Police Tech & Gear
with Tim Dees
How to use speech for your dual-authentication login
Two-factor authentication soon required for access to criminal information databases
Few cops get through their workday without accessing a computer, either in their car, at the office, or even on a tablet or smartphone. The databases available through these instruments is invaluable, but it also has to be protected with passwords and other safeguards. At some future date, your password may be supplemented by scanning your face, or your voice.
Information technology (IT) professionals in law enforcement agencies have an especially difficult job. They guard access to highly sensitive information that many people in the private sector would like to get, and who will go to considerable trouble to access if there is some way to do it. The legitimate users of this information are the working cops. Cops understand the need for security, but they tend to be highly lax about it when it interferes with their personal convenience. Locked doors get propped open; guns are dropped into unlocked desk drawers while their owner is working inside the station.
Password-related Security Gaps
Cops are similarly careless about passwords. When the Arizona Department of Public Safety internal network was penetrated by invaders and its contents published to the world, it was revealed that many of the network passwords were easily-guessed variants of the users’ badge numbers, duty stations, or character strings like “12345” or “qwerty.”
If the IT manager forces the users to use complex, random passwords, they will write them down on desk blotters or Post-It notes next to their computers — cops can sometimes be their own worst enemies when it comes to computer security.
For this reason and others, the U.S. Department of Justice will soon require two-factor authentication on computers that have access to criminal history information.
One-factor authentication is what we have now — a password, a card key, a flash drive, some token that admits you to the restricted information.
Two-factor authentication is “something you know, plus something you have.” The “know” portion is a password, typically, but the “have” portion can be that flash drive or card key, or your face or voice.
Off-the-shelf Biometric Technologies
One vendor currently in talks with some major public safety computer hardware providers is KeyLemon, which has as its core business facial and voice recognition technologies.
Biometric authentication tokens have a big advantage over RFID chips, NFC transponders, card keys, or flash drives: you can’t lose them. You can misplace or have stolen any piece of hardware your agency gives you to access your computer, but you’ll always have your face or your voice with you.
Up until relatively recently, face and voice recognition systems were anything but foolproof. Some face recognition systems could be fooled by showing the camera a photo of the person with the enrolled face. Spy movies have long used the trope of recording the voice of their victim in a narrative that included all the words they needed to access the secret vault, but mixed in with other words. The spy then edits and rearranges the recording to get the passphrase he wants, and plays it for the unsuspecting computer.
KeyLemon’s technology works with the cameras and microphones built in to most current laptop computers, normally used for Skype and video-conferencing. Users “enroll” in the system by having the camera record a series of still photos (the process is similar to recording video) and reading from a short script into the microphone. During subsequent authentications, the system monitors for blinking and slight movement that a photo can’t reproduce.
Patrol cars often operate in high-noise environments, and in all lighting conditions. This poses a challenge for this type of technology, as the software has to recognize a face or a voice that may be presented in a very different context than when it was enrolled.
Anthony Gioeli of KeyLemon is confident they can overcome that disadvantage, saying “KeyLemon’s face recognition algorithms were developed to compensate for the difficult background conditions encountered in patrol vehicles, potentially enhancing officer safety by helping to keep their hands free and attention undivided even in the most dynamic environments.”
When the user goes to access the computer protected with KeyLemon’s software, he is prompted to look into the camera or speak a phrase three to five seconds long into the microphone, plus enter a user name and password.
The system can run as a stand-alone application, resident on the user’s computer, or in a client-server configuration, which requires a data connection from the user’s computer to the server. Which of these any agency will use will depend on how their network is set up and whether a data connection is available.
The system is available for purchase or lease. If purchased, pricing will be in the neighborhood of $50 to $60 per device. Leasing will require the client-server configuration, and will run around $1 per user per month. KeyLemon says that some computer vendors may offer their software as a pre-installed option, ready to go when the computer arrives at the agency that purchased it.