Researchers are working on a “brain password” system that could let you unlock your phone with your brainwaves—or your reaction to a photo of Leonardo DiCaprio.
“Like a password, it’s easy to reset; and like a biometric, it’s easy to use.”
To overcome password fatigue, many smartphones include facial recognition, fingerprint scans, and other biometric systems. The trouble with these easy-to-use tools, however, is that once compromised—and yes, they can be hacked—you can’t reset them.
“You can’t grow a new fingerprint or iris if that information is divulged,” says Wenyao Xu, assistant professor of computer science and engineering in the School of Engineering and Applied Sciences at the University at Buffalo.
“That’s why we’re developing a new type of password—one that measures your brainwaves in response to a series of pictures. Like a password, it’s easy to reset; and like a biometric, it’s easy to use.”
The “brain password,” which would require users to wear a headset, could have implications in banking, law enforcement, airport security, and other areas.
Unlocking your phone with your brain
“To the best of our knowledge, this is the first in-depth research study on a truly cancelable brain biometric system. We refer to this as ‘hard cancellation,’ meaning the original brain password can be reset without divulging the user’s identity,” says collaborator Zhanpeng Jin, associate professor of computer science and engineering at UB.
They describe the work in a study that will be presented June 11 at MobiSys 2018, a mobile computing conference that the Association for Computing Machinery will host in Germany.
Xu was motivated to create a cancelable biometric password after hackers stole the fingerprint files of 5.6 million workers from the US Office of Personal Management in 2015.
Perhaps the most accessible way to record brain activity is through electroencephalography, which uses electrodes to measure the brain’s unique patterns of electrical activity.
For their system, Xu and collaborators reconfigured a virtual reality headset, reducing the number of electrodes to six. Three record brain activity, two serve as grounds, and the last acts as a reference point. Typically, these headsets have 32 to 64 electrodes.
The electrodes recording brain activity measure three areas of the organ: the intraparietal sulcus (controls declarative memory), the inferior parietal lobule (processes face recognition), and the temporo parietal junction (reading comprehension).
Researchers chose specific image types to stimulate each brain region. They used animal pictures for the intraparietal sulcus because one’s memory of a certain animal can be highly individualized. For example, a person who suffered a spider bite will have a different reaction than someone who hasn’t.
For the inferior parietal lobule, researchers relied on recognizable celebrities such as Leonardo DiCaprio. For the temporo parietal junction, they used encouraging phrases such as “aspire to inspire.”
How does it work?
Users are shown the three images in rapid succession—1.2 seconds to be exact. The process is repeated three additional times. By the end of the fourth time, after 4.8 seconds, the brain password is ready.
Researchers recruited 179 adults—93 men, 86 women—to test the brain password. Test subjects’ average age was 30. They collected data from three sessions, including one that occurred five months after the original test. The goal of the last test was to see how brain passwords functioned over time.
Overall, brain passwords were more than 95 percent effective. The performance dipped slightly, by 1 percent, on the last test.
While wearing a headset may not appeal to common internet users, Xu says that may change over time, especially if the device becomes something more like Google Glass.
Plus, he says, companies with deep concerns about cybersecurity may be early adopters of the technology. As for privacy concerns, Xu says the system—even if hacked—would not divulge sensitive information.
“These passwords contain information gathered from only three channels in less than five seconds. Semantic memory attacks need much more time than that,” says Xu, who plans to continue work on the system to make it more reliable and appealing to users.