Endpoint

4/12/2013
04:31 PM
50%
50%

Researchers Analyze Brainwaves To Authenticate Users

Passwords may not need to be made of numbers and letters after all

It sounds like something straight out of science fiction: brainwaves taking the place of passwords in the name of authentication. But a new study by researchers from the U.C. Berkeley School of Information is turning fiction into reality.

The study (PDF) examined the brainwave signals of individuals performing specific actions to see whether they can be consistently matched to the right individual. To do this, the researchers recruited 15 college students to participate, asking them to allow their brainwaves to be recorded as they performed a series of repeatable tasks. Three were tasks everyone was asked to do, while four were ones where the users had individual secrets.

In the tasks where participants could choose a personal secret, they were asked to imagine performing a repetitive motion from a sport of their choice, singing a song of their choice, watching a series of on-screen images and silently counting the objects that match a color of their choice, or choose their own thought and focus on it for 10 seconds.

To measure the subjects' brainwaves, the team used the NeuroSky Mindset, a Bluetooth headset that records Electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99 percent accuracy.

"We are not trying to trace back from a brainwave signal to a specific person," explains Prof. John Chuang, who led the team. "That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought."

"In this case," he continues, "our experimental study found that we can with high accuracy make the determination whether a presented brainwave signal belongs to a user or not due to patterns in the brainwaves that are different for different individuals. We also found that it was not necessary to have users perform different mental tasks in order to achieve our level of authentication accuracy. Having our experimental subjects perform different mental tasks allows us to study whether certain types of tasks were preferred by users because of their enjoyability or ease of execution."

The team's findings were presented at the 17th International Conference on Financial Cryptography and Data Security in Japan this week. In a paper, the team argues that the embedding of EEG sensors in wireless headsets and other consumer electronics makes authenticating users based on their brainwave signals a realistic possibility.

"Obviously, using brainwaves for authentication [has been] the stuff of science-fiction for a very long time," Chuang says. "There [have] been a number of previous research studies looking at brainwave authentication, but they employ multichannel EEG technology in clinical settings. When the NeuroSky single-channel technology became available on the market, we decided to study whether brainwave authentication is feasible with these inexpensive consumer-grade devices in everyday [nonclinical] settings."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nannasin28
50%
50%
nannasin28,
User Rank: Apprentice
4/16/2013 | 2:57:06 AM
re: Researchers Analyze Brainwaves To Authenticate Users
Passwords and Trade secrets can and are obtained this way.-- 4N25
femtobeam
50%
50%
femtobeam,
User Rank: Apprentice
4/15/2013 | 4:54:14 PM
re: Researchers Analyze Brainwaves To Authenticate Users
Headsets are not necessary to read brainwave potentials. The sensitivity of sensors that can differentiate between brainwave potentials was first publicly demonstrated by Brainfingers- software.

It is now possible to interface with the brain via interactive hybrid networks, whether by internal or external sensors. The authors of the paper did not go into details about the big missing factor, the fact that this is not just about "reading" information from the brain for authentication, but also "writing" information to the brain from any source with access. Time stamping, Network re-routing, changing information on the fly, are all still possible during the transmission of brain waves. So are man in the middle attacks. Security and assurance of brainwaves as identity requires full network evaluation with these possibilities in mind. Falsifying brainwaves is possible, even in the subliminal domain, due to the speed of communications in relationship to the speed of brain action.

It is an infallible method of truthful information in that the subliminal mind does not lie, however, it is also possible to input subliminal messages that can be misinterpreted. Passwords and Trade secrets can and are obtained this way. Pain can be recorded from one individual and sent to the brain of another. Remote rape is already under scrutiny in Europe. This has implications far beyond the subject of this article.

The key to identity assurance is in time stamping and comparisons of multiple sources of information.

"We must have a physical off switch to protect individual human rights"

"It is all in the speed of light"

"In the future, we may all die from hearsay!" Robin L. Ore
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.