Just when you’re getting used to the fingerprint scanners on your smartphone, here comes the next evolution of biometrics, with a brainy twist -- brainprints.
Indeed, if the results of a new study from Binghamton University in New York can be applied broadly in the marketplace, this innovation may do away with e-mail, bank account and social media passwords, as well as fingerprint and retina scanning, forever.
In “Brainprint,” the new study published in the academic journal Neurocomputing, researchers demonstrated the viability of relying on the way your brain responds to certain words in place of traditional alphanumeric passwords. The researchers observed the brain signals of 45 volunteers as they read a list of 75 acronyms, including FBI and DVD.
Specifically, researchers recorded the brain's reaction to each group of letters, with a special focus on the part of the brain associated with reading and recognizing words. The results: participants' brains reacted differently to each acronym. So differently, in fact, that a computer system was able to identify each volunteer with 94 percent accuracy. Could brainwaves actually be used by security systems to verify a person's identity? Researchers think so.
Why Brainprints Are Appealing
Brain biometrics are appealing because they are cancellable and there’s no way criminals can steal a brain scan the way they could a password, or even a finger or retina scan, said Sarah Laszlo, assistant professor of psychology and linguistics at Binghamton University and co-author of "Brainprint."
“If someone's fingerprint is stolen, that person can't just grow a new finger to replace the compromised fingerprint -- the fingerprint for that person is compromised forever,” Laszlo said. “Fingerprints are 'non-cancellable.' Brainprints, on the other hand, are potentially cancellable. So, in the unlikely event that attackers were actually able to steal a brainprint from an authorized user, the authorized user could then 'reset' their brainprint.”
Of course, this is more futuristic than realistic in the near term. Zhanpeng Jin, assistant professor at Binghamton University's departments of Electrical and Computer Engineering, and Biomedical Engineering, doesn’t see brainprint as the kind of system that would be mass-produced for low-security applications -- at least not any time soon. But he said it could have important security applications.
"We tend to see the applications of this system as being more along the lines of high-security physical locations, like the Pentagon or Air Force Labs, where there aren't that many users that are authorized to enter, and those users don't need to constantly be authorizing the way that a consumer might need to authorize into their phone or computer," Jin said.
Will It Hit the Mainstream?
We caught up with Charles King, principal analyst at Pund-IT, to get his take on this newfangled approach to security. He told us the concept of brainprints and the initial research findings are intriguing.
“I agree with the researchers that circumstances where brainprints would be useful would mostly be in high-security use cases, including military and government applications where the stakes are particularly high and the number of participating users is fairly low,” King said.
Like the researchers, he said he doubted the general market will see the technology any time soon, if ever. He offered some fairly simple reasons.
“In basic security scenarios, brainprints qualify as a ‘pounding tacks with a sledgehammer’ solution,” King said. “Plus, since it's been difficult to impossible to get consumers to use proven security measures, like two-factor authentication, how hard would it be to convince them that the equivalent of an aluminum foil skullcap is the best way forward?”
Posted: 2015-06-07 @ 11:22pm PT
Brainwave monitoring shares the same problem of biometrics in general, i.e., the trade-off between false acceptance and false rejection.
Whether iris, face, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.
Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.
In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at
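The false acceptance/false rejection trade-off and the AND/OR argument in the comment above can be checked numerically. The following is an added example, not part of the article or the comment; the match scores, the password error rates and the independence of the two factors are constructed assumptions.

```python
# Added example. All numbers are constructed, not measurements from the
# study or from any product; the two factors are assumed independent.

# Constructed match scores (0..1) from a hypothetical biometric matcher.
GENUINE = [0.91, 0.85, 0.78, 0.95, 0.66, 0.88, 0.72, 0.93, 0.81, 0.59]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.62, 0.19, 0.55, 0.33, 0.70, 0.24]

# Constructed password factor: (chance an attacker gets in, chance the
# legitimate user is rejected, e.g. forgotten or mistyped).
PASSWORD = (0.01, 0.05)


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) for a matcher that accepts scores >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def combine_or(a, b):
    """Either factor unlocks, as with a biometric plus fallback password."""
    far = 1 - (1 - a[0]) * (1 - b[0])  # attacker must defeat only one
    frr = a[1] * b[1]                  # user is locked out only if both fail
    return far, frr


def combine_and(a, b):
    """Both factors are required."""
    far = a[0] * b[0]                  # attacker must defeat both
    frr = 1 - (1 - a[1]) * (1 - b[1])  # user fails if either one fails
    return far, frr


def report(thresholds=(0.60, 0.75)):
    """Rows of (threshold, biometric, OR with password, AND with password)."""
    rows = []
    for t in thresholds:
        bio = rates(t)
        rows.append((t, bio, combine_or(bio, PASSWORD), combine_and(bio, PASSWORD)))
    return rows


if __name__ == "__main__":
    for t, bio, either, both in report():
        print(f"threshold={t:.2f} bio FAR/FRR={bio} OR={either} AND={both}")
```

Under this model the OR combination never has a lower false acceptance rate than the password alone and the AND combination never has a higher one; the cost of AND shows up as a higher false rejection rate.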