Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Science

Your Brain Waves Could Soon Replace Passwords Entirely (fastcompany.com) 104

Wenyao Xu and Feng Lin, assistant professors of Computer Science and Engineering at University at Buffalo and The State University of New York, write: Our team has been working with collaborators at other institutions for years, and has invented a new type of biometric that is both uniquely tied to a single human being and can be reset if needed. When a person looks at a photograph or hears a piece of music, her brain responds in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp. We have discovered that every person's brain responds differently to an external stimulus, so even if two people look at the same photograph, readings of their brain activity will be different. This process is automatic and unconscious, so a person can't control what brain response happens. And every time a person sees a photo of a particular celebrity, their brain reacts the same way -- though differently from everyone else's.

We realized that this presents an opportunity for a unique combination that can serve as what we call a "brain password." It's not just a physical attribute of their body, like a fingerprint or the pattern of blood vessels in their retina. Instead, it's a mix of the person's unique biological brain structure and their involuntary memory that determines how it responds to a particular stimulus.

This discussion has been archived. No new comments can be posted.

Your Brain Waves Could Soon Replace Passwords Entirely

Comments Filter:
  • by enriquevagu ( 1026480 ) on Monday October 29, 2018 @12:00PM (#57555981)

    Biometrics replace usernames, not passwords.

    User names identify who you are. You are always the same person; that can never be changed.

    Passwords validate your credentials. Passwords may be changed when they are discovered by a third party; usernames (or brain waves, as discussed in the summary) cannot be changed.

    • by Anonymous Coward

      Biometrics replace usernames, not passwords.

      That is not an accurate way of depicting usernames, passwords, or biometrics. Usernames identify authorized users (unique account to track access, used to validate passwords, biometrics, etc against). Biometrics are used to identify a person (who you are), passwords are used as a shared secret to help validate identity (what you know). These are not the same and should not be treated as the same.

      The issue with most biometrics to date is that they can not be changed which is important to help prevent certain

      • by arth1 ( 260657 )

        That is not an accurate way of depicting usernames, passwords, or biometrics. Usernames identify authorized users (unique account to track access, used to validate passwords, biometrics, etc against). Biometrics are used to identify a person (who you are), passwords are used as a shared secret to help validate identity (what you know). These are not the same and should not be treated as the same.

        Don't forget the what you want part, i.e. authorization by the user[*]. Biometrics do not provide this.

        [*]: Authorization is a two way street - not only does the service authorize the user, but the user also authorizes the service. Take away user-initiated authorization, and you open for exploitation and coercion.

    • by jiriw ( 444695 ) on Monday October 29, 2018 @12:34PM (#57556235) Homepage

      The article states otherwise. You change the 'password' by changing the stimulus (use a different photograph, for example).

      Fingerprints can't be changed reliably (without surgery or self mutilation), that's true. And as such you could see them as a kind of username. And they should be used as such if the biometric sensor can't differentiate between the real you and a copy.
      But when brain waves are used as described in the article, you can use them as a password, where your brain is the 'hasher' of your 'plain text' picture, and the 'hash' (brain waves) is compared to the recorded 'hash' in the database.

    • That and i'm not sure that outside stimulus couldn't throw that off to begin with... like caffeine

       

    • User names identify who you are. You are always the same person; that can never be changed.

      If I've learned anything from infosec, biology and cyberpunk anime then it's that identity (to others and yourself) is quite mutable with the proper application of technology.

    • It's more accurate to say that usernames represent who you claim to be. Passwords are an attempt to verify that you are who you say you are... or that you are an authorized proxy.
  • I don't even want to know what goes on in someone's brain who can read about this research and can conclude that it will replace passwords anytime soon. For one thing the mind changes over time so we don't even have reason to believe that this unique response will remain static over time. Then there is the issue of industry adoption, not to mention the minor detail of needing to strap electrodes to your head connected to what is no doubt bulky and expensive hardware.
    • Eh we all hope to have the maximum impact on the world so we amp up the significance of what we do.

      But I wonder if it's always been like that, and whether people were at other times more realistic about their role in the world. Maybe it's the internet that's stimulating this distortion.

    • I suppose it could be useful for extreme high-security situations such as for access to military installations.
  • Soon replace? (Score:4, Insightful)

    by Oswald McWeany ( 2428506 ) on Monday October 29, 2018 @12:02PM (#57556003)

    My main disagreement with this article is over the word "soon".

  • Hungover (Score:2, Funny)

    by Anonymous Coward

    Will it work hungover?

    Drunks everywhere need to know.

    I suppose it could be a fail-safe to not work drunk or hungover.

  • Soon? I figure this is years, if not longer, before brain waves replace passwords entirely. It's another case of things looking best before they have to be widely used. Unfounded optimism abounds.
  • by Anonymous Coward

    Bullllshiiiiiiiiiiiiiiiiit.

  • So your system unlocks when you walk up to it.
  • We've had key fobs for decades. Databases have been able to hold more than 8 characters for a password for decades. Any system that hashes the user's password doesn't actually care how long the password is since it's hashed down to a fixed length anyway.

    The problem is not making use of key fobs to allow per account passwords to be stored so you don't have to share passwords between accounts and those passwords should be a long string of random characters that never need to be typed in.

    With key fobs, the a

  • I guess the something you have is your brain, the something you know is which selected piece of music, or a picture of your favorite porn star you chose to use.

    Seems pretty complicated and hard to save the info in your selected browsers password store,,,

  • I know not a lot of people have thought about this, but it's important. Passwords are one form of access rights. Keys are another. Heck, a secret handshake would be usable, if not entirely secure. The good ones though, they all have fundamental similarities:

    * They can be changed
    Someone lets the password slip? Loses a key? The enemy gets the launch codes? ... you need to be able to change it
    * They are reliable
    Ever get a drivers license that's valid 60% of the time?
    * They can

  • by Anonymous Coward

    So a dag guy can "force" you easily to use your password!

  • "Soon" only appears in the lead of the story. If Wenyao Xu Feng Lin or Zhanpeng Jin wrote it, they're idiots. If someone else did, *they're* idiots. Not from the tech, they promote that they can do it with a special hat with three sensors, from the world outside the lab. It's another of those "people need to change their basic habits to work" things, which won't happen (reference the dramatic adoption of Google Glass).

    Although I agree with others that their tests were "shallow", let us say, that's no
    • The writers of exaggerated unrealistic headlines that make everything sound like it'll change the world tomorrow are not idiots. They're paid to do exactly what they do, just like the "one weird trick" writers.

  • Biometrics cannot replace any secrets. They can, at best, be used to authenticate local presence in closed systems.

    "Authentication" via remote biometric measurement carries absolutely no guarantee that actual bio was involved and thus does not have any valid security properties.

    Such remote usage is *bad* both ways: An attacker can replay biometrics and a non-attacker cannot recover from biometric information copying,... ever!

    Think about that every time you show your fingerprint to random scanners. You

    • by mark-t ( 151149 )
      You can't fake somebody's brain though. And presenting a false hash of the expected brain to another machine to try and fake being somebody else would require compromising the target machine in the first place so that it wasn't going to do its own scanning, so you wouldn't just be able to arbitrarily pretend to be somebody else without literally making a duplicate of that person's brain.
      • by SLOGEN ( 165834 )

        I don't see a fundamental difference. You don't need to fake the brain, only the transmitted "measurements".

        My whole argument about biometrics security properties being tightly local is exactly the constraint needed to make an argument that you "would require compromising the target machine".

        "The sensors would record the persons brain waves. Just as when registering a fingerprint for an iPhones Touch ID, multiple readings would be needed to collect a complete initial record. Our research has confirmed that

        • by mark-t ( 151149 )

          You don't need to fake the brain, only the transmitted "measurements".

          Presumably, whatever is doing the transmitting is "trusted", and that's the thing you'd have to compromise.

  • by 140Mandak262Jamuna ( 970587 ) on Monday October 29, 2018 @01:35PM (#57556635) Journal
    Brain waves, fingerprints, retinal scans, rectal scans too for that matter, are forms of identification that can identify someone.

    Signatures, passwords, digital certificates, rsa id pair, signet rings, seals etc are forms of authentication and approval. Do not confuse between the two.

    But.... Social security number, a form of identification is regularly misused and abused as authentication.

    Whats worse is a wide array of semi public info, information easily known to close family members like mother's maiden name or where someone went to school masquerades as authentication for password reset process.

  • When a person looks at a photograph or hears a piece of music, her brain responds in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp

    But remember, you must think in Russian [youtube.com].

  • by Joe_Dragon ( 2206452 ) on Monday October 29, 2018 @02:13PM (#57556895)

    paid for By the FBI.

    All right jay we just going show up a lot of pic's till your phone unlocks. and I just checked showing pics does not need to have your attorney with you.

  • Multiple factor authentication includes SOMETHING YOU HAVE (fob, fingerprint, retina, brainwaves, token) and SOMETHING YOU KNOW (PIN, password, passphrase, your mother's maiden name, etc.)

    The key to good authentication is to require all factors to be presented in order to authenticate. A brainwave is definitely something you have, and like a fingerprint, it's something someone else can sample to force you to authenticate against your will. Even if it becomes so sophisticated as to be able to "read your mi

  • Most of my coworkers would be unable to login...
  • So, anyone who shows me the photo gets my password? Sounds like every phisher's dream.

    Last I checked, access credentials need to be deniable -- no, you can't have my password/key/handshake. It's a secret.

  • by Anonymous Coward

    A password is NOT an identifier, it is an act of submitting something, voluntarily, with free will. A cut off index finger is NOT a password, nor is ANY biometric data.
    Biometric data can be replicated, whereas recalled memory you voluntarily submit is different, it is the sum of free will and identity.

  • This transforms "what you know" into a shade of "who you are". Stay with passcodes and passwords. The legal system would love for us to all move to biometrics, so we can't "forget" and deny them access.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...