How All-Knowing Smartphones Could Become the Pentagon’s Employee Access Cards

Andrey Suslov/Shutterstock.com

An algorithm will track how employees use their phones, how they walk and even where they go to constantly verify users’ identity.

A New York-based company and the Defense Department have created an artificial intelligence algorithm to be embedded in smartphones that knows the device owner so well it can tell its user by the way they talk, type and even walk.

TWOSENSE.AI has been working with the department to build a software-as-a-service product to replace the common access card, used to verify defense employees’ identities when logging in to the department’s networks, the company said in a release issued Thursday.

Using constant monitoring of the user’s behavior—including how they walk, carry the device, type and navigate on it and even how they commute to work and spend their free time—and the system will automatically and continuously verify the user’s identity, enabling them to seamlessly work on secure networks without having to plug in a card each time.

As the system tracks these metrics, it continuously updates a trust score based on the level of confidence the algorithm has that the correct person is using the device.

The score “is checked to ensure it meets the desired threshold,” Jeremy Corey, chief of the Defense Information Systems Agency’s Cyber Innovation Division, said at the AFCEA Defense Cyber Operations Symposium in May. “This threshold is predetermined by the organization we are piloting our prototype with. This could be configured by the application owner, so long as it is within the authorizing official's accepted level of risk.”

DISA awarded the $2.4 million contract in October through the Army’s other transaction authority, which allows certain agencies to sign contracts for advanced research without abiding by the Federal Acquisition Regulation.

“Both DISA and TWOSENSE.AI believe that continuous authentication is the cornerstone of securing identity,” said Dr. Dawud Gordon, CEO of TWOSENSE.AI. “Behavior-based authentication is invisible to the user, therefore it can be used continuously without creating any extra work.”

Last year, Steve Wallace, a technical director at DISA, told Nextgov the vendor would deliver some 75 prototypes. Once the testing phases are finished, the technology will be embedded in certain smartphones at the manufacturing level before being acquired by the Defense Department, Wallace said.

Wallace declined last year to name the vendor or smartphones being used. However, the announcement Thursday from TWOSENSE.AI notes the project is working through “existing partnerships” between DISA, Qualcomm and Samsung.

The National Institute of Standards and Technology is also working on a similar solution to identity verification for civilian agencies, Nextgov reported in November.