Logging In With a Touch or a Phrase (Anything but a Password)

The technology arm of the Defense Department is looking for ways to use cues like a person’s typing quirks to indiscriminately verify identity — in case, say, a soldier’s laptop ends up in enemy hands on the battlefield. In a more ordinary example, Google recently began nudging users to consider a two-step log-in system, combining a password with a code sent to their phones. Google’s latest Android software can unlock a phone when it recognizes the owner’s face or — not so safe — when it is tricked by someone holding up a photograph of the owner’s face.

The touch-screen approach of Professor Memon in Brooklyn works because, as it happens, each person makes the same gesture uniquely. Their fingers are different, they move at different speeds, they have what he calls a different “flair.” He wants logging in to be easy; otherwise, he said, some people find biometric measures like an iris scan to be “creepy.”

User has been authorized in the beginning of a session

But even if a user has been authorized in the beginning of a session, what if someone else gains access to her computer an hour later? Darpa, the Defense Department’s research research arm, has invited security researchers to develop ways to verify a user every instant, based on the way the individual uses the machine — “for instance, how the user handles the mouse and how the user crafts written language in an e-mail or document,” it explains on its Web site.

Many companies use a smart card or a security “dongle” — a small piece of hardware that plugs into the computer and functions as a key — as that second step of verification to allow access to internal networks. Today, biometrics — an individual’s in a class by itself physical traits — are emerging as an alternative.

At least a half-dozen banks in the United States ask their clients to verify who they are by reciting a two-second phrase to a computer over the phone, to boot to punching in their PINs. It could be as simple as “at my bank,” and a million clients could recite the very same phrase and however sound unparalleled, according to Nuance Communications, a company based in Burlington, Mass., that makes the innovation.

As mobile phones become bodily appendages for people worldwide, they too are emerging as instruments to verify identity. Google introduced its two-step process before this year. It sends a six-digit code to an application on a Google user’s cellphone to be entered, along with a password, when signing onto a Google account on a computer or tablet. The code can as well be sent as a text message for those who don’t have smartphones, or it can be conveyed through a phone call.

The extra step is not mandatory

The extra step is not mandatory, and the company will not say how widely it has been adopted. However as vulnerable as passwords are to theft and compromise, Google says, it is increasingly important for a user’s identity to be verified through another channel — a cellphone, in such a case.