Passwords are the bane of many a computer user’s existence. Experts recommend long strings of characters containing a mix of upper and lowercase letters, numbers and symbols that may be difficult to crack, but can also be difficult to remember. Despite there being simple techniques for creating difficult-to-crack passwords that are easy to remember and horror stories of identify theft abound, the top two most common passwords remain “12345” and “password”. But a study out of Binghampton University (BU) in New York suggests brainwaves could be a promising alternative to verify a user’s identity.
Researchers at BU read a list of 75 acronyms, such as FBI and DVD, to 45 volunteers and observed the brainwaves that resulted from each group of letters, focusing on the part of the brain associated with reading and recognizing words. This was done with the placement of just three electrodes on the scalp, which is the minimum number that can be used and still obtain a clean reading.
While each respondent’s brainwaves exhibited identifiable features that were consistent in response to a given acronym, the reactions – or “brainprints” – were different enough between respondents to allow a computer system to identify each volunteer with an accuracy of 94 percent. These results were also stable over time, with identification possible after a lag of up to six months.
Sarah Laszlo, assistant professor of psychology and linguistics at BU and study co-author, says that brain biometrics offer a number of advantages over other physical characteristics used for biometrics, such as fingerprints or retinas. For example, both of these can be stolen by malicious means, rendering them unusable by the user since they can’t be replaced.
“If someone’s fingerprint is stolen, that person can’t just grow a new finger to replace the compromised fingerprint – the fingerprint for that person is compromised forever,” points out Laszlo. “Fingerprints are ‘non-cancellable.’ Brainprints, on the other hand, are potentially cancellable. So, in the unlikely event that attackers were actually able to steal a brainprint from an authorized user, the authorized user could then ‘reset’ their brainprint.”
While the researchers don’t see brainprints as a potential replacement for passwords for low security applications in the near future – after all, who wants to hook themselves up to an electroencephalograph (EEG) just to log into their email – they do see the technology having potential in high security environments.
“We tend to see the applications of this system as being more along the lines of high-security physical locations, like the Pentagon or Air Force Labs, where there aren’t that many users that are authorized to enter, and those users don’t need to constantly be authorizing the way that a consumer might need to authorize into their phone or computer,” says Zhanpeng Jin, assistant professor at Binghamton University’s departments of Electrical and Computer Engineering, and Biomedical Engineering.
The team’s study appears in the journal Neurocomputing.