Naked Security

Brainprints hit 100% accuracy at identity verification

Sorry: at least for now, this authentication is a bit electrode-reliant for the likes of most civilians and their iPhones.

Brainprint. Bee. Lady Gaga.

When you read those words, the part of your brain that assigns meaning to words sparkled, firing neurons in a pattern that’s both consistent and unique to each of us.

It’s called, in fact, a brainprint: a biometric attribute that researchers have been studying for use in authentication for years.

If researchers had strapped what’s basically a swimcap outfitted with electrodes – otherwise known as an electroencephalogram headset – on your head, they could have recorded your brainwaves, emitted in less than a second per word, as you read, and thus would have come away with a way to tell that you are really you.

You’ve likely heard of this form of biometric before: back in 2007, for example, scientists were looking at identifying people via unique patterns of brain activity.

More recently, in May 2015, researchers at the Basque Center for Cognition and Binghamton University published a study detailing their attempts to identify individuals by their brains’ reaction to acronyms (e.g., FBI, DVD).

At the time they published their original study in the academic journal Neurocomputing, the team had achieved a decent accuracy rate in identifying individuals by brainprint.

The researchers were able to identify, with 97% accuracy, one person out of a group of 32 by that person’s responses to words or images that flashed on a monitor for half a second.

To achieve even that level of not-quite-good-enough accuracy, they had to find a way to filter out all the noise that a human brain produces, which makes it tough to pick up clean measurements.

They did so by focusing on brainwaves from one particular region of the brain that’s associated with the task of reading and recognizing words, thus cutting through the chatter to attain a clearer signal that can be measured more quickly.

There are various types of memories: episodic memories that record experience, and semantic memories that simply record word meanings.

Semantic memories are subtly different for each of us, making them potentially useful for authentication. They also don’t tend to change much over time, as opposed to episodic memories.

The team has since managed to refine its efforts yet further, to achieve 100% accuracy.

As described in a magazine put out by Binghamton, the team recorded the brain activity of people wearing an electroencephalogram headset while they looked at a series of 500 images designed specifically to elicit a unique response: e.g., a slice of pizza, a boat, Anne Hathaway, the word “conundrum,” the strong pro or con most of us feel when presented with sushi.

Again, each image flashed on a monitor for only half a second.

They were spot on, 100% of the time, when identifying one person out of a group of 30.

The magazine quotes one of the team leaders, Binghamton Assistant Professor of Psychology Sarah Laszlo:

When you take hundreds of these images, where every person is going to feel differently about each individual one, then you can be really accurate in identifying which person it was who looked at them just by their brain activity.

Choosing images that tend to elicit a strong reaction seems to have been one of the refinements: for example, the team used images of sushi.

If you’ve ever eaten it, you probably fall into one of two camps: you think it’s sublime, or you think it’s slimy.

Either way, your brain’s kneejerk – also known as nonvolitional – response will be decisive.

Assistant Professor of Electrical and Computer Engineering Zhanpeng Jin, another leader of the research team, told the Binghamton magazine that the team’s research on brainprints has been more successful than past efforts to use brain activity as a biometric in part because they focused on nonvolitional brain response rather than active thinking:

The key idea is that we want to identify and recognize the individual person based on their inside thinking. Inside-brain activity is not visible to anyone else.

Even more exciting is that we want to use a nonvolitional response. That means even the user cannot be aware of it.

There are yet more benefits to brainprints when compared with other forms of biometrics.

To recap, the problems with biometrics to date have included:

Fingerprint workarounds: There’s always the possibility of cutting off an authenticating finger, but that’s quite Hollywood. There’s also a far less James Bond villainesque technique: that of creating a fake fingerprint made of wood glue. That’s how researchers have fooled fingerprint scanners in both the Galaxy S5 and the iPhone 5s Touch ID.

Retina/iris scan workarounds: Researchers have shown that iris or retina scanners can be tricked, similar to how it’s done with fingerprint scanners: the replica is a digital iris imprint reconstructed from digital images of an eye.

The problem is, you can’t cancel the authentication factor if it’s a finger or an eyeball: you can’t simply grow new ones if they get (unfortunately) lost, damaged, or (more flinch-worthy still) stolen.

In comparison, you can’t cut off somebody’s brain: that would render it quite incapable of producing the authentication factor that is a brainprint, given that it, and its former host, would both be dead.

And, unlike irises or fingerprints, you can in fact change a brainprint: you simply reset it to whatever your brain registers when it views a different image.

Laszlo:

If someone’s fingerprint is stolen, that person can’t just grow a new finger to replace the compromised fingerprint – the fingerprint for that person is compromised forever.

Fingerprints are ‘non-cancellable.’ Brainprints, on the other hand, are potentially cancellable. So, in the unlikely event that attackers were actually able to steal a brainprint from an authorized user, the authorized user could then ‘reset’ his brainprint.

The ability to reset the brainprint could be used not only if a brainprint were somehow compromised by a criminal, but also if something traumatic – or even something positive and life-changing, such as childbirth – were to happen to change an individual’s reactions.

What if you threatened an individual, to try to force them to use their brainprints?

The researchers suspect it wouldn’t work, Jin said:

We think that you can’t even threaten somebody and have their brainprint still work, because if you threaten someone, say with violence, that makes them stressed out.

When you are stressed, your brain activity changes quite dramatically. We think that stress would prevent the person from being able to use his brainprint to authenticate the system.

Regardless of brainprints’ alleged superiority over other biometrics, don’t expect to use them to unlock your mobile phone or log into banking sites anytime soon.

First drawback: that electrode-reading shower cap thing.

The technology is too expensive, too cumbersome and too time-consuming – it takes several minutes to collect a fresh brainprint for purposes of verification – to make sense for mass production and use in low-security applications, at least for now.

Rather, the researchers envision brainprints as potentially being used at checkpoints for high-security locations, such as military or nuclear facilities.

Jin:

The expense of the equipment and the amount of time that it takes to collect a brainprint is, at least now, much too long for someone to want to use it to get into an iPhone or get into a computer, because you don’t want to spend 2 minutes recording brain activity every time you want to look at your phone.

Quick note: Of course, the bit that’s missing from the “100% accuracy” claims in all of this is how the system behaves when it fails, or is confronted with an unknown person.

Differentiating between 30 different people from a known group with 100% accuracy is impressive. But what happens when a stranger shows up?

Does the system reject everyone else? Does it admit everyone else? Or does it randomly match every stranger with one of the 30 identities already in the group?

How security systems fail is at least as important as how they behave under ideal circumstances – because there are no “ideal circumstances” once cybercrooks enter the equation.
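
The failure mode raised in this note, as an added sketch that is not from the researchers or the original article: a nearest-template matcher over constructed random vectors (not EEG data) scores 100% on its 30 enrolled users, yet assigns every stranger an enrolled identity unless a rejection threshold is applied and measured separately. All names, parameters and threshold values here are assumptions made for the illustration.

```python
import math
import random

DIM, USERS, STRANGERS, NOISE = 64, 30, 200, 0.2  # constructed parameters

def vec(rng, scale=1.0):
    """A constructed stand-in for one person's feature vector."""
    return [rng.gauss(0.0, scale) for _ in range(DIM)]

def probe(rng, template):
    """A fresh noisy reading from the person who owns `template`."""
    return [t + rng.gauss(0.0, NOISE) for t in template]

def identify(templates, sample, threshold=None):
    """Index of the nearest enrolled template, or None if rejected."""
    dists = [math.dist(t, sample) for t in templates]
    best = min(range(len(dists)), key=dists.__getitem__)
    if threshold is not None and dists[best] > threshold:
        return None  # open-set rule: too far from everyone enrolled
    return best

def evaluate(threshold=None, seed=1):
    rng = random.Random(seed)
    templates = [vec(rng) for _ in range(USERS)]
    genuine = [(i, probe(rng, t)) for i, t in enumerate(templates)]
    strangers = [vec(rng) for _ in range(STRANGERS)]  # never enrolled
    results = [identify(templates, s, threshold) for _, s in genuine]
    correct = sum(r == i for (i, _), r in zip(genuine, results))
    rejected = sum(r is None for r in results)
    accepted = sum(identify(templates, s, threshold) is not None
                   for s in strangers)
    return {
        "closed_set_accuracy": correct / USERS,
        "false_reject_rate": rejected / USERS,
        "stranger_accept_rate": accepted / STRANGERS,
    }

if __name__ == "__main__":
    # None = pure closed-set matcher; 0.5 too strict; 100.0 too loose.
    for thr in (None, 0.5, 4.0, 100.0):
        print(thr, evaluate(thr))
```

With no threshold the matcher is perfect on the enrolled group and wrong about every stranger; the too-strict and too-loose thresholds show that the rejection rule has its own error rates, which a closed-set accuracy figure does not report.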


10 Comments

User: ring ring
Help desk: Helpdesk how can I help you?
User: Good morning, my electroencephalogram headset isn’t working I can’t log in, can you please help me?
Help desk: I’m not sure, have you changed your mind lately?
User: Are you saying that because I’m a woman? that’s sexist. I’m calling your manager!
Help desk: okay, please try to log in now.
User: I don’t need your help anymore.
Help desk: You’re welcome...

I don’t think this is going to work if it fails when you’re stressed out. People get stressed out for different reasons all the time. Then finding out your access was rejected is going to make it even worse.

There is no such thing as a retina scan. It is a capture – a picture. Nothing is physically scanned. Come on sophos you can do better.

In what way is “a captured image” not “a scan”? When you have X-ray tomography, it’s called “a CAT scan”, even though it uses electromagnetic radiation rather than physical contact. When I capture images of documents with a special, light-based peripheral I own, this electromagnetic capture process is called “scanning”, and the device is called “a scanner.” (Says so on the box.)

I think that the term “retina scan” is [a] well-established in the literature [b] well-understood and [c] perfectly well-chosen.

Do not lose your mind!

Even if it achieves 0% false rejection and 0% false acceptance at the same time, it is not fit for user authentication although it may be good for individual identification. How can it repel the replay of the copied data?

The claim of 100% should be proven at least against 1,000 people, not 30.

You’d want a good supply of not-registered users (say 9000 of them, giving you 10,000 people to try logging in) too.

“But brainwaves can’t be lost”

What if you have a stroke? Develop Alzheimer’s? Or dementia?

I removed that sentence. I think the researchers may have backed themselves both ways here. They seem to want to claim the consistency of brainwaves as one aspect of the strength of their system, and the variability of brainwaves as another part of that strength.
