartbeat from a phone. Microwave signals emitted by the phone are reflected back by your body, collected by sensors in the phone and amplified to detect your heart rhythm. This might have the added bonus of being able to alert you to see a doctor should a subtle change in your heartbeat happen.

System anomalies

The last thing anyone wants to see on a PC is an error message, but this particular type of annoyance might turn out to have a role to play in security.

By throwing up random error messages and analysing how users respond to them, the Southwest Research Institute is hoping to identify individuals and spot intruders. So next time your PC tells you it's out of memory and asks if you want to report the issue, think carefully. It could be testing you.

Biometric analysis

Perhaps most familiar to people through fingerprint sensors, biometric analysis seeks to exploit a wide range of personal characteristics. Li Creative Technologies is developing a voice-based system that can be used to unlock a mobile device.

You'll be prompted to say a passphrase, and the software doesn't just monitor if the phrase was correct but whether you were the one saying it. A second function continuously monitors what's being said around the device to detect if another user has picked up the phone and is attempting to access it.

Visual fingerprinting

The University of Maryland is using visual streams to make sure you're the one using your PC or phone. On the desktop it looks at things like the way you organise windows and resize them, your work patterns and limitations in mouse movements.

On the phone the system pulls in three video streams: an image of you from the front-facing camera, an image of your surroundings (or shoes or pants) captured with the rear-facing camera, and your screen activity from the display. Researchers hope that taken together, these three streams will be distinct enough to authenticate an individual user and keep them authenticated while using the device.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is
