June 15, 2015

You are what you do - Identification based on behavior

I have been thinking about the desire for a password-less society. When it boils down to it, there are a few major categories of password security.

1. You need something physical that only the owner would possess.
2. You need some sort of knowledge that only the owner would possess.

We are familiar with the first and the second. The first can be a simple lock and key; the second, a username and password.

The third, less common and much more difficult to achieve, is the password that isn’t a password: something that can verify that you are “acting” or doing something the same way the authenticated party would. There are movies that use a voice recording and match the voice signature against the authenticated party’s known voice. I’ve read articles about detecting a distinct electrical signature that the owner gives off, unique to himself. I’ve also heard of individual keystroke patterns being used much like handwriting recognition.

I had written about an idea for a system that learned what websites you visited, your purchase history, radio history, Netflix history and so on, essentially giving it as much data as possible, all to train a model that authenticates you with predictive algorithms.

I like this idea, but it’s really complicated and will require significantly sophisticated models.

One additional factor that has not been mentioned is whether the authentication is occurring according to the account holder’s will or against it. If an account owner is held at gunpoint, or is in some other situation that threatens their life or that of a loved one, they may give up credentials to access the sensitive information. For some things that is obviously okay and the “smart” thing to do. For other things, like matters of national security, some may say that giving that information up is so damaging that they would not want to divulge it even when their life is being threatened.

It is an unfortunate but real situation that certain types of data may face. A security mechanism would be ideal if it could prevent the account owner from authenticating even if they have “given up” and are trying to save their life. The data must not be compromised no matter what, and a safeguard must be in place.

We can use the human factor to add additional layers of security: biometric data such as heart rate, the account holder’s posture, their walking gait, their speech patterns and their hand gestures. All of these characteristics can be used to identify anxious and unusual behavior. If we are dealing with a case of torture, there will certainly be telltale signs.

This is obviously an extreme yet real case, one that I used to help illustrate a point. In extreme scenarios even the best-trained soldiers will react under pressure. I think that with a well-calibrated “mechanism” using a multitude of sensor data, a baseline can be established to identify a user. This could not only identify the user but also identify certain behaviors, moods and reactions of the user.

Let’s take facial recognition. Using a few dozen positions on the user’s face and measuring the distances and locations of certain parts of the face can yield a very accurate model for identifying that individual in the future.

Now take that same facial recognition while the user is watching a comedy and then a tear-jerking movie. We can establish a baseline for each individual emotional response we want to associate. Using heart rate, hand gestures and the like, once the model is well trained, a few quick images could instantly reveal who the user is.

With tools like Kinect and Leap Motion, plus things like infrared and close-up images of the pupil and the face, a great deal of information can be used to identify a user.

Imagine if you could watch a movie and, the next time you do, I could predict how you will react at each frame with a percent of certainty.

I am not suggesting that we understand merely the psyche of the user, but more about their innate responses and tendencies…these are not things that can easily be broken.

At a minimum, one thing we can take from this is the ability to add in the “scared” factor, or rather unusual behavior, and with it we can protect many things. I want to use this both to identify you and to recognize when I know it is you but you aren’t acting like yourself. Obviously certain traits will be more dominant than others.

We can treat this as just a layer on top of a standard multi-factor system, one that incorporates tests to help verify that the account holder is not under duress.
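A minimal sketch of that extra layer, added here as an illustration and not code from the original post: a per-user baseline is built from calm enrollment sessions, then each new reading is scored separately for "is this the owner?" and "is the owner acting like themselves?". The feature names, the z-score limits and all sample values are constructed assumptions.

```python
from statistics import mean, stdev

# Assumed split: traits say who you are, state says how you are acting.
IDENTITY = ("key_dwell_ms", "stride_cm", "eye_nose_ratio")
STATE = ("heart_bpm", "speech_wpm")
FEATURES = IDENTITY + STATE

def enroll(sessions):
    """Per-feature (mean, stdev) baseline from calm enrollment sessions."""
    rows = [dict(zip(FEATURES, s)) for s in sessions]
    return {f: (mean(r[f] for r in rows), stdev(r[f] for r in rows))
            for f in FEATURES}

def deviation(baseline, sample, features):
    """Largest absolute z-score of the sample over the given features."""
    return max(abs(sample[f] - baseline[f][0]) / baseline[f][1]
               for f in features)

def decide(baseline, reading, id_limit=3.0, state_limit=3.0):
    """Classify one reading as 'deny', 'duress' or 'allow'."""
    sample = dict(zip(FEATURES, reading))
    if deviation(baseline, sample, IDENTITY) > id_limit:
        return "deny"    # traits do not match the account holder
    if deviation(baseline, sample, STATE) > state_limit:
        return "duress"  # right person, but not acting like themselves
    return "allow"

# Constructed enrollment sessions for one hypothetical user, in FEATURES order.
ENROLLMENT = [
    (95, 72, 1.42, 64, 150),
    (100, 74, 1.40, 68, 155),
    (105, 70, 1.44, 66, 145),
    (98, 73, 1.41, 62, 152),
    (102, 71, 1.43, 70, 148),
]
BASELINE = enroll(ENROLLMENT)

# Constructed readings: calm owner, owner under stress, someone else.
CALM = (101, 72, 1.42, 67, 151)
STRESSED = (103, 71, 1.43, 110, 190)
STRANGER = (140, 80, 1.30, 66, 150)

if __name__ == "__main__":
    for name, reading in (("calm", CALM), ("stressed", STRESSED), ("stranger", STRANGER)):
        print(name, decide(BASELINE, reading))
```

A "duress" result is the case where the other factors would have passed, so the surrounding multi-factor system decides what the safeguard does with it.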

The other, completely different application for this is convenience and AI facilitators. If we can get the pattern down to identify an account holder and then detect variances in their behavior, we can trigger different things in response. This goes well beyond security and much more into the realm of IoT and automation, but let’s explore it.

You come home and you walk in. Of course your car has pulled up and your home already knows that you are approaching with your Wi-Fi-connected phone. You are emitting your MAC address and a public key, alerting your house that you are approaching. Your door is unlocked automatically with NFC, but really, Wi-Fi with a unique signature ID can trigger that as well. You walk in and your home is already lit to your specifications, and the temperature is set as well. Nest helps with some of this, as does detecting ambient light in conjunction with the room and the individuals involved. Depending on the activities, different illumination settings can be triggered. When a “reading” action is triggered, the lighting should accommodate your preference. Okay…I’m leading up to it…now when you get to your computer it is unlocked because you are using it. My vision of the ultimate in security and convenience is really one solution: tracking your behavior, your adjustments, your actions, your reactions, and learning from them to better identify you and make your life more secure.

Your house knows it is you because it knows your stride, your face, your smile, and the way you hum. All of these sorts of things that your girlfriend may pick up on can be incorporated into the ultimate system, which helps to “get to know you to protect you”.