Your Brain Waves Could Soon Replace Passwords Entirely

Wenyao Xu and Feng Lin, assistant professors of Computer Science and Engineering at University at Buffalo and The State University of New York, write: Our team has been working with collaborators at other institutions for years, and has invented a new type of biometric that is both uniquely tied to a single human being and can be reset if needed. When a person looks at a photograph or hears a piece of music, her brain responds in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp. We have discovered that every person's brain responds differently to an external stimulus, so even if two people look at the same photograph, readings of their brain activity will be different. This process is automatic and unconscious, so a person can't control what brain response happens. And every time a person sees a photo of a particular celebrity, their brain reacts the same way -- though differently from everyone else's.

We realized that this presents an opportunity for a unique combination that can serve as what we call a "brain password." It's not just a physical attribute of their body, like a fingerprint or the pattern of blood vessels in their retina. Instead, it's a mix of the person's unique biological brain structure and their involuntary memory that determines how it responds to a particular stimulus.

Re:

[Mashiki]

Look at the NPC. It's almost like they don't have any other response to a story, except ORANGE MAN BAD.

To the article at hand though, I can see a lot of issues with this. People with chronic headaches and migraines, people with alzheimer's, especially early onset, people with MS. Those that have head injuries say from sports, since we know the damage is cumulative. That unique brain signature becomes more of an issue, and we haven't even started on stuff like dementia, schizophrenia, and so on.

Re:

[Anonymous Coward]

Why does everything have to turn political here on /. when the article is not even remotely related? People have no lives if all they do is worry about who is in the White House. I despised the BHO years, but I never once mentioned him or his cabinet in a tech forum when he was in office. I'm a conservative, and I don't think there is a single person in the current administration who supports my views or does what I think they should do, but I don't bring it up on tech forums where the isue at hand is not e

Re:

[Mashiki]

Why does everything have to turn political here on /. when the article is not even remotely related?

Short answer: The people spouting "orange man bad" and the associated crap are so bent out of shape over Hillary losing, that they have to attach politics to everything in order to justify their support of her and their lack of support for him. That leaves you and me and everyone else three options:

(1)Ignore it. (2)Mock the piss out of them with a dose of reality. (3)Attempt reasonable discussion and hope they get out of their delusion. I prefer option 2, usually with memes.

Re:

[Tablizer]

Look at the NPC. It's almost like they don't have any other response...

What do you have against the National Planning Commission (of Nepal)?

Re:

[taustin]

Look at the NPC. It's almost like they don't have any other response to a story, except ORANGE MAN BAD.

It's called Trump Derangement Syndrome [wikipedia.org], and it results in ongoing, continuous hallucinations.

Re:

[Mashiki]

It's almost like he's trying to completely dehumanize

Sorry, you don't get to play this game. After the last decade of labeling people sexists, racists, misogynists, homophobes, transphobes, race traitors, uncle toms, house ni**ers, xenophobes, red necks, country hicks, and of course nazi's.

I hope you enjoy the rule set you've created. Or maybe it's because the NPC meme just strikes too close to home, and you know you're simply spouting garbage, devaluing words, and simply don't care. Somethingsomething groupthink.

Re:

[taustin]

The left (especially the party leadership for the Democrats) are acting more and more like they're building an extremist cult. They act increasingly deranged and disconnected from reality, and set increasingly insane and impossible goals. This is a necessary step to create a cult; it isolates the membership from the mainstream, to keep them from seeing how deranged their leadership is, and how deranged they, themselves are becoming. I suspect the party leadership has realized how screwed they are, and are j

Re:

[illumina+us]

What are you talking about? Let's just compare/contrast the last two leaders (and for this purpose we are going to say POTUS) of the DNC and GOP. Just pick two random speeches; any two. Please tell me which one you think is deranged. I'm getting really sick of this tribal mentality nonsense. We don't discuss issues anymore. Politics has degraded into the equivalent of WWE smack talk.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Ol Olsoc]

The left (especially the party leadership for the Democrats) are acting more and more like they're building an extremist cult.

Says the guy who approves of the party of the MagaBomber.

Re:

[Mashiki]

Says the guy who approves of the party of the MagaBomber.

You mean the guy who openly said he hated Trump. How's that reasoning working out for ya?

Re:

[Mashiki]

You skipped psychology 101, and basics of human interactions in stressed environments. Try again without the word salad, and then back up assertions with fact, I'll wait for you to hit the brick wall in your reasoning.

Re:

[Tablizer]

The trace will be flat.

Actually, I suspect his brainwaves will look like his signature. [newsapi.com.au]

Re:

[ChoGGi]

It'll be fine, you just update it every time, and account for the variances (that'll make it more secure...), I'm sure no major changes will ever happen to your brain.
After all it's just three properly located sensors you need to attach to your head,

https://ieeexplore.ieee.org/do... [ieee.org]
Interesting considering the fc article says 32 sensors, the paper says 30 and one of the authors of the paper also helped write the article...

The total duration of the experiment was approximately 1.5 hours,
including 0.5 hour for electrode placement and variable time
in the breaks between blocks

30 mins to attach them (I assume that's the 30 sensor, but it also seems like the 3 sen

Usernames, not passwords

[enriquevagu]

Biometrics replace usernames, not passwords.

User names identify who you are. You are always the same person; that can never be changed.

Passwords validate your credentials. Passwords may be changed when they are discovered by a third party; usernames (or brain waves, as discussed in the summary) cannot be changed.

Re:

[Anonymous Coward]

Biometrics replace usernames, not passwords.

That is not an accurate way of depicting usernames, passwords, or biometrics. Usernames identify authorized users (unique account to track access, used to validate passwords, biometrics, etc against). Biometrics are used to identify a person (who you are), passwords are used as a shared secret to help validate identity (what you know). These are not the same and should not be treated as the same.

The issue with most biometrics to date is that they can not be changed which is important to help prevent certain

Re:

[arth1]

That is not an accurate way of depicting usernames, passwords, or biometrics. Usernames identify authorized users (unique account to track access, used to validate passwords, biometrics, etc against). Biometrics are used to identify a person (who you are), passwords are used as a shared secret to help validate identity (what you know). These are not the same and should not be treated as the same.

Don't forget the what you want part, i.e. authorization by the user[*]. Biometrics do not provide this.

[*]: Authorization is a two way street - not only does the service authorize the user, but the user also authorizes the service. Take away user-initiated authorization, and you open for exploitation and coercion.

Re:Usernames, not passwords

[jiriw]

The article states otherwise. You change the 'password' by changing the stimulus (use a different photograph, for example).

Fingerprints can't be changed reliably (without surgery or self mutilation), that's true. And as such you could see them as a kind of username. And they should be used as such if the biometric sensor can't differentiate between the real you and a copy.
But when brain waves are used as described in the article, you can use them as a password, where your brain is the 'hasher' of your 'plain text' picture, and the 'hash' (brain waves) is compared to the recorded 'hash' in the database.

Re:

[pr0fessor]

That and i'm not sure that outside stimulus couldn't throw that off to begin with... like caffeine

 

Re:

[Calydor]

Or a headache, or stress, or having slept badly, or someone talking to you ...

Re:

[Gravis Zero]

User names identify who you are. You are always the same person; that can never be changed.

If I've learned anything from infosec, biology and cyberpunk anime then it's that identity (to others and yourself) is quite mutable with the proper application of technology.

Re:

[wirelessjb]

It's more accurate to say that usernames represent who you claim to be. Passwords are an attempt to verify that you are who you say you are... or that you are an authorized proxy.

Soon? Maybe someday; emphasis on maybe

[Zero__Kelvin]

I don't even want to know what goes on in someone's brain who can read about this research and can conclude that it will replace passwords anytime soon. For one thing the mind changes over time so we don't even have reason to believe that this unique response will remain static over time. Then there is the issue of industry adoption, not to mention the minor detail of needing to strap electrodes to your head connected to what is no doubt bulky and expensive hardware.

Re:

[iMadeGhostzilla]

Eh we all hope to have the maximum impact on the world so we amp up the significance of what we do.

But I wonder if it's always been like that, and whether people were at other times more realistic about their role in the world. Maybe it's the internet that's stimulating this distortion.

Re:

[RespekMyAthorati]

I suppose it could be useful for extreme high-security situations such as for access to military installations.

Soon replace?

[Oswald McWeany]

My main disagreement with this article is over the word "soon".

Re:

[jfdavis668]

Soon...

Re:

[sacrilicious]

Prediction: Won't happen, ever.

Hungover

[Anonymous Coward]

Will it work hungover?

Drunks everywhere need to know.

I suppose it could be a fail-safe to not work drunk or hungover.

Re:

[sheramil]

Do you really want to be operating your phone or computer if you're that drunk?

"Soon" ???

[QuietLagoon]

Soon? I figure this is years, if not longer, before brain waves replace passwords entirely. It's another case of things looking best before they have to be widely used. Unfounded optimism abounds.

Bull

[Anonymous Coward]

Bullllshiiiiiiiiiiiiiiiiit.

Replace with Gravitational Waves

[jfdavis668]

So your system unlocks when you walk up to it.

Re:

[jfdavis668]

That will keep out Chinese and Russian hackers.

Another expensive solution to a solved problem

[KalvinB]

We've had key fobs for decades. Databases have been able to hold more than 8 characters for a password for decades. Any system that hashes the user's password doesn't actually care how long the password is since it's hashed down to a fixed length anyway.

The problem is not making use of key fobs to allow per account passwords to be stored so you don't have to share passwords between accounts and those passwords should be a long string of random characters that never need to be typed in.

With key fobs, the a

My Brain is My Password. Verify Me.

[bobstreo]

I guess the something you have is your brain, the something you know is which selected piece of music, or a picture of your favorite porn star you chose to use.

Seems pretty complicated and hard to save the info in your selected browsers password store,,,

Basic requirements for access rights

[quietwalker]

I know not a lot of people have thought about this, but it's important. Passwords are one form of access rights. Keys are another. Heck, a secret handshake would be usable, if not entirely secure. The good ones though, they all have fundamental similarities:

* They can be changed
Someone lets the password slip? Loses a key? The enemy gets the launch codes? ... you need to be able to change it
* They are reliable
Ever get a drivers license that's valid 60% of the time?
* They can

Involuntary response

[Anonymous Coward]

So a dag guy can "force" you easily to use your password!

Lead

[Oligonicella]

"Soon" only appears in the lead of the story. If Wenyao Xu Feng Lin or Zhanpeng Jin wrote it, they're idiots. If someone else did, *they're* idiots. Not from the tech, they promote that they can do it with a special hat with three sensors, from the world outside the lab. It's another of those "people need to change their basic habits to work" things, which won't happen (reference the dramatic adoption of Google Glass).

Although I agree with others that their tests were "shallow", let us say, that's no

Re:

[Gavagai80]

The writers of exaggerated unrealistic headlines that make everything sound like it'll change the world tomorrow are not idiots. They're paid to do exactly what they do, just like the "one weird trick" writers.

Biometrics cannot replace secrets

[SLOGEN]

Biometrics cannot replace any secrets. They can, at best, be used to authenticate local presence in closed systems.

"Authentication" via remote biometric measurement carries absolutely no guarantee that actual bio was involved and thus does not have any valid security properties.

Such remote usage is *bad* both ways: An attacker can replay biometrics and a non-attacker cannot recover from biometric information copying,... ever!

Think about that every time you show your fingerprint to random scanners. You

Re:

[mark-t]

You can't fake somebody's brain though. And presenting a false hash of the expected brain to another machine to try and fake being somebody else would require compromising the target machine in the first place so that it wasn't going to do its own scanning, so you wouldn't just be able to arbitrarily pretend to be somebody else without literally making a duplicate of that person's brain.

Re:

[SLOGEN]

I don't see a fundamental difference. You don't need to fake the brain, only the transmitted "measurements".

My whole argument about biometrics security properties being tightly local is exactly the constraint needed to make an argument that you "would require compromising the target machine".

"The sensors would record the persons brain waves. Just as when registering a fingerprint for an iPhones Touch ID, multiple readings would be needed to collect a complete initial record. Our research has confirmed that

Re:

[mark-t]

You don't need to fake the brain, only the transmitted "measurements".

Presumably, whatever is doing the transmitting is "trusted", and that's the thing you'd have to compromise.

Identification != authenticaion

[140Mandak262Jamuna]

Brain waves, fingerprints, retinal scans, rectal scans too for that matter, are forms of identification that can identify someone.

Signatures, passwords, digital certificates, rsa id pair, signet rings, seals etc are forms of authentication and approval. Do not confuse between the two.

But.... Social security number, a form of identification is regularly misused and abused as authentication.

Whats worse is a wide array of semi public info, information easily known to close family members like mother's maiden name or where someone went to school masquerades as authentication for password reset process.

But remember,...

[necro81]

When a person looks at a photograph or hears a piece of music, her brain responds in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp

But remember, you must think in Russian [youtube.com].

paid for By the FBI

[Joe_Dragon]

paid for By the FBI.

All right jay we just going show up a lot of pic's till your phone unlocks. and I just checked showing pics does not need to have your attorney with you.

NEVER. Brainwaves can't replace passwords.

[gavron]

Multiple factor authentication includes SOMETHING YOU HAVE (fob, fingerprint, retina, brainwaves, token) and SOMETHING YOU KNOW (PIN, password, passphrase, your mother's maiden name, etc.)

The key to good authentication is to require all factors to be presented in order to authenticate. A brainwave is definitely something you have, and like a fingerprint, it's something someone else can sample to force you to authenticate against your will. Even if it becomes so sophisticated as to be able to "read your mi

Nope

[LordHighExecutioner]

Most of my coworkers would be unable to login...

Umm, _secret_ password

[holophrastic]

So, anyone who shows me the photo gets my password? Sounds like every phisher's dream.

Last I checked, access credentials need to be deniable -- no, you can't have my password/key/handshake. It's a secret.

Identifier is not a password

[Anonymous Coward]

A password is NOT an identifier, it is an act of submitting something, voluntarily, with free will. A cut off index finger is NOT a password, nor is ANY biometric data.
Biometric data can be replicated, whereas recalled memory you voluntarily submit is different, it is the sum of free will and identity.

No, not with current laws.

[Mal-2]

This transforms "what you know" into a shade of "who you are". Stay with passcodes and passwords. The legal system would love for us to all move to biometrics, so we can't "forget" and deny them access.

Time for Americans to think like Russians.

[geekymachoman]

https://www.youtube.com/watch?... [youtube.com]

"My brain? That's my second favorite organ!"

[DutchUncle]

Woody Allen, "Sleeper" https://www.youtube.com/watch?... [youtube.com]