

Brainwave based authentication prototype from UC Berkeley - m0hit
http://www.ischool.berkeley.edu/newsandevents/news/20130403brainwaveauthentication

======
emily37
In a similar vein, Usenix Security 2012 had a session called "The Brain" with
these two papers:
https://www.usenix.org/conference/usenixsecurity12/neuroscience-meets-cryptography-designing-crypto-primitives-secure
https://www.usenix.org/conference/usenixsecurity12/feasibility-side-channel-attacks-brain-computer-interfaces

The first is only slightly related to this article; it uses implicit learning
to train users to authenticate with secrets that they cannot recall
consciously (and therefore can't be coerced into revealing).

The second is about recovering secret information from brain-computer
interfaces, and though this seems very relevant to the proposal of
authenticating via "passthoughts", neither of these papers seem to cite each
other.

(The Berkeley paper is at
http://www.kisc.meiji.ac.jp/~ethicj/USEC13/submissions/usec13_submission_06.pdf.)

~~~
anologwintermut
Having been in that session, no one I met thought at all highly about the
second paper.

First, it was unlikely you'd actually ever enter sensitive data while using
one of those EEGs (as they are only used in games). Ironically, if you
deployed this authentication method, you'd actually be providing an exploit
vector since you could plausibly alter the authentication game to cause it to
measure something more sinister.

This is important because the second complaint everyone had was the USENIX
paper didn't actually read information covertly. They asked you to think about
your PIN number and flashed digits on screen to see if you recognized them (not
covert at all). Effectively this was stuff that was known to be doable with
medical grade EEGs years ago.

Of course, if you basically have an authentication mechanism that mimics their
awful experiment, the results might actually apply.

------
anologwintermut
Summary of the actual paper: they take a single sensor EEG sample of your
brain doing some simple task and compare it to both a set of samples of your
brain doing the task (this comparison's result is the selfSim value) and of a
bunch of other people doing the task (resulting in the crossSim score). "if
the percent difference between selfSim and crossSim is greater than or equal to
T, we accept the authentication attempt. If not, we reject it."

Of course, this actually says nothing about the feasibility of emulating
someone else's signal (which may get way easier if it's a single sensor).

I'm skeptical of this, both that it will hold up to an adversarial attacker and
that it's actually right. Deciding that something is a unique identifier off a
small sample size reminds me of some of the really bad forensic techniques
people used (e.g. [0]).

[0] http://www.washingtonpost.com/wp-dyn/content/article/2007/11/17/AR2007111701681.html

------
jlgreco
I wonder how easy it is to use while drunk. Do they do usability testing
trials for that?

------
StavrosK
Has anyone used this MindSet in the article? I remember a similar technology
coming out, but didn't see anything happening there. Has anyone used any of
these for gaming or UI control?

~~~
chipsy
MindSet is used in the game "Throw Trucks With Your Mind," which recently had
a successful Kickstarter campaign. I've played with a prototype build of the
game, the headset works great although I'm surprised that it's also precise
enough for user authentication.

~~~
StavrosK
Ah, thank you. Is it worth buying to play around with? I don't even know how
you'd control things with it...

~~~
chipsy
I haven't looked into building anything (I've just played with demos when
they're available) but my understanding is that what is offered in most of
these neurointerface platforms is an API for simple things, and then low-level
access to digital signals, with one channel for each area of the brain being
sampled. So if you're doing things low-level expect to be applying some DSP
knowledge.

------
duaneb
I wonder how this would interact with duress—especially considering sometimes
it's especially important to log on under duress, sometimes it's especially
important to NOT log on.

------
masenf
Something like this could make authentication (and potentially other tasks)
with face-computing devices seamless and secure!

~~~
duaneb
Woah, let's see if it still works when you're pissed at your spouse.

------
datashaman
So to steal things you must steal their brains? This is how the zombie
apocalypse starts...

------
infoman
that reminds me of my 5 year old little poem
http://information-man.com/googles-personal_healthcare_gmail_brainwave_id-generation_2b/

------
BikeEra
This is very interesting. Thanks for sharing!

------
caycep
one thing would be to look at the paper, and also the quality of the telemetry
they are getting from this.

~~~
icegreentea
Don't have time to read through it (have other papers which I have to get
through first!) but here's a draft of their paper that they submitted for the
conference.

http://www.kisc.meiji.ac.jp/~ethicj/USEC13/submissions/usec13_submission_06.pdf

