Slashdot Mirror


Your Brain Waves Could Soon Replace Passwords Entirely (fastcompany.com)

Wenyao Xu and Feng Lin, assistant professors of Computer Science and Engineering at University at Buffalo and The State University of New York, write: Our team has been working with collaborators at other institutions for years, and has invented a new type of biometric that is both uniquely tied to a single human being and can be reset if needed. When a person looks at a photograph or hears a piece of music, her brain responds in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp. We have discovered that every person's brain responds differently to an external stimulus, so even if two people look at the same photograph, readings of their brain activity will be different. This process is automatic and unconscious, so a person can't control what brain response happens. And every time a person sees a photo of a particular celebrity, their brain reacts the same way -- though differently from everyone else's.

We realized that this presents an opportunity for a unique combination that can serve as what we call a "brain password." It's not just a physical attribute of their body, like a fingerprint or the pattern of blood vessels in their retina. Instead, it's a mix of the person's unique biological brain structure and their involuntary memory that determines how it responds to a particular stimulus.

52 of 104 comments

  1. Usernames, not passwords by enriquevagu · · Score: 5, Insightful

    Biometrics replace usernames, not passwords.

    User names identify who you are. You are always the same person; that can never be changed.

    Passwords validate your credentials. Passwords may be changed when they are discovered by a third party; usernames (or brain waves, as discussed in the summary) cannot be changed.

    1. Re:Usernames, not passwords by Anonymous Coward · · Score: 1

      Biometrics replace usernames, not passwords.

      That is not an accurate way of depicting usernames, passwords, or biometrics. Usernames identify authorized users (unique account to track access, used to validate passwords, biometrics, etc against). Biometrics are used to identify a person (who you are), passwords are used as a shared secret to help validate identity (what you know). These are not the same and should not be treated as the same.

      The issue with most biometrics to date is that they cannot be changed, which is important to help prevent certain types of attacks. Since the technology referenced here is operating more like a challenge-response mechanism, this has certain advantages. The image that is used for invoking the brain scan can be different, pulled from a set of known images, and be refreshed. This uses the brain like a unique hashing function. Since the images can be changed periodically, this would enhance security and help prevent attacks such as replay attacks and other issues. It still has significant issues with implementation, but the idea is a definite improvement for biometrics.

      Biometrics, passwords, usernames, and authentication tokens do not replace each other. They are all part of securely identifying and validating authorized access.

    2. Re:Usernames, not passwords by jiriw · · Score: 3, Informative

      The article states otherwise. You change the 'password' by changing the stimulus (use a different photograph, for example).

      Fingerprints can't be changed reliably (without surgery or self mutilation), that's true. And as such you could see them as a kind of username. And they should be used as such if the biometric sensor can't differentiate between the real you and a copy.
      But when brain waves are used as described in the article, you can use them as a password, where your brain is the 'hasher' of your 'plain text' picture, and the 'hash' (brain waves) is compared to the recorded 'hash' in the database.

    3. Re:Usernames, not passwords by pr0fessor · · Score: 1

      That and I'm not sure that outside stimulus couldn't throw that off to begin with... like caffeine


    4. Re:Usernames, not passwords by Gravis+Zero · · Score: 1

      User names identify who you are. You are always the same person; that can never be changed.

      If I've learned anything from infosec, biology and cyberpunk anime then it's that identity (to others and yourself) is quite mutable with the proper application of technology.

      --
      Anons need not reply. Questions end with a question mark.
    5. Re:Usernames, not passwords by arth1 · · Score: 1

      That is not an accurate way of depicting usernames, passwords, or biometrics. Usernames identify authorized users (unique account to track access, used to validate passwords, biometrics, etc against). Biometrics are used to identify a person (who you are), passwords are used as a shared secret to help validate identity (what you know). These are not the same and should not be treated as the same.

      Don't forget the what you want part, i.e. authorization by the user[*]. Biometrics do not provide this.

      [*]: Authorization is a two-way street - not only does the service authorize the user, but the user also authorizes the service. Take away user-initiated authorization, and you open for exploitation and coercion.

    6. Re:Usernames, not passwords by Calydor · · Score: 1

      Or a headache, or stress, or having slept badly, or someone talking to you ...

      --
      -=This sig has nothing to do with my comment. Move along now=-
    7. Re:Usernames, not passwords by wirelessjb · · Score: 1

      It's more accurate to say that usernames represent who you claim to be. Passwords are an attempt to verify that you are who you say you are... or that you are an authorized proxy.

  2. Soon? Maybe someday; emphasis on maybe by Zero__Kelvin · · Score: 1

    I don't even want to know what goes on in someone's brain who can read about this research and can conclude that it will replace passwords anytime soon. For one thing the mind changes over time so we don't even have reason to believe that this unique response will remain static over time. Then there is the issue of industry adoption, not to mention the minor detail of needing to strap electrodes to your head connected to what is no doubt bulky and expensive hardware.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:Soon? Maybe someday; emphasis on maybe by iMadeGhostzilla · · Score: 1

      Eh we all hope to have the maximum impact on the world so we amp up the significance of what we do.

      But I wonder if it's always been like that, and whether people were at other times more realistic about their role in the world. Maybe it's the internet that's stimulating this distortion.

    2. Re:Soon? Maybe someday; emphasis on maybe by RespekMyAthorati · · Score: 1

      I suppose it could be useful for extreme high-security situations such as for access to military installations.

  3. Soon replace? by Oswald+McWeany · · Score: 3, Insightful

    My main disagreement with this article is over the word "soon".

    --
    "That's the way to do it" - Punch
    1. Re:Soon replace? by jfdavis668 · · Score: 1

      Soon...

    2. Re:Soon replace? by sacrilicious · · Score: 1

      Prediction: Won't happen, ever.

      --
      - First they ignore you, then they laugh at you, then ???, then profit.
  4. Hungover by Anonymous Coward · · Score: 2, Funny

    Will it work hungover?

    Drunks everywhere need to know.

    I suppose it could be a fail-safe to not work drunk or hungover.

    1. Re:Hungover by sheramil · · Score: 1

      Do you really want to be operating your phone or computer if you're that drunk?

  5. Re:Easy to Hack Trump's Twitter by Mashiki · · Score: 1, Interesting

    Look at the NPC. It's almost like they don't have any other response to a story, except ORANGE MAN BAD.

    To the article at hand though, I can see a lot of issues with this. People with chronic headaches and migraines, people with Alzheimer's, especially early onset, people with MS. Those that have head injuries, say from sports, since we know the damage is cumulative. That unique brain signature becomes more of an issue, and we haven't even started on stuff like dementia, schizophrenia, and so on.

    --
    Om, nomnomnom...
  6. "Soon" ??? by QuietLagoon · · Score: 1

    Soon? I figure this is years, if not longer, before brain waves replace passwords entirely. It's another case of things looking best before they have to be widely used. Unfounded optimism abounds.

  7. Bull by Anonymous Coward · · Score: 1

    Bullllshiiiiiiiiiiiiiiiiit.

  8. Replace with Gravitational Waves by jfdavis668 · · Score: 1

    So your system unlocks when you walk up to it.

    1. Re:Replace with Gravitational Waves by jfdavis668 · · Score: 1

      That will keep out Chinese and Russian hackers.

  9. Another expensive solution to a solved problem by KalvinB · · Score: 1

    We've had key fobs for decades. Databases have been able to hold more than 8 characters for a password for decades. Any system that hashes the user's password doesn't actually care how long the password is since it's hashed down to a fixed length anyway.

    The problem is not making use of key fobs to allow per account passwords to be stored so you don't have to share passwords between accounts and those passwords should be a long string of random characters that never need to be typed in.

    With key fobs, the account provider could issue the password when you register instead of having the user pick one. Put in your email address, give access to the fob, the provider can write a single password to their account file on your fob, done.

  10. Re:changes in your thoughts by ChoGGi · · Score: 1

    It'll be fine, you just update it every time, and account for the variances (that'll make it more secure...), I'm sure no major changes will ever happen to your brain.
    After all it's just three properly located sensors you need to attach to your head,

    https://ieeexplore.ieee.org/do...
    Interesting considering the fc article says 32 sensors, the paper says 30 and one of the authors of the paper also helped write the article...

    The total duration of the experiment was approximately 1.5 hours, including 0.5 hour for electrode placement and variable time in the breaks between blocks

    30 mins to attach them (I assume that's the 30 sensor, but it also seems like the 3 sensor test would take longer to do the actual testing), and I didn't bother looking too hard to see how long it'd take for the "password".

    Fourth, all data analyzed here were collected in a single session, meaning that the question of the biometric permanence of the CEREBRE protocol is still an open one. Addressing this question will require asking participants to repeat the protocol multiple times with temporal delay between sessions - acquisition of this data is currently ongoing in the lab

  11. Re:Another alt-rightie tries to silence others by Mashiki · · Score: 1, Insightful

    It's almost like he's trying to completely dehumanize

    Sorry, you don't get to play this game. After the last decade of labeling people sexists, racists, misogynists, homophobes, transphobes, race traitors, uncle toms, house ni**ers, xenophobes, red necks, country hicks, and of course nazi's.

    I hope you enjoy the rule set you've created. Or maybe it's because the NPC meme just strikes too close to home, and you know you're simply spouting garbage, devaluing words, and simply don't care. Somethingsomething groupthink.

    --
    Om, nomnomnom...
  12. My Brain is My Password. Verify Me. by bobstreo · · Score: 1

    I guess the something you have is your brain, the something you know is which selected piece of music, or a picture of your favorite porn star you chose to use.

    Seems pretty complicated and hard to save the info in your selected browser's password store...

  13. Basic requirements for access rights by quietwalker · · Score: 1

    I know not a lot of people have thought about this, but it's important. Passwords are one form of access rights. Keys are another. Heck, a secret handshake would be usable, if not entirely secure. The good ones though, they all have fundamental similarities:

    * They can be changed
        Someone lets the password slip? Loses a key? The enemy gets the launch codes? ... you need to be able to change it
    * They are reliable
        Ever get a driver's license that's valid 60% of the time?
    * They can be transferred/communicated
        Leaving a job and your replacement needs access? Sold your car and the new owner would like to drive it?
    * The correct form of access isn't easily accessible
        You don't tape the access code to the security door. You do use a key fob with a rotating access code. Etcetera, Etcetera.

    There's others, like auditing and such, but the thing is, biometrics fail on every one of these to some extent. Ever try to give someone else your fingerprints, or change them? Did you know that your fingerprints will subtly change over time - or quite quickly in some cases; ever burn your fingers on an iron? They're not changeable (in a deliberate sense), reliable, communicable, and their very nature makes them relatively publicly accessible.

    They're not a replacement for passwords, and never will be, regardless of the level and sophistication of tech we arrive at. They're a way to provide convenience at the cost of security, like your amazon echo.

  14. Re:Easy to Hack Trump's Twitter by Anonymous Coward · · Score: 2, Insightful

    Why does everything have to turn political here on /. when the article is not even remotely related? People have no lives if all they do is worry about who is in the White House. I despised the BHO years, but I never once mentioned him or his cabinet in a tech forum when he was in office. I'm a conservative, and I don't think there is a single person in the current administration who supports my views or does what I think they should do, but I don't bring it up on tech forums where the issue at hand is not even political.

  15. Involuntary response by Anonymous Coward · · Score: 1

    So a bad guy can "force" you easily to use your password!

  16. Lead by Oligonicella · · Score: 1

    "Soon" only appears in the lead of the story. If Wenyao Xu, Feng Lin, or Zhanpeng Jin wrote it, they're idiots. If someone else did, *they're* idiots. Not from the tech, they promote that they can do it with a special hat with three sensors, from the world outside the lab. It's another of those "people need to change their basic habits to work" things, which won't happen (reference the dramatic adoption of Google Glass).

    Although I agree with others that their tests were "shallow", let us say, that's not what will kill it.

    FTA:

    Then the person would put on a soft comfortable hat or padded helmet with electrical sensors inside.

    "Soon" we'll be seeing soft hats or helmets hanging on the ATM to verify us. Oh, we have to buy our own? Right. Not gonna happen either way.

    1. Re:Lead by Gavagai80 · · Score: 2

      The writers of exaggerated unrealistic headlines that make everything sound like it'll change the world tomorrow are not idiots. They're paid to do exactly what they do, just like the "one weird trick" writers.

      --
      This space intentionally left blank
  17. Biometrics cannot replace secrets by SLOGEN · · Score: 1

    Biometrics cannot replace any secrets. They can, at best, be used to authenticate local presence in closed systems.

    "Authentication" via remote biometric measurement carries absolutely no guarantee that actual bio was involved and thus does not have any valid security properties.

    Such remote usage is *bad* both ways: An attacker can replay biometrics and a non-attacker cannot recover from biometric information copying,... ever!

    Think about that every time you show your fingerprint to random scanners. You are effectively giving away your (lifetime) biometric to the scanner so it can simulate it to the authentication software. It could choose to store and forward to others and pretend that your finger is there at will. You are effectively trusting *every* scanner not to do this.

    --
    SLOGEN [ http://ungdomshus.nu : Sebastian cover music]
    1. Re:Biometrics cannot replace secrets by mark-t · · Score: 1

      You can't fake somebody's brain though. And presenting a false hash of the expected brain to another machine to try and fake being somebody else would require compromising the target machine in the first place so that it wasn't going to do its own scanning, so you wouldn't just be able to arbitrarily pretend to be somebody else without literally making a duplicate of that person's brain.

    2. Re:Biometrics cannot replace secrets by SLOGEN · · Score: 1

      I don't see a fundamental difference. You don't need to fake the brain, only the transmitted "measurements".

      My whole argument about biometrics security properties being tightly local is exactly the constraint needed to make an argument that you "would require compromising the target machine".

      "The sensors would record the person's brain waves. Just as when registering a fingerprint for an iPhone's Touch ID, multiple readings would be needed to collect a complete initial record. Our research has confirmed that a combination of pictures like this would evoke brain wave readings that are unique to a particular person, and consistent from one login attempt to another." -- TFA

      This suggests that one would simply need such a "complete initial record" to pose as your brain. That would make sense as attackers and the "real" authenticator would then have the same information. You certainly don't want two different systems authenticating off the "complete initial record".

      Maybe some difference in information can be maintained in the secrecy of the images shown in the "real" scenario, but it should be quite hard to make that difference remain. At least some of it would leak every time you authenticate.

      For this to work, I think you would essentially need the brain to work as a cryptographic secure hash-function. Maybe it really does, but I think such a claim requires quite a bit more than "Our research has found that the new brain password would be very hard for attackers to figure out, even if they tried to use the old brainwave readings as an aid" and "demonstrated to provide 100% identification accuracy in a pool of 50 participants"

      --
      SLOGEN [ http://ungdomshus.nu : Sebastian cover music]
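The replay and image-refresh reasoning in comments 1.1 (Anonymous Coward) and 17.2 (SLOGEN) can be made concrete with a toy simulation. This is an added example, not code from the thread or from the Buffalo researchers; it assumes the "brain as hash function" idea literally, modelling a person's response as an HMAC keyed with a constructed per-person secret (real EEG responses are noisy and not a clean keyed hash), and measures how often an eavesdropper who captured earlier challenge/response pairs passes a fresh random challenge, with a small versus a large image pool, after the enrolment record itself leaks, and after the image set is refreshed.

```python
"""Toy model of the thread's 'brain as a keyed hash' argument (constructed)."""
import hashlib
import hmac
import random


class Brain:
    """Assumption: response to a stimulus = HMAC(person_secret, stimulus)."""

    def __init__(self, person_secret: bytes):
        self._secret = person_secret

    def respond(self, stimulus: bytes) -> bytes:
        # Deterministic per person and per stimulus, as the summary claims.
        return hmac.new(self._secret, stimulus, hashlib.sha256).digest()


class Verifier:
    """Stores the 'complete initial record': one expected response per image."""

    def __init__(self, brain: Brain, pool):
        self.refresh(brain, pool)

    def refresh(self, brain: Brain, pool):
        # Re-enrol against a new image set (the 'reset' the thread discusses).
        self.pool = list(pool)
        self.record = {s: brain.respond(s) for s in self.pool}

    def challenge(self, rng: random.Random) -> bytes:
        return rng.choice(self.pool)

    def verify(self, stimulus: bytes, response: bytes) -> bool:
        expected = self.record.get(stimulus)
        return expected is not None and hmac.compare_digest(expected, response)


def replay_rate(verifier: Verifier, captured: dict, rng: random.Random,
                trials: int = 1000) -> float:
    """Fraction of fresh challenges answered correctly using only captured pairs."""
    hits = 0
    for _ in range(trials):
        s = verifier.challenge(rng)
        if s in captured and verifier.verify(s, captured[s]):
            hits += 1
    return hits / trials


def make_pool(size: int, tag: str):
    # Constructed stimulus identifiers standing in for photographs.
    return [f"{tag}-image-{i}".encode() for i in range(size)]


def simulate(pool_size: int, observed_logins: int, seed: int = 0) -> dict:
    rng = random.Random(seed)
    alice = Brain(b"alice-secret")  # constructed per-person secret
    v = Verifier(alice, make_pool(pool_size, "v1"))
    # Eavesdropper watches genuine logins; each leaks one challenge/response pair.
    captured = {}
    for _ in range(observed_logins):
        s = v.challenge(rng)
        captured[s] = alice.respond(s)
    before = replay_rate(v, captured, rng)
    # If the enrolment record itself leaks, every challenge is answerable.
    record_leak = replay_rate(v, dict(v.record), rng)
    # Refreshing the image set makes earlier captures worthless.
    v.refresh(alice, make_pool(pool_size, "v2"))
    after = replay_rate(v, captured, rng)
    return {"captured": len(captured), "replay": before,
            "record_leak": record_leak, "after_refresh": after}


if __name__ == "__main__":
    print("small pool, 40 observed logins:", simulate(4, 40))
    print("large pool, 20 observed logins:", simulate(1000, 20))
```

With a four-image pool the eavesdropper covers the whole pool after a few dozen logins and passes every challenge, while a thousand-image pool keeps the replay rate near the fraction of the pool that has leaked; a leaked record gives 100% in either case, and refreshing the images drops captured responses to 0%.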
    3. Re:Biometrics cannot replace secrets by mark-t · · Score: 1

      You don't need to fake the brain, only the transmitted "measurements".

      Presumably, whatever is doing the transmitting is "trusted", and that's the thing you'd have to compromise.

  18. Re:Easy to Hack Trump's Twitter by Tablizer · · Score: 1

    Look at the NPC. It's almost like they don't have any other response...

    What do you have against the National Planning Commission (of Nepal)?

  19. Re:Easy to Hack Trump's Twitter by Tablizer · · Score: 1

    The trace will be flat.

    Actually, I suspect his brainwaves will look like his signature.

  20. Identification != authentication by 140Mandak262Jamuna · · Score: 2

    Brain waves, fingerprints, retinal scans, rectal scans too for that matter, are forms of identification that can identify someone.

    Signatures, passwords, digital certificates, RSA ID pair, signet rings, seals etc. are forms of authentication and approval. Do not confuse the two.

    But.... Social security number, a form of identification is regularly misused and abused as authentication.

    What's worse is a wide array of semi-public info, information easily known to close family members like mother's maiden name or where someone went to school, masquerades as authentication for the password reset process.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  21. Re:Easy to Hack Trump's Twitter by taustin · · Score: 2

    Look at the NPC. It's almost like they don't have any other response to a story, except ORANGE MAN BAD.

    It's called Trump Derangement Syndrome, and it results in ongoing, continuous hallucinations.

  22. But remember,... by necro81 · · Score: 1

    When a person looks at a photograph or hears a piece of music, her brain responds in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp

    But remember, you must think in Russian.

  23. paid for By the FBI by Joe_Dragon · · Score: 2

    paid for By the FBI.

    All right Jay, we're just going to show a lot of pics till your phone unlocks. And I just checked, showing pics does not require your attorney to be with you.

  24. NEVER. Brainwaves can't replace passwords. by gavron · · Score: 2

    Multiple factor authentication includes SOMETHING YOU HAVE (fob, fingerprint, retina, brainwaves, token) and SOMETHING YOU KNOW (PIN, password, passphrase, your mother's maiden name, etc.)

    The key to good authentication is to require all factors to be presented in order to authenticate. A brainwave is definitely something you have, and like a fingerprint, it's something someone else can sample to force you to authenticate against your will. Even if it becomes so sophisticated as to be able to "read your mind" thinking a specific word ("pink elephant") all it would take is the black-hat actor asking you to think about "pink elephant" and your mind would do so, thereby authenticating.

    Passwords, PINs, passphrases, challenges, etc. require us to ACTIVELY CHOOSE to authenticate. Law enforcement hates this. So do black-hat actors. Those of us who favor authentication love it.

    Brain waves will NEVER REPLACE PASSWORDS ENTIRELY soon or at any other time.

    Ehud

  25. Most of my coworkers would be unable to login...

  26. Re:Another alt-rightie tries to silence others by illumina+us · · Score: 1, Troll

    What are you talking about? Let's just compare/contrast the last two leaders (and for this purpose we are going to say POTUS) of the DNC and GOP. Just pick two random speeches; any two. Please tell me which one you think is deranged. I'm getting really sick of this tribal mentality nonsense. We don't discuss issues anymore. Politics has degraded into the equivalent of WWE smack talk.

    --
    -illumina+us "I put on my robe and wizard hat..."
  27. Umm, _secret_ password by holophrastic · · Score: 1

    So, anyone who shows me the photo gets my password? Sounds like every phisher's dream.

    Last I checked, access credentials need to be deniable -- no, you can't have my password/key/handshake. It's a secret.

  28. Re:Another alt-rightie tries to silence others by Ol+Olsoc · · Score: 1

    The left (especially the party leadership for the Democrats) are acting more and more like they're building an extremist cult.

    Says the guy who approves of the party of the MagaBomber.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  29. Identifier is not a password by Anonymous Coward · · Score: 1

    A password is NOT an identifier, it is an act of submitting something, voluntarily, with free will. A cut off index finger is NOT a password, nor is ANY biometric data.
    Biometric data can be replicated, whereas recalled memory you voluntarily submit is different, it is the sum of free will and identity.

  30. No, not with current laws. by Mal-2 · · Score: 1

    This transforms "what you know" into a shade of "who you are". Stay with passcodes and passwords. The legal system would love for us to all move to biometrics, so we can't "forget" and deny them access.

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  31. Time for Americans to think like Russians. by geekymachoman · · Score: 1
  32. Re:Another alt-rightie tries to silence others by Mashiki · · Score: 1

    Says the guy who approves of the party of the MagaBomber.

    You mean the guy who openly said he hated Trump. How's that reasoning working out for ya?

    --
    Om, nomnomnom...
  33. Re:Easy to Hack Trump's Twitter by Mashiki · · Score: 1

    Why does everything have to turn political here on /. when the article is not even remotely related?

    Short answer: The people spouting "orange man bad" and the associated crap are so bent out of shape over Hillary losing, that they have to attach politics to everything in order to justify their support of her and their lack of support for him. That leaves you and me and everyone else three options:

    (1) Ignore it. (2) Mock the piss out of them with a dose of reality. (3) Attempt reasonable discussion and hope they get out of their delusion. I prefer option 2, usually with memes.

    --
    Om, nomnomnom...
  34. "My brain? That's my second favorite organ!" by DutchUncle · · Score: 1

    Woody Allen, "Sleeper" https://www.youtube.com/watch?...

  35. Re:Another alt-rightie tries to silence others by Mashiki · · Score: 1

    You skipped psychology 101, and basics of human interactions in stressed environments. Try again without the word salad, and then back up assertions with fact, I'll wait for you to hit the brick wall in your reasoning.

    --
    Om, nomnomnom...