The Pentagon has a project that aims to verify identity via smartphone

A Pentagon-funded project that aims to add tech to verify identity and ultimately to assign a “risk score” to you could be included in new smartphones within two years.

If a project funded by the Defense Department goes well, then new technology to verify identity and ultimately to assign a “risk score” to you could be in new smartphones within two years.

The identity verification tech will be embedded in the hardware of smartphones. Steve Wallace, technical director at the Defense Information Systems Agency (DISA), told Nextgov that the tech “will analyze a variety of identifiers that are unique to an individual, such as the hand pressure and wrist tension when the person holds a smartphone and the person’s peculiar gait while walking.”

Organizations that use the tool can combine those identifiers to give the phone holder a “risk score,” Wallace said. If the risk score is low enough, the organization can presume the person is who she says she is and grant her access to sensitive files on the phone or on a connected computer or grant her access to a secure facility. If the score’s too high, she’ll be locked out.

A GPS tracker, not the type used by mapping and exercise apps, may also be built into the chips in order to “store encrypted information about a person’s movements,” Wallace said. “The verification tool would analyze historical information about a person’s locations and major, recent anomalies would raise the person’s risk score.”

Wallace did not say which private company is developing the tech with DISA funding, but the unnamed company is supposed to hand over 75 or so prototypes to DISA in the fall. After working out the bugs, “major companies will begin embedding the necessary tools inside the computer chips that power smartphones.”

The point of the project is to allow the Pentagon to move away from using common access cards to verify identity. Unlike common access cards, the new hardware tool “will be able to continuously gather and verify that identifying information.”

Although gait recognition is a biometric identifier, the verification tool won’t include the usual biometric suspects such as fingerprints or iris scans because “existing commercial applications of biometric information are too easy to spoof.” If that changes, then the Pentagon may allow common biometric data in the tool.

Wallace opted not to say which smartphone and chipmakers will participate in the project, yet he did suggest the capability will be available “in the vast majority of mobile devices” within two years. While it will be up to organizations to decide whether or not to use this new form of identity verification, Wallace said, “We foresee it being used quite widely.”

What happens when hand pressure and gait change?

Barring hand or wrist injuries that could result in a change to hand pressure and wrist tension when holding a phone, I’m curious how much “risk” will be assigned to changes in a person’s normal grip on their phone. Maybe hands-free and/or speaker phone would be the way to go if the call involves stress or aggravation? I don’t know about you, but sometimes I want to throw the phone after being on hold for a very long time and continuing to hear, “Your call is very important to us. All representatives are currently busy. Please stay on the line and your call will be answered in the order it was received.”

Gait too can change if a person is injured or ill, which could change the “risk score.” It will be interesting to learn what all unique identifiers will be harvested and analyzed and then to see if security researchers can blow holes in this new identity verification plan.
