In quest to replace Common Access Card, DoD starts testing behavior-based authentication – FederalNewsRadio.com

A year after then-chief information officer Terry Halvorsen first publicly floated the idea of killing DoD's Common Access Card in favor of a collection of more flexible authentication technologies, the Pentagon is beginning to test drive at least one of the potential replacements for the CAC.

Last week, the Defense Innovation Unit-Experimental reached an agreement with Plurilock Technologies, a Victoria, British Columbia-based firm that holds several patents on behavior-based authentication (or, behaviour-based, to our friends to the north).

The company claims that after spending about 20 minutes monitoring and analyzing the specific patterns people engage in when using their computers, particularly their habits when pressing keys on their keyboards and their mouse movement techniques, its software can build a reliable digital fingerprint for any user that can be used later on to sound an alarm when an impostor is logged onto a system using someone else's credentials.

"Human behavior has a degree of variability; it's organic," Plurilock's CEO, Ian Paterson, said in an interview. "A person may have had coffee in the morning, they may be tired at the end of the day, but they still retain unique characteristics, and that's what we track."

The aforementioned CIO, Terry Halvorsen, said last June that DoD would eliminate the CAC within two years. The replacement, he continued to emphasize in subsequent public statements, would not be a single technology, but a collection of 10 or more different authentication factors that give the department a higher degree of identity assurance than it currently has, without tying users to a single piece of plastic with an embedded microchip.

The evaluation that's now underway with Plurilock's system appears to be consistent with that game plan. Paterson said the test deployment that's now beginning inside one of DoD's combat support agencies (the company declined to say which one) will monitor users' behavior only after they've logged into a computer by some other means.

If the system detects something unusual, it can be configured to do a number of things, from delivering immediate alerts to security administrators, to locking the user's terminal, to simply asking a user to authenticate themselves again. And depending on how they re-authenticate, it can take a series of steps that rely on other factors to provide higher degrees of identity assurance.

Paterson argued that sort of continuous monitoring of users' behavior is the only real way to know whether the person sitting behind a computer screen is truly who they claim to be.

"For some of our large clients in the financial sector, they've told us it only takes one 'oops' for someone to walk away and leave their terminal unlocked," he said. "It doesn't take much imagination to think that if somebody's going through a divorce, if there's been money changing hands, it becomes a liability for that business. Because we're sitting in the background continuously, the second an intruder would sit down and start trying to interact with that desktop, we would be able to stop them in real time."
