DARPA Wants To Get Rid of Password Protection 205
coondoggie writes "Researchers from the Defense Advanced Research Projects Agency will next week detail a new program it hopes will develop technology to dramatically change computer system security authorization. The program, called Active Authentication, looks to develop technology that goes way beyond today's use of hard to remember password protection and determine identity through 'use of software applications that can determine identity through the activities the user normally performs,' DARPA said."
Google and Facebook already do this, no ? (Score:2, Interesting)
Authenticate based on "activities the user normally perform" ?
Aren't Google, Facebook and advertisers already tracking our every move ? And figuring out when people come back to visit a site ?
I'm sure you can identify people that way, but can it really be secure ?
Re:"Active" Authentication? (Score:4, Interesting)
Sounds worryingly Microsoft-ish.
Not that it's a problem in this case, since this system is doomed to fail before it even begins.
So many things wrong with this idea. I'd hate for my to change a little and all of a sudden I'm locked out.
I guess you'd be able to replace one Office Space drone with another ("I usually come in about 15 minutes late, i use the side door that way lumberg can't see me, then i just kinda space out for about an hour.")
TFS doesn't make sense. (Score:4, Interesting)
System authentication takes place, necessarily, BEFORE any activity can take place. Therefore, there's no way in this physical universe you can run an authentication based upon a users' activity to unlock the platform he would need access to to actually *do* anything.
My first thought on this, however, is old hat: fingerprint recognition (easily defeated with a boxcutter and a Kleenex), facial recognition (the jury's out on this one, I have a Windows 7 box and FR authentication just plain doesn't work), voice sampling (decent quality analogue playback? Help me out here, how easy is it to defeat a voice sampler?), retinal scanning... there are several methods of passwordless authentication, which can be made more secure (and quite possibly safer) with random combination of two or three of them. I'll tell you how old hat: Star Trek II. Kirk authenticates himself for access to Project Genesis report with voice sampling and retinal scan. That was a plot device used in a movie in what, 1982? Yeah, a bit before HD webcams and commercially available low power LED lasers. Way before MP3. If DARPA are trying any of this on for patents, they'll fall over on prior art.
Re:Obligatory XKCD (Score:4, Interesting)
You are missing the point of the comic. It explicitly measures the entropy [wikimedia.org] of the two password selection schemes. The selection scheme itself is not secret; the point is that if there are about 2048 (2^11) "common" words, then there are 2^44 passwords made out of 4 common words, which is a lot more than the estimated ~2^28 possibilities for the more common password scheme.
What the comic doesn't take into account is methods of discovering the password other than brute force. If the password is known to be 4 common words, and you somehow discover a few letters of the password (eg looking over someone's shoulder) and have a rough idea of the placement of those letters within the password, it suddenly becomes a whole lot easier to guess what the remaining letters are, as opposed to a random password where knowing a few letters in the password doesn't help in determining what the other letters are. Using something like the acoustic keystroke logger posted on Slashdot the other day becomes a whole lot easier too as the search space is diminished because the words are common dictionary words.
And when you exhibit abnormal behavior?? (Score:5, Interesting)
"Normal" behavior is a baseline, not a universal.
What about when you have a cold? Your voice is messed up, your brain is foggy, you become clumsy which means your behaviors change, you take medicines which make you groggy and thus different, and so on.
What about when you start taking a prescription (or other) drug that messes with your mind and/or with your reflexes, and/or with your nervous system?
What about when you're in a bad mood? What about when you've just experienced a life-changing event and everything about you seems different? What about if you get food poisoning, get hit by a bus, get burned in a fire, get a brain tumor, or are just having a bad friggin' day?
How many people are "normal" every day of their life? 0.00000000%, right?
Re:Google and Facebook already do this, no ? (Score:4, Interesting)
When we recently traveled I logged into Facebook on my phone. At home I log in from many different devices at many different places in the city. None of this rings alarms. As I was traveling Facebook didn't blink an eye when I suddenly logged in from Europe.
My girlfriend on the other hand was not so mobile. She last logged in from Australia. When she sat down at a kiosk in Dubai and logged in Facebook refused her login and made her play a guessing game. It showed pictures of her friends and asked her to match the faces to the names.
I was actually quite impressed with not only the way in which Facebook didn't simply accept the login but also posed a quiz that worked quite well at identifying if you are who you say you are.
Forget passwords. We use keys today. (Score:2, Interesting)
We know passwords don't work, so change the concept to keys. People understand keys. They know they aren't expected to remember them so they keep them safe on keyrings and a standard (preferably cross platform) OS service should be a keyring manager.
A password: twulriem
A short key: XiuPE&(K-8Ln:5;&S_?H'a/3
So instead of password fields, use key block fields. Expect that people will save the key in a key manager.
BQ)`0h9!*{yatTvqo,S
jNgf&_{W}ii'8UL/g
\pEaz{p?5N)lmU(&}(
%zLvcR[5r}6Kvmg-uk
6*f@2vo4D%`uOY?]SZ
M%=P_F1d3Oz:g+3{|v]
54lT55|DYunE"V{1pm]+o
$lfWsGFbWS7Fr`L?
IeL)Ot1H$V$F7'0xzVb
~_q][7?gfz[WaQ%?Q)
w*JMg%MPe;Fi]\W{5
[J~NTZ)(Iu$q191bSm
@7|h-]6q@$|Dguy(Kb
6'\2F`I6sWO5$c%%
\|Tu:(VMH?T['8;5GVYI
U8KS@lKV[&(i$VR$f&