Futuristic Security Schemes Could Kill Passwords
Today's world requires countless passwords to do everything from accessing personal gadgets to paying off credit cards online, but security can be compromised if someone forgets to log out or turn off the "remember password" function. Now the U.S. military wants to eliminate clunky passwords by creating a security system that actively recognizes individuals based on computer keystrokes, language patterns or even typing speed.
A computer user could come back after a coffee break and begin typing again without pausing to remember a long, complex string of password characters. That's because the security software envisioned by the Pentagon's DARPA might simply recognize the person based on factors such as their typing speed or Google search patterns — or lock them out if the patterns reflect an unauthorized user.
The system would avoid using iris scanners or fingerprint identifiers if those required extra hardware or sensors, according to DARPA's recent request for research proposals. Instead, its focus on the behavior of each individual reflects an interest in each person's "cognitive fingerprint" left behind by how the mind processes information.
Such a system is intended first for the Department of Defense's computers and laptops, but it's not hard to imagine a similar idea spreading to commercial computers if it proves successful. Technology giant IBM has also predicted the possible end of passwords within the next five years.
Still, not everyone agrees that passwords have become dinosaurs of the Internet age. If anything, passwords still represent the best solution for almost 2 billion people after more than 20 years of looking for possible replacements, according to Cormac Herley at Microsoft Research in Redmond, Wash., and Paul van Oorschot at Carleton University in Canada.
The researchers argue for the need to find out where passwords work well and where they fail to provide security, so that efforts such as DARPA's can find better focus in the insecure areas. Their suggestions are detailed in an online paper scheduled to appear in IEEE Security & Privacy Magazine in early 2012.
"More than seven years after Bill Gates declared 'the password is dead,' not only have we failed to get rid of them, but they continue to multiply as an almost universal means of Internet authentication, protecting hundreds of millions of accounts on some large sites," Herley and van Oorschot said.