Endpoint
4/12/2013
04:31 PM
Connect Directly
RSS
E-Mail
50%
50%

Researchers Analyze Brainwaves To Authenticate Users

Passwords may not need to be made of numbers and letters after all

It sounds like something straight out of science fiction: brainwaves taking the place of passwords in the name of authentication. But a new study by researchers from the U.C. Berkeley School of Information is turning fiction into reality.

The study (PDF) examined the brainwave signals of individuals performing specific actions to see whether they can be consistently matched to the right individual. To do this, the researchers recruited 15 college students to participate, asking them to allow their brainwaves to be recorded as they performed a series of repeatable tasks. Three were tasks everyone was asked to do, while four were ones where the users had individual secrets.

In the tasks where participants could choose a personal secret, they were asked to imagine performing a repetitive motion from a sport of their choice, singing a song of their choice, watching a series of on-screen images and silently counting the objects that match a color of their choice, or choose their own thought and focus on it for 10 seconds.

To measure the subjects' brainwaves, the team used the NeuroSky Mindset, a Bluetooth headset that records Electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99 percent accuracy.

"We are not trying to trace back from a brainwave signal to a specific person," explains Prof. John Chuang, who led the team. "That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought."

"In this case," he continues, "our experimental study found that we can with high accuracy make the determination whether a presented brainwave signal belongs to a user or not due to patterns in the brainwaves that are different for different individuals. We also found that it was not necessary to have users perform different mental tasks in order to achieve our level of authentication accuracy. Having our experimental subjects perform different mental tasks allows us to study whether certain types of tasks were preferred by users because of their enjoyability or ease of execution."

The team's findings were presented at the 17th International Conference on Financial Cryptography and Data Security in Japan this week. In a paper, the team argues that the embedding of EEG sensors in wireless headsets and other consumer electronics makes authenticating users based on their brainwave signals a realistic possibility.

"Obviously, using brainwaves for authentication [has been] the stuff of science-fiction for a very long time," Chuang says. "There [have] been a number of previous research studies looking at brainwave authentication, but they employ multichannel EEG technology in clinical settings. When the NeuroSky single-channel technology became available on the market, we decided to study whether brainwave authentication is feasible with these inexpensive consumer-grade devices in everyday [nonclinical] settings."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nannasin28
50%
50%
nannasin28,
User Rank: Apprentice
4/16/2013 | 2:57:06 AM
re: Researchers Analyze Brainwaves To Authenticate Users
Passwords and Trade secrets can and are obtained this way.-á-á 4N25
femtobeam
50%
50%
femtobeam,
User Rank: Apprentice
4/15/2013 | 4:54:14 PM
re: Researchers Analyze Brainwaves To Authenticate Users
Headsets are not necessary to read brainwave potentials. The sensitivity of sensors that can differentiate between brainwave potentials was first publicly demonstrated by Brainfingers-¬ software.

It is now possible to interface with the brain via interactive hybrid networks, whether by internal or external sensors. The authors of the paper did not go into details about the big missing factor, the fact that this is not just about "reading" information from the brain for authentication, but also "writing" information to the brain from any source with access. Time stamping, Network re-routing, changing information on the fly, are all still possible during the transmission of brain waves. So are man in the middle attacks. Security and assurance of brainwaves as identity requires full network evaluation with these possibilities in mind. Falsifying brainwaves is possible, even in the subliminal domain, due to the speed of communications in relationship to the speed of brain action.

It is an infallible method of truthful information in that the subliminal mind does not lie, however, it is also possible to input subliminal messages that can be misinterpreted. Passwords and Trade secrets can and are obtained this way. Pain can be recorded from one individual and sent to the brain of another. Remote rape is already under scrutiny in Europe. This has implications far beyond the subject of this article.

The key to identity assurance is in time stamping and comparisons of multiple sources of information.

"We must have a physical off switch to protect individual human rights"

"It is all in the speed of light"

"In the future, we may all die from hearsay!" Robin L. Ore
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4725
Published: 2014-07-27
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

CVE-2014-4726
Published: 2014-07-27
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.