Endpoint
4/12/2013
04:31 PM
Connect Directly
RSS
E-Mail
50%
50%

Researchers Analyze Brainwaves To Authenticate Users

Passwords may not need to be made of numbers and letters after all

It sounds like something straight out of science fiction: brainwaves taking the place of passwords in the name of authentication. But a new study by researchers from the U.C. Berkeley School of Information is turning fiction into reality.

The study (PDF) examined the brainwave signals of individuals performing specific actions to see whether they can be consistently matched to the right individual. To do this, the researchers recruited 15 college students to participate, asking them to allow their brainwaves to be recorded as they performed a series of repeatable tasks. Three were tasks everyone was asked to do, while four were ones where the users had individual secrets.

In the tasks where participants could choose a personal secret, they were asked to imagine performing a repetitive motion from a sport of their choice, singing a song of their choice, watching a series of on-screen images and silently counting the objects that match a color of their choice, or choose their own thought and focus on it for 10 seconds.

To measure the subjects' brainwaves, the team used the NeuroSky Mindset, a Bluetooth headset that records Electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99 percent accuracy.

"We are not trying to trace back from a brainwave signal to a specific person," explains Prof. John Chuang, who led the team. "That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought."

"In this case," he continues, "our experimental study found that we can with high accuracy make the determination whether a presented brainwave signal belongs to a user or not due to patterns in the brainwaves that are different for different individuals. We also found that it was not necessary to have users perform different mental tasks in order to achieve our level of authentication accuracy. Having our experimental subjects perform different mental tasks allows us to study whether certain types of tasks were preferred by users because of their enjoyability or ease of execution."

The team's findings were presented at the 17th International Conference on Financial Cryptography and Data Security in Japan this week. In a paper, the team argues that the embedding of EEG sensors in wireless headsets and other consumer electronics makes authenticating users based on their brainwave signals a realistic possibility.

"Obviously, using brainwaves for authentication [has been] the stuff of science-fiction for a very long time," Chuang says. "There [have] been a number of previous research studies looking at brainwave authentication, but they employ multichannel EEG technology in clinical settings. When the NeuroSky single-channel technology became available on the market, we decided to study whether brainwave authentication is feasible with these inexpensive consumer-grade devices in everyday [nonclinical] settings."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nannasin28
50%
50%
nannasin28,
User Rank: Apprentice
4/16/2013 | 2:57:06 AM
re: Researchers Analyze Brainwaves To Authenticate Users
Passwords and Trade secrets can and are obtained this way.-- 4N25
femtobeam
50%
50%
femtobeam,
User Rank: Apprentice
4/15/2013 | 4:54:14 PM
re: Researchers Analyze Brainwaves To Authenticate Users
Headsets are not necessary to read brainwave potentials. The sensitivity of sensors that can differentiate between brainwave potentials was first publicly demonstrated by Brainfingers- software.

It is now possible to interface with the brain via interactive hybrid networks, whether by internal or external sensors. The authors of the paper did not go into details about the big missing factor, the fact that this is not just about "reading" information from the brain for authentication, but also "writing" information to the brain from any source with access. Time stamping, Network re-routing, changing information on the fly, are all still possible during the transmission of brain waves. So are man in the middle attacks. Security and assurance of brainwaves as identity requires full network evaluation with these possibilities in mind. Falsifying brainwaves is possible, even in the subliminal domain, due to the speed of communications in relationship to the speed of brain action.

It is an infallible method of truthful information in that the subliminal mind does not lie, however, it is also possible to input subliminal messages that can be misinterpreted. Passwords and Trade secrets can and are obtained this way. Pain can be recorded from one individual and sent to the brain of another. Remote rape is already under scrutiny in Europe. This has implications far beyond the subject of this article.

The key to identity assurance is in time stamping and comparisons of multiple sources of information.

"We must have a physical off switch to protect individual human rights"

"It is all in the speed of light"

"In the future, we may all die from hearsay!" Robin L. Ore
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-0965
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted SOAP response.

CVE-2014-3022
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted URL that triggers an error condition.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.