Slashdot Mirror


Passthoughts, Not Passwords: Authentication Via Brainwaves

CowboyRobot writes "A new study by researchers from the U.C. Berkeley School of Information examined the brainwave signals of individuals performing specific actions to see if they can be consistently matched to the right individual. To measure the subjects' brainwaves, the team utilized the NeuroSky Mindset, a Bluetooth headset that records Electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99% accuracy (pdf). 'We are not trying to trace back from a brainwave signal to a specific person,' explains Prof. John Chuang, who led the team. 'That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought.'"

21 of 104 comments

  1. Walk by lockouts by jbmartin6 · · Score: 5, Funny

    Great, now anyone walking by can lock out my account with failed auth attempts

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Walk by lockouts by ByOhTek · · Score: 4, Funny

      I'm more worried about them realizing I'm not human, from my brain waves. I don't want to go back to my homeworld! Also, how much testing did they do to ensure there aren't issues with emotional state or distraction? If I had a family even and was stuck listening to Beyonce or Katy Perry thanks to my sister's atrocious taste in "music"... Is having that crap stuck in my head going to prevent a login?

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  2. Never Work by Greyfox · · Score: 3, Funny

    I'm afraid that wouldn't work for several of my past managers. Heey-oh!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  3. I don't need to know what you're thinking... by dclozier · · Score: 2

    I'll tell you what to think!
    http://xkcd.com/538/ ;)

  4. Talk about forgetting your password! by __aaltlg1547 · · Score: 5, Insightful

    "I thought my passthought. But maybe I didn't think it the right way. Let me try again..."

    Just what we need, an even more complicated and harder to use apparatus with a reduced probability of correctly identifying the right user.

    Since when is "works correctly 99% of the time" good enough for an authentication system?

    1. Re:Talk about forgetting your password! by ByOhTek · · Score: 3, Interesting

      Since when is "works correctly 99% of the time" good enough for an authentication system?

      And how often do you mistype your password? I doubt many get their password right even 90% of the time unless they have rather bad passwords.

      Also, there's false positive vs. false negative. False negatives aren't so bad (especially at 1%, when retries are possible). False positives are what are really of concern.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    2. Re:Talk about forgetting your password! by jouassou · · Score: 4, Interesting

      Since when is "works correctly 99% of the time" good enough for an authentication system?

      It isn't. But it is an interesting proof-of-concept, which shows that using passthoughts as identification is actually possible.

      One interesting thought would be to combine passthoughts with other authentication technologies. Imagine walking up to a door that first performs face recognition and retina scans to determine who you appear to be. The system then accesses a database of passphrases associated with your user, displays a random one on a screen, and asks you to read it out loud. The system then uses a combination of voice recognition and brainwave scans to check if you're really who you appear to be.

      Although all these technologies currently have suboptimal success rates, they might yield good security if you combine them.

    3. Re:Talk about forgetting your password! by David_Hart · · Score: 4, Insightful

      "I thought my passthought. But maybe I didn't think it the right way. Let me try again..."

      Just what we need, an even more complicated and harder to use apparatus with a reduced probability of correctly identifying the right user.

      Since when is "works correctly 99% of the time" good enough for an authentication system?

      And what happens to the success rate if your brain chemistry and/or thought patterns change?

      We know that changes take place in the brain during puberty, pregnancy, when in love, stress, medical conditions, etc. I'm curious if their testing included these scenarios. Granted, it would prevent drive-by tweeting if people would have to calm down before they could login... (grin)

    4. Re:Talk about forgetting your password! by gnapster · · Score: 2

      Granted, it would prevent drive-by tweeting if people would have to calm down before they could login... (grin)

      I plan to set my passthought while browsing Reddit, so the only tweets I can send are drive-byes.

    5. Re:Talk about forgetting your password! by Kongming · · Score: 2

      I don't think that would be a concern, on account of the fact that they are probably relying mainly upon information that is not really "brain waves".

      The headset supposedly uses both EEG (brain waves) and EMG (electrical activity from muscle firing). However, measuring the electrical activity of neurons (very small and very weak) with any kind of specificity by using electrodes placed on the other side of the skull and other protective tissue is... let us just call it "nontrivial". EMG signals are much stronger.

      From the paper:

      "In particular, personalized mental tasks (e.g., sing their favorite song silently, focus on their personal pass-thought) do not produce higher signal similarity or authentication accuracy over mental tasks that are common to all subjects (e.g., close eyes and focus on breathing)."

      Similarly, this discussion includes a comment by someone who claims to have developed for the platform, "IMHO, the NeuroSky devices which are currently on the market exist mostly to record EMG from the forehead."

      The paper does not mention EMG. Perhaps they are specifically avoiding making use of EMG information from the headset, although they do not mention any such technique in the paper. Personally, I would wager that unless you have significant changes to the musculature of your face and scalp or suffer new large-scale brain damage or other abnormalities, your "password" would not be terribly likely to change.

      --
      (no sig)
    6. Re:Talk about forgetting your password! by Immerman · · Score: 3, Insightful

      Indeed, though a 1% false-positive rate would still make for a really lousy attack vector for anyone with serious intent - you're unlikely to get past it for the first time when it matters, and unlike a password which stays compromised until changed which allows a leisurely preparatory attack, slipping through on a false positive probably won't reliably let you through a second time when it counts. Not something you'd want as the only layer of defense protecting your top secret documents, but a significant improvement over passwords. A huge advantage for most applications would be that it makes the security system immune to attack via social engineering, probably the single most successful attack vector in the world, as well as "security degradation by convenience" where people share around passwords for accounts with access to resources that are supposed to be restricted.

      Might also be very viable as part of a multi-factor authentication system, the pass-thought is already a two-factor system (thought + brain), adding a third factor with higher reliability would likely push the security beyond almost everything currently in use.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
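
Added example, not part of any comment above: the trade-off the replies in this sub-thread argue about (false negatives with retries, a 1% false-positive rate, and stacking a second factor), worked through numerically. The 1% rates, the hypothetical second factor, and the independence of attempts and factors are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Factor:
    name: str
    far: float  # false accept rate per attempt (impostor accepted)
    frr: float  # false reject rate per attempt (legitimate user rejected)


def and_combine(factors):
    """Require every factor to pass. Assumes errors are independent across factors."""
    far = prod(f.far for f in factors)          # impostor must fool all of them
    frr = 1 - prod(1 - f.frr for f in factors)  # user fails if any one rejects
    return Factor("+".join(f.name for f in factors), far, frr)


def per_session(factor, max_attempts):
    """Error rates with retries and a lockout after max_attempts.

    Assumes each attempt is an independent trial.
    """
    impostor_in = 1 - (1 - factor.far) ** max_attempts  # any single attempt accepted
    user_locked_out = factor.frr ** max_attempts        # every attempt rejected
    return impostor_in, user_locked_out


# Constructed numbers: 1% for both error rates, the thread's reading of "99%".
PASSTHOUGHT = Factor("passthought", far=0.01, frr=0.01)
SECOND = Factor("second-factor", far=0.01, frr=0.01)  # hypothetical second factor


def table(max_attempts=3):
    rows = []
    for f in (PASSTHOUGHT, and_combine([PASSTHOUGHT, SECOND])):
        impostor_in, locked_out = per_session(f, max_attempts)
        rows.append((f.name, impostor_in, locked_out))
    return rows


if __name__ == "__main__":
    for name, fa, fr in table():
        print(f"{name:28s} impostor gets in: {fa:.6f}  user locked out: {fr:.2e}")
```

With three attempts, retries make lockout of the real user rare but roughly triple the impostor's chance; requiring a second factor cuts the impostor's chance by about a hundredfold while raising the lockout rate.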
    7. Re:Talk about forgetting your password! by mjr167 · · Score: 2

      No, I think that is his point. And that it's a bad idea. If the user id is the password, you have the same problem you have with credit cards and SSNs. Acquiring a user's ID should not be enough to authenticate the user. The ID just identifies the user and can be used by people that need to refer to the user. You need something else to authenticate. Knowing my name shouldn't authenticate as me. Neither should having my fingers or my eyes.

      The idea to use the biometrics to identify the user and the pass-thought to authenticate might accomplish this, and you still separate ID and authentication.

  5. Helpdesk Request #65398 by Rob+Riggs · · Score: 3, Insightful

    Helpdesk,

    I need help logging in. I have a migraine and can't get my passthought right. Can you send up two aspirin tablets.

    Thanks

    --
    the growth in cynicism and rebellion has not been without cause
  6. Think happy thoughts by mwvdlee · · Score: 3, Funny

    So now every time I want to gain access I have to think the same thing I thought when I first entered the passthought.
    "Okay, no thinking of naked girls now, anything but naked girls. Betty White! Yes, Betty White completely dressed, dressed in sexy lingerie... oh god, not that either, that's horri*".
    "thank you, passthought recorded".

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  7. I'm thinking of a word. by PPH · · Score: 3, Funny

    Please try another thought password. "Tits" is not sufficiently secure.

    --
    Have gnu, will travel.
  8. Re: thoughtcrime is comeing by Anonymous Coward · · Score: 2, Insightful

    comeing

    But spelling crimes are already here.

  9. Whovians by drachenfyre · · Score: 2

    So now everyone who watches Doctor Who will set their passwords to "Crimson, Eleven, Delight, Petrichor".

    At least it'll be easy to get into my wife's computer.....

  10. Password reuse by arielCo · · Score: 2

    Who thought up this? Mordac the Preventer of Information Services?

    Concentrate on a new passthought ...

    Don't kill the Security guy. Don't kill the security guy.

    Error: You cannot use any of your last 3 passthoughts.
    Error: Your passthought is too common.

    GRAAAAH!!

    Error: Your passthought is too common.

    --
    This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
  11. The brain changes by degeneratemonkey · · Score: 2

    It would be interesting to see the results of an experiment which brings the same subjects back in 5 or 10 years and asks them to think the same passthoughts. I highly doubt as much accuracy would be observed.

    This is however an easy problem to solve: just change your passthought every few months.

  12. Re:Escalator to hell by Errol+backfiring · · Score: 3, Interesting

    But it might be quite easy with a live head. If you can intercept the signal, you can reproduce it. And intercepting a bluetooth signal should not be that hard. The problem is that it takes some "middle man hardware" to get the brainwaves into the computer. And middlemen can be a lot easier to fake. It is a bit like voice recognition: the voice may be personal and unique (or personal and unique enough), but recording a voice and playing it back is dead easy.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  13. Re:Why this is idiotic by JaredOfEuropa · · Score: 2

    That depends. On the one hand, if you're kidnapped, your brain might react differently under duress and the system would reject your logon attempt (and hopefully the kidnappers know that!). On the other hand, somewhere in the authentication chain, your brain waves are converted into electronic signals and at that point they could be "skimmed" and replayed, so it doesn't replace 2 factor authentication.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
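
Added example, not part of any comment above: the last two comments point out that a captured signal can be replayed somewhere between the headset and the computer. One standard countermeasure is to bind each sample to a one-time challenge from the verifier, sketched here with a key assumed to be shared at pairing; the `Headset` and `Verifier` classes and the sample bytes are hypothetical and do not describe the NeuroSky device or the study's setup.

```python
import hashlib
import hmac
import secrets


class Headset:
    """Stand-in for the sensor: tags each sample with a key shared at pairing."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def capture(self, nonce: bytes, sample: bytes):
        # The nonce is fixed-length (16 bytes), so nonce + sample is unambiguous.
        tag = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        return sample, tag


class Verifier:
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._open = set()  # challenges issued and not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open.add(nonce)
        return nonce

    def accept(self, nonce: bytes, sample: bytes, tag: bytes) -> bool:
        if nonce not in self._open:
            return False            # unknown or already-used challenge
        self._open.discard(nonce)   # one use only, even if the tag is wrong
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        # Matching the sample against the enrolled template would follow here.
        return hmac.compare_digest(expected, tag)


def demo():
    key = secrets.token_bytes(32)
    headset, verifier = Headset(key), Verifier(key)
    sample = b"\x01\x02\x03\x04"  # constructed stand-in for an EEG feature vector

    n1 = verifier.challenge()
    s, t = headset.capture(n1, sample)
    live = verifier.accept(n1, s, t)
    resent = verifier.accept(n1, s, t)              # same recording sent again
    n2 = verifier.challenge()
    against_new_nonce = verifier.accept(n2, s, t)   # recording vs. fresh challenge
    return live, resent, against_new_nonce          # (True, False, False)
```

This only protects the link between sensor and verifier; it does nothing if the headset itself is compromised or its key is extracted.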