By Allure Security on Mar 16, 2016 12:14:00 PM
While there’s some debate over whether privacy is a more modern concept or fundamental to human existence, we know that folks have been keeping things under lock and key since ancient Mesopotamia, which means we have been locking our diaries, secrets, treasures, and gym clothes for at least 6,000 years.
As more of our lives migrated online – whether work or social – it became necessary to create some sort of “digital lock” to keep data private and restricted to the owners of that data.
The first computer password was developed in 1961 at the Massachusetts Institute of Technology, for the Compatible Time-Sharing System (CTSS). CTSS was designed to accommodate multiple users at once, with the same core processor powering separate consoles. As such, each researcher needed a personal point-of-entry into the system.
“The key problem was that we were setting up multiple terminals, which were to be used by multiple persons but with each person having his own private set of files,” Fernando Corbató, the head of the CTSS program, told Wired. “Putting a password on for each individual user as a lock seemed like a very straightforward solution.”
- Early security researcher
Since then, especially now that we live in a world where the average person has 19 passwords, passwords seem less straightforward and even less natural. “The current standard method for validating a user’s identity for authentication,” writes Dr. Angelos Keromytis of DARPA (and co-founder of Allure), “requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords.”
Researchers have thought hard about the ways in which they could authenticate someone’s identity: by something the user knows, like a password; by something the user physically possesses, like a key or a security token; or by something the user is, called a biometric, which is either a physical characteristic like a fingerprint or a behavioral characteristic like voice pitch.
Our team of researchers has been thinking about what makes us unique since the mid-1990s, when founder and CEO Salvatore Stolfo wrote his first proposal to study behavior as a way to uniquely identify people. Stolfo's later work on modeling patterns in credit card transactions has become the industry standard for identifying fraudulent activity.
Some two decades later we expanded our research as part of the DARPA Active Authentication program, which is concerned with the failure of passwords from the human angle. “Humans aren’t built to remember random connections of strings,” says Richard Guidorizzi, Program Manager of DARPA’s Beyond Passwords program. “The problem is that we’re focusing on something else than the user...I’d like to move to a world where you sit down at a console, identify yourself, and start working, and the authentication happens in the background while you continue doing your work without interruptions.”
This area of research has exploded in recent years as scientists look for ways we can chuck cumbersome passwords in favor of seamless and continuous authentication that is tied to something unmistakably unique to you. Here are a few of the biometrics researchers have studied that could become the new password.
1. YOUR NOSE
Researchers at the University of Bath believe they can identify someone based on the shape of their nose in a photograph. They’ve developed a system called PhotoFace, which takes a 3-D image of a subject’s nose and then uses computer software to analyze it according to six main nose shapes: Roman, Greek, Nubian, Hawk, Snub, and Turn-up.
While focusing on someone’s nose may seem a little silly, Dr Adrian Evans makes some good arguments as to why we should take it seriously. “There’s no one magic biometric - irises are a powerful biometric, but can be difficult to capture accurately and can easily be obscured by eyelids or glasses. Noses, however, are much easier to photograph and are harder to conceal, so a system that recognizes noses would work better with an uncooperative subject or for covert surveillance.” Noses also have the benefit of not changing much with facial expression.
Bonus Trivia: in Eden Warwick's Nasology, where these types of nose classifications come from, she creates a phrenology of noses, associating them with character traits. For instance: “the cognitive, or wide-nostrilled nose...indicates a cognitive mind, having strong powers of thought...It is our own faults, therefore, if we throw away the talents bestowed upon us, and suffer our minds to degenerate into inanity and our Noses into sharpness.”
2. YOUR EAR
The shape of one’s ear may be a more reliable measurement than one’s fingerprint.
Ears are actually unique to each and every person, so much so that they are comparable in uniqueness to the fingerprint. What makes the ear so unique? One’s ears are fully formed at birth and age gracefully over time, making them an ideal body part to confirm identity. Fingerprints can change due to the development of calluses from repeated labor, which can make them less reliable.
This was the thought process behind a shape-finding algorithm called “image ray transformation,” which boasts 99.6 percent accuracy, according to the work of Alastair Cummings, Mark Nixon and John Carter of the University of Southampton’s School of Electronics and Computer Science.
“The rays fly around the image and get caught in tubular things. The helix, or outer edge, of an ear is a wonderful tube that rays keep hitting,” said Cummings. “There are dozens of ways of doing ear biometrics, but this is a very good one.”
Using the ear is not about replacing existing biometrics such as fingerprints. Rather, it’s about supplementing them, especially when it comes to catching crooks.
“It’s easy to say, ‘Hey there’s fingerprints, faces and irises, why do we need more?’ For some applications that’s a valid question,” he said. “But when you’re doing surveillance, where a person isn’t being cooperative for obvious reasons, you want anything you can get. If you have images of ears, it’s dumb to throw that away.”
Bonus Trivia: Ears can be used for more than just an ID badge. The cartilage breaks down and causes drooping at .22 millimeters per year. This elongation-to-age ratio is so exacting, it can be used by forensic scientists to determine the approximate age of a person.
3. YOUR BUTTOCKS
Little attention has been paid to the security possibilities of the buttocks, except by a group of researchers at the Advanced Institute of Industrial Technology who have developed a car seat that can identify drivers when sitting down.
The driver’s seat is fitted with 360 sensors that measure pressure according to a scale of zero to 256. Each reading is plotted to create a 3-D image used as a personal identifier. If someone who sits in the seat isn’t recognized against this 3-D image, the car won’t move.
According to its makers, the system was able to identify drivers with 98% accuracy during experiments.
Bonus Trivia: The shape of your posterior might be able to do more than identify you: according to rumpology, it can reveal who you are as a person. Similar to palm reading, rumpology focuses on the meanings of different characteristics of the posterior, with the left and right buttock corresponding to a person’s past and future and "The crack of your behind corresponds to the division of the two hemispheres of the brain." Who is that quote from? None other than Jackie Stallone, Sly’s mom, who invented (or possibly revived) the practice. According to Wikipedia, Jackie Stallone will perform buttock readings using e-mailed digital photographs, and has claimed to predict the outcome of Presidential elections and Oscar awards by reading the bottoms of her two pet Doberman Pinschers.
4. YOUR WALK
The way a bare foot strikes the ground as one walks is as characteristic and individual to one’s identity as dental records.
This is “foot pressure identification,” just one aspect of gait analysis, which can also focus on the way one walks (step length, step width, walking speed, cycle time) and the actual way one’s body moves while walking (joint rotation of the hip, knee and ankle, mean joint angles of the hip/knee/ankle, and thigh/trunk/foot angles).
Attempting to identify someone by their gait comes from the shortcomings of other biometric authentication techniques. Iris scans, face recognition, and fingerprints require both high quality images and cooperative subjects. All it takes to recognize someone’s gait is low-quality video footage. “Imagine a bank robber who has covered his fingers and face,” says Martin Hoffman, a researcher at Technical University of Munich studying gait analysis, “but can be identified by the way he walks out of the bank.”
Gait can also be tracked by the accelerometer and GPS on a smartphone and used as a form of authentication.
Bonus Trivia: This technology isn’t just used to identify people in a video; it can ID the people holding the camera as well. Two researchers at the Hebrew University of Jerusalem have developed a way to identify first-person filmmakers based on the wobble of their cameras, which is especially useful in a world where GoPros, Google Glass, and police body cameras are more and more common. As Shmuel Peleg, one of the researchers, puts it, “The fact that their face isn’t seen doesn’t mean that they are anonymous.”
5. YOUR BEHAVIOR
Not all biometrics have to be visibly observable, however. We can't yet peer inside your head from your computer screen, but we can capture your "cognitive fingerprint" from how you use your device, which essentially creates a pattern of how you think. Physical biometrics are vulnerable to error, especially when a person's physical attributes change due to injury or other reasons like aging or modification.
What changes less often is how you think and behave. Behavior has predictable patterns. Credit card companies learned this with financial transactions: although what you buy changes from month to month, you tend to shop for the same things at the same stores, and spend within certain financial amounts in certain geographic locations. When something looks wonky, they freeze your card.
The way you operate a device creates a pattern, too. You log into the same applications, organize files according to your personal logic, and access the network or file system in roughly the same way every day. Your behavior may be consistent, but it's also totally unique to you. Our research at Allure has found that we can identify a person based on how they interact with their machine with 95% accuracy, which means we also know when an intruder is poking around your system.
What’s unique about this is that unlike other physical biometrics, it’s nearly impossible to spoof or confuse by having some kind of physical change (e.g., can you be identified by your gait if you twist your ankle?). It’s also one of the few formats that’s actually designed for use specifically on devices, not just a biometric ported there.
Allure has spent years researching how to use user behavior on a device as a form of continuous authentication. If you’d like to learn more about how this could protect your device or your network, we’d love to tell you.