Pentagon testing technology that could let your phone recognize you based on how you move or walk
By JOSEPH MARKS | The Washington Post | Published: February 26, 2019
Within 18 months, your phone may be able to identify you based on the gait of your walk, the tension in your hand or the way your thumb moves across the touch screen.
That's the Pentagon's plan: It's in the final phase of testing technology that will reduce smartphone users' reliance on difficult-to-remember passwords or an endless stream of text message verification codes, an official said.
It's working with computer chipmakers and smartphone developers to make the technology commercially available as early as 2020, said Steven Wallace, a systems innovation scientist at the Pentagon's Defense Information Systems Agency, or DISA. It's currently testing the system on 50 phones at the Defense Department.
"Our goal from the very start was not to have something that was focused solely on the DOD," Wallace said. "Our focus from the start was something usable at the commercial level."
Tech companies haven't made any firm commitments to adopt the identification system but appear eager to integrate the technology into smartphones within the next year or two, Wallace said.
He declined to name the companies DISA is working with but said if all goes well, the technology "will be available in the majority of handsets" in the United States.
The technology would offer an extra layer of security for smartphone users by ensuring that a thief — or someone who, say, picks up a phone left on a subway seat or park bench — doesn't get access to all the personal and professional information stored inside the device, Wallace said. If stolen phones are inoperable, there's less of a market for them. And more broadly, if consumer devices are better protected, national security improves: It gets tougher for hackers to steal information and intellectual property.
But the Pentagon's motivation is not just about securing consumers: If the tool is commercially available, the Pentagon can get the extra protection without paying an arm and a leg for specialized devices that only highly secured industries are using. In the past, Wallace said, the Pentagon has built super-secure smartphones but they've been too costly to deploy to anyone but a handful of top officials — costing more than $4,500 per unit.
Once the technology is fully vetted, DOD plans to use the technology for general purpose smartphones but not ones that access classified information, he said.
Wallace hopes the cutting-edge identity verification system will be like the Global Positioning System and the Internet itself — in that they are all tools that were initially developed for military use but ended up benefiting society at large.
"I'm not going to say that we're going to create something that's as broad and as grand as GPS or the Internet, but there's a history of the department working on things and those things ending up in consumer devices," Wallace told me.
Similar technology is being used to verify the identities of some employees in highly regulated industries, such as financial services and health care, but it isn't deployed commercially, Dawud Gordon, CEO of the company TwoSense, which is working on a separate but related DISA project, told me. Those industry tools build the sensing technology into software rather than into the smartphone's hardware, Gordon told me.
The DISA project relies on sensors that already exist inside smartphone computer chips and are used by gaming apps but not generally for security, Wallace told me.
DISA is working with a contractor to use those sensors to create a unique profile for how each smartphone user does various things, he said — including walking with the phone, typing on it and pulling it out of her pocket or purse. DISA then creates a "risk score" for the user that includes a weighted combination of all those factors, he said. If this score drops too low the person will be locked out of the phone.
If a person is locked out in error, she could regain access using a more standard log in, such as a password, Wallace told me.
Just because the capability exists in the phone's hardware doesn't mean people would have to use it to verify their identities, Wallace said. The smartphone provider could offer it as an option or organizations could use it to ensure employees don't leave unsecured devices in cabs or restaurants.
Because the sensors are on the phone's hardware, the information they collect won't be available to phone apps or other third parties, Wallace said, reducing privacy concerns. The only information that should leave the hardware side is when the phone user's risk score drops too low and she's locked out, he said.
Testing on DOD devices is expected to be finished within two months.