Your Brain Waves Could Soon Replace Passwords Entirely

Wenyao Xu and Feng Lin, assistant professors of Computer Science and Engineering at University at Buffalo and The State University of New York, write: Our team has been working with collaborators at other institutions for years, and has invented a new type of biometric that is both uniquely tied to a single human being and can be reset if needed. When a person looks at a photograph or hears a piece of music, her brain responds in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp. We have discovered that every person's brain responds differently to an external stimulus, so even if two people look at the same photograph, readings of their brain activity will be different. This process is automatic and unconscious, so a person can't control what brain response happens. And every time a person sees a photo of a particular celebrity, their brain reacts the same way -- though differently from everyone else's.

We realized that this presents an opportunity for a unique combination that can serve as what we call a "brain password." It's not just a physical attribute of their body, like a fingerprint or the pattern of blood vessels in their retina. Instead, it's a mix of the person's unique biological brain structure and their involuntary memory that determines how it responds to a particular stimulus.

Usernames, not passwords

[enriquevagu]

Biometrics replace usernames, not passwords.

User names identify who you are. You are always the same person; that can never be changed.

Passwords validate your credentials. Passwords may be changed when they are discovered by a third party; usernames (or brain waves, as discussed in the summary) cannot be changed.

Re:Usernames, not passwords

[jiriw]

The article states otherwise. You change the 'password' by changing the stimulus (use a different photograph, for example).

Fingerprints can't be changed reliably (without surgery or self mutilation), that's true. And as such you could see them as a kind of username. And they should be used as such if the biometric sensor can't differentiate between the real you and a copy.
But when brain waves are used as described in the article, you can use them as a password, where your brain is the 'hasher' of your 'plain text' picture, and the 'hash' (brain waves) is compared to the recorded 'hash' in the database.

Soon replace?

[Oswald+McWeany]

My main disagreement with this article is over the word "soon".

Hungover

Will it work hungover?

Drunks everywhere need to know.

I suppose it could be a fail-safe to not work drunk or hungover.

Re:Easy to Hack Trump's Twitter

Why does everything have to turn political here on /. when the article is not even remotely related? People have no lives if all they do is worry about who is in the White House. I despised the BHO years, but I never once mentioned him or his cabinet in a tech forum when he was in office. I'm a conservative, and I don't think there is a single person in the current administration who supports my views or does what I think they should do, but I don't bring it up on tech forums where the isue at hand is not even political.

Identification != authenticaion

[140Mandak262Jamuna]

Brain waves, fingerprints, retinal scans, rectal scans too for that matter, are forms of identification that can identify someone.

Signatures, passwords, digital certificates, rsa id pair, signet rings, seals etc are forms of authentication and approval. Do not confuse between the two.

But.... Social security number, a form of identification is regularly misused and abused as authentication.

Whats worse is a wide array of semi public info, information easily known to close family members like mother's maiden name or where someone went to school masquerades as authentication for password reset process.

Re:Easy to Hack Trump's Twitter

[taustin]

Look at the NPC. It's almost like they don't have any other response to a story, except ORANGE MAN BAD.

It's called Trump Derangement Syndrome, and it results in ongoing, continuous hallucinations.

paid for By the FBI

[Joe_Dragon]

paid for By the FBI.

All right jay we just going show up a lot of pic's till your phone unlocks. and I just checked showing pics does not need to have your attorney with you.

NEVER. Brainwaves can't replace passwords.

[gavron]

Multiple factor authentication includes SOMETHING YOU HAVE (fob, fingerprint, retina, brainwaves, token) and SOMETHING YOU KNOW (PIN, password, passphrase, your mother's maiden name, etc.)

The key to good authentication is to require all factors to be presented in order to authenticate. A brainwave is definitely something you have, and like a fingerprint, it's something someone else can sample to force you to authenticate against your will. Even if it becomes so sophisticated as to be able to "read your mind" thinking a specific word ("pink elephant") all it would take is the black-hat actor asking you to think about "pink elephant" and your mind would do so, thereby authenticating.

Passwords, PINs, passphrases, challenges, etc. require us to ACTIVELY CHOOSE to authenticate. Law enforcement hates this. So do black-hat actors. Those of us who favor authentication love it.

Brain waves will NEVER REPLACE PASSWORDS ENTIRELY soon or at any other time.

Ehud

Re:Lead

[Gavagai80]

The writers of exaggerated unrealistic headlines that make everything sound like it'll change the world tomorrow are not idiots. They're paid to do exactly what they do, just like the "one weird trick" writers.