Can the federal government kill the password?

Imagine a world with no passwords, where Internet users are freed from memorizing jumbles of characters and numbers that are usually either too simple to crack by today’s sophisticated attackers or too complex to remember by the people who need to use them.

In the commercial space, companies like Yahoo! are offering users a way in to their mobile email without one. White House Cybersecurity Coordinator Michael Daniel once said he’d “really love to kill the password dead as a primary security method — because it’s terrible.” 

In the next breath, however, Daniel hit on the central password paradox: “when we think about replacing it, it  has to be replaced with something that’s actually easy for people to use.”

To that end, Northrop Grumman will be working to develop advanced biometric solutions to enhance mobile security and virtually eliminate the password while keeping users connected on the go via a contract from the Department of Homeland Security (DHS) Science and Technology Directorate. 

This is not your  “standard” biometrics like fingerprint or facial recognition, nor is it a simple password or a PIN. The Northrop Grumman’s solution will combine modeling techniques with behavioral characteristics gathered by sensors on a device — such as how a user picks up and handles a device, a highly secure and irreproducible function — to authenticate user identity. 

"As the government moves to a more mobile business model, this new technology mitigates risk so users can take advantage of the newest mobile applications in a trusted state," said Shawn Purvis, vice president and general manager of Northrop Grumman’s cyber division. "From the warfighter to the civil servant, we are integrating solutions to optimize ease and performance while layering our defense-in-depth approach to protect everything from the perimeter to the data." 

The $1.7 million Mobile Technology Security (MTS) research and development (R&D) award leverages a research projects from two of Northrop’s university research partners.

The project is chiefly based on threat behavior modeling originally developed through its Cybersecurity Research Consortium partner Carnegie Mellon University's (CMU) cybersecurity institute, CyLab.

At CyLab, researchers investigated how sensors on a device track and capture user behavior and compare that data against a user profile automatically derived through machine-learning techniques.

(This technology was commercially spun off into a company called Zense, now a teammate on this project.)

Enhancing this feature is another project on mobile challenge response techniques that the company sponsored at Iowa State University through the Security and Software Engineering Research Center (S² ERC), an NSF-sponsored Industry/University Cooperative Research Center. To prove a user is who they say they are, the device simply generates a curve on the display that the user must then trace on the touch screen. As the user swipes across the screen, unique pressure points are calibrated that cannot be replicated across users, thus ensuring another level of security and authenticity. If a user is not able to authenticate, the device will lock or, in extreme situations, be wiped automatically.

“This project is an example of how we are working with our academic research partners to integrate next-generation technologies in an innovative way to address a national security imperative,” Ms. Purvis said.

Northrop Grumman's Cybersecurity Research Consortium includes Carnegie Mellon University, Massachusetts Institute of Technology, Purdue University and the University of Southern California. Formed in 2009, the consortium aims to advance research and develop solutions to counter the complex cyber threats that face our economy, our freedom of information, and our national security.

Northrop Grumman is a leading global security company providing innovative systems, products and solutions in unmanned systems, cyber, C4ISR, and logistics and modernization to government and commercial customers worldwide. Please visit www.northropgrumman.com for more information.