Security Science

Passthoughts, Not Passwords: Authentication Via Brainwaves

Posted by samzenpus
from the get-your-thinking-straight dept.
CowboyRobot writes "A new study by researchers from the U.C. Berkeley School of Information examined the brainwave signals of individuals performing specific actions to see if they can be consistently matched to the right individual. To measure the subjects' brainwaves, the team utilized the NeuroSky Mindset, a Bluetooth headset that records Electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99% accuracy (pdf). 'We are not trying to trace back from a brainwave signal to a specific person,' explains Prof. John Chuang, who led the team. 'That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought.'"
This discussion has been archived. No new comments can be posted.

  • by jbmartin6 (1232050) on Monday April 15, 2013 @08:56AM (#43451175)
    Great, now anyone walking by can lock out my account with failed auth attempts
    • by ByOhTek (1181381) on Monday April 15, 2013 @09:01AM (#43451209) Journal
      I'm more worried about them realizing I'm not human, from my brain waves. I don't want to go back to my homeworld! Also, how much testing did they do to ensure there aren't issues with emotional state or distraction? If I had a family even and was stuck listening to Beyonce or Katy Perry thanks to my sister's atrocious taste in "music"... Is having that crap stuck in my head going to prevent a login?
      • by Chrisq (894406)

        I'm more worried about them realizing I'm not human, from my brain waves. I don't want to go back to my homeworld!

        Ask the captain for the brainwave spoofing kit

      • ah, you've finally arrived, it was getting lonely here among the natives
        isn't this something like sending data over a wi-fi without passing it through an encrypted 'tunnel' so anyone in the vicinity with a homemade model built on schematics from when it was hacked about one day after release could just record the signal and gain instant access just as well?
    • by Anonymous Coward

      On the plus side, this method prevents drunk dialing/texting with no additional work - unlocking your phone with all them boozy thoughts will be impossible.

      • by skids (119237)

        The big plus side of this is that when Hans Gruber wants to get access to your system, he has to keep you alive, rather than cut off your hand and/or eyeball.

      • by Dunbal (464142) *
        Unless your pass-thought was created while you were drunk, too. In which case the challenge will be exactly how many drinks did you have. Failed attempt - have another drink!
  • Never Work (Score:4, Funny)

    by Greyfox (87712) on Monday April 15, 2013 @08:56AM (#43451177) Homepage Journal
    I'm afraid that wouldn't work for several of my past managers. Heey-oh!
  • by dclozier (1002772) on Monday April 15, 2013 @08:58AM (#43451189)
    I'll tell you what to think!
    http://xkcd.com/538/ [xkcd.com] ;)
  • by Anonymous Coward

    thoughtcrime is coming

  • by Shavano (2541114) on Monday April 15, 2013 @08:59AM (#43451199)

    "I thought my passthought. But maybe I didn't think it the right way. Let me try again..."

    Just what we need, an even more complicated and harder to use apparatus with a reduced probability of correctly identifying the right user.

    Since when is "works correctly 99% of the time" good enough for an authentication system?

    • by ByOhTek (1181381) on Monday April 15, 2013 @09:16AM (#43451339) Journal

      Since when is "works correctly 99% of the time" good enough for an authentication system?

      And how often do you mistype your password? I doubt many get their password right even 90% of the time unless they have rather bad passwords.

      Also, there's false positive vs. false negative. False negatives aren't so bad (especially at 1%, when retries are possible). False positives are what are really of concern.

      • by Immerman (2627577) on Monday April 15, 2013 @11:18AM (#43452327)

        Indeed, though a 1% false-positive rate would still make for a really lousy attack vector for anyone with serious intent - you're unlikely to get past it for the first time when it matters, and unlike a password which stays compromised until changed which allows a leisurely preparatory attack, slipping through on a false positive probably won't reliably let you through a second time when it counts. Not something you'd want as the only layer of defense protecting your top secret documents, but a significant improvement over passwords. A huge advantage for most applications would be that it makes the security system immune to attack via social engineering, probably the single most successful attack vector in the world, as well as "security degradation by convenience" where people share around passwords for accounts with access to resources that are supposed to be restricted.

        Might also be very viable as part of a multi-factor authentication system, the pass-thought is already a two-factor system (thought + brain), adding a third factor with higher reliability would likely push the security beyond almost everything currently in use.

    • by jouassou (1854178) on Monday April 15, 2013 @09:23AM (#43451385) Homepage

      Since when is "works correctly 99% of the time" good enough for an authentication system?

      It isn't. But it is an interesting proof-of-concept, which shows that using passthoughts as identification is actually possible.

      One interesting thought would be to combine passthoughts with other authentication technologies. Imagine walking up to a door that first performs face recognition and retina scans to determine who you appear to be. The system then accesses a database of passphrases associated with your user, displays a random one on a screen, and asks you to read it out loud. The system then uses a combination of voice recognition and brainwave scans to check if you're really who you appear to be.

      Although all these technologies currently have suboptimal success rates, they might yield good security if you combine them.

    • by David_Hart (1184661) on Monday April 15, 2013 @09:41AM (#43451487)

      "I thought my passthought. But maybe I didn't think it the right way. Let me try again..."

      Just what we need, an even more complicated and harder to use apparatus with a reduced probability of correctly identifying the right user.

      Since when is "works correctly 99% of the time" good enough for an authentication system?

      And what happens to the success rate if your brain chemistry and/or thought patterns change?

      We know that changes take place in the brain during puberty, pregnancy, when in love, stress, medical conditions, etc. I'm curious if their testing included these scenarios. Granted, it would prevent drive-by tweeting if people would have to calm down before they could login... (grin)

      • by gnapster (1401889)

        Granted, it would prevent drive-by tweeting if people would have to calm down before they could login... (grin)

        I plan to set my passthought while browsing Reddit, so the only tweets I can send are drive-byes.

      • by Kongming (448396)
        I don't think that would be a concern, on account of the fact that they are probably relying mainly upon information that is not really "brain waves".

        The headset supposedly uses both EEG (brain waves) and EMG (electrical activity from muscle firing). However, measuring the electrical activity of neurons (very small and very weak) with any kind of specificity by using electrodes placed on the other side of the skull and other protective tissue is... let us just call it "nontrivial". EMG signals are much st
      • by Shavano (2541114)

        "I thought my passthought. But maybe I didn't think it the right way. Let me try again..."

        Just what we need, an even more complicated and harder to use apparatus with a reduced probability of correctly identifying the right user.

        Since when is "works correctly 99% of the time" good enough for an authentication system?

        And what happens to the success rate if your brain chemistry and/or thought patterns change?

        We know that changes take place in the brain during puberty, pregnancy, when in love, stress, medical conditions, etc. I'm curious if their testing included these scenarios. Granted, it would prevent drive-by tweeting if people would have to calm down before they could login... (grin)

        Or when your frustration level continually elevates due to repeated authentication failures.

  • So first we had passwords. Then they invented fingerprint readers so now everyone can log in with either a fingerprint or a password as a backup in case the fingerprint reader doesn't work. Obviously 2 ways of getting into a system is MUCH more secure. Same here. I bet this will be backed by a password.
    • Furthermore, it requires an "action" to be performed. I hope that action is convenient to do in public, and quick.

      However, I suppose this is the first step of "reading" data from the brain. By collecting enough data, we may actually understand individuals (hint for Google). If we actually can understand living things by brainwave, it can replace passwords as a way to recognize people (I suppose this is how we "know" others by understanding their ways of doing things).

      • by gnapster (1401889)
        This reminds me of the film Minority Report; retinas at-a-distance are quick and convenient in public. One of the concerns about eyeballs and fingers is that if someone wants to impersonate me, the way to do it is to forcibly take them. (xkcd #538 with knives, not wrenches.) Am I safe with brainwaves? Does that de-escalate it from knife back down to wrench?
        • by Immerman (2627577)

          Even better - it's something that can't be taken (knife-proof) and also can't be given (resistant to rubber hoses, social engineering, and lax security practices). Since it depends on the way *your* brain manifests the thought, you personally have to be present in order to get past the system, which complicates many attack scenarios. And all in all I'd rather be kidnapped than have an eye/finger/etc stolen, if anything I suspect my chances of survival are moderately better, not to mention I come out of th

          • That depends. On the one hand, if you're kidnapped, your brain might react differently under duress and the system would reject your logon attempt (and hopefully the kidnappers know that!). On the other hand, somewhere in the authentication chain, your brain waves are converted into electronic signals and at that point they could be "skimmed" and replayed, so it doesn't replace 2 factor authentication.
            • by Immerman (2627577)

              >skimmed and replayed
              That completely depends on physical security of the input device. Trying to "replay" a brain pattern into something designed to read it directly from a brain will likely be at least as difficult as tricking any other biometric device, but certainly if you can bypass the scanner by using your own replay device it should be easy enough, which goes the same for any biometric scanner - a fake retinal scanner is no doubt likewise much easier to make than a fake eye.

  • by Anonymous Coward

    What if you make a happy thought of your girlfriend and then break up with her? You can't form that joyful thought anymore, can you still unlock it afterwards?

  • by Rob Riggs (6418) on Monday April 15, 2013 @09:12AM (#43451313) Homepage Journal

    Helpdesk,

    I need help logging in. I have a migraine and can't get my passthought right. Can you send up two aspirin tablets?

    Thanks

  • by mwvdlee (775178) on Monday April 15, 2013 @09:14AM (#43451321) Homepage

    So now every time I want to gain access I have to think the same thing I thought when I first entered the passthought.
    "Okay, no thinking of naked girls now, anything but naked girls. Betty White! Yes, Betty White completely dressed, dressed in sexy lingerie... oh god, not that either, that's horri*".
    "thank you, passthought recorded".

    • by russotto (537200)

      The only way to block out bad Betty White images is with good Betty White images. [uab.edu]

    • by Culture20 (968837)
      Yes, but they can't figure out what you were thinking, only the pattern it creates for the brain scan. It's like a salted and hashed passphrase from the perspective of the brain scanner. You could even tell someone else what to think, but the hashing algorithm (your physical brain) is an extra secret they can't replicate. ..for the time being.
  • It would appear that the use-case for this technology is as an authentication system for access to financial institutions or accounts since it was presented at a conference on Financial Cryptography and Data Security. TFA points out that
    The team's findings were presented at the 17th International Conference on Financial Cryptography and Data Security in Japan this week. In a paper, the team argues that the embedding of EEG sensors in wireless headsets and other consumer electronics makes authenticating u
  • by PPH (736903) on Monday April 15, 2013 @09:20AM (#43451371)

    Please try another thought password. "Tits" is not sufficiently secure.

  • by drachenfyre (550754) on Monday April 15, 2013 @09:34AM (#43451453) Homepage

    So now everyone who watches Doctor Who will set their passwords to "Crimson, Eleven, Delight, Petrichor".

    At least it'll be easy to get into my wife's computer.....

  • "My brain is my password. Verify me".

    OTOH... Since that can't be recorded on a tape, it gets kinda messy.

  • by arielCo (995647) on Monday April 15, 2013 @09:56AM (#43451581)

    Who thought up this? Mordac the Preventer of Information Services?

    Concentrate on a new passthought ...

    Don't kill the Security guy. Don't kill the security guy.

    Error: You cannot use any of your last 3 passthoughts.
    Error: Your passthought is too common.

    GRAAAAH!!

    Error: Your passthought is too common.

  • Crimson Eleven Delight Petrichor
  • by degeneratemonkey (1405019) on Monday April 15, 2013 @10:03AM (#43451629)
    It would be interesting to see the results of an experiment which brings the same subjects back in 5 or 10 years and asks them to think the same passthoughts. I highly doubt as much accuracy would be observed.

    This is however an easy problem to solve: just change your passthought every few months.
  • Another cool toy that will input your NTLM password for you....
  • Unless it works with migraines, cluster headaches, stress, anxiety, depression/grief, happiness, exhaustion, pain, and a slew of other conditions that affect brainwave patterns (heck, even caffeine can throw off brainwave patterns) this is too error prone to be reliably used.

  • ..to think in Russian....at least if unlocking Firefox.
  • Apple's shares plummeted 14% in after hours trading today as the company continues to battle their network security problems. Details are still forthcoming, but it appears their main campus is still closed, with the employees milling about in the parking lot. It is believed to be related to their roll-out of a new Electroencephalographic (EEG) based security system. One anonymous executive said, "Ya, looks like the 'think different' campaign really backfired."
  • No more drug tests!

    "Bob can't log in, must be high again..."

  • One title comes to mind, Brian Falkner's Brain Jack......
  • I see a lot of people talking about thinking a word. That's so 1965.

    Instead, you'd remember what your house looks like. Or think about the time your kid said something cute. Or imagine an impossible spring that actually becomes less resistant as you apply pressure.

    Something like that, not "Durr, 'BoogieMan2008!'".
