DOD Tests Replacement for CAC Card

Plurilock's behavior-based authentication technology could help the Pentagon build a digital fingerprint for users of its IT systems.

Former Defense Department CIO Terry Halvorsen heralded the end of the Common Access Card more than a year ago, and testing of new ways for DOD personnel to access IT systems began about six months ago. In late June, one of the companies that might provide more flexible authentication methods announced it is working with an arm of the DOD to test its technology.

Plurilock Security Solutions, an artificial intelligence authentication technology company based in Victoria, British Columbia, said it is working with the Pentagon’s Defense Innovation Unit Experimental (DIUx), to test its BioTracker technology.

DiUX, which identifies emerging commercial technologies for the DOD and helps speed their adoption, “is evaluating Plurilock’s technology as part of its effort to overhaul current authentication methods that rely on passwords and the common access card and build an integrated family of authenticators,” GCN reports.

Plurilock focuses on behavior-based authentication methods.  Federal News Radio reports:

The company claims that after spending about 20 minutes monitoring and analyzing the specific patterns people engage in when using their computers — particularly their habits when pressing keys on their keyboards and their mouse movement techniques — its software can build a reliable digital fingerprint for any user that can be used later on to sound an alarm when an impostor is logged onto a system using someone else’s credentials.  

Plurilock CEO Ian Paterson told Federal News Radio that the test deployment that has just started at one of DOD’s combat support agencies “will monitor users’ behavior only after they’ve logged into a computer by some other means. If the system detects something unusual, it can be configured to do a number of things, from delivering immediate alerts to security administrators, to locking the user’s terminal, to simply asking a user to authenticate themselves again.”

Depending on how users “re-authenticate,” the systems “can take a series of steps that rely on other factors to provide higher degrees of identity assurance.” 

Jul 06 2017