It’s time to put another body part through the biometrics wringer in the ongoing quest to replace passwords.
This time, it’s your brain.
Specifically, researchers have been looking at how your brain responds to certain acronyms.
According to New Scientist, researchers found that volunteers’ brains had a reaction to each of 75 acronyms (e.g., FBI, DVD) in a way that was unique to each individual.
The difference between the volunteers’ brain reactions was enough for the system to pinpoint their identities with accuracy of up to 97%.
The study, from Neurocomputing, is titled – appropriately enough – Brainprint.
The work was done by a group of researchers from the Basque Center for Cognition and Binghamton University.
This isn’t the first time that unique brain activity has been looked at as a potential authentication factor.
Back in 2007, for example, scientists were looking at identifying people via unique patterns of brain activity.
The thing is, brains are full of noise that makes it tough to pick up clean measurements.
The Basque and Binghamton team has addressed the issue by focusing on brainwaves from one particular region of the brain that’s associated with the task of reading and recognising words, producing a clearer signal that can be measured more quickly.
There are various types of memories: episodic memories that record experience, and semantic memories that simply record word meanings.
Semantic memories are subtly different for each of us, making them potentially useful for authentication. As well, they don’t tend to change much over time, as opposed to episodic memories.
New Scientist gives the example of the word “bee.”
If you’re stung, episodic memory neurons that fire when you next read the word will change to accommodate your experience, though your semantic memory of the meaning of the word “bee” isn’t believed to change substantially.
Will the brainprint be potentially useful in authentication?
Maybe, but only after the researchers come up with a more convenient and comfortable way to access the information, given that the high degree of labeling accuracy was achieved with the use of three electrodes on the volunteers’ scalps: what the researchers said was the minimal possible number to acquire clean data.
Naked Security recently looked at something similar, though not brainprints per se: In January, researchers at the US military’s elite West Point military academy were awarded a multimillion dollar contract to produce a new identity verification system based on users’ behaviour.
Authentication has traditionally relied on users producing one or more of the following: something you know (such as a password or PIN), something you have (such as a number from an RSA key) or something you are (such as your fingerprints or face).
The technology that West Point is working on, behaviour-based biometrics, adds another factor to the mix: something you do.
Transparent, behaviour-based biometrics – or a “cognitive fingerprint” – could provide the nudge that’s needed to push biometrics into the mainstream.
Brainprints also show promise, albeit with a) an inconvenient need to wire scalps, and b) an accuracy rate that the researchers describe as a good starting point, but not the kind of accuracy you’d want to have protecting a roomful of secrets.
In fact, the researchers’ accuracy rates are currently far lower than those achieved when scanning a fingerprint or an iris, according to biometrics expert Kevin Bowyer, of the University of Notre Dame in Indiana.
In addition, both brainprints and cognitive fingerprints have major obstacles to overcome before we see them seriously challenge the wheezy old standby of passwords.
The first is that you can’t change your biometrics. So what do you do if you’re compromised?
Still, they may point the way to a future without passwords.
After all, both cognitive fingerprints and brainprints offer the promise of continuous authentication, which is a marked improvement over the periodic authentication provided by logging on using a password or an iris.
Image of brain and padlock courtesy of Shutterstock.
Hello,
If the account login is compromised, how will one replace the head? That’s a fundamental problem with most biometric solutions! I think it is better to stick with smartcards or tokens for password-less authentication.
How exactly would it be compromised? If someone did somehow create a machine that replicated your specific brainwaves, one would assume that you’re using a second factor. This just adds another option for second (or third) factor authentication. If someone manages to lift and recreate your fingerprint, disable fingerprint scanning as one of your authentication factors and replace it with an RSA token or iris scanner.
In the end, this doesn’t simply create a form of authentication that cannot be changed like a password can, but rather gives you another form of authentication that is nearly-impossible (or in this case, probably completely impossible; your brainwaves would be different under duress even) that can be used to replace a less secure form of authentication.
I think we’re talking less about replicating brainwaves than we are talking about the confidentiality of the resulting digital representation of said brainwaves. For instance, when a site I frequent has a data breach and all the hashes/passwords brought out into the open, I pretty much have to change my password to have some assurance that my account is still just for me, or elsewhere if I re-use that particular password attached to the same screenname.
Am I out of luck if that happens to the backend for biometric auth?
Agreed. There is a ton of research and news on fancy biometric auth, but this is a huge fundamental problem. And we have no idea how this might change over time, much like a scar can change or invalidate a fingerprint. Personally, I don’t want that information stored somewhere fallible, especially if I eventually have to rely upon it for auth somewhere.
And 94% accuracy isn’t enough for me to trust my business upon.
Actually, it’s “up to 94%”, so don’t get your hopes too high 🙂
FBI and DVD aren’t acronyms; they’re abbreviations.
http://dictionary.reference.com/browse/acronym
Strictly, acronyms should be pronounceable as words, like RAM, FUBAR, VORIWOGOM and TEOTWAWKI.
But in modern parlance, initialisms that have become common enough to be written and spoken as words (and are routinely used without being spelled out first), like FBI, MVP, QPR and NSW, are unexceptionably called acronyms, too.
Saying that NSW (it’s a state in Australia, in case you’re wondering) isn’t an acronym is like saying that “virus” can’t be used as a general term for “malware”. Everyone knows you’re right, according to the letter of lexicographic law, but hardly anyone cares, and no-one is confused.
I watched a show on this last night on Nova. They used the Rock Band game guitar to imprint a password in the muscle memory of your brain. Something you could not divulge. Incredible.
I watched that same Nova program. The amazing thing is that you weren’t even consciously aware of the imprint on your brain yet it was able to authenticate you.
Brain password is a very good idea. But, the cost will be another issue to use at mobile phones. It should be developed further with cheap cost, simple, unhackable, and easy to change.