Forget what you heard about magic rings, eye scans and two-step verification: The bar for log-in security has officially been raised with the most private password of all time: a thought.
Led by John Chuang of the UC Berkeley School of Information, a team of researchers have developed a device that verifies a user’s identity with brainwaves, or electroencephalograms (EEGs). Rather than an alphanumerical text password, this new device uses a “pass-thought.” Chuang and his team developed the system with a $100 Neurosky Mindset headset that uses Bluetooth technology to authenticate a person to the computer.
While wearing the headset, volunteers performed a series of seven mental tasks while researchers measured their brainwaves. First, all study participants performed the same three tasks: focusing on their breathing, imagining their finger moving up and down, listening for an audio tone and then responding by focusing on a dot on a piece of paper once the tone was heard. Taking EEG measurements of these tasks created a brainwave baseline of sorts for each individual.
In last four tasks, participants could choose a thought that represented a more “personalized secret.” They could imagine performing a repetitive motion from a sport of their choice, like kicking a ball or swinging a baseball bat. They could think about singing a song or imagining a set of objects with a distinct color scheme. Or they could choose their own thought and focus on it for ten seconds.
By measuring the subject’s unique brainwaves during this personalized cycle of tasks and cross referencing them with their baseline measurements, researchers were able to glean a unique EEG signature so that each “pass-thought” could identify individual users and distinguish them from other participants. Therefore, even if in the unlikely event that volunteers thought of the same “choice” tasks, their unique EEG signatures would prevent others from hacking their “pass-thought.”
By customizing each participant’s authentication threshold via the headset, researchers reduced error rates below one percent, which is comparable to more-invasive methods for measuring multi-channel EEG signals.
“We find that brainwave signals, even those collected using low-cost non-intrusive EEG sensors in everyday settings, can be used to authenticate users with high degrees of accuracy,” researchers concluded in a university news release.
Researchers outlined their techniques and findings in their paper “I Think, Therefore I Am: Usability and Security of Authentication Using Brainwaves.”