Pentagon developing Identity Authentication system based on behavioral biometrics, risk scores

The U.S. Department of Defense is buying in on behavioral biometrics in a big way, with a new initiative to launch Identity Authentication hardware for smartphones, tied to a risk score algorithm, within the next two years.

Details on the program, which is being developed by an unnamed private company with funding from the Defense Information Systems Agency, were revealed by Nextgov. Steve Wallace, technical director at DISA, revealed the hardware will sense factors such as hand pressure, wrist tension, and gait while walking to verify that a user is who they claim to be.

These behavioral biometrics will then be linked to a risk assessment score, which will enable services, applications, and even secure facilities to determine their own thresholds for access.

Within the OWI Identity Building Blocks, behavioral biometrics fall under the process of Identity Authentication, which is defined as the process of determining that one is transacting with the same entity iteratively over time.

Behavioral biometrics require a system to learn a user’s behavior so that patterns can be identified, allowing for “silent” and potentially continuous Authentication while a user accesses a device. Systems will track a number of attributes, but create a unique profile based on behaviors that are most unique to the specific user when compared to population averages. The system also learns over time, theoretically becoming more secure as it understands the nuances of user behavior.

The department hopes that companies will begin embedding the hardware in future smartphones once the program has been finalized. Doing so could allow for devices to be authorized for government or corporate use with a behavioral biometric security standard.

Developed as a potential replacement for the Common Access Card, or CAC, the Pentagon’s system would go beyond secure building access and potentially control the user’s ability to access a device, use applications, or view certain files.

Wallace said DISA has worked closely with various businesses, particularly in the financial market, to develop a system that could have more universal appeal in the private sector.

Behavioral biometrics are different from traditional biometrics, like a fingerprint scan or facial recognition, because they rely on subtle behaviors that may be imperceptible or unable to be mimicked by humans. Wallace said current commercial biometric systems are too easily spoofed for the government’s stringent security standards,

OWI Insight: The U.S. government investing in behavioral biometrics as a form of Authentication should be noteworthy to anyone in the identity space, as it could signal future market trends toward embracing such technology. Still, there are major hurdles for the project to overcome, including willingness by smartphone manufacturers to embed the system in their devices, particularly amid the consumerization of workplace and government hardware. But if the Pentagon can successfully build a trustworthy behavioral biometrics system tied to an accurate risk score, it could change the game for Identity Authentication via mobile devices.