Amid an ongoing search for technologies that might eventually replace the Defense Department’s ubiquitous Common Access Card (CAC), Pentagon researchers have landed on one technology they consider promising, but that’s not widely used outside the military: verifying users’ identities based on the particular ways in which they walk.
Defense officials have long made clear that they’d like to use multiple different identifying factors, including biometrics, to replace the CAC. But identifying users based on their gait — via the sensors in the smartphones they’re already carrying around — is one of the ideas the Defense Information Systems Agency is seriously considering as one of four pilot programs that are currently underway.
Jeremy Corey, DISA’s chief of cyber innovations and assured identity, said the practicality of “gait-based” identity verification won’t be proved out until more testing is completed in the coming months. But almost all modern mobile devices contain highly accurate accelerometers and other sensors that deliver precise measurements of how they’re oriented from one millisecond to another.
It’s the same technology that lets players use their phones as steering wheels within race car gaming apps. But for military users, leveraging the same sensors for identity verification has an obvious appeal.
“Warfighters in the field may have gloves on, they may have goggles on. They can’t do a fingerprint or show their face to authenticate,” Corey said. “So we said, ‘Let’s experiment with gait to make a determination about whether it’s enough to identify a user.’”
The prototype is meant to answer several questions, including whether a mobile device can accurately measure whether someone is walking or not. If the answer is yes, the next question is whether it can also record enough detail about a particular person’s unique pacing rhythms and movements to reliably distinguish them from anyone else. And since those computational tasks are expected to use a fair amount of processing power, there are also questions about what the ongoing series of measurements will do to a phone’s battery life.
DISA has already built a prototype version of a mobile app to test the idea of using a phone’s onboard sensors to measure someone’s gait, and the early results show that the software can train itself to recognize the unique characteristics of someone’s strides after they’ve walked about 500 meters.
But Corey said there are still a few variables that need to be accounted for in the ongoing tests.
“The trick is whether you’re doing things like stopping by the watercooler to talk to somebody,” he said during a presentation at AFCEA’s annual Defensive Cyber Operations Summit in Baltimore. “Or, if a female decides to wear heels versus flats, that also alters her gait. If I decide to put a backpack on, that alters my gait. So we’re trying to understand if we could have multiple patterns that match to one profile, depending on those kinds of things.”
The gait recognition program is just one of four tests DISA has underway to prove out some combination of technologies that might eventually replace the common access card and PIN code DoD users employ to log onto networks today.
But agency officials say one thing they have in common is that they’re trying to take advantage of the data provided by sensors and chipsets that are already on board most mobile devices, rather than layering on government-unique hardware or software.
And in theory, gait recognition wouldn’t work in isolation.
Instead, an algorithm would combine that data with other information that modern mobile devices are already capable of collecting — including face recognition and voice recognition — along with location data and “trusted peripherals,” to come up with a continuously updated score that reflects DoD’s level of confidence in whether or not a user is who they claim to be.
If the score fell below a certain threshold, they would be asked to supply an extra form of verification, like a fingerprint, in order to stay logged in.
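The scoring loop described above, sketched as an added example (not DISA's code or algorithm): per-factor match scores are fused into one confidence value that decays as evidence ages, and a drop below the threshold triggers step-up verification. The weights, half-lives, threshold and gait feature vectors are all assumptions, since the article gives no values; the gait matcher also allows several enrolled patterns under one profile, as Corey describes.

```python
import math
from dataclasses import dataclass, field

# Assumed weights and evidence half-lives (seconds); the article gives no values.
WEIGHTS = {"gait": 0.30, "face": 0.30, "voice": 0.15, "location": 0.10, "peripheral": 0.15}
HALF_LIFE = {"gait": 60, "face": 300, "voice": 300, "location": 600, "peripheral": 120}
THRESHOLD = 0.50  # assumed: below this the session needs step-up verification


def gait_match(sample, templates):
    """Best cosine similarity between a gait feature vector and any enrolled
    pattern (e.g. flats, heels, backpack) stored under one profile."""
    def cosine(a, b):
        dot = sum(x * y for x, y in zip(a, b))
        norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
        return dot / norm if norm else 0.0
    return max((max(0.0, cosine(sample, t)) for t in templates.values()), default=0.0)


@dataclass
class Session:
    observations: dict = field(default_factory=dict)  # factor -> (score, time seen)

    def observe(self, factor, score, now):
        if factor not in WEIGHTS:
            raise ValueError(f"unknown factor: {factor}")
        self.observations[factor] = (min(max(score, 0.0), 1.0), now)

    def confidence(self, now):
        """Weighted sum of each factor's latest score, halved every half-life.
        Factors never observed contribute nothing."""
        total = 0.0
        for factor, (score, seen) in self.observations.items():
            age = max(0.0, now - seen)
            total += WEIGHTS[factor] * score * 0.5 ** (age / HALF_LIFE[factor])
        return total  # weights sum to 1, so the result stays in [0, 1]

    def decision(self, now):
        return "continue" if self.confidence(now) >= THRESHOLD else "step_up"


# Constructed sample data: three-element gait feature vectors for one user.
TEMPLATES = {"flats": [1.0, 0.2, 0.1], "backpack": [0.7, 0.6, 0.3]}
```

Because unobserved and stale factors contribute little or nothing, a phone left on a desk drifts toward `step_up` on its own rather than staying trusted on old evidence.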
As of now, DISA officials believe the subsystems that are already resident on mobile devices are capable of not just collecting personal biometric data, but also safeguarding it to government standards.
“One of the main goals of this was to ensure that we’re protecting and securing any information that’s harvested on the device, so we’re utilizing much of the same policy that we have today, and it’s relying on the secure elements that are within these mobile devices,” Corey said. “This is where we store our derived credentials today. We leverage these, whether it’s hardware or software, for biometric information. Where does the device store your fingerprint today? It’s native to the device provider, whether it’s iOS or Android.”
The experiments DISA is running are an extension of the work the agency has already done to eliminate the need for CACs when users are logging into DoD networks via government-owned mobile devices.
Under the Purebred program, users are able to install a “derived” version of the public key infrastructure (PKI) certificates that already exist on their smartcards directly to their mobile devices, and securely store them there. The system had 32,000 users as of May.
But the signup process — including the installation of those derived certificates — still involves a fair amount of manual work on the part of the user, including an in-person or phone conversation with one of the 1,500 “trusted agents” DoD has authorized to enroll new mobile devices in Purebred. Part of that conversation includes a manual verification of the mobile device’s serial number.
Corey said there, too, DISA is trying to take advantage of modern devices’ built-in security features to streamline the process.
“As part of our 18-month prototype, we aim to enhance Purebred-issued credentials with hardware attestation,” he said. “This is a mechanism to provide cryptographically-signed and encrypted data that describes the security state of the device that’s bound to receive these credentials, a token that will assert various information about the device — whether it’s hardware and firmware versions, operating system, unique device IDs, hashed verification keys of boot state — and a trusted location.”
Similarly, DISA wants to use other on-board security features to separate trusted apps and data from those that are less trustworthy. Those features are part of a security architecture called TrustZone, a component of the ARM-based chips that form the computational backbone of almost all modern mobile devices.
“At the heart of it is a concept of secure and non-secure worlds that are hardware-separated, with a secure monitor that allows data to pass in between,” Corey said. “Less-secure software is blocked directly from accessing those trusted resources, but there’s also a trusted execution environment. That’s where we’d have certain things like our algorithms for fusing these identification factors together.”