
4/12/2013
04:31 PM

Researchers Analyze Brainwaves To Authenticate Users

Passwords may not need to be made of numbers and letters after all

It sounds like something straight out of science fiction: brainwaves taking the place of passwords in the name of authentication. But a new study by researchers from the U.C. Berkeley School of Information is turning fiction into reality.

The study (PDF) examined the brainwave signals of individuals performing specific actions to see whether they can be consistently matched to the right individual. To do this, the researchers recruited 15 college students to participate, asking them to allow their brainwaves to be recorded as they performed a series of repeatable tasks. Three were tasks everyone was asked to do, while four were ones where the users had individual secrets.

In the tasks where participants could choose a personal secret, they were asked to imagine performing a repetitive motion from a sport of their choice, sing a song of their choice, watch a series of on-screen images and silently count the objects that match a color of their choice, or choose their own thought and focus on it for 10 seconds.

To measure the subjects' brainwaves, the team used the NeuroSky Mindset, a Bluetooth headset that records electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99 percent accuracy.

"We are not trying to trace back from a brainwave signal to a specific person," explains Prof. John Chuang, who led the team. "That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought."

"In this case," he continues, "our experimental study found that we can with high accuracy make the determination whether a presented brainwave signal belongs to a user or not due to patterns in the brainwaves that are different for different individuals. We also found that it was not necessary to have users perform different mental tasks in order to achieve our level of authentication accuracy. Having our experimental subjects perform different mental tasks allows us to study whether certain types of tasks were preferred by users because of their enjoyability or ease of execution."

The team's findings were presented at the 17th International Conference on Financial Cryptography and Data Security in Japan this week. In a paper, the team argues that the embedding of EEG sensors in wireless headsets and other consumer electronics makes authenticating users based on their brainwave signals a realistic possibility.

"Obviously, using brainwaves for authentication [has been] the stuff of science-fiction for a very long time," Chuang says. "There [have] been a number of previous research studies looking at brainwave authentication, but they employ multichannel EEG technology in clinical settings. When the NeuroSky single-channel technology became available on the market, we decided to study whether brainwave authentication is feasible with these inexpensive consumer-grade devices in everyday [nonclinical] settings."


Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
nannasin28,
User Rank: Apprentice
4/16/2013 | 2:57:06 AM
re: Researchers Analyze Brainwaves To Authenticate Users
Passwords and Trade secrets can and are obtained this way.-- 4N25
femtobeam,
User Rank: Apprentice
4/15/2013 | 4:54:14 PM
re: Researchers Analyze Brainwaves To Authenticate Users
Headsets are not necessary to read brainwave potentials. The sensitivity of sensors that can differentiate between brainwave potentials was first publicly demonstrated by Brainfingers software.

It is now possible to interface with the brain via interactive hybrid networks, whether by internal or external sensors. The authors of the paper did not go into details about the big missing factor, the fact that this is not just about "reading" information from the brain for authentication, but also "writing" information to the brain from any source with access. Time stamping, network re-routing, and changing information on the fly are all still possible during the transmission of brain waves. So are man-in-the-middle attacks. Security and assurance of brainwaves as identity requires full network evaluation with these possibilities in mind. Falsifying brainwaves is possible, even in the subliminal domain, due to the speed of communications in relationship to the speed of brain action.

It is an infallible method of truthful information in that the subliminal mind does not lie; however, it is also possible to input subliminal messages that can be misinterpreted. Passwords and trade secrets can and are obtained this way. Pain can be recorded from one individual and sent to the brain of another. Remote rape is already under scrutiny in Europe. This has implications far beyond the subject of this article.

The key to identity assurance is in time stamping and comparisons of multiple sources of information.

"We must have a physical off switch to protect individual human rights"

"It is all in the speed of light"

"In the future, we may all die from hearsay!" Robin L. Ore