Passthoughts, Not Passwords: Authentication Via Brainwaves
CowboyRobot writes "A new study by researchers from the U.C. Berkeley School of Information examined the brainwave signals of individuals performing specific actions to see if they can be consistently matched to the right individual. To measure the subjects' brainwaves, the team utilized the NeuroSky Mindset, a Bluetooth headset that records Electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99% accuracy (pdf). 'We are not trying to trace back from a brainwave signal to a specific person,' explains Prof. John Chuang, who led the team. 'That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought.'"
Great, now anyone walking by can lock out my account with failed auth attempts
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
I'm afraid that wouldn't work for several of my past managers. Heey-oh!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I'll tell you what to think! ;)
http://xkcd.com/538/
Thoughtcrime is coming
"I thought my passthought. But maybe I didn't think it the right way. Let me try again..."
Just what we need, an even more complicated and harder to use apparatus with a reduced probability of correctly identifying the right user.
Since when is "works correctly 99% of the time" good enough for an authentication system?
You must think in Russian...you cannot think in English and transpose...you must think in Russian.
So first we had passwords. Then they invented fingerprint readers so now everyone can log in with either a fingerprint or a password as a backup in case the fingerprint reader doesn't work. Obviously 2 ways of getting into a system is MUCH more secure. Same here. I bet this will be backed by a password.
1. To by-pass fingerprint auth: chop off hand of victim
2. To by-pass retina auth: pluck out eye
3. To by-pass brainwave auth: chop off head
As for item 3, wasn't this already written somewhere in some American classic sci-fi, maybe Heinlein?
Or do they both change over time? For example, will the thought of the word anal be the same before and after having anal sex for the first time? I doubt it, my thoughts changed pretty dramatically.
What if you make a happy thought of your girlfriend and then break up with her? You can't form that joyful thought anymore, can you still unlock it afterwards?
Would be to be kidnapped and ordered at gunpoint to open your account so it could be hacked. That's an area of concern for these biometric schemes.
Helpdesk,
I need help logging in. I have a migraine and can't get my passthought right. Can you send up two aspirin tablets.
Thanks
the growth in cynicism and rebellion has not been without cause
So now every time I want to gain access I have to think the same thing I thought when I first entered the passthought.
"Okay, no thinking of naked girls now, anything but naked girls. Betty White! Yes, Betty White completely dressed, dressed in sexy lingerie... oh god, not that either, that's horri*".
"Thank you, passthought recorded".
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
I don't want to carry another device to attach to my notebook, small computer, or iWatch. When they get it to work without an accessory I'll consider it. It shouldn't be too hard; for many years my wife has been only too willing to tell me what my current thoughts and feelings are.
The current headset is unwieldy. Would the banks make you put on a headset and think "i am the real me" when you get to the teller's station instead of signing on the electronic signature pad?
How the hell do they expect me to do password resets now?
Please try another thought password. "Tits" is not sufficiently secure.
Have gnu, will travel.
So how does this deal with replay type attacks, where you "record" the brainwaves and play them back?
DARPA is looking for biometric authentication methods that don't require the active participation of the user. For instance, if you had a smartphone that detected your unique smell, it could do that without you needing to tell it to authenticate, or to have a particular password, etc. And, you could authenticate continuously, rather than just when starting to use the device.
These sorts of schemes are also much more difficult to fake with a replica, unlike things like fingerprint readers.
DARPA-BAA-13-16 Active Authentication
Because brains certainly don't change over time.
So now everyone who watches Doctor Who will set their passwords to "Crimson, Eleven, Delight, Petrichor".
At least it'll be easy to get into my wife's computer.....
yay! It's not like they could be hacked by flickering lights, screens, etc. Or anything like that. Tarkovsky, you there?
"My brain is my password. Verify me".
OTOH... Since that can't be recorded on a tape, it gets kinda messy.
It's an interesting study, but from a security point of view, if I wanted to get into somebody's system that used this type of authentication, then I would only need to get them to think about it while I am recording their brainwaves.
Another security vulnerability question is, can we figure out anybody's password on any system, if we can record their brainwaves while they are thinking about it?
OK, so my passthought is "boobs".
It works fine for a while.
Then, it stops working.
I call the service desk.
Service Desk: How can I be helping you today?
Me: My passthought doesn't work.
Service Desk: Can you turn it off and on?
Me: It is a thought. I use it to log on.
Service Desk: What thought are you thinking?
Me: boobs.
Service Desk: Are you thinking about boobs?
Me: Yes boobs.
Service Desk: What kind of boobs can I help you with today?
Who thought up this? Mordac the Preventer of Information Services?
Concentrate on a new passthought ...
Don't kill the Security guy. Don't kill the security guy.
Error: You cannot use any of your last 3 passthoughts.
Error: Your passthought is too common.
GRAAAAH!!
Error: Your passthought is too common.
This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
History will repeat itself. Stay-Puft Marshmallow Man. Enough said.
I had this idea at a Usenix conference back in 2001. It's not new.
Crimson Eleven Delight Petrichor
systemd is Roko's Basilisk.
It would be interesting to see the results of an experiment which brings the same subjects back in 5 or 10 years and asks them to think the same passthoughts. I highly doubt as much accuracy would be observed.
This is however an easy problem to solve: just change your passthought every few months.
Another cool toy that will input your NTLM password for you....
Unless it works with migraines, cluster headaches, stress, anxiety, depression/grief, happiness, exhaustion, pain, and a slew of other conditions that affect brainwave patterns (heck, even caffeine can throw off brainwave patterns) this is too error prone to be reliably used.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
..to think in Russian....at least if unlocking Firefox.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Ease of use is definitely enhanced, but there's really not much increase in security to be had here: if a hardware device reads a "passthought", chances are that it's just going to encode the string with some one-way hash function, which then gets stored in a password database using some other one-way hash function. From an intruder's perspective, this is a solved problem: keyspace exhaustion attacks defeat the one-way hash function by trading time for memory.
Aside from getting rid of common passwords, and increasing average password string-length (which can't be much longer without intolerably increasing the demands on auth server CPUs), this method is not much more secure than regular passwords, as circumventing it will simply require a rainbow table for the hash, and a modified client-side eeglib.so, or what-have-you, that reads the EEG device.
Apple's shares plummeted 14% in after-hours trading today as the company continues to battle their network security problems. Details are still forthcoming, but it appears their main campus is still closed, with the employees milling about in the parking lot. It is believed to be related to their roll-out of a new Electroencephalographic (EEG) based security system. One anonymous executive said, "Ya, looks like the 'think different' campaign really backfired."
"Bob can't log in, must be high again..."
Doesn't this defeat the purpose of a password/passphrase? Think about it, now all the government or anyone has to do to get your password is bring you to the scanner and say don't think of your password, or what is your password, etc. It will be very difficult for people to NOT think of their password, so the people you want to keep out will have even easier access than they would have had with a normal password system. I am not a fan of any biometric password systems, it is simply too easy to force me to let you in in those systems. Fingerprints? No problem, cut off my finger or find my prints and create fake digits with those prints. Brainwaves? Just hook my brain up to a scanner. Iris, force me to open my eye or just remove it from my head. If you think that the FBI wouldn't force you to hook your brain up to the scanner to get your password you are naive and living in a dream world. These types of security measures make us less secure.
AlphaA
One title comes to mind, Brian Falkner's Brain Jack......
I see a lot of people talking about thinking a word. That's so 1965.
Instead, you'd remember what your house looks like. Or think about the time your kid said something cute. Or imagine an impossible spring that actually becomes less resistant as you apply pressure.
Something like that, not "Durr, 'BoogieMan2008!'".