Passthoughts, Not Passwords: Authentication Via Brainwaves

CowboyRobot writes "A new study by researchers from the U.C. Berkeley School of Information examined the brainwave signals of individuals performing specific actions to see if they can be consistently matched to the right individual. To measure the subjects' brainwaves, the team utilized the NeuroSky Mindset, a Bluetooth headset that records Electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99% accuracy (pdf). 'We are not trying to trace back from a brainwave signal to a specific person,' explains Prof. John Chuang, who led the team. 'That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought.'"

Walk by lockouts

[jbmartin6]

Great, now anyone walking by can lock out my account with failed auth attempts

Re:Walk by lockouts

[ByOhTek]

I'm more worried about them realizing I'm not human, from my brain waves. I don't want to go back to my homeworld! Also, how much testing did they do to ensure there aren't issues with emotional state or distraction? If I had a family even and was stuck listening to Beyonce or Katy Perry thanks to my sister's atrocious taste in "music"... Is having that crap stuck in my head going to prevent a login?

Re:

[Chrisq]

I'm more worried about them realizing I'm not human, from my brain waves. I don't want to go back to my homeworld!

Ask the captain for the brainwave spoofing kit

Re:

[ByOhTek]

Captain? What captain! Shit, I need to hide!

Re:

[KingBenny]

ah, you've finally arrived, it was getting lonely here among the natives
isn't this something like sending data over a wi-fi without passing it through an encrypted 'tunnel' so anyone in the vicinity with a homemade model built on schematics from when it was hacked about one day after release could just record the signal and gain instant access just as well?

Re:

[Yakasha]

I'm more worried about them realizing I'm not human, from my brain waves.

Not your fault you were born a nigger. You still suck ass, but that's not your fault. Now go be a gangsta or get some welfare or abandon your kids to a single mother with a shitty attitude.

I don't want to go back to my homeworld!

Yes it is actually called the Third World. It is the very best blacks could do without being governed by whites. History proves it, just look at Haiti. Didn't go to shit until after control was handed to the darkies. Ah well. No welfare for you if you go there.

w
t
f

Gary Busey?

Re:

[Anonymous Coward]

On the plus side, this method prevents drunk dialing/texting with no additional work - unlocking your phone with all them boozy thoughts will be impossible.

Re:

[skids]

The big plus side of this is that when Hans Gruber wants to get access to your system, he has to keep you alive, rather than cut off your hand and/or eyeball.

Re:

[Dunbal]

Unless your pass-thought was created while you were drunk, too. In which case the challenge will be exactly how many drinks did you have. Failed attempt - have another drink!

Never Work

[Greyfox]

I'm afraid that wouldn't work for several of my past managers. Heey-oh!

I don't need to know what you're thinking...

[dclozier]

I'll tell you what to think!
http://xkcd.com/538/ [xkcd.com] ;)

thoughtcrime is comeing

[Anonymous Coward]

thoughtcrime is comeing

Re:

[Anonymous Coward]

comeing

But spelling crimes are already here.

Re:

[Errol backfiring]

You unbellythinkful clod!

Re:

[Yakasha]

comeing

But spelling crimes are already here.

jerk [wordpress.com]

Talk about forgetting your password!

[__aaltlg1547]

"I thought my passthought. But maybe I didn't think it the right way. Let me try again..."

Just what we need, an even more complicated and harder to use apparatus with a reduced probability of correctly identifying the right user.

Since when is "works correctly 99% of the time" good enough for an authentication system?

Re:Talk about forgetting your password!

[ByOhTek]

Since when is "works correctly 99% of the time" good enough for an authentication system?

And how often do you mistype your password? I doubt many get their password right even 90% of the time unless they have rather bad passwords.

Also, there's false positive vs. false negative. False negatives aren't so bad (especially at 1%, when retries are possible). False positives are what are really of concern.

Re:Talk about forgetting your password!

[Immerman]

Indeed, though a 1% false-positive rate would still make for a really lousy attack vector for anyone with serious intent - you're unlikley to get past it for the first time when it matters, and unlike a password which stays compromised until changed which allows a leisurely preparatory attack, slipping through on a false positive probably won't reliably let you through a second time when it counts. Not something you'd want as the only layer of defense protecting your top secret documents, but a significant improvement over passwords. A huge advantage for most applications would be that it makes the security system immune to attack via social engineering, probably the single most successful attack vector in the world, as well as "security degredation by convenience" where people share around passwords for accounts with access to resources that are supposed to be restricted.

Might also be very viable as part of a multi-factor authentication system, the pass-thought is already a two-factor system (thought + brain), adding a third factor with higher reliability would likely push the security beyond almost everything currently in use.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Dunbal]

I think the concept you are missing is that at one point, user ID and password will eventually be merged into one.

Re:

[mjr167]

No, I think that is his point. And that it's a bad idea. If the user id is the password, you have the same problem you have with credit cards and SSNs. Acquiring a user's ID should not be enough to authenticate the user. The ID just identifies the user and can be used by people that need to refer to the user. You need something else to authenticate. Knowing my name shouldn't authenticate as me. Neither should having my fingers or my eyes.

The idea to use the biometrics to identify the user and the pas

Re:Talk about forgetting your password!

[David_Hart]

"I thought my passthought. But maybe I didn't think it the right way. Let me try again..."

Just what we need, an even more complicated and harder to use apparatus with a reduced probability of correctly identifying the right user.

Since when is "works correctly 99% of the time" good enough for an authentication system?

And what happens to the success rate if your brain chemistry and/or thought patterns change?

We know that changes take place in the brain during puberty, pregnancy, when in love, stress, medical conditions, etc. I'm curious if their testing included these scenarios. Granted, it would prevent drive-by tweeting if people would have to calm down before they could login... (grin)

Re:

[gnapster]

Granted, it would prevent drive-by tweeting if people would have to calm down before they could login... (grin)

I plan to set my passthought while browsing Reddit, so the only tweets I can send are drive-byes.

Re:

[Kongming]

I don't think that would be a concern, on account of the fact that they are probably relying mainly upon information that is not really "brain waves".

The headset supposedly uses both EEG (brain waves) and EMG (electrical activity from muscle firing). However, measuring the electrical activity of neurons (very small and very weak) with any kind of specificity by using electrodes placed on the other side of the skull and other protective tissue is... let us just call it "nontrivial". EMG signals are much st

Re:

[__aaltlg1547]

"I thought my passthought. But maybe I didn't think it the right way. Let me try again..."

Just what we need, an even more complicated and harder to use apparatus with a reduced probability of correctly identifying the right user.

Since when is "works correctly 99% of the time" good enough for an authentication system?

And what happens to the success rate if your brain chemistry and/or thought patterns change?

We know that changes take place in the brain during puberty, pregnancy, when in love, stress, medical conditions, etc. I'm curious if their testing included these scenarios. Granted, it would prevent drive-by tweeting if people would have to calm down before they could login... (grin)

Or when your frustration level continually elevates due to repeated authentication failures.

Re:

[mrbester]

That means I am as well *sob*

Why this is idiotic

[slashmydots]

So first we had passwords. Then they invented fingerprint readers so now everyone can log in with either a fingerprint or a password as a backup in case the fingerprint reader doesn't work. Obviously 2 ways of getting into a system is MUCH more secure. Same here. I bet this will be backed by a password.

Re:

[BlindMaster]

Furthermore, it requires an "action" to be performed. I hope that action is convenience to do in public, plus doing it quick.

However, I suppose this is the first step of "reading" data from the brain. By collecting enough data, we may actually understand individual (hint for Google). If we actually can understand living things by brainwave, it can replace password as a way to recognize people (I suppose this is how we "know" others by understanding their ways of doing things).

Re:

[gnapster]

This reminds me of the film Minority Report; retinas at-a-distance are quick and convenient in public. One of the concerns about eyeballs and fingers is that if someone wants to impersonate me is to forcibly take them. (xkcd #538 with knives, not wrenches.) Am I safe with brainwaves? Does that de-escalate it from knife back down to wrench?

Re:

[Immerman]

Even better - it's something that can't be taken (knife-proof) and also can't be given (resistant to rubber hoses, social engineering, and lax security practices). Since it depends on the way *your* brain manifests the thought, you personally have to be present in order to get past the system, which complicates many attack scenarios. And all in all I'd rather be kidnapped than have an eye/finger/etc stolen, if anything I suspect my chances of survival are moderately better, not to mention I come out of th

Re:

[JaredOfEuropa]

That depends. On the one hand, if you're kidnapped, your brain might react differently under duress and the system would reject your logon attempt (and hopefully the kidnappers know that!). On the other hand, somewhere in the authentication chain, your brain waves are converted into electronic signals and at that point they could be "skimmed" and replayed, so it doesn't replace 2 factor authentication.

Re:

[Immerman]

>skimmed and replayed
That completely depends on physical security of the input device. Trying to "replay" a brain pattern into something designed to read it directly from a brain will likely be at least as difficult as tricking any other biometric device, but certainly if you can bypass the scanner by using your own replay device it should be easy enough, which goes the same for any biometric scanner - a fake retinal scanner is no doubt likewise much easier to make than a fake eye.

Re:

[kaizendojo]

It would be very difficult to hack a brainwave interface with a brain dead head.

Re:

[kaizendojo]

Again, brain dead...

Re:

[Maxwell'sSilverLART]

Spoken like a true BOFH.

Who cares that they chop off the heads of our users, as long as they aren't getting into the system.

Because a computer is worth more than a human life.

Objection! Assumes facts not in evidence!

OP clearly said "users."

Re:Escalator to hell

[Errol backfiring]

But it might be quite easy with a live head. If you can intercept the signal, you can reproduce it. And intercepting a bluetooth signal should not be that hard. The problem is that it takes some "middle man hardware" to get the brainwaves into the computer. And middlemen can be a lot easier to fake. It is a bit like voice recognition: the voice may be personal and unique (or personal and unique enough), but recording a voice and playing it back is dead easy.

Re:

[radtea]

It is a bit like voice recognition: the voice may be personal and unique (or personal and unique enough), but recording a voice and playing it back is dead easy.

And yet people remain fascinated with these unchangable, non-repudiatable, easily spoofed means of biometric identification. I really don't get it.

Re:

[lister king of smeg]

well they could encrypt the data being transmitted by the wireless headset and have the key change over time to prevent record and playback attacks, or just hardwire it.

Re:

[andrewbaldwin]

It would be very difficult to hack a brainwave interface with a brain dead head.

perfect!
... keeps your system safe from managers :-)

Open Sesame?

[Anonymous Coward]

What If you make a happy thought of your girlfriend and then breakup with her? You can't form that joyful thought anymore, can you still unlock it afterwards?

Helpdesk Request #65398

[Rob Riggs]

Helpdesk,

I need help logging in. I have a migraine and can't get my passthought right. Can you send up two aspirin tablets.

Thanks

Think happy thoughts

[mwvdlee]

So now every time I want to gain access I have to think the same thing I thought when I first entered the passthought.
"Okay, no thinking of naked girls now, anything but naked girls. Betty White! Yes, Betty White completely dressed, dressed in sexy lingerie... oh god, not that either, that's horri*".
"thank you, passthough recorded".

Re:

[russotto]

The only way to block out bad Betty White images is with good Betty White images. [uab.edu]

Re:

[Culture20]

Yes, but they can't figure out what you were thinking, only the pattern it creates for the brain scan. It's like a salted and hashed passphrase from the perspective of the brain scanner You could even tell someone else what to think, but the hashing algorithm (your physical brain) is an extra secret they can't replicate. ..for the time being.

Re:

[lister king of smeg]

Yes, but they can't figure out what you were thinking, only the pattern it creates for the brain scan. It's like a salted and hashed passphrase from the perspective of the brain scanner You could even tell someone else what to think, but the hashing algorithm (your physical brain) is an extra secret they can't replicate. ..for the time being.

I would not be so sure about that, they are getting closer to being able to reconstruct an image from thought with fmri,
http://www.popsci.com/science/article/2011-09/mind-reading-tech-reconstructs-videos-brain-images [popsci.com]

Use concept is authentication for financial use

[girlinatrainingbra]

It would appear that the use-case for this technology is as an authentication system for access to financial institutions or accounts since it was presented at a conference on Financial Cryptography and Data Security. TFA points out that

The team's findings were presented at the 17th International Conference on Financial Cryptography and Data Security in Japan this week. In a paper, the team argues that the embedding of EEG sensors in wireless headsets and other consumer electronics makes authenticating u

Re:

[MrMickS]

How the hell do they expect me to do password resets now?

I'm sure that Dremel will come out with an attachment for that.

Re:

[Immerman]

Same way you should be doing it now - require them to be physically present with proof of identity. Or do you reset passwords in response to any random email/phone request that sounds like it came from the authorized account holder?

I'm thinking of a word.

[PPH]

Please try another thought password. "Tits" is not sufficiently secure.

Re:

[mark-t]

Brains change over time, but such change is ordinarily slow enough that if you are keeping the database of what the person's current brain waves look like up to date, then such normal evolution would not be a problem.

The only time it would be is on account of certain types of trauma, which can very abruptly and very quickly change a person's thought patterns.

Re:

[Errol backfiring]

You sure? If this proves "secure", say for a doomsday device to be activated only by the president, it would require the president to have his brainwaves recorded periodically. And each recording is an opportunity to breach the system. And if the shit really hits the fan, he might be too upset to authenticate (which, in this particular case, would be a good thing).

Whovians

[drachenfyre]

So now everyone who watches Doctor Who will set their passwords to "Crimson, Eleven, Delight, Petrichor".

At least it'll be easy to get into my wife's computer.....

Re:

[Immerman]

Only if you can control her brain to think it with.

Re:

[lister king of smeg]

i was thinking that exact same thing.

Sneakers rewrite?

[mortonda]

"My brain is my password. Verify me".

OTOH... Since that can't be recorded on a tape, it gets kinda messy.

Re:

[mark-t]

You can record their brainwaves, but how do you reproduce them to another device that records them?

Re:

[Servercide]

You don't reproduce them. You just record your interpretation of brainwave sequences. Then that interpretation can be passed on. Like the mp3 of the brainwave world. All you need is one way communication.

Re:

[mark-t]

Uhm.... if you're not reproducing them, how would you get into somebody's system that used this type of authentication? Sure, you can record their brainwaves while they are thinking whatever it is they need to think, but how on earth would that recording actually help *you* get into their system, which only records brainwaves?

Re:

[zlives]

assuming there is some sort of wireless receiver from the phone with EEG sensors (hopefully not BT) that sends the brain signal over... record replay!!?

Re:

[Servercide]

Well, to be useful in a computing environment you would have to convert the analog brainwaves into a digital format. Now, we can pretend that each and every manufacturer will have their own proprietary way of digitally converting these waves. Or, We can pretend that there will be an industry standardized format for converting analog brainwaves into a digital format (this is the more likely case IMO).

So, your Brainwave Pattern + Industry Standard Conversion = Valid Authentication Token. What is keeping me

Password reuse

[arielCo]

Who thought up this? Mordac the Preventer of Information Services?

Concentrate on a new passthought ...

Don't kill the Security guy. Don't kill the security guy.

Error: You cannot use any of your last 3 passthoughts.
Error: Your passthought is too common.

GRAAAAH!!

Error: Your passthought is too common.

Crimson Eleven Delight Petrichor

[wonkey_monkey]

Crimson Eleven Delight Petrichor

The brain changes

[degeneratemonkey]

It would be interesting to see the results of an experiment which brings the same subjects back in 5 or 10 years and asks them to think the same passthoughts. I highly doubt as much accuracy would be observed.

This is however an easy problem to solve: just change your passthought every few months.

Ohh Joy

[Servercide]

Another cool toy that will input your NTLM password for you....

Re:

[Servercide]

Also...what if you IQ is too low to generate an acceptable password?

what could possibly go wrong?

[kimvette]

Unless it works with migraines, cluster headaches, stress, anxiety, depression/grief, happiness, exhaustion, pain, and a slew of other conditions that affect brainwave patterns (heck, even caffeine can throw off brainwave patterns) this is too error prone to be reliably used.

Just remember....

[maroberts]

..to think in Russian....at least if unlocking Firefox.

In other news...

[Yakasha]

Apples shares plummeted 14% in after hours trading today as the company continues to battle their network security problems. Details are still forthcoming, but it appears their main campus is still closed, with the employees milling about in the parking lot. It is believed to be related to their roll-out of a new Electroencephalographic (EEG) based security system. One anonymous executive said, "Ya, looks like the 'think different' campaign really backfired."

On the up side

[Yakasha]

No more drug tests!

"Bob can't login must be high again..."

Already read that book....

[sgt_doom]

One title comes to mind, Brian Falkner's Brain Jack......

Not a word.

[RightSaidFred99]

I see a lot of people talking about thinking a word. That's so 1965.

Instead, you'd remember what your house looks like. Or think about the time your kid said something cute. Or imagine an impossible spring that actually becomes less resistant as you apply pressure.

Something like that, not "Durr, 'BoogieMan2008!'".