He declined to name the companies DISA is working with but said if all goes well, the technology "will be available in the majority of handsets" in the United States.
The technology would offer an extra layer of security for smartphone users by ensuring that a thief - or someone who, say, picks up a phone left on a subway seat or park bench - doesn't get access to all the personal and professional information stored inside the device, Wallace said. If stolen phones are inoperable, there's less of a market for them. And more broadly, if consumer devices are better protected, national security improves: It gets tougher for hackers to steal information and intellectual property.
But the Pentagon's motivation is not just about securing consumers: If the tool is commercially available, the Pentagon can get the extra protection without paying an arm and a leg for specialized devices that only highly secured industries are using. In the past, Wallace said, the Pentagon has built super-secure smartphones but they've been too costly to deploy to anyone but a handful of top officials - costing more than US$4,500 (NZ$6,500) per unit.
Once the technology is fully vetted, DoD plans to use the technology for general purpose smartphones but not ones that access classified information, he said.
Wallace hopes the cutting-edge identity verification system will be like the Global Positioning System and the Internet itself - in that they are all tools that were initially developed for military use but ended up benefiting society at large.
"I'm not going to say that we're going to create something that's as broad and as grand as GPS or the Internet, but there's a history of the department working on things and those things ending up in consumer devices," Wallace told me.
Similar technology is being used to verify the identities of some employees in highly regulated industries, such as financial services and health care, but it isn't deployed commercially, Dawud Gordon, CEO of the company TwoSense, which is working on a separate but related DISA project, told me. Those industry tools build the sensing technology into software rather than into the smartphone's hardware, Gordon told me.
The DISA project relies on sensors that already exist inside smartphone computer chips and are used by gaming apps but not generally for security, Wallace told me.
DISA is working with a contractor to use those sensors to create a unique profile for how each smartphone user does various things, he said - including walking with the phone, typing on it and pulling it out of her pocket or purse. DISA then creates a "risk score" for the user that includes a weighted combination of all those factors, he said. If this score drops too low the person will be locked out of the phone.
If a person is locked out in error, she could regain access using a more standard log in, such as a password, Wallace told me.
Just because the capability exists in the phone's hardware doesn't mean people would have to use it to verify their identities, Wallace said. The smartphone provider could offer it as an option or organizations could use it to ensure employees don't leave unsecured devices in cabs or restaurants.
Because the sensors are on the phone's hardware, the information they collect won't be available to phone apps or other third parties, Wallace said, reducing privacy concerns. The only information that should leave the hardware side is when the phone user's risk score drops too low and she's locked out, he said.
Testing on DOD devices is expected to be finished within two months.
- Washington Post