A year after then-chief information officer Terry Halvorsen first publicly floated the idea of killing DoD’s Common Access Card in favor of a collection of more flexible authentication technologies, the Pentagon is beginning to test drive at least one of the potential replacements for the CAC.
Last week, the Defense Innovation Unit-Experimental reached an agreement with Plurilock Technologies, a Victoria, British Columbia-based firm that holds several patents on behavior-based authentication (or, “behaviour-based,” to our friends to the north).
The company claims that after about 20 minutes of monitoring and analyzing the patterns a person exhibits while using a computer, particularly keystroke habits and mouse-movement technique, its software can build a reliable behavioral fingerprint for that user. The fingerprint is then used to raise an alarm when an impostor is logged onto a system with someone else's credentials.
“Human behavior has a degree of variability — it’s organic,” Plurilock’s CEO, Ian Paterson said in an interview. “A person may have had coffee in the morning, they may be tired at the end of the day, but they still retain unique characteristics, and that’s what we track.”
The aforementioned CIO, Terry Halvorsen, said last June that DoD would eliminate the CAC within two years. The replacement, he continued to emphasize in subsequent public statements, would not be a single technology, but a collection of 10 or more different authentication “factors” that give the department a higher degree of identity assurance than it currently has without tying users to a single piece of plastic with an embedded microchip.
The evaluation that’s now underway with Plurilock’s system appears to be consistent with that game plan. Paterson said the test deployment that’s now beginning inside one of DoD’s combat support agencies (the company declined to say which one) will monitor users’ behavior only after they’ve logged into a computer by some other means.
DoD Reporter Jared Serbu discusses this story on Federal Drive with Tom Temin
If the system detects something unusual, it can be configured to respond in several ways: delivering immediate alerts to security administrators, locking the user's terminal, or simply asking the user to authenticate again. Depending on how the user re-authenticates, it can then escalate through further steps that rely on other factors to provide higher degrees of identity assurance.
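The mechanism described above (learn a timing profile during an enrollment period, score live sessions against it, and escalate from an alert to a re-authentication prompt to a terminal lock) can be sketched in code. The following is an added example, not Plurilock's software or its patented method; the event format, the minimum sample sizes, the z-score thresholds and all of the keystroke timing data are assumptions constructed for illustration.

```python
"""Toy continuous-authentication check based on keystroke dynamics.

Added illustration, not Plurilock's code or algorithm. It assumes timing
events arrive as (key, press_ms, release_ms) tuples in chronological order,
models a user as per-feature mean/std over key dwell and flight times, and
maps a session's anomaly score to the graduated responses the article
mentions. All timing data is constructed with a seeded generator.
"""
import random
from dataclasses import dataclass
from statistics import mean, pstdev

# Hypothetical policy thresholds on the mean absolute z-score of a session.
ALLOW_BELOW = 1.5        # typical for the enrolled user (E|z| ~ 0.8 if Gaussian)
ALERT_BELOW = 2.5        # notify security administrators, keep the session open
REAUTH_BELOW = 3.5       # prompt for another factor before continuing
                         # at or above REAUTH_BELOW: lock the terminal
MIN_ENROLL_EVENTS = 200  # assumption: stands in for the article's "20 minutes"
MIN_SESSION_EVENTS = 20  # assumption: fewer events gives no verdict at all


@dataclass
class Profile:
    dwell_mean: float
    dwell_std: float
    flight_mean: float
    flight_std: float


def extract_features(events):
    """Dwell = how long each key is held; flight = gap between releasing one
    key and pressing the next. A real system would also keep per-key and
    per-digraph distributions and mouse features; this keeps two aggregates."""
    dwells = [release - press for _, press, release in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwells, flights


def enroll(events):
    """Build a behavioral profile from the enrollment period. Std is floored
    at 1 ms so an unnaturally uniform sample cannot make every later session
    look anomalous through division by a near-zero spread."""
    if len(events) < MIN_ENROLL_EVENTS:
        raise ValueError(f"need at least {MIN_ENROLL_EVENTS} events, got {len(events)}")
    dwells, flights = extract_features(events)
    return Profile(mean(dwells), max(pstdev(dwells), 1.0),
                   mean(flights), max(pstdev(flights), 1.0))


def anomaly_score(profile, events):
    """Mean absolute z-score of the session's dwell and flight times against
    the profile. Returns None when the session is too short to judge."""
    if len(events) < MIN_SESSION_EVENTS:
        return None
    dwells, flights = extract_features(events)
    z = [abs(d - profile.dwell_mean) / profile.dwell_std for d in dwells]
    z += [abs(f - profile.flight_mean) / profile.flight_std for f in flights]
    return mean(z)


def decide(score):
    """Map a score to the graduated response policy."""
    if score is None:
        return "insufficient_data"
    if score < ALLOW_BELOW:
        return "allow"
    if score < ALERT_BELOW:
        return "alert"
    if score < REAUTH_BELOW:
        return "reauth"
    return "lock"


def synth_typing(n, dwell, dwell_sd, flight, flight_sd, seed):
    """Constructed keystroke stream with Gaussian dwell/flight timing (ms)."""
    rng = random.Random(seed)
    events, t = [], 0.0
    for i in range(n):
        press = t
        release = press + max(1.0, rng.gauss(dwell, dwell_sd))
        events.append((chr(97 + i % 26), press, release))
        t = release + max(1.0, rng.gauss(flight, flight_sd))
    return events


def demo():
    """Enroll one user, then score four constructed sessions against them."""
    profile = enroll(synth_typing(400, 90, 15, 120, 30, seed=1))
    sessions = {
        "same user, later": synth_typing(60, 90, 15, 120, 30, seed=2),
        "same user, tired": synth_typing(60, 110, 15, 150, 30, seed=3),
        "impostor at unlocked terminal": synth_typing(60, 170, 20, 260, 40, seed=4),
        "too short to judge": synth_typing(5, 170, 20, 260, 40, seed=5),
    }
    results = {}
    for name, ev in sessions.items():
        score = anomaly_score(profile, ev)
        results[name] = (score, decide(score))
    return results


if __name__ == "__main__":
    for name, (score, action) in demo().items():
        shown = "n/a" if score is None else f"{score:.2f}"
        print(f"{name:32s} score={shown:>5s} -> {action}")
```

The "tired" session shows why the graduated policy matters: a slower-than-usual but genuine user drifts toward the alert band rather than straight to a lock, while a typist with markedly different rhythm at an unlocked terminal scores several standard deviations away and is locked out. The thresholds are illustrative; a deployment would tune them on real enrollment data and combine the score with the other factors the article describes.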
Paterson argued that sort of continuous monitoring of users’ behavior is the only real way to know whether the person sitting behind a computer screen is truly who they claim to be.
“For some of our large clients in the financial sector, they’ve told us it only takes one ‘oops’ for someone to walk away and leave their terminal unlocked,” he said. “It doesn’t take much imagination to think that if somebody’s going through a divorce, if there’s been money changing hands, it becomes a liability for that business. Because we’re sitting in the background continuously, the second an intruder would sit down and start trying to interact with that desktop, we would be able to stop them in real time.”