Artificial intelligence (AI) seems almost tailor-made for automating mundane office tasks and identifying seizure types, but it might be equally well-suited to security — including biometric security. That’s what startup TwoSense is banking on, and it’s got a government contract to show for it.
The Brooklyn, New York-based company, which was cofounded by Dawud Gordon, John Tanios, and Ulf Blanke in 2014 and has raised $850,000 to date, today announced that it was awarded a $2.42 million contract in October 2018 by the U.S. Department of Defense’s (DoD) Defense Information Systems Agency (DISA). While the particulars remain under wraps, TwoSense revealed that the project is aimed at replacing the DoD’s physical ID cards — the Common Access Card (CAC) — with both traditional and AI-driven biometric authentication, as part of DISA’s wide-ranging Assured Identity Initiative.
“Both DISA and TwoSense believe that continuous authentication is the cornerstone of securing identity,” said Gordon, who serves as CEO. “Behavior-based authentication is invisible to the user; therefore, it can be used continuously without creating any extra work.”
TwoSense’s productized AI can authenticate a person from their movements, interactions, and mannerisms, as measured through both smartphones and workstation PCs. (One of the techniques in its system-as-a-service arsenal is ballistocardiography, which graphically represents the muscle movements caused by blood as it’s ejected into vessels by the heart.) TwoSense’s systems also take into account gait, in addition to things like on-body phone location, hand pressure, proximity, and typing cadence.
Machine learning algorithms running in TwoSense’s cloud learn the behavior of each user — how they walk, interact with their phones, commute to work, and (a bit creepily) where they spend their time. It’s sort of like Google’s On-Body Detection, an Android feature that prevents a phone’s lock function from activating when it’s on-person or in-hand — albeit more sophisticated.
A few employees might object to that granularity of observation. But from employers’ perspective, says TwoSense, it’s an attractive alternative to PINs, passwords, and SMS-based forms of two-factor authentication. The company’s biometric approach is continuous, shrinking hackers’ windows of opportunity and eliminating attack vectors. And employees, for their part, are spared the inconvenience of having to fish for an ID card or check their phone for texted two-factor codes — in exchange for a bit of privacy, of course.
TwoSense has a point. Security experts have pointed to weaknesses in SMS-based 2FA, citing the risk of interception by attackers who manage to spoof phone numbers. It’s one of the reasons 28 percent of people have never used two-factor authentication on any device or service, according to a Sophos survey — which is really worrisome, considering that three out of four people use duplicate passwords and 21 percent of people use codes that are over 10 years old.
To be clear, behavioral biometric authentication isn’t a new idea. Startups like Israel-based BioCatch, which recently raised $30 million, and Simility, which was acquired by PayPal in June, leverage AI and hundreds of parameters — such as the way a user moves their cursor and holds their phone — to build a profile for what constitutes “normal” behavior, and subsequently to perform authentication and catch fraudsters in the act.
But TwoSense is betting its particular solution will hasten DISA’s move away from other authentication solutions, like Purebred, a prototypical platform that relies on DoD mobile devices to provide one-time passwords. Last year, the agency said it was piloting AI-driven mobile and desktop systems that, like TwoSense, can identify users by behavioral features such as gait, and prevent and respond to the misuse of credentials.
“Keeping our overall objective in mind, we know that CAC as a form factor doesn’t perform well in the mobile environment,” Jeremy Corey, chief of the agency’s Cyber Innovation Division, said during a presentation at the 2018 Armed Forces Communications and Electronics Association’s Defensive Cyber Operations Symposium in Baltimore last May. “We want to ensure that we retain the equivalent assurances of the secure elements that are on the card as we begin to potentially use mobile devices for authentication and access. We aim to achieve sufficient authentication assurance to facilitate a single platform for use in day-to-day operations, and potentially provide a capability to utilize one device for multiple networks.”