Mobile device security has evolved rapidly over the last few years to address the new challenges and requirements of a mobile workforce. User authentication has moved from simple four- to six-digit passcodes to fingerprint-based biometric authentication. Managing weak, lost, forgotten, and stolen passwords for enterprise desktops has been cumbersome and costly. This problem is further exacerbated on mobile devices that have small form factors and support myriad mobile apps, each requiring its own password. The need for secure and transparent user and device authentication is even more pressing as mobile device users increasingly store and access sensitive data through their mobile devices. Innovators have made it possible to authenticate users to mobile devices, and mobile devices to network resources, through users' unique behavioral patterns.
The Defense Advanced Research Projects Agency (DARPA) Active Authentication Program and the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) Cyber Security Division (CSD) are collaborating actively to make enterprise-grade mobile security solutions commercially available to government agencies with high assurance needs as well as the broader community.
Researchers at Kryptowire—funded by DARPA and DHS S&T—have developed new behavior-based authentication and trust-based access control mechanisms to strengthen mobile user and device authentication. These new technologies are supported by a forthcoming Google application program interface and take advantage of the onboard sensors of mobile devices including touch, pressure, movement, and power to recognize users based on the way they interact with the device and mobile applications.
“Smartphones provide new challenges for authenticating users and devices, but the number of onboard sensors and the computational power of these devices also present new opportunities,” said Vincent Sritapan, DHS S&T Program Manager for Mobile Device Security. “Since passwords often are lost, stolen, and offered for sale in bulk, continuous authentication is a new line of defense that can support new trust-based access control models.”
Through this new model, a user’s phone or mobile application is embedded with a continuous authentication algorithm that creates a model of the user’s behavioral patterns (e.g., the pressure applied with touch, the way they hold the phone, etc.). The user can be granted access to sensitive information or resources using the level of trust established from this constant behavioral analysis. Moreover, this technology makes it possible to detect imposters seeking access to networks using stolen devices and user credentials. A proof of concept has been demonstrated successfully on more than 100 Android devices, but as the government workforce increasingly adopts other mobile technologies, CSD anticipates the technology will be transitioned to support Apple iOS devices as well.
“The collaboration between DARPA and DHS has allowed us to fund promising early-stage mobile security research. Having government agencies vet the technologies in a real operational environment by putting the technologies in the hands of practitioners enhances the likelihood the technology will move into the marketplace so it can address emerging security risks in both the private and government sectors,” added Sritapan.